Mandiant reminds us: forget Log4j . not

Join today’s leading executives at the Data Summit on March 9. Register here.

After the disclosure of a critical vulnerability in the widely used Apache Log4j logging software in December, many in the industry predicted we would be hearing about it for a long time to come.

They were right.

It has now been three months since the remote code execution (RCE) vulnerability in Log4j, known as Log4Shell (CVE-2021-44228), was first revealed. And we’re still learning more details about how attackers managed to exploit the flaw.

The latest revelation — coming today from Mandiant — was that a threat actor believed to be operating out of China had exploited the vulnerability in Log4j “within hours” of an advisory about the flaw released on Dec. 10.

And here’s the most disturbing part: The group managed to compromise the networks of “at least” six state governments in the US, in part by exploiting Log4j, Mandiant researchers said in a blog post. The states in question were not named by the company.

Along with Log4j, the threat actor also exploited a zero-day vulnerability (CVE-2021-44207) in USAHerds, an application used for livestock disease tracking, Mandiant said.

The Chinese threat actor, known as APT41, is a “productive” state-sponsored group targeting espionage, Mandiant researchers said in the post. The exact goals of the group’s campaign against state governments “remain unknown,” the researchers said.

What is known is that the group acted very quickly when it came to the Log4j vulnerability.

“Within hours of the advisory, APT41 began exploiting the vulnerability to later endanger at least two US state governments, as well as their more traditional targets in the insurance and telecommunications industries,” the Mandiant researchers said.

Persistent threat

Mandiant, who had a busy news day today, reported that the APT41 campaigns against US state governments did not stop in December either.

“In late February 2022, APT41 once again endangered two previous victims of the US state government,” the researchers said – “demonstrating their relentless desire to access state government networks.”

So while there have been fewer impactful cyberattacks using the Log4j vulnerability to date than expected, it’s becoming clearer that we haven’t had the full picture.

And in all likelihood, the full extent of the damage will be unknown for some time to come. For example, attackers can wait for an opportune moment to use the access they gained by breaching systems with Log4Shell.

Alarm clock

It also appears that many systems are still not patched against the vulnerability. According to data from security vendor Qualys, 30% of Log4j instances remain vulnerable.

The ubiquity of the Log4j logging software — and the fact that it’s often used indirectly through Java frameworks — makes the problem difficult for many organizations to fully address.

The cyber attack unveiled today by Mandiant will hopefully serve as a wake-up call for some organizations, said Aubrey Perin, chief analyst for national threat intelligence at Qualys.

In addition, it reminds us that “although all eyes are on Russia and Ukraine, there are other threats that need to be watched closely,” Perin said.

Ultimately, Mandiant’s disclosure follows today “with the typical time-lapse we see with zero-day vulnerabilities like Log4Shell,” said Brian Fox, CTO at Sonatype.

“The Equifax breach, which was similar in nature, took about five months to clear the airwaves of the first exploit,” Fox said. “So from a historical perspective, this isn’t surprising. A high-spread, low-complex vulnerability equals a 100% chance of being used.”

VentureBeat’s mission is to be a digital city square for tech decision makers to learn about transformative business technology and transactions. Learn more

This post Mandiant reminds us: forget Log4j . not

was original published at “”