Log4j Vulnerability Timeline: Patches, Log4Shell Cyberattacks and CISA Status Updates

Credit: Getty Images

The Log4j vulnerability has triggered global headlines. MSPs, MSSPs and security pros are racing to mitigate the vulnerability before more hackers exploit the widespread security issue. Here's how the Log4j vulnerability was discovered, reported, exploited and mitigated, according to ongoing reports from CyberRisk Alliance brands (ChannelE2E, MSSP Alert and SC Media) and third-party reports.

Note: This CISA guidance offers concise advice on how MSPs and MSSPs can mitigate the Log4j vulnerability.

Here's our ongoing timeline of coverage. Keep checking backup for more updates.

Thursday, January 6, 2022: Two cybersecurity experts, Beau Woods and Adam Bregenzer, have developed an open source search tool to help cybersecurity professionals navigate an increasingly cumbersome list of software products affected by the Log4j vulnerability. Source: SC Media.

Tuesday, January 4, 2022: The FTC is warning companies to remediate the Log4j vulnerability in order to "reduce the likelihood of harm to consumers, and to avoid FTC legal action." Source: FTC.

Monday, January 3, 2022: Microsoft on January 3 updated its guidance for preventing, detecting and hunting Log4j vulnerabilities. Source: Microsoft.

Wednesday, December 29, 2021: Multiple updates...

  • Log4j Exploit?: Aquatic Panda, a China-based hacker group, has attempted to infiltrate an academic institution through the Log4j vulnerability. The bug involved VMware’s software, according to SC Media. SourceCrowdStrike.
  • Log4j and Crypto Trading: One of the largest Vietnamese crypto trading platforms, ONUS, recently suffered a cyberattack on its payment system running a vulnerable Log4j version. Threat actors approached ONUS to extort a $5 million sum and threatened to publish customer data should ONUS refuse to comply, the report said. Source: Bleeping Computer.
  • Microsoft Fixes False Log4j Positives: Microsoft Defender for Endpoint suffered some Log4j false positive reports, but Microsoft has updated the security software to correct the issue. Source: VentureBeat.

Tuesday, December 28, 2021: Checkmarx, an application security testing firm, discovered a way to use Log4j to launch malicious code, forcing yet another round of patching for affected users. The latest issue, which was considered less severe compared to the earlier Log4j issues -- was patched in Log4j 2.17.1, 2.12.4, and 2.3.2. Source: SC Media.

Monday, December 27, 2021: Multiple updates...

  • Internet scanning for vulnerable Log4j systems dipped nearly 40% since the day before Christmas, hitting its lowest levels in more than two weeks, Sophos said. But the figure may rise again. Source: SC Media.
  • The Microsoft 365 Defender portal now features a consolidated Log4j dashboard to help customers identify and remediate files, software and devices that are exposed to the Log4j vulnerabilities. Source: Microsoft.

Thursday, December 23, 2021: Alibaba conceded it was slow to report the Log4j vulnerability because it was unaware of its severity, a day after China’s tech industry overseer suspended cooperation on cybersecurity with the online retail giant. Source: Bloomberg.

Wednesday, December 22, 2021: Fully 10% of all assessed assets are vulnerable to Log4Shell, and 30% of organizations haven’t even begun looking for this bug. Source: Tenable.

Friday, December 17, 2021: Multiple updates...

Wednesday, December 15, 2021: Multiple updates...

Tuesday, December 14, 2021: Multiple updates...

  • Check Point Software Technologies found that 24 hours after the initial outbreak, its sensors recorded almost 200,000 attempted attacks across the globe. As of early this morning, when it posted its blog, some 72 hours after the initial outbreak, the number hit more than 800,000 attacks. Source: SC Media.
  • Cybersecurity companies CrowdStrike and Mandiant confirmed that Chinese and Iranian state actors are leveraging the Log4j vulnerability – while other state actors are likely preparing to do the same. Source: SC Media.
  • While most of the recent Log4j attacks have targeted Linux servers, researchers have been studying a new strain of ransomware — Khonsari — that attacks Windows systems. Bitdefender first reported about Khonsari in a blog, where it said that the malicious payload was downloaded as a .NET binary written in C#. Source: SC Media.

Monday, December 13, 2021:

  • CISA convenes a "national call with critical infrastructure stakeholders" during which CISA’s experts were available to provide further insight and address questions." Source: CISA.
  • Log4j vulnerability cleanup could take months. Source: SC Media.

Sunday, December 12, 2021: ChannelE2E tracks MSP software company statements about the vulnerability. The regularly updated coverage includes statements from Auvik NetworksConnectWiseDatto, KaseyaLiongardN-ableNinjaOne and Pax8. Source: ChannelE2E.

Saturday, December 11, 2021: Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly releases a statement about Log4j, and offers some initial mitigation guidance. She notes that the vulnerability poses a "severe risk." Source: MSSP Alert.

Friday, December 10, 2021: Multiple updates...

  • The National Vulnerability Database lists CVE-2021-44228 -- a log4j vulnerability -- as a critical0-level issue. Source: NIST.
  • Cloud services such as Steam and Apple iCloud are vulnerable, as well as apps like Minecraft. Source: SC Media.
  • MSP-friendly security companies such as Blackpoint Cyber and Huntress offer Log4j security guidance to MSPs and MSSPs. Source: MSSP Alert.

Friday, November 26, 2021: The date the vulnerability is first recorded into the CVE list. Source: CVE.

Wednesday, November 24, 2021: The Log4j vulnerability is disclosed to Apache by Chen Zhaojun of Alibaba Cloud Security Team. Source: Cyber Kendra.

Keep checking backup for more updates.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.