There’s no way to sugarcoat it: the widespread vulnerability in Apache Log4j will be exploited for some nastier cyberattacks than those we’ve seen so far. And the worst of them may actually be months — or even years — into the future.

Sophisticated attackers often create a backdoor into an exploited server, enabling them to bypass security tools as they re-enter and exit. So even if an organization has patched against the vulnerability in Log4j, an attacker may be able to remain in the network, undetected, until the time is ideal to strike.

If that sounds scary — well, it probably should.

“In many cases, attackers breach a company, gain access to networks and credentials, and leverage them to carry out huge attacks months and years later,” said Rob Gurzeev, cofounder and CEO of CyCognito.

New players

The vulnerability in the widely used Log4j logging library was publicly revealed a week ago, and an onslaught of more than 1 million attempted attacks have followed, according to Check Point. Researchers at the company said they’ve observed attempted exploits on more than 44% of corporate networks worldwide.

Most of the malicious attack volume over the past week has involved “hobbyists” or solo operators, said Casey Ellis, founder and chief technology officer at Bugcrowd. But evidence has emerged that more sophisticated threat actors have begun to exploit the vulnerability in Log4j, as well. Those include attackers looking to get a foothold in networks in order to sell that access to ransomware operators.

In comparison to the hobbyists, these attackers are more like a multinational enterprise, Ellis said. “Their business model is built on scale and reliability of intrusion,” he said.

And crucially, “sophisticated attackers don’t want to get caught before they’ve gotten their job done, so they tend to develop techniques and operating practices that make them quieter, and harder to see,” Ellis said.

Once they’ve established a foothold, sophisticated attackers will often take their time in surveying users and security protocols before executing the full brunt of their attacks, said Hank Schless, senior manager for security solutions at Lookout.

This helps them strategize how to most effectively avoid existing security practices and tools, Schless said, “while simultaneously identifying what parts of the infrastructure would be most effective to encrypt for a ransomware attack.”

Other activities can include exfiltrating data slowly — so slowly that it typically won’t be blocked or detected, Gurzeev said.

Evading detection

It’s not that hackers can’t be detected in this situation, but they also continuously hone their tactics to evade detection attempts, said Asaf Karas, chief technology officer for security at JFrog. Over the past week, “we’ve already seen the use of obfuscation to avoid detection,” Karas said.

In the case of the Sony breach of 2014, the New York Times reported that the attackers spent two months mapping the company’s systems and identifying key files. (“They were incredibly careful, and patient,” a person briefed on the investigation told the Times, speaking of the attackers.) Wired reported that the attackers may have been stealing data over the course of a full year.

The attackers in the SolarWinds Orion breach, meanwhile, are believed to have had access for nine months to “some of the most sophisticated networks in the world,” including cybersecurity firm FireEye, Microsoft, and the U.S. Treasury Department, said Peter Firstbrook, a research vice president and analyst at Gartner, at the firm’s recent security conference.

For attackers, “if the motive is to steal sensitive information, you might want to just be really quiet and just listen in and steal data as it’s coming,” said Sonali Shah, chief product officer at Invicti.

But after a breach comes to light, it’s not always clear how the attackers even got in originally — especially if a large amount of time has passed. And that may very well be the case with any major attacks that stem from the vulnerability in Log4j, Gurzeev said.

“Since we might only learn about the attacks in months or years from now, it might be tough to correlate,” he said.

‘Sky is the limit’

Researchers have said they do expect more serious attacks to result from the vulnerability in Log4j, known as Log4Shell. Many applications and services written in Java are potentially vulnerable to Log4Shell, which can enable remote execution of code by unauthenticated users. Vendors including Bitdefender and Microsoft have already reported attempted ransomware attacks exploiting the vulnerability in Log4j.

Additionally, Microsoft and cyber firm Mandiant said this week that they’ve observed activity from nation-state groups—tied to countries including China and Iran—seeking to exploit the Log4j vulnerability. In one instance, an Iranian group known as Phosphorus, which has previously deployed ransomware, has been seen “acquiring and making modifications of the Log4j exploit,” Microsoft said.

The likelihood of ransomware attacks deriving from Log4Shell is high, researchers have said. But when it comes to remote code execution, “the sky is the limit on what an attacker can achieve as an end result as they pivot and execute commands on other apps, systems, and networks,” said Michael Isbitski, technical evangelist at Salt Security.

Due to the widespread nature of the flaw, “the long tail on this vulnerability is going to be pretty long,” said Andrew Morris, the founder and CEO at GreyNoise Intelligence. “It’s probably going to take a while for this to get completely cleaned up. And I think that it’s going to be a little bit before we start to understand the scale of impact from this.”

Response effort

The good news is that in some ways at least, businesses are in a better position to avoid a catastrophe now than in the past. This being 2021, many businesses are more primed to respond quickly — as evidenced by the rapid response of security teams late last week, many of which worked through the weekend to secure their systems.

Meanwhile, key technologies for defenders looking to root out the attackers sitting in their networks can include web application firewall (WAF) and intrusion prevention system (IPS) technologies, Ellis said.

“A motivated attacker will find a bypass for them, but the noise generated by everyone else will be turned down in the process, making their activities easier to see,” he said.

For larger organizations, “the big thing is to do everything you can to know where Log4j is or is likely to be in your environment, then logging everything and watching it — especially internally — like a hawk, and treat suspected attacks against these systems as though they were successful,” Ellis said.

For smaller organizations who might lack the headcount to do this, “working on an ‘assume breach’ basis and deploying honeypots and honeytokens is a low-noise, high-signal way to detect post-exploitation activity,” he said. Honeypots are fake “vulnerable” servers meant to catch attackers in the act, while honeytokens offer a similar concept but for data.

Ultimately, getting a handle on all of the assets and systems that the organization possesses is a critical first step, Gurzeev said.

“You can’t protect what you don’t know,” he said. “But once you know, you can set compensating controls, close the gaps, and take other steps to minimize customer risk and business risk — which should be everyone’s top priority.”