Log4j remained a top attack vector for threat actors in 2023, while a new vulnerability, HTTP/2 Rapid Reset, is emerging as a significant threat to organizations, according to Cloudflare’s annual “Year in Review” report. The report is based on data from Cloudflare’s network, which spans 310 cities in more than 120 countries.
Worldwide, the attack volume targeting Log4j consistently dwarfed that seen for other vulnerabilities and saw spikes during the last week of October and mid-to-late November, Cloudflare’s report noted. “Attackers are still actively targeting Log4j because if it’s successfully exploited, it has the potential to do some significant damage,” says Cloudflare’s Head of Data Insight David Belson. “If the attackers weren’t having much success, they’d have moved on by now.”
One in three applications still run vulnerable versions of Log4j
Chris Eng, chief research officer at Veracode, a provider of cloud-based app intelligence and security verification services, explains that despite a large-scale effort to patch Log4Shell vulnerabilities, more than one in three applications still run vulnerable versions of Log4j. “Many teams reacted quickly to patch the initial Log4Shell vulnerability, but then reverted to the previous behavior of not patching even after the release of 2.17.1 and beyond,” he says.
Eng notes that Veracode has found that 32% of applications are using a version of Log4j that reached end-of-life in August 2015. He adds that 79% of the time developers never update their third-party libraries after including them in a code base. “That explains why such a large percentage of applications are running an end-of-life version of Log4j,” he says.
“I think organizations have not yet made open-source software library updates a part of their culture,” adds Jeff Williams, CTO and co-founder of Contrast Security, a maker of self-protecting software solutions. “Even in an emergency like Log4Shell, many organizations don’t put in the relatively minor work to make the updates.”
HTTP/2 Rapid Reset attack easy to pull off with high reward
The report predicted that throughout the coming year attackers will continue to target the HTTP/2 Rapid Reset vulnerability, which can lead to resource exhaustion on a targeted web or proxy server. Cloudflare’s analysis of Rapid Reset attacks from August to October found the average attack rate was 30 million requests per second (rps), with 90 of the attacks peaking above 100 million rps. Those numbers are concerning because a malicious actor can generate large distributed denial-of-service (DDoS) attacks with a relatively small botnet — 20,000 compromised machines compared to the hundreds of thousands or millions of hosts typically needed.
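Rapid Reset works by having a client open HTTP/2 streams and cancel them immediately, so the server keeps spending work on requests that are never served; one defensive signal is therefore the per-connection rate and ratio of stream resets. The detector below is an added example, not Cloudflare’s code or anything from the report: it reads a constructed connection log of HEADERS (stream opened) and RST_STREAM (stream cancelled) frames and flags connections that exceed assumed thresholds.

```python
"""Flag HTTP/2 connections whose stream-reset behaviour matches Rapid Reset.
Constructed example, not Cloudflare's code; thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

MAX_RESETS_PER_SEC = 100  # per-connection reset rate that triggers a flag
MAX_RESET_RATIO = 0.5     # resets / opened streams that triggers a flag
MIN_STREAMS = 20          # too little traffic to judge below this

@dataclass
class ConnStats:
    opened: int = 0    # HEADERS frames: streams the client opened
    resets: int = 0    # RST_STREAM frames: streams the client cancelled
    first_ts: float = float("inf")
    last_ts: float = float("-inf")

def analyze(lines):
    """Aggregate opens and resets per connection; log lines are '<epoch_seconds> <conn_id> <frame_type> <stream_id>' (constructed format)."""
    stats = defaultdict(ConnStats)
    for line in lines:
        ts, conn, frame, _stream = line.split()
        ts = float(ts)
        s = stats[conn]
        s.first_ts, s.last_ts = min(s.first_ts, ts), max(s.last_ts, ts)
        if frame == "HEADERS":
            s.opened += 1
        elif frame == "RST_STREAM":
            s.resets += 1
    return stats

def flagged_connections(lines):
    """Return conn_ids whose reset rate or reset ratio exceeds the thresholds."""
    out = []
    for conn, s in analyze(lines).items():
        if s.opened < MIN_STREAMS:
            continue
        duration = max(s.last_ts - s.first_ts, 1e-3)  # guard against a zero span
        if s.resets / duration > MAX_RESETS_PER_SEC or s.resets / s.opened > MAX_RESET_RATIO:
            out.append(conn)
    return sorted(out)

def sample_log():
    """Constructed traffic: a normal browser-like client and a Rapid Reset client."""
    lines = [f"{1700000000 + 0.3 * i:.3f} normal HEADERS {2 * i + 1}" for i in range(30)]
    lines += ["1700000001.000 normal RST_STREAM 3", "1700000005.000 normal RST_STREAM 21"]
    for i in range(500):  # 500 open-and-cancel pairs inside one second
        lines.append(f"{1700000000 + 0.002 * i:.3f} attacker HEADERS {2 * i + 1}")
        lines.append(f"{1700000000 + 0.002 * i:.3f} attacker RST_STREAM {2 * i + 1}")
    return lines
```

On the constructed log, only the connection that cancels every stream it opens within a second is flagged; a real deployment would feed per-connection frame counters from the proxy instead of a text log.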