Log4j remained a top attack vector for threat actors in 2023, while a new vulnerability, HTTP/2 Rapid Reset is emerging as a significant threat to organizations, according to Cloudflare’s annual “Year in Review” report. The report is based on data from Cloudflare’s network, which spans 310 cities in more than 120 countries.
Worldwide, the attack volume targeting Log4j consistently dwarfed that seen for other vulnerabilities and saw spikes during the last week of October and mid-late November, Cloudflare’s report noted. “Attackers are still actively targeting Log4j because if it’s successfully exploited, it has the potential to do some significant damage,” says Cloudflare’s Head of Data Insight David Belson. “If the attackers weren’t having much success, they’d have moved on by now.”
One in three applications still run vulnerable versions of Log4j
Chris Eng, chief research officer at Veracode, a provider of cloud-based app intelligence and security verification services, explains that despite a large-scale effort to patch Log4Shell vulnerabilities, more than one in three applications still run vulnerable versions of Log4j. “Many teams reacted quickly to patch the initial Log4Shell vulnerability, but then reverted to the previous behavior of not patching even after the release of 2.17.1 and beyond,” he says.
Eng notes that Veracode has found that 32% of applications are using a version of Log4j that reached end-of-life in August 2015. He adds that 79% of the time developers never update their third-party libraries after including them in a code base. “That explains why such a large percentage of applications are running an end-of-life version of Log4,” he says.
“I think organizations have not yet made open-source software library updates a part of their culture,” adds Jeff Williams, CTO and co-founder of Contrast Security, a maker of self-protecting software solutions. “Even in an emergency like Log4Shell, many organizations don’t put in the relatively minor work to make the updates.”
HTTP/2 Rapid Reset attack easy to pull with high reward
The report predicted that throughout the coming year attackers will continue to target the HTTP/2 Rapid Reset vulnerability, which can lead to resource exhaustion on a targeted web or proxy server. Its analysis of Rapid Reset attacks from August to October found the average attack rate was 30 million requests per second (rps), with 90 of the attacks peaking above 100 million rps. Those numbers are concerning because a malicious actor can generate large distributed denial-of-service (DDoS) attacks with a relatively small botnet — 20,000 compromised machines compared to hundreds of thousands or millions of hosts.
“While HTTP/2 provides improved web performance and user experience, it also introduces new attack vectors that might be appealing to threat actors,” says Patrick Tiquet, vice president for security and architecture at Keeper Security, a password management and online storage company. “The HTTP/2 Rapid Reset exploits a vulnerability in the HTTP/2 protocol to generate DDoS attacks at a magnitude we’ve never seen.”
“Simply put, the attack is easy to pull off with a high reward for bad actors, accomplishing DDoS attacks that are reportedly 300% or more effective than traditional DDoS methods,” adds Ken Dunham, cyber threat director of the threat research unit at Qualys, a provider of cloud-based IT, security, and compliance solutions.
Post-quantum cryptography internet traffic rising
The report also revealed that internet traffic using post-quantum cryptography reached 1.7% during the year. Right now, Google’s Chrome browser is the leader in supporting PQC, which is designed to protect data from the quantum computers of the future, but the report predicted usage to grow in the coming year as more browsers follow Google’s lead.
“This is a great step toward fulfilling the urgent need to migrate network traffic to quantum safe encryption. However, only 1.7% adoption of PQC is still too low,” says Craig Debban, CISO at QuSecure, a maker of quantum-safe security solutions. Since PQC only works on TLS 1.3, it could take years for PQC to gain traction. “Today’s businesses need to be able to orchestrate their cryptography to accelerate adoption and define their encryption everywhere without waiting for customers and vendors to upgrade their systems,” he says.
“Every cybersecurity team receives sympathy from their peers when surprised by new and completely unknown hacking techniques,” adds Denis Mandich, CTO and co-founder of Qrypt, an enterprise data security provider. “There will be no such forgiveness for anyone unprepared to switch to quantum-safe tooling. To avoid getting eaten by the panda, you only have to run faster than the next guy. In the quantum and AI era, that means quantum solutions.”