What’s old is new again in our security focus today.
According to research by Veracode, nearly 4,000 businesses globally are still vulnerable to Log4j exploits, with 2.8% using versions with the original Log4Shell vulnerability and 3.8% running Log4j 2.17.0 that still contains a vulnerability allowing remote control exploits. The study also found that around 32% of applications were using Log4j2 1.2x, which no longer receives security updates. The research highlights the failure to regularly update Log4j versions and the prevalence of at-risk applications due to teams patching the initial vulnerability but not remaining vigilant.
An unidentified threat actor gained access to two public-facing Web servers at a US federal government agency by exploiting a previously patched vulnerability in Adobe ColdFusion. The intrusions were likely part of a reconnaissance attempt, with no evidence of data exfiltration or lateral movement. The vulnerability, CVE-2023-26360, enables remote code execution and affects multiple ColdFusion versions. CISA stated that the hackers conducted a reconnaissance effort, and it is unclear if any data was exfiltrated. Microsoft Defender for Endpoint alerted the agency to the exploitation and quarantined the hackers’ activities. CISA ordered all federal agencies to patch the known vulnerability in Adobe ColdFusion.
According to a report by the Government Accountability Office (GAO), only three out of the 23 civilian Chief Financial Officer Act agencies have met the cyber event logging standards set by President Joe Biden’s cybersecurity executive order and an Office of Management and Budget memo. The Department of Agriculture, the National Science Foundation, and the Small Business Administration have reached advanced (tier 3) status for logging, while the remaining agencies still need to make progress.
WatchGuard Technologies has released its latest Internet Security Report, highlighting the increasing instances of remote access software abuse, the rise of cyber adversaries using password-stealers and info-stealers, and the pivot from script-based attacks to other living-off-the-land techniques. The report also reveals a surge in the Medusa ransomware variant and a decline in malware arriving over encrypted connections. Network attacks saw a 16% increase, with ProxyLogon being the top vulnerability targeted.
According to Cycode’s State of ASPM 2024 report, CISOs consider software supply chain security a bigger blind spot for application security than Gen AI or open source. The report highlights the challenges of managing AppSec attack surfaces, improving relationships between security and development teams, and consolidating AppSec tools into a single platform.
Why do we care?
The fact that many applications still use Log4j2 1.2x, which no longer receives security updates, raises concerns about legacy systems and their maintenance. This highlights the service offering for adopt a more proactive approach to software updates and vulnerability management, and should justify managed services. Layer the ColdFusion example there too.

