Four months after the discovery of the zero-day Log4Shell critical flaw, millions of Java applications still remain vulnerable to compromise, researchers have found.

Researchers at security firm Rezilion analyzed the current potential attack surface for the vulnerability in the popular open-source Apache Log4j framework that threatened to break the internet when it was discovered in December. The flaw in the ubiquitous Java logging library Apache Log4j is easily exploitable and can allow unauthenticated remote code execution (RCE) and complete server takeover.

Rezilion expected that due to the “massive amount of media coverage” the bug unsurprisingly received, the majority of applications would already be patched, Head of Vulnerability Research Yotam Perkal wrote in a report published Tuesday. However, their analysis found a very different story, he said.

“We learned that the landscape is far from ideal and many applications vulnerable to Log4Shell still exist in the wild,” Perkal wrote in the report.

Supporting Evidence

Researchers did a search on the Shodan search engine to see how many apps vulnerable to Log4Shell are exposed to the internet. They identified 90,000 potential vulnerable internet-facing applications, which they believe “is just the tip of the iceberg in terms of the actual vulnerable attack surface,” Perkal wrote.

Researchers divided the apps into three categories; the first two are containers that in their latest version, still contain obsolete versions of Log4j; and containers that while their latest version is up-to-date yet still show evidence of using previous versions.

The third category are publicly facing servers of the world’s favorite internet game Minecraft, which highlight the risks with outdated proprietary software, researchers noted.. Indeed, it Minecraft sites where the vulnerability first turned up and apparently still persists.

Researchers cited other sources for further proof that the Log4Shell attack surface remains vast. One was the Google service Open Source Insights, which scans millions of open-source packages. The service found that out of a total of 17,840 packages affected by the flaw, only 7,140 were patched, making nearly 60 percent still vulnerable.

Moreover many applications are still using Log4J version 1.x and likely aren’t patched because the original Log4Shell vulnerability, tracked as CVE-201-44228, doesn’t apply to this version, researchers noted.

However, this is a misconception as that version has been “in an end-of-life state since August 2015 (which means it does not get any security updates), and contains plenty of other vulnerabilities, including RCE vulnerabilities, Perkal noted.

“This should definitely worry organizations that are still using it,” he wrote.

Under Active Exploitation

Perhaps most worrying about the vulnerable attack surface is that Log4Shell remains a hot target for threat actors, researchers noted. Indeed, attackers immediately set upon the bug once it was discovered—already under active exploitation—and haven’t let up much since.

While Apache released a patch for Log4Shell within a day of discovery, it, too, had issues that could lead to DoS attacks—and apparently still hasn’t been applied in many cases.

Initial attempts to exploit the bug in the wild were aimed at ransomware deployment and coin miners; however, as time when on APT groups joined the fray and began pummeling the flaw in earnest, researchers said.

Most recently, active exploitation of Log4Shell has been linked to the Chinese APT 41 group and Deep Panda, Perkal said. Before that, the Chinese state-sponsored espionage group HAFNIUM and Iranian-backed groups APT35 (aka Newscaster) and Tunnel Vision also targeted the flaw.

Currently there are still dozens of recorded daily exploitation attempts of Log4Shell, according to a honeypot set up by the SANS Internet Storm Center, researchers noted.