Log4j vulnerability has kick-started a storm in the cyber world since last weekend, with system administrators and IT security experts spending sleepless nights over the security risk.
Dubbed CVE-2021-44228 or Log4Shell, the flaw is exposing some of the world’s most popular applications and services to attack, and the outlook hasn’t improved since the vulnerability came to light last week. It could be the most significant security threat we’ve seen in years, causing the number of global exploitation attempts to grow 300 times just over one weekend. It’s vulnerability exposes countless servers to attackers, who can hijack them to run arbitrary code with relative ease is potentially capable of putting the entire internet at risk. Last time the world saw such growth rates was during the WannaCry attack.
With over 400,000 downloads from its GitHub repository, Apache Log4j, a logging package developed by the Apache Software Foundation, is so ubiquitous that the vulnerability could have a global, all-consuming impact. The reason for this is that practically every major Java-based enterprise software and server on the market uses this open-source Java library.
“The Log4shell vulnerability in Log4j is definitely in the top-5 most severe vulnerabilities of the last decade, one that allows for remote code execution (RCE). It compares to the EternalBlue used by WannaCry, or the ShellShock Bash vulnerability. What makes it so serious is how simple it is to exploit it remotely, as well as the huge number of applications using it,” says Candid Wuest, Acronis VP of Cyber Protection Research.
For example, many types of enterprise and open-source software, including cloud platforms, online applications, e-commerce and email services, employ ‘Apache Log4j and allows users to log in to a variety of popular applications. The risk allows hackers to conduct remote code execution (RCE) attacks on a target system. What’s even more worrying is that these attacks are very easy to carry out for anyone aware of its working.
Cisco and Cloudflare researchers said hackers have been exploiting Log4Shell since early December. However, the hackers scaled up their attacks after Apache’s disclosure last Thursday. Researchers at Microsoft have also said that till date, hackers have used the vulnerability to install cryptominers, steal data and system credentials, and dig deeper into compromised networks.
Major tech players, including Amazon Web Services, Microsoft, Cisco, Google Cloud, and IBM have all found that at least some of their services were vulnerable and have been rushing to issue fixes and advise customers about how best to proceed.
The range of the impact is so broad because of the nature of the vulnerability itself. Developers use logging frameworks to keep track of what happens in a given application. To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code. From there they can load arbitrary code on the targeted server and install malware or launch other attacks. Notably, hackers can introduce the snippet in seemingly benign ways, like by sending the string in an email or setting it as an account username.
Tim Mackey, principal security strategist, Synopsys Cybersecurity Research Center explains, “Apache log4j is the de-facto way Java applications write their log information. This means that a very large number of applications are potentially impacted by CVE-2021-44228, and we’ve already seen reports of just how easy it is to trigger the exploit. That’s the worrisome aspect of most zero-day vulnerabilities – that it’s easy to trigger and impacts a ubiquitous piece of software.”
The exact extent of the exposure is still coming into view, although it is evident that smaller developers who may lack resources and awareness will be slower to confront the Log4Shell threat. In addition, it also takes longer to patch – as it’s not just one vulnerable software that can be updated, but rather a library that’s included in many applications, resulting in many different updates that need to be installed, agrees Wuest, as a result of which dealing with Log4j is not only a difficult task, but it continues to put millions of firms at danger of cyber theft.
As the number of companies and services affected by Log4Shell rises, so does the number of attacks that take advantage of the flaw. Hence, security professionals note that while it’s important to be aware of the vulnerability’s inevitable lasting impact, the first priority is to take as much action as possible now to shorten that tail as the frenzy of exploitation continues.
Roman Kováč, Chief Research Officer at ESET, said, “The volume of our detections confirms it’s a large-scale problem that won’t go away anytime soon. Certainly, attackers are testing many exploit variations, but not all exploitation attempts are necessarily malicious. Some may be benign considering that researchers, infosec companies, and penetration testers are also testing the exploits for defense purposes.”
A new report by Checkpoint Research (CPR) now records a spike in attacks targeted at this vulnerability. The report mentions that CPR is observing over 100 hacks per minute related to LogJ4. With this, more than 40% of corporate networks in India have already had an attempted exploit. Around the world, about 2 lakh targeted attempts were made within twenty-four hours of the initial outbreak.
Lotem Finkelstein, Director, Threat Intelligence and Research for Check Point Software Technologies. “I cannot overstate the seriousness of this threat. On the face of it, this is aimed at crypto miners but we believe this creates just the sort of background noise that serious threat actors will try to exploit in order to attack a whole range of high value targets such as banks, state security and critical infrastructure.”
Researchers warn that at least 40% of corporate networks have been targeted by attackers seeking to exploit the flaw. More than 250 vendors have already issued security advisories.
Finkelstein explains with an example. “It can be exploited either over HTTP or HTTPS (the encrypted version of browsing). The number of combinations of how to exploit it gives the attacker many alternatives to bypass newly introduced protections. It means that one layer of protection is not enough, and only multi layered security posture would provide a resilient protection.”
Unlike other major cyber-attacks that involve one or limited number of software, Log4j, he says is basically embedded in every Java based product or web service. It is very difficult to manually remediate it. Once an exploration was published (on Friday), scans of the internet ensued (to allocate surfaces which are vulnerable due to this incident). Those who won’t implement a protection are probably already scanned by malicious actors. We already saw over 470,000 attempts to scan networks of around a third of all enterprises globally. Most worrying is the fact that almost half of those attempts were made by known malicious groups.
“This vulnerability, because of the complexity in patching it and easiness to exploit, will stay with us for years to come, unless companies and services take immediate action to prevent the attacks on their products by implementing a protection. Now is the time to act. Security teams need to jump on this with utmost urgency as the potential for damage is incalculable. The need for a rapid response is highlighted by the fact that this was discovered at the end of the working week in the run up to the holiday season when security teams may be slower to implement protective measures,” he says.
Mackey highlights that protecting against exposure to CVE-2021-44228 starts with a basic element of software supply chain risk management – know the code that powers your business. If you don’t know which applications run Java and have a vulnerable version of log4j, then you can’t guarantee you’ve patched everything. If you’re relying on periodic scans of software or configurations to determine whether you’re exposed to something, then it’s time to start looking at continuous monitoring for software supply chain issues and possibly implementing automated pen-testing capabilities. After all, it’s always possible for a vulnerable version of something that should’ve been patched to be used elsewhere or by a different supplier.
“As the vulnerability has been exploited for days already, the security teams need to analyze if they were compromised and if any backdoor has been installed by attackers. Attacks have varied from nuisances – such as cryptocurrency miners – to backdoor and ransomware, which can compromise the whole organization,” says Wuest.
Apache meanwhile has already released an update for Log4j as Version 2.15.0, which patches the vulnerability. However, the sheer scale of use of the logging library makes it an almost impossible task for organizations to update each Log4j application. It now remains to be seen how the cyber industry protects itself from the major security risk, before malicious groups are able to exploit it.