A severe flaw found within a software framework known as “Log4j” has recently put hundreds of millions of users at risk. The issue carries a severity rating of 10 on the Common Vulnerability Scoring System scale, the highest rating on the scale.
According to Jen Easterly, Director of America’s Cybersecurity and Infrastructure Security Agency (“CISA”), the Log4j vulnerability “poses a severe risk.” It is the “most serious” vulnerability she has seen in her decades-long career, and it could take years to address. Easterly also told reporters that federal officials fully expect “the vulnerability to be widely exploited by sophisticated actors.”
On November 24, an employee on Alibaba Group Holding Ltd.’s cloud-security team became aware of the bug and notified Apache, stating, “I want to report a security bug,” and adding that “the vulnerability has a major impact.” On December 8, details of the vulnerability became public on the Chinese blogging platform WeChat, and further information was disclosed the following day.
Since then, employees of Apache, the organization behind widely used web server software, have worked around the clock to fix the issue while security researchers have analyzed its impact. Although progress has been made in patching the vulnerability, a significant difficulty is measuring the scope of the exposure, because Log4j is embedded in so many different pieces of software; this makes the tool’s reach very difficult to track.
Log4j is a Java-based logging library, or logging framework, released for free by the non-profit Apache Software Foundation. A logging library is code you embed into your application to create and manage log events.
The software framework is used broadly in various consumer and enterprise services, websites, and applications. It is also used to track performance and record user activity. Bloomberg notes that, ironically, those detailed logs can help programmers debug software. The free, open-source platform is installed on millions of devices and had been widely trusted by small and large companies alike before this event.
According to researchers at cyber security technology company Bitdefender, the current flaw in Log4j allows attackers to download and run scripts on targeted servers. This can allow attackers to steal data and install malware. The vulnerability has been called “Log4Shell” as it gives attackers shell access to a server’s system.
This is essentially a dream for attackers, as it gives them complete remote control of millions of systems. Cybercriminals can use this attack for anything from mining cryptocurrency to large-scale assaults on internet infrastructure. It is especially concerning if the attacker installs ransomware, which lets the criminal lock up data until a payment is received.
To make matters worse, the bug is easy for an attacker to exploit. According to the security company F-Secure Oyj, ransomware and malware attacks that take advantage of the flaw in Log4j have already been detected.
When former Log4j developer Christian Grobmeier, now a vice president at the Apache Software Foundation, heard of the issue, he immediately realized how pervasive the problem is, stating, “I was just realizing how many people were using this software. This is basically half of the world, maybe even more. This is just crazy.”
This includes a long list of tech giants, including Apple, Amazon, Cloudflare, IBM, Microsoft Corp.’s Minecraft, Palo Alto Networks Inc., and Twitter. According to Mandiant Inc. and Microsoft Corp., attackers exploiting Log4j are believed to be linked to China and Iran. However, Microsoft has also seen nation-backed hackers from North Korea and Turkey.
Although Beijing denies it, Microsoft believes one of these groups may be the same one responsible for the hack of its Exchange Server email product earlier in the year. Researchers at Check Point Software Technologies have tracked more than 1.27 million attempts by hackers to exploit the vulnerability, affecting almost half of their corporate customers’ networks.
According to industrial cybersecurity firm Dragos, the issue extends well beyond tech companies. The library is so widely used that the problem is vendor-agnostic and affects both proprietary and open-source software. This leaves industries such as electric power, water, food and beverage, manufacturing, transportation, and more vulnerable to Log4j exploitation.
Volunteers at the Apache Software Foundation have worked diligently to release security updates in response to the vulnerability. On December 10 and 13, Apache released separate security updates to address it.
Separately, the United States government stepped in due to the severity of the issue. The main goal of U.S. officials right now is communicating with cybersecurity companies, cloud service providers, and telecommunications businesses to inform them about the issue.
According to Eric Goldstein, Executive Assistant Director of the Cybersecurity and Infrastructure Security Agency, U.S. agencies have not seen evidence of their systems being breached. President Biden has mandated that all agencies patch their systems by Christmas Eve (WSJ) to ensure protection. Despite the measures being taken, Bitdefender wrote that the vulnerability would likely persist for an extended period due to the widespread use of the framework.
According to Easterly, business leaders cannot delay measures to protect themselves from the Log4j vulnerability, and it is essential not to overlook her advice. Peter Membrey, Chief Architect of ExpressVPN, said, “As soon as I saw how you could exploit it, it was horrifying … like one of those disaster movies where there’s a nuclear power plant, they find it’s going into meltdown, but they can’t stop it. You know what’s coming, but there are minimal things you can do.”
Security updates
Thankfully, CISA has provided a webpage with Apache Log4j vulnerability guidance. CISA recommends that users refer to the vendors of their products and services for security updates. Vendors should immediately identify, mitigate, and update affected products that use Log4j. Vendors are also responsible for informing their end users about products that contain these vulnerabilities and for strongly urging them to prioritize software updates.
Here are some of the main tips that CISA has provided thus far:
CISA also suggests installing a web application firewall whose rules update automatically, so that your team can concentrate on fewer alerts. Other companies, including Oracle Corp., have also released patches for the vulnerability. Beyond these updates, Teresa Walsh, Global Head of Intelligence at the Financial Services Information Sharing and Analysis Center, also recommends limiting unnecessary outbound internet traffic to further protect vulnerable systems.
In summary, it is imperative to check whether you are susceptible to Log4j attacks. Given its wide use, there is a good chance that you are! So what do you do now? Stay informed, do everything you can to mitigate your risk, and keep your software updated.
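As a defender-side illustration of the “check if you are susceptible” advice, here is an added Python example (not from the article, CISA, or the Apache project) that inventories the JAR files under a directory, reads the log4j-core version from the Maven metadata shipped inside each JAR, falls back to the version in the filename, and flags copies whose version cannot be determined (for example log4j-core classes shaded into an application’s own JAR, the tracking problem the article describes). The fixed version numbers are not stated in the article, so the minimum acceptable version is a parameter you take from your vendor’s advisory; the file names and version strings in demo() are constructed fixtures.

```python
import re
import tempfile
import zipfile
from pathlib import Path
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_PKG = "org/apache/logging/log4j/core/"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when text is not a dotted number."""
    ok = re.fullmatch(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in text.split(".")) if ok else None

def inspect_jar(path):
    """Return (has_log4j_core, version); version is None when it cannot be read."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = jar.namelist()
            if POM_PROPS in names:  # Maven metadata shipped inside log4j-core itself
                for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return True, line.split("=", 1)[1].strip()
            if not any(n.startswith(CORE_PKG) for n in names):
                return False, None  # no log4j-core classes at all
    except zipfile.BadZipFile:
        return False, None
    m = re.match(r"log4j-core-(\d+(?:\.\d+)*)\.jar$", path.name)  # filename fallback
    return True, (m.group(1) if m else None)

def scan(root, min_fixed):
    """Classify every JAR under root carrying log4j-core as ok/vulnerable/unknown."""
    min_v = parse_version(min_fixed)
    findings = {}
    for path in Path(root).rglob("*.jar"):
        has_core, ver = inspect_jar(path)
        if has_core:
            v = parse_version(ver)
            status = "unknown" if v is None else ("vulnerable" if v < min_v else "ok")
            findings[path.name] = (ver, status)
    return findings

def demo(min_fixed):
    # Constructed fixtures, not real artefacts: an old JAR with Maven metadata,
    # a newer JAR identified by filename only, and a shaded copy with no version.
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(Path(tmp) / "log4j-core-2.14.1.jar", "w") as z:
            z.writestr(POM_PROPS, "version=2.14.1\n")
        with zipfile.ZipFile(Path(tmp) / "log4j-core-2.99.0.jar", "w") as z:
            z.writestr(CORE_PKG + "Logger.class", b"")
        with zipfile.ZipFile(Path(tmp) / "app-all.jar", "w") as z:
            z.writestr(CORE_PKG + "lookup/Interpolator.class", b"")
        return scan(tmp, min_fixed)
```

Anything reported as “unknown” needs a manual look, since a shaded or renamed copy is exactly what an inventory by filename alone would miss.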
The Log4j vulnerability is just one of many cyber threats. Once Log4j is resolved, it won’t be long before a new threat pops up that could put your business at risk, not to mention the many other forms of cyber threats occurring every day.
As a managed service provider, we find it critical to stay ahead of these cyber threats with proactive processes and technology. This helps ensure that our business and our clients’ business are not at significant risk when new threats arise.
If you are interested in learning the best cybersecurity tools and processes to mitigate the risk of a cyber attack, check out this article: The Best Cybersecurity Tools to Protect Your Business From Cyber Attacks.