The Log4j security vulnerability known as Log4Shell is shaping up to be one of the worst security flaws of the year, potentially affecting millions of applications and painting a bullseye on unpatched systems that hackers can compromise and control. Fortunately, there are steps you can take to make sure your own systems are protected.
SEE: Patch management policy (TechRepublic Premium)
Revealed last week but reported to Apache in November, Log4Shell is a zero-day vulnerability in the company’s Log4J utility, which is used by developers and organizations around the world to log requests and error messages for Java applications. Since Java is such a ubiquitous programming language, the flaw impacts a huge number of applications, systems and servers.
Designated as CVE-2021-44228 by The National Institute of Standards and Technology (NIST), the bug also is easy to exploit, requiring little or no programming skills. And though Apache has released an updated and patched version of the tool, affected users may not be able to upgrade quickly enough. For that reason, hackers are hungrily looking for unpatched systems that they compromise. If successful, an attacker can then gain control of a server to install malware, steal confidential information or mine digital currency.
“It’s safe to say this vulnerability will have, and already is having, a massive effect on the industry,” said Dan Piazza, technical product manager for Netwrix. “Log4j is used by thousands of applications, libraries, and frameworks, meaning the number of potentially impacted organizations is staggering. And with attackers already scanning the internet to find vulnerable targets, if organizations haven’t already started taking mitigation steps then it may already be too late.”
No actual breaches have officially been announced yet, according to security provider Cloudflare. But security researchers are seeing plenty of attempts.
In a blog post published Tuesday, Cloudflare said that its researchers are currently watching around 1,000 attempts per second actively trying to exploit the flaw. Fellow security firm Bitdefender said it’s observed real-world attacks on machines outfitted with its endpoint protection product. Specifically, the firm has discovered several attacks trying to exploit the bug with the intent of launching crypto jacking campaigns once server access has been achieved.
One botnet spotted by Bitdefender in the attempt is Muhstik, a threat that takes advantage of vulnerabilities in web applications. Also trying to exploit the Log4Shell flaw has been XMRIG miner, which uses computing resources to mine digital currency without the owner’s knowledge or permission. Of course, ransomware is never far behind in a flaw like this. A new ransomware family named Khonsari seems to be targeting Linux servers, according to Bitdefender.
Security provider Check Point Software said it has discovered more than 1.2 million attempts to exploit the vulnerability, stretching across 44% of corporate networks around the world. One specific attack seen by Check Point hit five victims in finance, banking, and software across the US, Israel, South Korea, Switzerland and Cyprus. In this one, cybercriminals able to exploit the flaw can install a Trojan malware, which downloads an executable file that then installs a cryptominer.
SEE: NIST Cybersecurity Framework: A cheat sheet for professionals (free PDF) (TechRepublic)
Recommendations for mitigating the Log4j vulnerability
Organizations affected by the Log4Shell flaw are urged to upgrade Log4j to version 2.16.0, released by Apache on December 13. Initially, the company deployed version 2.15.0 to mitigate the bug, but that version was itself flawed in that it could let someone execute a denial of service attack. Anyone still using Java 7 should upgrade to the Log4j 2.12.2 release, according to Apache.
Despite previous advice, just updating Java is not enough to combat the bug, Piazza said.
“For organizations that still need to mitigate the vulnerability, they must update the log4j package itself and should not just update Java,” Piazza said. “This was an early misconception, that updating Java could reduce the severity of the vulnerability, which is simply not true. It’s also a good idea to consult with software vendors to see if they use log4j in any way, and if so if they’ve already provided patches for their products.”
Third parties also have been quick to launch their own patches and tools to combat the vulnerability. Cisco, Oracle and VMware have rolled out patches and fixes. Open source security provider WhiteSource released a free developer tool called WhiteSource Log4j Detect that organizations can run to detect and resolve Log4j vulnerabilities.
“If an organization uses log4j or software that includes the library, then it’s safest to assume breach and review potentially impacted applications for odd behavior,” Piazza said. “Furthermore, if an organization feels they’re already breached then they should consult an incident response firm and remove all physical network access to the affected server.”
As hackers continue to look for vulnerable systems, however, organizations need to act fast to protect themselves from this flaw being used against them.
“This vulnerability, because of the complexity in patching it and easiness to exploit, will stay with us for years to come, unless companies and services take immediate action to prevent the attacks on their products by implementing a protection,” said Lotem Finkelstein, head of threat intelligence at Check Point Software. “Now is the time to act. Given the holiday season, when security teams may be slower to implement protective measure, the threat is imminent. This acts like a cyber pandemic — highly contagious, spreads rapidly, and has multiple variants, which force more ways to attack.”