A recently discovered vulnerability in the popular Log4j software has handed hackers a field day while leaving the cybersecurity community scrambling. Log4j is a logging library for the Java programming language, used by millions of websites and apps, including Apple iCloud, Amazon Web Services, and Minecraft. Experts estimate that attempts to exploit the flaw have reached hundreds of thousands or even millions.
Jen Easterly, U.S. Cybersecurity and Infrastructure Security Agency (CISA) director, commented, “The Log4j vulnerability is the most serious vulnerability I have seen in my decades-long career.”
What is Log4j?
Log4j is open-source software provided by the Apache Software Foundation and is ubiquitous across many operating systems. The software records system events and communicates them to administrators and users.
For example, if you type the wrong web address, you receive a 404 error message saying the page you are looking for does not exist. The web server uses Log4j to record that event and transmit it to system administrators.
Log4Shell: The Log4j Vulnerability
Log4Shell, the zero-day vulnerability in Log4j, stems from the way Log4j lets text inside a log message be interpreted as a formatting instruction rather than simply recorded. If there were no malicious actors in the world, that would be fine. But what happens when hackers discover that they can craft such instructions themselves? They can send them to targeted computers to steal personal information, take control of the system, and more.
For example, hackers can trigger log messages (like the 404 error message) that include malicious content. Log4j will process the message, which can create a reverse shell and allow hackers to gain remote control of the server.
So far, there have been reports of hackers installing cryptocurrency mining software on hacked computers, ransomware attacks on Minecraft users, and geopolitical enemies breaching each other’s government agencies and businesses.
Why Are the Challenges of Log4Shell So Significant?
Several aspects of Log4Shell make it very serious. First, Log4j software is incredibly widespread. It is not as if the lock on one door is broken; the locks on millions of doors are.
Second, Log4j is often bundled with other software, so some system administrators do not even know their systems use it. Cybersecurity experts have been working around the clock just to ascertain whether their clients have Log4j in their systems.
For now, CISA has announced the release of a scanner that can identify web services impacted by the Log4j remote code execution flaw. That will help companies that are not aware of their digital assets, but not those whose data has already been compromised.
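As an added illustration of the inventory problem described above (this is example code written for this page, not the CISA scanner or any Apache tool), the following Python script walks a directory tree, opens JAR/WAR/EAR archives including ones nested inside other archives, and reports every Log4j core library it finds, its self-declared version, and whether the JndiLookup class is still present. The safe-version threshold is an assumed placeholder to be set from the current Apache advisory; the sample archives it scans are constructed in a temporary directory so the script runs offline.

```python
"""Added example: inventory scanner for Log4j core libraries on disk.
Not the CISA scanner or any Apache tool; written to illustrate the
"do we even have Log4j?" question the article describes."""
import io
import os
import tempfile
import zipfile

# Maven metadata shipped inside log4j-core JARs; its version= line is the
# library's self-declared version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The lookup class behind Log4Shell. Reported separately because deleting it
# from the JAR was an accepted mitigation on systems that could not upgrade.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Assumed placeholder threshold: set this from the current Apache Log4j
# security advisory for the Java version in use.
MIN_SAFE_VERSION = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Leading digits of each dotted part are kept;
    pre-release suffixes such as '-rc1' are ignored."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def inspect_archive(data, label, findings, min_safe):
    """Inspect one archive given as bytes; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = None
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
            findings.append({
                "location": label,
                "version": version,
                "has_jndi_lookup": JNDI_CLASS in names,
                "below_min_safe": version is not None and parse_version(version) < min_safe,
            })
        # Fat JARs, WARs and EARs carry libraries inside them; descend.
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                inspect_archive(zf.read(name), f"{label}!{name}", findings, min_safe)


def scan_tree(root, min_safe=MIN_SAFE_VERSION):
    """Walk a directory tree and return findings sorted by location."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), label, findings, min_safe)
    return sorted(findings, key=lambda f: f["location"])


def _make_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core JAR (not a real build artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # stub class bytes
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample layout: an old JAR, a stripped JAR, an unrelated JAR,
    and a WAR with a newer log4j-core nested inside."""
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "webapps"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(_make_jar("2.14.1"))
    with open(os.path.join(root, "lib", "log4j-core-stripped.jar"), "wb") as fh:
        fh.write(_make_jar("2.14.1", include_jndi=False))
    with open(os.path.join(root, "lib", "other.jar"), "wb") as fh:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        fh.write(buf.getvalue())
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _make_jar("2.17.1"))
    with open(os.path.join(root, "webapps", "app.war"), "wb") as fh:
        fh.write(war.getvalue())


def demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Point scan_tree at real application and container directories to get a first-pass inventory; a finding with the lookup class present and a version below the threshold is one to prioritise, while a JAR whose version cannot be read still deserves a manual look, since the script only trusts the library's own metadata.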
A third challenge regarding Log4Shell is that it is relatively easy to exploit—in Minecraft it is as simple as typing one line of malicious code into the public chat box. But while exploitation is easy, patching it requires intense, customized effort from cybersecurity experts. The fix depends on how the software is incorporated into the system and can require different plans of action.
Preparing for Future Attacks
The discovery of Log4Shell has left companies and government agencies scrambling to see whether their systems use Log4j and whether they need to be patched. But is there anything we can learn about this vulnerability that can help prepare for future attacks? At this stage of the game, we know that cyberattacks are regular occurrences. The question isn’t “if” another large-scale flaw will be exploited, but “when.”
According to Mark Manglicmot, Vice President of Security Services at Arctic Wolf, the Log4j vulnerability highlights the importance of every company knowing their digital assets. Companies that don’t know what they have will be left playing catch-up when the next big attack hits. Those that are aware of their digital assets will be able to mitigate the damage more quickly.