Opinion: Logging vulnerability


The potential to abuse these systems has already caught the eye of cybercriminals. Picture: https://securityintelligence.com/posts

Unless you’ve been in lockdown and/or incommunicado for the last week or so, you will know that the most devastating cybersecurity flaw in years, or even decades, has sparked widespread alarm. It exists in a universally used logging framework for Java applications, presenting bad actors or hackers with an unprecedented gateway to penetrate and compromise millions of servers and other digital devices globally.

According to TheHackerNews.com and other cybersecurity sites and blogs, and even CNN, this remotely exploitable flaw also impacts thousands of major products and services from companies such as Amazon, Apache, Apereo, Atlassian, Broadcom, Cisco, Cloudera, ConnectWise, Debian, Docker, Fortinet, Google, IBM, Intel, Juniper Networks, Microsoft, Okta, Oracle, Red Hat, SolarWinds, SonicWall, Splunk, Ubuntu, VMware and Zoho, among many others, posing an unprecedented software supply chain risk.

According to Check Point, the Israeli cybersecurity firm, unlike other major cyberattacks that involve one or a limited number of software products, Log4j is embedded in practically every Java-based product or web service. The vulnerability has been dubbed Log4Shell, and it is very difficult to remediate manually.

Because of the complexity of patching it and the ease of exploiting it, the vulnerability is likely to be around for years to come, unless companies and services take immediate action to protect their products by installing the patches or upgraded versions and thoroughly vetting all of their software applications and servers.

How many are willing to take the time and effort to carry out this exercise with its related costs and possible downtimes?

To illustrate the severity of this vulnerability: this piece of Java logging software, Log4j, is used in many applications and software packages and, more critically, in networking equipment including firewalls and other intrusion detection devices. It is part of a widely used library of software modules that are integrated into many applications and Internet services. In fact it is so widespread that you may not even know how many applications or services on your PC, laptop or smartphone may be using Log4Shell.

In the days after the vulnerability was publicised, many cyberattackers jumped on the exploit bandwagon, and almost 80 per cent of corporate networks globally had already come under attack as of December 15. Furthermore, criminal gangs acting as access brokers have begun using the vulnerability to gain an initial foothold in target networks and then sell that access to ransomware-as-a-service (RaaS) affiliates on the Darknet, following the business model which I had highlighted in previous articles.

Incidentally, this now includes nation-state actors originating from China, Iran, North Korea and Turkey, with Microsoft’s detection team noting that the “activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives”. The large-scale weaponisation of the remote code execution flaw has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add Log4Shell to its Known Exploited Vulnerabilities Catalog, giving federal agencies a deadline of December 24 to incorporate patches for the vulnerability and urging vendors to “immediately identify, mitigate, and patch affected products using Log4j”.

Although hackers have been exploiting the bug since the beginning of December, according to researchers from Cisco and Cloudflare, attacks ramped up dramatically following Apache’s disclosure last week. So far, cyberattackers have exploited the flaw to install cryptominers on vulnerable systems, steal system credentials, burrow deeper within compromised networks, and steal data, according to a recent report from Microsoft. The range of impacts is so broad because of the nature of the vulnerability itself.

Software developers use logging frameworks to keep track of what happens in any given application. To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code.

From there they can load arbitrary code on the targeted server and install malware or launch other attacks. Notably, the crafted string can be delivered in seemingly benign ways, such as by sending it in an email or setting it as an account username. Whilst the full extent of the exposure is still emerging, less fastidious organisations or smaller developers who lack resources and awareness will be slower to confront the Log4Shell threat.

The vulnerability is already being used by a “growing set of threat actors”, US Cybersecurity and Infrastructure Security Agency director Jen Easterly said in a statement last Saturday. She added that the flaw is “one of the most serious I’ve seen in my entire career, if not the most serious” in a call with critical infrastructure operators on Monday, as first reported by CyberScoop. In that same call, a CISA official estimated that hundreds of millions of devices are likely affected. The hard part will be tracking all of those down. Many organisations don’t have a clear accounting of every program they use and, more importantly, of the software components within each of those systems. The UK’s National Cyber Security Centre emphasised last Monday that enterprises need to “discover unknown instances of Log4j” in addition to patching the usual suspects.

By its nature, open source software can be incorporated wherever developers want, meaning that when a major vulnerability crops up, exposed code can lurk around every corner. Even before Log4Shell, software supply chain security advocates had increasingly pushed for “software bills of materials”, or SBOMs, to make it easier to take stock and keep up with security protections. Security professionals note that while it’s important to be aware of the vulnerability’s inevitable lasting impact, the first priority is to take as much action as possible now to shorten that tail as the frenzy of exploitation continues. “If you have an internet-facing server vulnerable to Log4Shell that you haven’t patched yet, you almost certainly have an incident response on your hands,” says incident responder and former NSA hacker Jake Williams. “Threat actors were quick to operationalise this vulnerability.”
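One practical way to act on the NCSC’s advice to “discover unknown instances of Log4j”, and a first step towards the SBOM-style accounting of components described above, is to inventory the JAR and WAR files on a host, including JARs nested inside other archives. The following is an added example and not code from the article; it assumes Maven-packaged log4j-core artifacts (which carry a pom.properties file with their version), and the minimum patched version passed to needs_upgrade is an input you take from your vendor’s advisory, not a value stated here.

```python
import io, os, re, tempfile, zipfile
LOG4J_CORE = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """Return the version= value from a pom.properties body, or None."""
    m = re.search(r"^version=(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def version_tuple(v):
    """Numeric prefix of a version string, e.g. '2.14.1-rc1' -> (2, 14, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))

def scan_archive(data, label, findings):
    """Recursively walk archive bytes and record every log4j-core found."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a real archive despite its extension
    with zf:
        for name in zf.namelist():
            if name == LOG4J_CORE:
                text = zf.read(name).decode("utf-8", "replace")
                findings.append((label, parse_version(text)))
            elif name.lower().endswith(ARCHIVE_EXT):
                # Fat JARs and WARs bundle dependencies as nested archives.
                scan_archive(zf.read(name), f"{label}!{name}", findings)

def inventory(root):
    """Return [(archive path, version)] for each log4j-core under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXT):
                with open(os.path.join(dirpath, f), "rb") as fh:
                    scan_archive(fh.read(), os.path.join(dirpath, f), findings)
    return findings

def needs_upgrade(version, minimum):
    """True if version is below the minimum your vendor advisory requires."""
    return version is None or version_tuple(version) < version_tuple(minimum)
def build_sample_tree():
    """Constructed fixture: app.war bundling a log4j-core JAR with made-up version 1.2.3."""
    root = tempfile.mkdtemp()
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(LOG4J_CORE, "artifactId=log4j-core\nversion=1.2.3\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-1.2.3.jar", inner.getvalue())
        z.writestr("WEB-INF/lib/broken.jar", b"not an archive")  # junk with a .jar name
    return root
```

Run `inventory("/path/to/app")` against a real deployment directory; each hit names the outer archive and, after `!`, the nested path where the library was found, which is exactly the information a hand-maintained inventory usually lacks.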

Williams adds that while logging systems are important and it can be risky to implement fixes quickly, it should be technically doable—and worth it—for most organisations. “On the defense side, we’re seeing a lot of enterprises afraid to patch without testing,” he says.

“That’s the wrong approach in this case.” The concern remains, too, that the situation could get even worse. Attackers could potentially develop a worm that exploits the flaw and spreads automatically from one vulnerable device to the next. But while it’s technically possible, it may not be a top priority for malicious hackers, as they are more likely trying to breach networks to insert covert command and control malware. Cyberattackers will still look for creative new ways to discover and continue exploiting as many vulnerable systems as possible.

The scariest part of Log4Shell, though, is how many organisations won’t even realise that they have systems or applications at risk, as many use customised or even in-house developed software that integrates the modules or libraries affected by Log4Shell. Once it’s compiled and working as expected, who goes back to check the original code, assuming it’s still available and the developers properly documented everything?

As former Chairman of Microsoft John W. Thompson points out: “Second issue is the rapidly accelerating increase in the number of vulnerabilities that get discovered every day. And, equally importantly, is the shortening of time between the discovery of the vulnerability and the release of an exploit”.

Here’s acknowledging that some information was sourced, distilled and quoted from cybersecurity sites, blogs and news agencies. As always, God bless and stay safe in both digital and physical worlds this weekend.

ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com