The Log4J bug that created vulnerabilities in millions of devices in December 2021 is still persistent in the new year, and will likely continue well past 2022 according to experts, with some predicting it could take years to address. Also known as Log4Shell, this exploit allows hackers to take advantage of a serious error in a logging tool used in Java programs that are embedded in some of the biggest technology brands, including Oracle, IBM and Amazon Web Services (AWS).
What is Log4J?
Apache Log4J 2 is the latest version of an open-source Java utility developed by the Apache Software Foundation, providing a logging framework that enables systems to record, track and otherwise manage errors and other events in their code. The vulnerability appeared in Log4J 2.14, with Apache releasing the updated 2.15 version 3 days before publicly announcing the zero-day exploit. However, subsequent bugs were found and as of this writing 2.17.1 is the latest version, containing several fixes to prevent intrusion.
The Log4J Bug & Log4Shell
Log4Shell was discovered and brought to Apache’s attention on November 24, 2021, by a security researcher at Alibaba Cloud, although it is believed to have existed since 2013. It was disclosed to the public at large December 8, 2021, preceding a chaotic scramble as enterprise vendors rushed to assess the risk to their systems and roll out stopgap fixes. Simultaneously, Microsoft’s security researchers noted a spike in hacker activity that could be traced back mostly to probing operations carried out across the malware ecosystem, although they also uncovered evidence of attempts made before even the public announcement.
The Widespread Risk of the Vulnerability
The Log4J bug has spawned multiple CVE (Common Vulnerabilities and Exposures) notices beyond even just the initial Log4Shell that potentially affect “hundreds of millions” of devices in widespread usage today. Since the exploit leverages a remote code execution (RCE), cloud services like AWS and Google Cloud are particularly vulnerable, with some experts claiming that up to 93% of all cloud-based environments being at risk. Other possibly impacted platforms include VMware, Microsoft Azure and RedHat.
Cyber Attacks Using Log4J
Cybersecurity research and defense teams have seen multiple attacks in the wild attempting to leverage Log4J exploits since the news broke, including some firsthand as their clients were in the process of being hacked. According to Microsoft’s own security researchers, the majority of activity still revolves around scanning for vulnerable systems (which includes legitimate professionals checking internally for affected components), but some cybercriminals have already directly breached several systems with the zero-day. Attacks seen so far have included “cryptojacking” for cryptocurrency mining as well as botnet networks, two models that take control of a computer’s processing power for the hacker’s external usage.
The malware ecosystem quickly jumped on Log4Shell with ransomware gangs buying credentials and other data from access brokers who already breached vulnerable systems. Ransomware as a Service (RaaS) affiliates have been extra active around Log4J bugs, with a large-scale cryptocurrency platform hosted in Vietnam hacked and extorted for $5 million only a few days after it became public news. This attack in particular revealed deeper potential dangers tied to the Log4Shell vulnerability, as it also leveraged AWS misconfigurations seen in past breaches, reflecting how hackers can take advantage of multiple exploits.
Besides the typical cybercriminal syndicates, many nation-state hackers and gangs known to be tied to national cyber espionage groups (with all the overlap in-between) seem to be especially interested in the Log4J exploit. Several Chinese APTs (advanced persistent threats) as well as teams tracked out of Iran, North Korea and Turkey have been observed testing possible toolkits being developed to take advantage of the bug for future attacks. The real-world consequences of this may already be apparent, as the Belgian defense ministry was breached using a Log4J exploit.
Exacerbating the impact of Log4Shell is a warning from the Federal Trade Commission (FTC) alerting companies regulated under the Gramm Leach Bliley Act and similar laws that they are expected to quickly apply fixes to the vulnerability, or face penalization for nonconformance. They specifically referred to the 2017 Equifax breach and subsequent $700 million settlement with the FTC as a very explicit example of the consequences of a breach, with promises from the agency to “use its full legal authority” against businesses that do not take the recommended steps to mitigate exposure.
Work with SWK to Protect Your Business from Log4J
The good news for clients of SWK Technologies is that our team has been painstakingly reviewing our deployed systems since the news came to our attention, and have worked to patch any vulnerable components in our portfolio. If you have questions about what to do about the rest of your technology stack or about handling Log4J in general, please reach out to us promptly to get in touch with one of our experts.
Contact SWK today to learn about how we keep your systems protected from threats like Log4J.
Reach out to the cybersecurity experts at SWK