
Log4J vulnerability will haunt the Internet for years


A hole in the open source Apache logging library Log4j sent system administrators and security experts scrambling last weekend. Dubbed Log4Shell, the vulnerability has left some of the world’s most popular applications and services exposed, and the outlook has not improved since the flaw was announced on Thursday. If anything, it’s clear that Log4Shell will continue to wreak havoc on the Internet for years to come.

Hackers have been exploiting the bug since the beginning of the month, according to researchers from Cisco and Cloudflare, but attacks have increased significantly following Apache’s disclosure on Thursday. To date, attackers have exploited the vulnerability to install encryption tools on vulnerable systems, steal system credentials, dig deeper into compromised networks and steal data, according to a recent report from Microsoft.

The range of effects is very wide because of the very nature of the vulnerability itself. Developers use a logging framework to keep track of what happens in a given application. To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string. From there they can load arbitrary code onto the targeted server and install malware or launch other attacks. Notably, hackers can introduce the string in seemingly benign ways, such as by sending it in an email or setting it as an account username.

Big tech players, including Amazon Web Services, Microsoft, Cisco, Google Cloud and IBM, all found that at least some of their services were vulnerable and rushed to issue fixes and advise customers on how best to proceed. However, the exact extent of the exposure is still being assessed. Less well-resourced organizations and smaller developers may lack the resources and awareness, and will be slower to respond to the Log4Shell threat.

Independent security researcher Chris Frohoff said: “It is almost certain that for years, people will be discovering the long tail of vulnerable software as they think of new places to put exploit strings.” “This will likely show up in reviews and penetration tests of custom enterprise apps for a long time.”

The vulnerability has been used by “a growing group of threat actors,” US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said in a statement on Saturday. She added that the vulnerability was “one of the most egregious flaws I’ve seen in my entire career, if not the most severe” during a call with critical infrastructure operators on Monday, as first reported by CyberScoop. During that same call, a CISA official estimated that hundreds of millions of devices were potentially affected.

The hard part will be keeping track of all of that. Many organizations do not have a clear accounting of every program they use and of the software components in each of those systems. The UK’s National Cyber Security Centre emphasised on Monday that businesses need to “discover unknown Log4j instances” in addition to patching the usual suspects. In essence, open source software can be incorporated anywhere developers want, meaning that when a major security hole emerges, exposed code can lurk around every corner. Even before Log4Shell, software supply chain security advocates increasingly pushed for a “software bill of materials,” or SBOM, to make it easier to inventory software and keep up with new security protection measures.
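As an added example (not from the article or any named project), here is a small Python inventory scanner that walks an application archive, including JARs nested inside WARs and fat JARs, and records every bundled log4j-core copy with its declared version and whether the JndiLookup class is still present. The two marker paths are real log4j-core artifact paths; the sample WAR, its version string and the class-removal check are my own constructed assumptions, and which versions count as acceptable is left to the reader's patch policy.

```python
import io
import zipfile

# Hypothetical inventory scanner (added example, not the article's or any project's code).
# These two paths exist inside genuine log4j-core artifacts.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")


def find_log4j(archive: bytes, location: str = "archive") -> list:
    """List every log4j-core copy in an archive, recursing into nested archives.

    Each finding records where the copy sits, its declared version, and whether
    JndiLookup.class is still present (deleting it was one published mitigation).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = "unknown"
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
            findings.append({"location": location, "version": version,
                             "jndi_lookup_present": JNDI_LOOKUP in names})
        # Fat JARs, WARs and EARs bundle libraries as archives inside archives,
        # which is exactly where an "unknown instance" hides from a filename scan.
        for name in sorted(names):
            if name.lower().endswith(NESTED):
                findings.extend(find_log4j(zf.read(name), f"{location}!{name}"))
    return findings


def _make_jar(entries: dict) -> bytes:
    """Build an in-memory archive from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


def sample_war() -> bytes:
    """Constructed WAR: one copy with JndiLookup removed, one untouched copy nested deeper."""
    props = b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n"
    stripped = _make_jar({POM_PROPS: props})
    intact = _make_jar({POM_PROPS: props, JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
    vendor = _make_jar({"META-INF/MANIFEST.MF": b"", "lib/log4j-core.jar": intact})
    return _make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": stripped,
                      "WEB-INF/lib/vendor-bundle.jar": vendor})
```

Running `find_log4j(sample_war(), "app.war")` reports both copies, and the second one only because the scanner descends into the vendor bundle rather than trusting top-level filenames.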
