Dubbed as one of the most severe vulnerabilities on the internet by Check Point Software TechnologiesOpens a new window , hackers have leveraged Apache’s Log4j flaw to target more than 40% of corporate networks worldwide. Since the vulnerability was first reported on December 10, nearly a third of all web servers worldwide have been compromised, making Log4j a potentially catastrophic circumstance, according to CybereasonOpens a new window . Here are details and recommendations organizations can use to detect future attack variants.
One of the leading cybersecurity firms, Check Point, described Log4j as “one of the most serious vulnerabilities†in recent years. According to their blog postOpens a new window , over 4,300,000 attempts were prevented from granting access to the vulnerability and known malicious groups made more than 46% of those attempts. As more and more companies claw their way to patching the vulnerability, it’s critical to understand everything that’s happened since the Log4j vulnerability was exposed.Â
Here’s what you need to know:
What Is the Log4j Zero-Day Vulnerability?
Coded in Java, Log4j is open-source software created by Apache Software Foundation’s developers to run across three platforms, macOS, Windows, and Linux. The open-source software allows users to create a built-in “log†or record of activity to troubleshoot issues or even track data within their programs. According to cybersecurity experts, the open-source and free nature of this software is the reason why it was used as the “logging library†across the globe, leading to the attack.Â
In a tweet, Alejandro Mayorkas, who oversees as the secretary of homeland security, called Log4j, “one of the most critical cyber vulnerabilities ever encountered,†on Wednesday. He further urged organizations of “all sizes†to evaluate guidelines on the Apache Log4j vulnerability.
DHS is currently responding to one of the most critical cyber vulnerabilities ever encountered. I urge organizations of all sizes to review @CISAgovOpens a new window guidance on the Apache Log4j vulnerability and take quick action to secure their systems:
— Secretary Alejandro Mayorkas (@SecMayorkas) December 15, 2021Opens a new window
As the threat surface of the zero-day vulnerability grows, more open-source software applications continue to be at risk, warned security experts. Kayla Underkoffler, senior security technologist, HackerOne, earlier told Toolbox, “open-source software is behind nearly all modern digital infrastructure, with the average application using 528 different open-source components.†As most organizations lack control over open-source software, it becomes highly difficult to fix these supply chain weaknesses, Underkoffler pointed.Â
See More: 7 Key Insights on Building a Security Mindset To Guard Against Cyber Crime
Log4j Vulnerability: When Did Hackers Start Exploiting the Flaw?
Several reports confirmOpens a new window that on November 24, after Alibaba’s cloud security team member wanted to “report a security bug,†Apache’s open-source project team received an email notification, which alerted them about a massive cyber attack being planned across the globe.Â
However, the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) first tweeted about the Apache Log4j flaw on December 10, urging companies to “upgrade ASAP†and protect their systems from the remote code execution (RCE) vulnerability.
Upgrade ASAP to protect yourself from the #RCEOpens a new window vulnerability, CVE-2021-44228, affecting Apache Log4j. Read more at #ZeroDayOpens a new window #CybersecurityOpens a new window #InfoSecOpens a new window
— US-CERT (@USCERT_gov) December 10, 2021Opens a new window
According to the cybersecurity researchers at Check Point, over 60 new variations of the original vulnerability patch were introduced in less than 24 hours since its release, spreading the threat landscape to millions of systems.
See More: Building Security Into Products, People, and Processes: Tech Talk With SailPoint’s CISO
How Log4j Works and What Are Hackers Exploiting?
Per Nozomi Networks attack analysisOpens a new window , the “new zero-day vulnerability in the Apache Log4jOpens a new window logging utility that has been allowing easy-to-exploit remote code execution (RCE).†Attackers can use this security vulnerability in the Java logging library to insert text into log messages that load the code from a remote server, security experts at Sophos explain.
Further, the targeted server by attackers can execute a code via calls to the Java Naming and Directory Interface (JNDI), which connects its interface with several services such as Lightweight Directory Access Protocol (LDAP), Domain Name Service (DNS), Java’s Remote Interface (RMI). Attackers will then exploit LDAP, DNS, RMI, and URLs by redirecting to an external server, informed Sophos.
However, “The real problem with a Log4j attack at this point is that the attackers know patches are available and that most vulnerable systems are being updated as quickly as possible,†Tim Mackey, principal security strategist, Synopsys Cybersecurity Research Center told Toolbox.Â
“This means that they can’t afford to carefully craft an attack and are far more likely to install or copy a piece of code that’ll lay dormant on the compromised system. When that dormant code is activated, that’s when we’ll see some of the more sophisticated attacks,†Mackey added.
See More: Cybersecurity Awareness Training: 6 Tips To Raise the Bar on Security
Who Is Affected by the Log4j Attack?
Several enterprises have fallen victim since the Log4j flaw came to light, exposing millions of devices. From cloud platforms to email services and web applications, the Log4j vulnerability has put big tech companies such as Microsoft, Apple, IBM, Oracle, Cisco, Google, Minecraft, and more at risk, as per Check Point.Â
While Microsoft owned Minecraft, the popular video games company, is reportedly one of the first few impacted by the Log4j vulnerability, 12 cybersecurity vendors have also been impacted by the Log4j vulnerability. These include identity management vendors such as CyberArk, ForgeRock, Okta, Ping Identity, Broadcom, Fortinet, F-Secure, Rapid7, RSA Security, SonicWall, Sophos, and VMware Carbon Black, according to CRNOpens a new window .
In a blog, cybersecurity researchers of Check PointOpens a new window also warned about detecting an attack involving a .NET-based malware. “This specific attack affected five victims in the finance, banking, and software industries in countries including Israel, United States, South Korea, Switzerland and Cyprus,†the Check Point post stated.
See More: Cybersecurity Degrees: Types, Comparisons, and Best Practices for Selection
What Can Organizations Do To Protect Themselves?
The most common way to fix a vulnerability is to install a system update or an application patch. The Log4j team has released an upgradeOpens a new window , called Apache Log4j 2, promising to fix existing issues in Logback’s architecture (Logback is dubbed as a successor to the Log4j project). Whereas, in a statement published on their blog, Microsoft has encouragedOpens a new window customers to apply updates released in their Security Update Guide – CVE-2021-44228Opens a new window .Â
Meanwhile, Sammy Migues, principal scientist, Synopsys Software Integrity Group believes that preventing any zero-day attack of a new event is aspirational because most enterprises struggle just to answer, “Are we vulnerable?â€Â
“A key metric is the speed at which a change can be pushed into production. According to DORA, elite performers can complete this cycle in less than an hour, but most organizations will take a day to a week to complete the cycle, after they’ve found all the code to be fixed. Get good at both finding and shipping,†Migues recommended.
In agreement with Migues point, to address the critical vulnerability, Andy Norton, European cyber-risk officer at Armis, suggested in an exclusive conversation with Toolbox that the security teams must take a defense-in-depth approach and follow specific steps to remediate and protect their systems.
As a part of future remediations to any open-source software, Underkoffler advised that securing poorly funded software is imperative for any organization that relies on it. “Use programs to secure open source by pooling funding from business partners to incentivize the discovery and reporting of vulnerabilities to open-source software projects before they are exploited,†she added.
See More: 14 Insights on How To Prevent a Ransomware Attack and Avoid Being the Next Headline
What Is the U.S. Government Cybersecurity Agency’s Action Plan?
The U.S. government released an emergency directive to mitigate the Apache Log4j vulnerability, setting out guidelines for federal civilian agencies and organizations to act in response to the attack.
Chris Inglis, national cyber director and principal adviser to the president on cyber policy and strategy, said there is a sense of “unity of purpose and effort†across the Federal government in response to Log4j. Inglis added, there will be more coming conversations with public and private partners on ways to mitigate this vulnerability and improve asset and vulnerability management more broadly.
Proud of the unity of purpose and effort I see across the Federal government in response to #Log4jOpens a new window , and coming conversations with public and private partners on ways to mitigate this vulnerability, and improve asset and vulnerability management more broadly.
— Chris Inglis (@ncdinglis) December 14, 2021Opens a new window
Jen Easterly, director, CISA, said, “We are working with key private & public partners via Joint Cyber Defence Collaboration and federal partners like FBI and NSA Cyber to manage this evolving threat. We will continue to update our consolidated Log4j web page with the latest info to help all orgs reduce their risk.â€
“We issued a requirement for Fed agencies to patch last week; today’s new requirement mitigates vulnerable products where patches aren’t available,†Easterly explained.Â
Multiple threat actors are actively exploiting #Log4jOpens a new window vulnerabilities. We issued a requirement for fed agencies to patch last week; today’s new requirement mitigates vulnerable products where patches aren’t available. View the Emergency Directive here:
— Jen Easterly (@CISAJen) December 17, 2021Opens a new window
What’s Next for Java Shops Impacted by Log4j
With the holiday season around the corner, security teams are finding themselves in a spot concerning the level of sophistication and scale at which the Log4j vulnerability was exploited. Cybersecurity experts warn that many more may have been exposed to this attack than anticipated, from small and medium-sized businesses to large tech enterprises.
In a statement releasedOpens a new window by Easterly, CISA recommended that asset owners can take three additional steps to secure their data: “enumerate any external facing devices that have Log4j installed, make sure that your security operations center is actioning every single alert on the devices that fall into the category above, and install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.â€
In order to provide  transparency on vulnerable software libraries, Easterly emphasized “the urgency of building software securely from the start and more widespread use of Software Bill of Materials (SBOM).â€
Does Log4j flaw surface the risk of using open-source code libraries for enterprise-scale applications? Comment below or let us know on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We’d love to hear from you!
MORE ON LOG4J APACHE VULNERABILITY:
- Apache Log4j Flaw: Best Practices to Respond to the Vulnerability of the Decade
- Five Best Tools to Keep Log4j Vulnerability Exploitations At Bay
- Exploitation of Log4j Flaws May Continue for Years, Microsoft Warns
- Log4j Flaw: Top 10 Affected Vendors and Best Solutions to Mitigate Exploitations
- Log4j Flaw: Critical Zero-day Leaves Millions of Systems at Risk