Over the last month, a serious Java logging package vulnerability, Log4j, was found and poses a severe risk to millions of consumer products, web applications, and enterprise software. This vulnerability opens the door for exploitation to a widespread number of attackers.
What is the Log4j bug?
Most casual computer users have probably never heard of Log4j. In a nutshell, it's a type of software used in just about every computer that helps computer systems log information, such as various system operations and errors. A common example of Log4j is when you get a 404 error after going to a bad web link, and your system will record that event in a log within the server. You may not realize how this essential software puts millions of computers at risk of being compromised.
This key piece of software revealed a major vulnerability in late November 2021, nicknamed the Log4Shell. According to CNN, the U.S. Cybersecurity & Infrastructure Security Agency director, Jen Easterly, called the vulnerability the "worst she's seen in her career. There were millions of attempts to exploit Log4Shell to wreak havoc on an unsuspecting populace during the Christmas season alone. In one account, the cybersecurity company Sophos found that hackers attempted to install cryptocurrency mining software on various servers to generate bitcoin for their own profits.
Discovering the Log4j bug and what happened next?
The Log4j function is an integral component for computer systems, which is why the vulnerability was found and created such a panic. Log4Shell works by abusing the Log4j software. Hackers can create a code that allows them to format a log message to allow greater permissions within the system. By doing this, they can take steps to steal your identity and find other sensitive information about yourself.
Chen Zhaojun, a security researcher at Alibaba, China's version of Amazon, discovered the problem. After discovering the flaw within Log4j, he publicly announced how easy it would be to hack into computers through servers. His goal was to alert governments and other entities worldwide so they could find a fix before hackers could take advantage. Other experts called the announcement "irresponsible" as it gave criminals an open window to cause damage before a fix was found and implemented.
However, it may have been much worse, as the problem could've allowed nefarious governments and terrorist organizations to cause disruptions and steal valuable data and information.
Log4j Timeline of Events
To fully understand the complexity of the vulnerability, you need to be able to visualize the timeline of Log4j events:
November 24th: Chen Zhaojun discovers the vulnerability and officially informs Apache of its existence.
November 26th: Log4j is added to the official CVE (Common Vulnerabilities and Exposures) list.
December 9th: The word about the vulnerability is shared around the world.
December 10th: Patches are developed by companies like Cisco and VMware. Cloudflare also updates its rules about blocked HTTP requests coming through its firewall.
December 11th: CISA director issues an official statement about Log4j.
December 15th: A new vulnerability is found, and Apache quickly releases a patch.
December 16th: A third vulnerability is found.
December 17th: CISA puts out an emergency directive.
December 18th: Apache releases another patch after issues found with the previous one.
December 20th: Log4j was exploited to add malware onto Linux and Windows.
December 22nd: CISA releases a Log4j scanner.
December 27th: Microsoft adds services to help protect Windows users against Log4j problems.
December 28th: A fourth vulnerability is discovered.
December 29th: A Chinese hacker group called Aquatic Panda attempts to hack into an academic institution using Log4j vulnerability.
January 3rd: Microsoft gives an update on protecting against Logj4 vulnerabilities.
January 4th: FTC gives stern warning to companies to fix this issue
January 10th: CISA says no major intrusions have been detected from Log4j vulnerability.
Log4j risk – stay ahead of the game
As investigations and questions continue to be raised, IT departments, Managed Service, and Hosting Providers have worked tirelessly to investigate and provide patches and complete fixes. There are a few things you can do yourself to help your company stay ahead of the present and future vulnerabilities.
The National Cyber Security Centre in the United Kingdom has put together a list of questions any cybersecurity team needs to be asking:
- Who is leading on your response plan?
- What is your overall plan?
- How will you know if you are being attacked, and how will your team respond?
- How much visibility do you have of your software/servers?
- How is your company addressing shadow IT/appliances?
- Do you know if key providers are covering themselves?
- Does anyone in your organization develop Java code?
- How will people report issues they find to your company?
- When did you last check your business continuity plans and crisis response?
How to outsmart cybercriminals
Vulnerabilities like Log4j happen all the time, and it almost seems as if new ones are discovered weekly, creating a lot of stress for everyone concerned. While there are reports of no major intrusions from the Logbj bug, that doesn't mean it can't or won't happen in the near future. That's why major companies hire cybersecurity teams to help protect their information from being hacked and stolen. While a fix is currently in the works, no one knows if more weak points will be found, and Log4j will threaten everyone until this vulnerability is secured.
Because multiple systems use Log4j, it can be difficult to spot areas where hackers can pry their way in. Java-based applications are used by so many digital assets containing private data. While the common reaction may be to panic, there are ways you can help mitigate the impact of such a vulnerability being exploited on your system.
You should first stay on top of all the news regarding Log4j and apply any developed patches.
Protect your digital assets is by quarantining software that's affected connected to the internet. Even if you think you have a secondary computer with little information, you should still quarantine it. Hackers can still find their way onto it and find other sensitive information in your network.
Don't forget to evaluate your vendor, third-party, and service provider's rights. You need to make sure you know their security. If you do not have these rights, you should. Here are five important questions to ask them:
- Has your organization assessed its risk exposure to Log4j vulnerability
- What steps did your organization take to determine the level of vulnerability?
- Did you determine the level of potential malicious execution?
- When did you learn about the vulnerability?
- What patches were applied, and what systems were affected?
Another way to protect your company from Log4j and be proactive is utilizing RedTeam's vast experience in handling cybersecurity flaws. RedTeam Security's penetration testing will identify and exploit your organization's security vulnerabilities through a systematic testing process focused on your networks, applications, physical facilities, and human assets.
Even if you already have a mature cybersecurity program in place, we can help you test the controls to protect your most sensitive data with Advanced Adversary Simulation testing.
Ready to Elevate Your Security Posture?
Are you ready to see how well your organization's security strategy performs? Learn what makes us stand out amongst penetration testing service providers. Schedule your free virtual meeting with a RedTeam Security expert today at (952) 836-2770
10-Point Offensive Security Checklist
Download Free Resource Download Free Resource