(January 18, 2022) Cyber threats make headlines nearly every day. But every few years there’s a threat so severe that it raises alarm among cybersecurity researchers. Today, that threat is Log4Shell, a vulnerability in the Log4j logging utility for Java-based software.
Discovered in November 2021, the flaw enables hackers to trick Log4j into storing and running specific character strings. It is called a remote code execution vulnerability, which allows hackers to execute any code they want on the compromised system.
According to Microsoft, cybercriminals associated with adversarial nation-states, including China, Iran, and North Korea, are actively scanning systems and attempting to exploit the vulnerability. In December, Cloudflare reported roughly 20,000 exploit attempts per minute during peak activity.
Potentially Massive Scale
Log4j is a popular open-source utility that is available at no charge from the Apache Software Foundation. It is used in countless Java, open-source and commercial applications, which means the Log4Shell vulnerability could affect millions of systems.
The Google Open Source Insights Team analyzed approximately 440,000 Java packages stored in the Maven Central Repository and found that about 8 percent were vulnerable. A security flaw is generally considered serious if it affects 2 percent of Java packages.
That puts Log4Shell on par with Heartbleed and Shellshock, two bugs that caused widespread panic when they were discovered in 2014. Heartbleed was a flaw in OpenSSL encryption software that exposed portions of a web server’s memory, enabling hackers to steal encryption keys and other sensitive information. Shellshock was a remote code execution vulnerability that affected the Unix Bash shell, which is used as a command-line interface.
Finding and Fixing the Bug
Generally, if there’s a bug in an application, administrators find all instances of that application in use within the organization and apply the patch. With Log4j it’s not that simple. Because the Log4j utility is compiled within Java applications, someone familiar with Java will have to review the source code, determine which Log4j version is being used, install the upgrade, and test it.
For some organizations, patching the Log4Shell bug will be even more difficult. A Google team found that 80 percent of the Java packages affected by the flaw call Log4j indirectly, through other libraries, which makes the bug harder to fix and even harder to find when scanning.
It’s also important to remember that Java-based applications are everywhere. Many organizations use Java through third-party vendors and business partners and could be exposed to the Log4Shell exploit through other components in their software supply chain. Software vendors are still evaluating their applications and updating their lists of affected software. Those lists will keep changing over the next 12 months, so checking back often will be necessary.
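Finding the indirect copies described above is the hard part, because a vendor jar can bundle its own log4j-core inside a war or fat jar. The following scanner is an added example, not code from the article or from the Log4j project: it walks a directory, opens every archive in memory, recurses into nested archives, and reports each copy of log4j-core with the container chain that leads to it. It assumes the standard Maven layout (a `pom.properties` file under `META-INF/maven/<groupId>/<artifactId>/`) and the well-known Maven coordinates for log4j-core; the version threshold and the sample versions are dummy placeholders, and the real fixed version must come from the vendor's advisory.

```python
import io, os, tempfile, zipfile

# Assumed Maven coordinates; a Maven-built jar records its own version in this file.
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """Return the version= value from a pom.properties body, or None."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()

def version_key(v):  # numeric components only: '2.14.1' -> (2, 14, 1)
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def scan_archive(data, chain, findings):
    """Recurse through nested archives in memory; chain names the containers above."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, nothing to inspect
    with zf:
        for name in zf.namelist():
            if name == POM_PATH:  # a bundled copy, however deeply it is nested
                findings.append((" > ".join(chain), parse_version(zf.read(name).decode())))
            elif name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), chain + [name], findings)

def scan_tree(root, fixed_version):
    """Return [(chain, version, needs_update)]; fixed_version is a placeholder from the vendor advisory."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVES):
                with open(os.path.join(dirpath, f), "rb") as fh:
                    scan_archive(fh.read(), [os.path.relpath(fh.name, root)], findings)
    return [(c, v, v is not None and version_key(v) < version_key(fixed_version)) for c, v in findings]

def build_demo():
    """Constructed sample: app.war bundles a vendor jar that itself bundles log4j-core."""
    lib, vendor = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(lib, "w") as z:
        z.writestr(POM_PATH, "version=1.0.0\n")  # dummy old version
    with zipfile.ZipFile(vendor, "w") as z:
        z.writestr("lib/logging.jar", lib.getvalue())
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/vendor.jar", vendor.getvalue())
    return scan_tree(root, "2.0.0")  # dummy threshold
```

Jars built without Maven carry no `pom.properties`, and copies that were shaded or relocated into another package are missed, so treat a clean result as a starting point for the source-code review the article describes, not as proof of absence.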
Looking for Suspicious Activity
All of that will take time. In the meantime, organizations should continuously monitor the network for any suspicious activity that could indicate an attempt to exploit the vulnerability.
Threat actors are scanning systems, so it’s important to monitor for that kind of inbound activity. Additionally, organizations should monitor for outbound activity such as a script attempting to contact a command-and-control server. If identified, any such actions should be blocked.
Java is frequently used on mobile devices, so endpoints should be monitored for indications of compromise. Because Log4Shell attacks are diverse in nature, there are no fixed “rules” for spotting them; behavioral analytics should therefore be used to identify anomalous activity. Solutions such as Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) or Managed Detection and Response/Extended Detection and Response (MDR/XDR) can help in monitoring for these types of activity.
Organizations should not delay in addressing this serious vulnerability. A qualified managed services provider (MSP) can assist with developing a Layered Security Architecture and Incident Response Plan that includes monitoring, detection, endpoint security, security awareness training, and other techniques to reduce the risk of a Log4Shell attack.
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region including managed technology services and consulting, custom software development, and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.
Jeff Pracht
IT Business Development Manager
(479) 715-8629 Office
(501) 529-0008 Mobile