A vulnerability in the open source Apache logging library Log4j sent system administrators and security professionals scrambling over the weekend. Known as Log4Shell, the flaw is exposing some of the world's most popular applications and services to attack, and the outlook hasn't improved since the vulnerability came to light on Thursday. If anything, it's now excruciatingly clear that Log4Shell will continue to wreak havoc across the internet for years to come.
Hackers have been exploiting the bug since the beginning of the month, according to researchers from Cisco and Cloudflare. But attacks ramped up dramatically following Apache's disclosure on Thursday. So far, attackers have exploited the flaw to install cryptominers on vulnerable systems, steal system credentials, burrow deeper within compromised networks, and steal data, according to a recent report from Microsoft.
The range of impacts is so broad because of the nature of the vulnerability itself. Developers use logging frameworks to keep track of what happens in a given application. To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code. From there they can load arbitrary code on the targeted server and install malware or launch other attacks. Notably, hackers can introduce the snippet in seemingly benign ways, like by sending the string in an email or setting it as an account username.
Major tech players, including Amazon Web Services, Microsoft, Cisco, Google Cloud, and IBM have all found that at least some of their services were vulnerable and have been rushing to issue fixes and advise customers about how best to proceed. The exact extent of the exposure is still coming into view, though. Less fastidious organizations or smaller developers who may lack resources and awareness will be slower to confront the Log4Shell threat.
“What is almost certain is that for years people will be discovering the long tail of new vulnerable software as they think of new places to put exploit strings,” says independent security researcher Chris Frohoff. “This will probably be showing up in assessments and penetration tests of custom enterprise apps for a long time.”
The vulnerability is already being used by a “growing set of threat actors,” US Cybersecurity and Infrastructure Security Agency director Jen Easterly said in a statement on Saturday. She added that the flaw is “one of the most serious I’ve seen in my entire career, if not the most serious” in a call with critical infrastructure operators on Monday, as first reported by CyberScoop. In that same call, a CISA official estimated that hundreds of millions of devices are likely affected.
The hard part will be tracking all of those down. Many organizations don't have a clear accounting of every program they use and the software components within each of those systems. The UK's National Cyber Security Centre emphasized on Monday that enterprises need to “discover unknown instances of Log4j” in addition to patching the usual suspects. By its nature, open source software can be incorporated wherever developers want, meaning that when a major vulnerability crops up, exposed code can lurk around every corner. Even before Log4Shell, software supply chain security advocates had increasingly pushed for “software bills of materials,” or SBOMs, to make it easier to take stock and keep up with security protections.
Security professionals note that while it's important to be aware of the vulnerability's inevitable lasting impact, the first priority is to take as much action as possible now to shorten that tail as the frenzy of exploitation continues.
“If you have an internet-facing server vulnerable to Log4Shell that you haven't patched yet, you almost certainly have an incident response on your hands,” says incident responder and former NSA hacker Jake Williams. “Threat actors were quick to operationalize this vulnerability."
Williams adds that while logging systems are important and it can be risky to implement fixes quickly, it should be technically doable—and worth it—for most organizations. “On the defense side, we're seeing a lot of enterprises afraid to patch without testing,” he says. “That's the wrong approach in this case.”
The concern remains, too, that the situation could get even worse. Attackers could potentially develop a worm that exploits the flaw and spreads automatically from vulnerable device to the next. But while it's technically possible, it may not be a top priority for malicious hackers, says researcher Marcus Hutchins, who found a kill switch for the notorious WannaCry worm in 2017.
“Whilst it's always a possibility, worms for these kinds of exploits are rare, due to the development overhead generally exceeding perceived benefits,” Hutchins says. “It's much easier to just spray exploitation attempts from a server than develop self-propagating code. It's also usually a race to exploit as many systems as possible before they are patched or exploited by others, so it doesn't really make sense to take the time to develop a worm.”
Attackers will still look for creative new ways to discover and continue exploiting as many vulnerable systems as possible. The scariest part of the Log4Shell, though, is how many organizations won't even realize that they have systems at risk.
- 📩 The latest on tech, science, and more: Get our newsletters!
- The Twitter wildfire watcher who tracks California’s blazes
- A new twist in the McDonald’s ice cream machine hacking saga
- Wish List 2021: Gifts for all the best people in your life
- The most efficient way to debug the simulation
- What is the metaverse, exactly?
- 👁️ Explore AI like never before with our new database
- ✨ Optimize your home life with our Gear team’s best picks, from robot vacuums to affordable mattresses to smart speakers
