If you’re actively tracking your IT infrastructure’s security, you’ve probably heard of the Log4j exploit or the Log4Shell vulnerability, and are racing to patch up your network as a safety measure. The bad news is that it’s just about everywhere and the ‘attack surface’ is larger than experts predicted.
It seems developers are playing a game of catch-up with threat actors as new attack vectors keep getting discovered, only for them to be patched later. This raises a big question: how does the exploit work and why is it creating such a state of hysteria?
To start off, you should be safe as long as your organization has patched its systems and followed the latest remediation steps. While Log4j is vulnerable in the library’s default configuration, the updated versions are less vulnerable, and there is a very minimal chance of being exploited.
This is why organizations should upgrade all their Log4j instances to v2.12.2 (for systems on Java 7) or v2.17.0 (for systems on Java 8). This cannot be stressed enough. If you are unable to roll out updates soon enough, we recommend removing the JndiLookup class from the classpath entirely.
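As an added example (not code from the original article), the following Python script locates log4j-core jars under a directory, reports those that still carry JndiLookup on an unfixed version, and strips the class from the jar as the fallback mitigation described above. The fixed-version boundaries (2.12.2 on the 2.12 branch, 2.17.0 otherwise) follow the text; the jar-internal paths for the class and the Maven pom.properties are standard for log4j-core.

```python
# Added example, not from the original article: find log4j-core jars, report
# those still carrying JndiLookup.class on an unfixed version, and strip the
# class. Fixed versions assumed per the text: 2.12.2+ (Java 7), 2.17.0+ (Java 8).
import os
import re
import shutil
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def is_remediated(version):
    """True when version is at or above the fixed release for its branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version or "")
    if not m:
        return False  # unknown version: treat as unpatched
    v = tuple(int(x) for x in m.groups())
    return (2, 12, 2) <= v < (2, 13, 0) or v >= (2, 17, 0)

def inspect_jar(path):
    """Return (version or None, True if JndiLookup.class is present)."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else None
        return version, JNDI_LOOKUP in names

def scan(root):
    """List (path, version) for jars that still need remediation."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version, has_jndi = inspect_jar(path)
                if has_jndi and not is_remediated(version):
                    findings.append((path, version))
    return findings

def strip_jndilookup(path):
    """Rewrite the jar without JndiLookup.class (zipfile cannot delete in place)."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, \
            zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != JNDI_LOOKUP:
                dst.writestr(item, src.read(item.filename))
    shutil.move(tmp, path)
```

Run `scan("/opt")` (or the application root) to list jars needing attention, then `strip_jndilookup(path)` on each; the stripped jar must be redeployed and the service restarted for the change to take effect.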
Measuring the Impact of the Log4j Exploit
As mentioned earlier, the Log4j vulnerability has affected large swathes of Java packages, or nearly 35,000 according to Google.
Sonatype, which is keeping track of all Log4j downloads, reports nearly 6 million downloads since December 10th. The US Department of Homeland Security Secretary Alejandro Mayorkas went so far as to label the vulnerability as ‘omnipresent’ because of its prevalence.
So what makes Log4j so bad?
When an operating system or browser has a security hole, it can only affect the users of that operating system or browser. The developer works on an update that patches the vulnerability and rolls it out, which closes the matter.
Log4j is radically different. It’s not an operating system, browser, or even an application. Instead, it’s a code module, or package, that serves a very specific purpose – keeping a log of server activity.
Since it’s more effective to reuse existing code than to write new code from scratch, developers rely on pre-existing code from libraries. The Log4j module happens to be the most widely used piece of web server software of its kind and is found on millions of servers.
Here’s the worrying part. Attackers are using the vulnerability in Log4j to get a server to log a line of attacker-controlled text that triggers a JNDI lookup, which can forcefully install malware on the server. According to Microsoft, state-sponsored threat actors are using the vulnerability to spread ransomware. The main targets of the vulnerability are large corporations like Apple, Twitter, Valve, and Cloudflare.
In fact, many ransomware groups, botnets, coin miners, access brokers, and state-backed hackers are having a field day with the exploit. They have so many targets they don’t know what to do with them. Here’s what can happen in the worst-case scenarios:
- An entire network of websites could go down in a matter of minutes
- Ecommerce businesses may not be able to ship or receive goods
- Remote management systems and utility systems may be shut down
The Apache Foundation is pushing out updates just as soon as it finds vulnerabilities, but realistically, there is no possible way to cover every possible path that the exploitation can take.
Evaluating the Recently Discovered Vulnerabilities
The problem with the Log4j exploit is that it can take weeks and maybe even months to search for clues on which systems and applications have been targeted and breached. Newly discovered Log4j variants allow threat actors to craft input data containing JNDI lookup patterns that cause a denial of service (DoS).
More vulnerabilities are popping up on GitHub and getting swatted down, but the first exploit seems to have opened a can of worms – and there’s no going back.
Cryptominers remain a key threat for servers because exploiting the vulnerability is a simple procedure: set up a C2 server, scan for vulnerable networks, and drop the malware where needed. Generating cryptocurrency requires bulk infections to work at scale, which is why crypto miners prefer to attack indiscriminately. This is a major component of the Log4j threat.
How Can Businesses Secure Their Systems?
Experts recommend that the most immediate step for businesses is to reduce exposure by updating and patching all aspects of their network systems and infrastructure that have been exposed and potentially compromised. Businesses should run an incident response process to look for signs of remote access Trojans, such as command-and-control callbacks.
Data stored on exposed networks should be recycled and removed. Lastly, consider opting out of third-party vendors who are also at risk of the exploit.
How to Avoid Similar Zero-Day Vulnerabilities in the Future
It could be argued that the Log4j exploit has changed the landscape of malware and ransomware attacks. The problem is the massive attack surface that threat actors have at their disposal. It’s a game of whack-a-mole that human developers will simply not be able to keep up with – at least not in time to prevent data breaches.
This is why organizations need to update their cloud security strategy. Here are a few recommendations:
i) Automation of Security Processes
Human developers can’t preempt upcoming attacks and stay on top of every single threat actor out there. This is why organizations need access to applications with security systems that evolve automatically.
ii) Deploy AI and ML to Discover Vulnerabilities
Humans simply do not have the time and resources to analyze data trends, especially when the trends are evolving on the go. Now is the opportunity to adopt new security technology that uses artificial intelligence and machine learning to evolve security applications faster than humans can respond.
iii) Create a Zero Trust Security Framework
Zero Trust security requires all users to authenticate and verify their credentials before gaining access to resources, whether inside or outside the network. This additional layer of security may be inconvenient to many users, but it is one of the best means of preventing data breaches.
Need help in updating your cloud network and systems infrastructure to prevent Log4j exploits? The team at Microsys can be of assistance to you.
Contact us to set up a consultation on how you can beef up your security systems.