Log4j vulnerability: what you need to know

A vulnerability residing inside Java-based software known as “Log4j” rocked the Internet this week.
The list of potential victims includes nearly a third of all web servers in the world, according to cybersecurity company Cybereason. Twitter, Amazon, Microsoft, Apple, IBM, Oracle, Cisco, Google, and one of the world’s most popular video games, Minecraft are among the multitude of tech and industry giants running popular software code that , according to U.S. officials, has left hundreds of millions of devices on display.
As of Friday, more than 3,700,000 hack attempts were made to exploit the vulnerability, according to leading cybersecurity firm Checkpoint, more than 46% of which were carried out by known malicious groups.
Jen Easterly, head of the Cybersecurity and Infrastructure Security Agency (CISA), called it “the most serious flaw” she’s seen in her decades-long career.
Cyber ââsecurity companies are now warning that ransomware criminals and hackers linked to foreign governments have already attempted to exploit the vulnerability to gain access to the computer systems of targets.
US officials say civilian federal agencies “most likely” use products with the vulnerability built in.
Here’s what you need to know:
What is Log4j?
Log4j is programming code written in the Java computer language and created by volunteers within the Apache Software Foundation to run on a handful of platforms: Apple’s macOS, Windows, and Linux. Free, open-source software creates a built-in “journal” or activity record – like a journal – that software developers can use to troubleshoot problems or track data in their programs. Its usefulness and the fact that it is free have spread the “journaling library” to every corner of the Internet, according to cybersecurity experts.
âLogging is essential in everything we do. Because this library is used by most web services around the world, it means most web services are vulnerable to attack,â said Sergio Caltagirone, vice president threat intelligence from leading cybersecurity company Dragos.
According to cybersecurity researchers, the flaw leaves a long list of critical infrastructure functions such as power, power, power, communications, critical manufacturing and water ready for possible intrusion.
DHS secretary Alejandro Mayorkas, whose department oversees CISA, called Log4j “ubiquitous” during a cybersecurity panel Thursday. âThe challenge it presents is its prevalence,â Mayorkas said.
âIt could mean that entire e-commerce sites go down during the Christmas holidays. It could mean that entire manufacturers could not ship or receive goods,â Caltagirone added. “This could mean that water utilities with automated and remote management systems are now vulnerable to attack.”
“This piece of code that has proven to be vulnerable literally exists all over the world,” said Mark Ostrowski, engineering manager at security firm Checkpoint Research. “It’s built into the video games our kids play and into infrastructure like cloud products.”
Ostrowski noted that the Log4j programming code has been downloaded over 400,000 times. “That’s a lot, and who knows how many times it’s even been used in those downloads?” “
When did the attack start?
The Apache Software Foundation volunteer group was alerted on November 24 to the vulnerability, after a member of Alibaba’s cloud security team discovered it.
But late last week, an unusual warning sent shockwaves through staff in the cybersecurity community after makers of the Minecraft sandbox video game shared the vulnerability in a blog post, alerting gamers that hackers had identified a flaw in their game that could infiltrate their computers. Staff also released a patch, but cybersecurity experts quickly discovered that the offending vulnerability was built into the widespread software tool used for more than just building a virtual world.
How do hackers exploit it?
US officials say they have yet to observe “highly sophisticated attacks” by state actors.
âA lot of it is low-level activities like crypto-miners,â CISA Executive Deputy Director Eric said on Tuesday, âbut we expect adversaries of all kinds to use this. vulnerability to achieve their strategic objectives “.
Microsoft updated its blog on Tuesday to report that state-backed hackers from China, Iran, North Korea and Turkey attempted to capitalize on the Log4j flaw.
An Iranian hacking group known as APT 35 or “Charming Kitty” attempted to exploit the Log4j vulnerability against seven Israeli targets in the government and business sectors, Checkpoint Research reported Wednesday.
Threat research teams have started tracking efforts to infiltrate targets by ransomware-as-a-service organizations that negotiate access to vulnerable networks to the highest bidder. Researchers at cybersecurity firm Cybereason have observed hackers attempting to deploy various ransomware variants, including Quantam, Kimsuky, Muhstik, Cerber, Black Sun, and Khonsari.
DHS Secretary Mayorkas was quick to point out on Thursday that the threat grows over time as new criminal actors take advantage of the loophole. “When a vulnerability has been exposed and others can embark on exploiting that vulnerability, it can really multiply the damage,” Mayorkas said.
U.S. cybersecurity professionals and officials remain concerned about the initial ease of access to a victim’s network, allowing criminal actors to infiltrate a network. Detecting whether the Log4j vulnerability is hacked will require weeks, if not months, of careful monitoring.
The director of CISA predicts that consumers will struggle with the vulnerability for “a very long time.”
âIt’s not going to be something that’s going to be fixed and finished,â Easterly said Thursday. “This is something that we will be working on, probably, for months, if not years.”
What can businesses and consumers do to protect themselves?
Some fixes known as “fixes” and technical support have been released widely. The Apache software foundation released upgrades to its tool this week, and Microsoft has encouraged customers to contact software application vendors to confirm they are using the Java programming language.
CISA recommends that companies review their Internet programs that use Log4j, respond to alerts connected to these devices, and install a firewall with automatic updates.
For those who cannot immediately correct the vulnerability, Cybereason has released a free “vaccine” to temporarily ward off intruders.
As businesses scramble to patch vulnerabilities, consumers need to stay tuned for updates to their devices, software, and apps.
How is the US government responding?
Deputy National Security Advisor Anne Neuberger said Thursday that a “small number of government systems” had been affected by the Log4j vulnerability, with that number expected to increase in the coming days.
“I think we are going to see widespread exploitation by all kinds of threat actors, and likely impacts on public and private infrastructure. We are doing everything we can with our partners to move forward,” said Director of Cyber ââSecurity and Infrastructure Security Agency (CISA) Jen Easterly said in an interview with CNBC on Thursday.
âThese are products that are used by all the big organizations around the world,â Goldstein told reporters Tuesday, referring to the Log4j library. “And so, it’s likely that federal agencies are actually using some of these products that have the vulnerable library built-in.”
U.S. officials said no civilian federal agency was compromised Thursday evening, but noted that the visibility of network systems remains an ongoing challenge.
The CISA on Friday ordered federal civilian agencies to immediately repair or “patch” vulnerable systems. The new memo replaced a previous mandate requiring a fix from federal agencies by December 24, a deadline many cybersecurity experts feared was too late.
The agency at the head of the US government’s response has also released a growing catalog of potentially impacted products to outsource affected software products and eliminate the dissemination of false information online.
How does this hack compare to Solarwinds?
While both attacks took place over the holiday season and garnered a lot of attention, they differ in sophistication and scope.
âWith SolarWinds, we had a targeted supply chain attack by a highly sophisticated and specific adversary intended to compromise specific organizations to achieve popular goals,â Goldstein explained. “What we have here is an extremely widespread, easy to exploit, and potentially very damaging vulnerability that could certainly be used by adversaries to cause real damage.”
âFrom the point of view of the scale, the [Log4j vulnerability] is astronomical compared to SolarWinds, âOstrowski told CBS News. âIt’s not just a software package that businesses use. It’s software code that we consumers – you and I – use every day. It’s a piece of open source code that everyone has access to. “
And after?
The White House sent a letter to CEOs on Thursday warning them of increased risks of cybersecurity attacks during the holidays, a time of year when business operations often rely on a small staff.
Cyber ââsecurity experts remained concerned that malicious actors would exploit the vulnerability to target small and medium-sized businesses, schools and hospitals with limited resources, including victims who may not be aware of the risk.
âWhat we are learning today compared to what we knew 24 hours ago is very different. This is the speed at which it is changing,â Ostrowski said. âSo our apocalypse is asking: what will next week be like? “”
The vulnerability also sparked a debate around the regulation of open source code, widely available for use by the masses. Some experts are now advocating a âsoftware nomenclatureâ that lets consumers know what kind of software is inside their products and applications, like a Nutrition Facts label for foods.
âAs the toll of damage from cybersecurity vulnerabilities, exposures and hacks increases, it’s all the more important that we treat software the way we treat food,â Caltagirone said. âPeople may say, ‘Am I allergic to peanuts? Does it contain nuts? Now we need to be able to say, “This log4j vulnerability is out. Do I have it in my environment?” “
Dan Patterson contributed to this report.