The tech world was shaken this past week. A vulnerability affecting Apache Log4j versions 2.0 to 2.14.1 was disclosed on the project’s GitHub page. Apache comprises about one-third of all web servers in the world—making this flaw, dubbed Log4Shell, highly critical and an urgent priority for IT teams.
What’s the big deal, some may ask? Log4j operates as an open-source Java logging library that’s widely used in a range of software applications and services around the world. The vulnerability in Log4j can allow threat actors the opportunity to take control of any Java-based, internet-facing server and engage in remote code execution (RCE) attacks.
The problem with Log4j is how the Java Naming and Directory Interface (JNDI) can “lookup” commands and how they are wrapped in the data structure. There isn’t necessarily something unique or special about Log4j logs that make this a more critical flaw. Other logging databases, such as Splunk, use different data structures, and have different APIs and tools, so it’s still possible for a similar type of vulnerability to exist on other logging platforms. They just aren’t affected by this flaw.
The fallout from Log4Shell
The impact from this vulnerability has been widespread. Within 24 hours of the flaw being disclosed on GitHub, there were already reports of threat actors actively engaging in mass internet scanning to identify potential targets. On Tuesday, a second vulnerability was discovered. And there are additional reports that threat actors, including nation-states such as China, Iran and others are now leveraging the vulnerability in ransomware attacks. We can expect this trend to continue as hackers will take full advantage of it to conduct more ransomware attacks.
Organizations are scrambling to patch and update their Apache implementations. Vendors have shared various mitigations, but attackers are quickly finding ways to bypass or subvert them. A researcher discovered a bypass for the built-in security feature that prevents exploitation of the Log4j vulnerability in newer Java versions—so it seems like nobody is safe.
Developers quickly created Log4j version 2.16.0, which completely disables JNDI by default. Organizations need to assess the update, though, and it takes time to patch systems. It may not be possible to patch some systems easily—or at all. In the meantime, we must consider every system running a version of Log4j earlier than 2.16.0 vulnerable.
Cybereason researchers developed a temporary workaround “vaccine” called LogOut4Shell. It uses the flaw itself to set the flag that turns it off. More importantly, it works and prevents exploits of Log4Shell to buy time for organizations to patch and update. As hackers continue to find new exploits, this vaccine has become even more critical. It disables the entire JNDI mechanism, preventing every scenario we have seen so far, and buys time for security teams to assess, test, and patch.
Ripple effect of Log4Shell
Unfortunately, this vulnerability will likely have lasting repercussions. There are reports of greater than 1,000 attacks per second on the internet, and Cloudflare revealed that attackers are rapidly adapting from simple attack strings to actively trying to evade blocking by web applications firewalls.
One of the big questions haunting security teams right now: “What, exactly, are threat actors doing when they exploit Log4Shell?”
A successful exploit grants the attacker control of the affected system, but smart attackers won’t necessarily show their hand right away. Many of the attacks out there may simply set up backdoors and quietly maintaining persistence on compromised systems for a future attack. It’s a land grab for now.
How to protect your company
Security teams should update their Apache Log4j implementations to version 2.16.0 or later as quickly as possible. If the company can’t patch immediately, there’s the option to vaccinate the systems with LogOut4Shell to prevent the vulnerability from being exploited in the meantime.
Focus on the basics: Test to see if the company is vulnerable, the vaccine works for that as well. Then update all systems while proactively hunting for indicators of behavior (IOBs) that reveal potential or ongoing malicious activity. Most important: Stay vigilant because the attackers are lurking, staying patient for a more targeted attack in the weeks and months ahead.
Sam Curry, chief security officer, Cybereason