Log4j Exploit is the Lump of Coal That Many Organizations Are Receiving in Their Stockings: Cybersecurity Warnings

Major cybersecurity hacks seem to be becoming a holiday tradition. Last year, it was the SolarWinds-Orion hack, which potentially impacted as many as 300,000 global customers. This year, it’s the Log4j exploit, a flaw in Apache’s open-source library for logging errors and events in Java-based applications that puts “countless millions” of devices at risk.

According to this Morphisec article (Protecting Against the Log4j (Log4shell) Vulnerability – What is it & What Actions Can You Take?, written by Michael Gorelik), the Log4j exploit allows threat actors to take over compromised web-facing servers by feeding them a malicious text string. It exists within Log4j, an open-source Apache library for logging errors and events in Java-based applications. Third-party logging solutions like Log4j are a common way for software developers to log data within an application without building a custom solution.

In the case of Minecraft, where the Log4Shell exploit first surfaced last week, this malicious string is entered through the chatbox. In other examples, text entered into the username box on web applications, like Apple iCloud, can also start the compromise.

The Log4j vulnerability is triggered by attackers inserting a JNDI lookup that links to a malicious server into a header field (one likely to be logged). After Log4j logs this string, the server is queried and gives directory information leading to the download and execution of a malicious Java class. This means cybercriminals can both extract private keys and, depending on the level of defenses in place, download and run malware directly on impacted servers.

The graphic above from GovCERT.ch, the Computer Emergency Response Team of the Swiss government, does the best job I’ve seen of illustrating the Log4j JNDI attack flow.

Log4j is an extremely popular Apache library used by millions of Java programs and applications. As a result, the actual number of internet-facing applications exposed to the Log4j vulnerability is almost impossible to quantify. Researchers have noted that the vulnerability is likely to impact products and services provided by tech giants such as Apple, Amazon, Steam, Tesla, and Twitter.

We’re already starting to see reports that efforts to capitalize on the Log4j exploit are widespread: 40% of corporate networks globally have already been targeted in activity seeking to exploit the flaw, and the Conti ransomware operation is using it to gain rapid access to internal VMware vCenter Server instances and encrypt virtual machines. Per Sharon Nelson’s Ride the Lightning blog, Microsoft Threat Intelligence Center (MSTIC) and Mandiant have reported that multiple state-backed hackers linked to governments in China, Iran, North Korea, and Turkey have rapidly deployed Log4Shell exploits in their attacks. Microsoft also said that access brokers used by ransomware-as-a-service (RaaS) operations (yes, that’s a real thing) have joined these ongoing attacks.

The Morphisec article states that organizations need to be “searching the entire IT state regardless of whether servers are using Windows, Linux, or Mac for any Java code and determining if it uses the Log4j library”, which can be a major undertaking for many organizations.

Here’s the other problem. It also says that “[w]herever you find Log4j, you need to update it to the latest 2.15.0 version patch.” Alas, that was two patches ago – Apache is up to version 2.17.0 – three patches released in one week! So, your organization not only has to be quick, it may have to apply a patch more than once if security vulnerabilities keep popping up. ‘Tis the season for data breach nightmares!
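The inventory-and-version check described in the last two paragraphs can be scripted. The following is an added example, not code from this post or from Morphisec: it walks a directory tree, opens every JAR/WAR/EAR (including archives nested inside them), and reports each copy of log4j-core with its version. It assumes log4j-core carries its Maven `pom.properties`, flags anything below 2.17.0 (the newest release named above), and uses illustrative function names.

```python
import io
import os
import re
import sys
import zipfile

# Maven metadata and lookup class shipped inside log4j-core 2.x jars
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MIN_VERSION = (2, 17, 0)  # newest release named in the post (assumed threshold)
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)  # '2.0-beta9' -> (2, 0, 0)
    return tuple(int(g or 0) for g in m.groups()) if m else (0, 0, 0)

def scan_archive(data, label, findings):
    """Inspect one archive held in memory, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # corrupt file or not really a zip: nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM in names or JNDI_CLASS in names:
            version = None  # stays None for shaded copies without Maven metadata
            if POM in names:
                for line in zf.read(POM).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            outdated = version is None or parse_version(version) < MIN_VERSION
            findings.append({"path": label, "version": version, "outdated": outdated,
                             "has_jndi_lookup": JNDI_CLASS in names})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), f"{label}!/{name}", findings)

def scan_tree(root):
    """Walk root and return one finding per archive that contains log4j-core."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVES):
                with open(os.path.join(dirpath, fname), "rb") as fh:
                    scan_archive(fh.read(), fh.name, findings)
    return findings

if __name__ == "__main__":
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f)
```

A copy with no readable version is reported as outdated so that it gets a manual look. Nested archives are read into memory, so cap file sizes before pointing this at very large or untrusted trees.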

So, what do you think? Is your organization impacted by the Log4j exploit? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
