The Log4j Logjam
It's one of the most pervasive security vulnerabilities in the past decade
What happens when a harmless piece of software that’s used for recording all the activities of online services and applications suddenly becomes the biggest security threat? You have a LogJam!
News about a critical vulnerability in the widely used Log4j logging library broke last week when proof-of-concept exploits started to emerge on December 9. Since then, a barrage of threat actors, both state-backed and criminal groups, have jumped in on the exploit bandwagon, triggering a wave of massive attacks targeted vulnerable systems to spread malware and infiltrate networks.
The critical security issue, now addressed, could be exploited to achieve arbitrary code execution on vulernable systems. Dubbed Log4Shell, the flaw has received the highest possible severity rating, once again highlighting the threat open-source software presents as a growing portion of the world's critical supply chain attack surfaces. To make matters worse, the patch released by Log4j maintainers was found to contain holes, necessitating a second round of fixes.
Not only is the vulnerability trivial to exploit, the pervasiveness of Log4j across a vast array of applications, services, and enterprise software tools has posed a lucrative entry point for opportunistic hackers. The unprecedented situation, echoing the Heartbleed bug of 2014, has set alarm bells ringing, as the cybersecurity world kicked into overdrive to identify vulnerable applications (there are hundreds!), detect potential attacks, and apply patches to mitigate possible threats.
But the severity of the flaw, combined with its simplicity and prevalence, has also created a perfect storm for bad actors, who have been observed mass scanning for vulnerable servers and unleashing attacks to drop coin miners, Cobalt Strike malware, the new Khonsari ransomware, the Orcus remote access trojan (RAT), the Mirai botnet, and reverse bash shells for future incursions. Other attacks have involved access brokers selling their Log4j footholds to cybercriminals looking to deploy ransomware and other malicious tools.
More than 46% of corporate networks globally already have been targeted in activity seeking to exploit the flaw and create footholds in desirable networks for follow-on activity, with Israeli security firm Check Point recording over 2.8 million exploitation attempts to date.
If anything, the active weaponization of the flaw represents a key step forward in how attackers can gain initial entry and then achieve a stealthy persistent presence on compromised systems to exfiltrate data and perform other nefarious activities, particularly in scenarios where espionage-focused actors may have already gotten access prior to the flaw being fixed.
“Given that Log4j has been a ubiquitous logging solution for Enterprise Java development for decades, Log4j has the potential to become a vulnerability that will persist within Industrial Control Systems (ICS) environments for years to come,” industrial security firm Dragos said. “The ease with which the flaw can be exploited, coupled with the widespread prevalence of Log4j, makes it imperative to patch the vulnerability to avoid any potential attacks.”