Log4j – Pandemic of the Year?

IBM, Oracle, Google and Amazon may have been exposed to one of the most serious cybersecurity threats ever seen. Here’s how:

Source: Check Point Research

On 24 November 2021, Chen Zhaojun of the Alibaba Cloud Security team promptly reported the initial traces of a software vulnerability that could potentially impact hundreds of millions of devices all over the world. The vulnerability – something Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency of the United States, considered “one of the most serious” flaws she had ever seen in her career – became apparent to the world rather soon.
 
“It will take years to address this while attackers will be looking… on a daily basis [to exploit it],” according to David Kennedy, CEO of cybersecurity firm TrustedSec. “This is a ticking time bomb for companies.”
As of 14 December, over 100 hacking attempts were occurring per minute, according to research from cybersecurity firm Check Point.
Log4j: Turtling all the way down
One of the most popular Java-based logging libraries used online, Log4j gives software developers an efficient way to record activities such as auditing, data tracking and troubleshooting. Given that it is open-source and free, it touches several aspects of the internet. An excerpt from a December 16 report from CNN quoted Chris Eng, the chief research officer at cybersecurity firm Veracode:
“It’s ubiquitous. Even if you’re a developer who doesn’t use Log4j directly, you might still be running the vulnerable code because one of the open-source libraries you use depends on Log4j. This is the nature of software: It’s turtles all the way down.”
The vulnerabilities in Apache Log4j, a Java-based logging utility software used by several large global organisations to configure applications, pose major threats to “much of the internet”. CNN reports, “Apple’s cloud computing service, security firm Cloudflare, and one of the world’s most popular video games, Minecraft, are among the many services that run Log4j, according to security researchers.”
A blog from Microsoft reads: “The CVE-2021-44228 vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component.”
Experts are particularly concerned by this vulnerability because it would essentially allow hackers not only to gain easy access to any company’s computer server, but also to reach any part of its private network and run their own code on every component that requires the use of Log4j. Additionally, it would be next to impossible to figure out exactly where the vulnerability lay and whether a system had already been compromised.
Yet another vulnerability was spotted on December 14; the Apache Software Foundation soon released a fix for all organisations to apply.
Cyber Pandemic?
According to American-Israeli outlet Check Point Research, a pandemic-like outbreak has been recorded since news of the vulnerability first blew up on the internet on December 9th. The number of attacks being perpetrated by hackers around the world recorded an initial surge of almost 200,000 on the first day itself. As of three days after the initial outbreak, the volume of attacks had crossed the 800,000-mark.
Coming in about a year since the infamous SolarWinds attack, it is being regarded as one of the most serious software vulnerabilities on the internet in recent years – and the potential for damage is almost incalculable.
Source: Check Point Research

In fact, Check Point Research regards this as a truly global ‘cyber pandemic’, with over 90 countries in the world already affected by the attacks. As commented in an excerpt from the report: “..the impact itself is also wide and reaches peaks of countries seeing over 60% of corporate networks impacted, and many distributions seeing over 50% of corporate networks within the country being impacted.”

As it stands, given the degree of complexity involved in patching the software and the ease with which it can be exploited, the vulnerability is set to stay with us indefinitely unless global corporations make an immediate collective effort.

Image by Pete Linforth from Pixabay
