A vulnerability in a widely used open-source logging tool from the Apache Foundation has left millions of web applications at the mercy of cybercriminals. The zero-day vulnerability, known as Log4Shell, is caused by a problem in Apache’s Log4J logging library and allows threat groups to launch remote code attacks against affected systems.
Cybercriminals are currently using the vulnerability to hack into servers and mine cryptocurrencies, and could soon move on to trying to steal valuable personal data. Patching is the only solution to the problem, but tracking down all affected applications may not be that simple, experts have warned.
Update: Is Spring4Shell vulnerability the new Log4J?
What is the Log4j zero-day vulnerability?
Details of the vulnerability, dubbed CVE-2021-44228, were published on Github on Friday, and it has since been exploited in numerous ways. The vulnerability is caused not by a bug, but a logging feature that can be exploited by criminals, explains Paul Ducklin, principal research scientist at security company Sophos. “It’s a feature that was built into this logging-for-Java program, which actually comes from Apache”, he says. Log4J is a feature that allows someone to customise their logging, continues Ducklin. “It’s a fantastic feature that makes that makes your logging super easy,” he says. “Unfortunately, somebody figured that it also makes it very easy for almost anybody who wants to exploit this.”
The vulnerability can be used to access compromised systems and remotely launch code, meaning that cybercriminals can potentially use it to steal data or launch malware.
Where is Log4j used?
Log4j is used by millions of web applications, including Minecraft, Apple iCloud, Twitter and Steam. It is widely deployed in enterprise tech and as part of cloud platforms, and as a result data from businesses around the world which use these services could potentially be accessed by criminals. “The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers,” says the Microsoft 365 Defender Treat Intelligence Team in their analysis.
Why is the Log4j exploit so dangerous?
This vulnerability is dangerous because, Ducklin says, it is “extravagantly exploitable”. No real hacking ability is needed to take advantage of the weakness, “You literally just send it a command saying ‘here’s a website, there’s a program on it. Go and get it and run it,” he says.
To compound matters, the widespread use of Log4J means systems everywhere will have duplicates of the vulnerability, making it difficult to remove. “Each app could have its own separate copy, so even if you have it installed as an operating system package and you update that, there may be other copies of the vulnerable code elsewhere on your server that some other apps use,” says Ducklin.
How has the Log4j vulnerability been used so far?
The biggest threat from this vulnerability appears to be illegal crypto mining. “It seems the main way crooks are using this to steal money from people so far has been through crypto mining, where you steal someone else’s electricity or disk space to make crypto do cryptocurrency transactions, but you keep the money yourself,” Ducklin says. “You can not only use this to plant malware for things like crypto mining [but] you can also use this as a way of exfiltrating data out of the network.”
He adds: “In amongst all the actual attacks, we also have an enormous background radiation of people just trying this to see what happens.”
How to defend your system against the Log4j exploit
Conducting a thorough audit of affected systems and patching the vulnerability everywhere it appears is the only real solution, Ducklin says. A tool has been made available on GitHub to help detect the exploitation. The UK’s National Cyber Security Centre has issued guidance about how to protect systems against the vulnerability.
But patching may not be as easy as it seems. “The simple solution is to apply the patch,” Ducklin says. “The difficult part is that it’s everywhere. You basically have to scan through everything to find out where this thing is because it will probably show up in some far-flung and unexpected places.”
While businesses race to patch their systems, cybercriminals will continue to find new ways to exploit the vulnerability. “Considering the fact that at the moment we’re fighting a sort of pretty big battle against ransomware, it could be pretty dire if people don’t rush to patch and patch properly,” Ducklin says.