In terms of cybersecurity, 2021 had an eventful end as security researchers identified a significant issue with the Apache Log4j software library. By exploiting the remote code execution (RCE) vulnerability that became known as Log4Shell, bad actors can potentially commandeer the system running the program, according to guidance from the Cybersecurity & Infrastructure Security Agency (CISA).
After researchers uncovered the RCE issue, additional vulnerabilities involving denial-of-service and untrusted deserialization as well as remote code execution came to light, according to the Center for Internet Security (CIS) Log4j Zero-Day Vulnerability Response page. Apache released fixes for the known issues. The page (last updated on January 7, 2022) states, “We expect this cycle of vulnerability-fix vulnerability-fix will continue as attackers and researchers continue to focus on Log4j.”
Because Log4j software is everywhere, the presence of these flaws means millions of web applications, enterprise software solutions and consumer products are potentially at risk, according to the Federal Trade Commission (FTC). In December, The Wall Street Journal reported that Akamai Technologies Inc. recorded 10 million Log4Shell exploitation attempts per hour in the U.S., and impacted suppliers and software included Minecraft, IBM, Twitter and Amazon, among many others.
The CISA and FTC urge anyone who could be affected (including companies across all industries) to identify all assets that utilize Log4j, update to the latest version of the software, and monitor for unusual traffic and signs of compromise. Potentially affected organizations should review the Apache Log4j Security Vulnerabilities page and the CISA’s GitHub repository, which includes a list of affected vendors.
Key takeaways from the Log4j vulnerabilities and exploits
The issues with the Log4j library impact multiple industries and have inspired a new surge of cybercrime. A Microsoft Security blog entry on Log4j vulnerabilities notes that the remote code execution issues have created a novel attack vector and led to hacking involving mass-scanning, coin mining, red-team activity and remote shell establishment.
Reflecting on the identification and ongoing exploitation of issues in Log4j software, here are a few key points to take away from the situation.
1. A comprehensive cybersecurity program is critical if you want to combat zero-day threats like Log4Shell.
As noted in a previous Cyber Corner post, zero-day threats – which are brand new and therefore capable of bypassing signature-based defenses – have been on the rise for a while. WatchGuard’s Threat Lab found that 74 percent of malware detected during the first quarter of 2021 was zero-day.
If you want to minimize the damage zero-day exploits like Log4Shell can do to your systems, you need a team of IT security professionals to implement and manage advanced solutions such as extended detection and response (XDR) as well as deliver incident response services. It’s crucial to proactively monitor for signs of compromise and have experts on your side capable of rapidly identifying and remediating threats.
2. Staying up-to-speed on patching is crucial.
The Log4j library is far from the only software that could leave you vulnerable to cyberattacks if you fail to update it. Ensure your IT team or an external service provider routinely patches and updates all the programs you rely on to keep your risk level low. Running outdated software could not only lead to a data breach but could also land you in hot water legally: The FTC notes that organizations that don’t locate and patch vulnerable Log4j software might violate the Federal Trade Commission Act.
3. Reliance on open-source software maintained by often underfunded teams of volunteers is increasingly unsustainable.
The cybersecurity crisis caused by the Log4j vulnerabilities has shed light on the larger issue of the internet’s reliance on open-source programs maintained by volunteers with limited incident response resources, according to the MIT Technology Review article “The internet runs on free open-source software. Who pays to fix it?”
Filippo Valsorda, a cryptography engineer with Google, told the Review that companies should find ways to pay the developers who maintain open-source software. In August 2021, for example, Google announced plans to invest $10 billion over 5 years in various cybersecurity initiatives, including efforts to improve open-source security.
The FTC notes that Log4Shell represents only “part of a broader set of structural issues” and is one of thousands of open-source services that constitute critical internet infrastructure.
“This overall dynamic is something the FTC will consider as we work to address the root issues that endanger user security,” the agency notes in a blog entry on Log4j.
Ultimately, the fallout of the Log4j issues underscores the need for a proactive and current cybersecurity strategy. Our advisors can connect you with leading managed security service providers (MSSPs) and IT security solution suppliers to keep your risk level low and minimize the damage caused by any threats that slip past your defenses with incident response services.
For details, please give us a call at 877-599-3999 or email email@example.com.