Log4Shell Vulnerability

2021-12-16

What has happened?

On the 9th December 2021 a critical zero-day vulnerability was publicly disclosed in a widely used Java library (a library of ready-made code packages that programmers can use for solving common issues) known as Log4j. Reports state that the vulnerability had initially been reported to Apache in late November [1]. Referred to as 'Log4Shell', it has left organisations around the world scrambling to patch. First exploited on servers for the hugely popular game Minecraft [2], the ubiquity of the Log4j library (commonly installed to monitor software usage in cloud and enterprise apps, and commonly incorporated into the world's most popular web server run by Apache [1]) means that a very large number of platforms will be affected.


What is the impact?

The vulnerability, formally designated CVE-2021-44228, has been deemed critical by NIST [3]. The wide use of this library, alongside the relative simplicity of the exploit, has resulted in a wave of activity around the world. John Graham-Cumming, CTO of Cloudflare, told the Verge that he can only think of two other exploits in the last decade with similar levels of impact [4] (specifically Heartbleed, which allowed access to servers which should have been secure, and Shellshock, which allowed bad actors to run code on remote machines). There are reports of Apple iCloud and Steam [5], along with many other household names, being vulnerable to this exploit mechanism. In a tweet on 13th December 2021 [6], Sophos reported that they had already detected hundreds of thousands of attempts to remotely execute code using this vulnerability, and that searches by other organisations "suggest the vulnerability may have been openly exploited for weeks."

The vulnerability allows bad actors to remotely execute code on a target machine, which could lead to the installation of malicious software (such as that used in ransomware attacks, which can be very costly for companies both in reputation and in money), the theft of private data, the complete takeover of a machine, and other avenues of attack. Many different methods of exploiting this vulnerability are possible, with unconfirmed reports of it being embedded in Twitter handles, web forms and even in-game chats (and a theory has even been posed that it could be exploited offline using a maliciously configured QR code).

The ramifications of this vulnerability are not yet clear. Given the length of time that it could have been known about within (at the very least) limited portions of the black hat community, and the evidence from multiple sources of thousands upon thousands of exploitation attempts, we should expect the true fallout to become apparent only over the coming weeks.


What can be done?

The NCSC (as well as many other parties) has issued advisories [7] to help organisations mitigate the risk from this vulnerability. The steps include installing updated versions anywhere Log4j is known to be used (and, where this is not possible, changing the library's configuration to reduce the risk), as well as carrying out searches to find instances of the library that users are not aware of. Multiple organisations have already taken action (a collated list of vendor statements is being compiled on GitHub [8]), and software and service providers and vendors are being advised to contact their users directly with any advisories and instructions as necessary.
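The third step above, finding copies of the library that nobody knew were deployed, is the one most organisations struggled with, because Log4j is usually bundled inside application archives rather than installed on its own. The script below is an added example written for this article, not code from the NCSC, Apache or any vendor. It walks a directory tree, opens every jar/war/ear archive it finds (including archives nested inside archives), reads the version that Maven-built log4j-core jars record in `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` (an assumed packaging convention, not something the article states), and reports every copy older than whatever fixed version your vendor advisory names. The fixed version is passed in as an argument rather than hard-coded, since the article does not give one. The `build_sample_archive` helper constructs an in-memory fixture so the scanner can be exercised without real library files.

```python
"""Inventory scanner for log4j-core inside jar/war/ear archives (added example)."""
import io
import re
import zipfile
from pathlib import Path

# Maven-built jars carry a pom.properties file at this path; log4j-core's copy
# names the artifact version. This path is an assumed convention, not from the article.
POM_PATH_RE = re.compile(
    r"^META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$"
)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 4  # guard against pathological archive-in-archive chains


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def log4j_core_version(zf):
    """Return the log4j-core version recorded in an open archive, or None."""
    for name in zf.namelist():
        if POM_PATH_RE.match(name):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    return value.strip()
    return None


def scan_archive_bytes(data, origin, findings, depth=0):
    """Append (origin, version) for every log4j-core found, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive (or corrupt): nothing to inventory
    with zf:
        version = log4j_core_version(zf)
        if version:
            findings.append((origin, version))
        if depth < MAX_NESTING:
            for name in zf.namelist():
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    scan_archive_bytes(zf.read(name), f"{origin}!{name}", findings, depth + 1)
    return findings


def scan_tree(root):
    """Walk a directory and scan every archive under it."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive_bytes(path.read_bytes(), str(path), findings)
    return findings


def below_fixed(findings, fixed_version):
    """Keep only copies older than the version the vendor advisory names as fixed."""
    threshold = parse_version(fixed_version)
    return [(origin, v) for origin, v in findings if parse_version(v) < threshold]


def build_sample_archive(version=None, nested=None):
    """Constructed test fixture: an in-memory jar that optionally carries a
    log4j-core pom.properties and/or nested archives. Not a real library build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        if version:
            zf.writestr(
                "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
            )
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python scan.py <directory> <fixed-version-from-advisory>
    root, fixed = sys.argv[1], sys.argv[2]
    for origin, version in below_fixed(scan_tree(root), fixed):
        print(f"{origin}: log4j-core {version} is older than {fixed}")
```

The `origin!entry` notation in the output shows exactly where a nested copy lives (for example `app.war!WEB-INF/lib/log4j-core.jar`), which is what you need when the fix is to rebuild or repackage an application rather than to patch a system-wide install. Shaded or renamed jars that drop the Maven metadata will not be found by this check, so treat its output as a floor on the number of copies, not a ceiling.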

Furthermore, the potential risk to users of affected organisations should also be considered. Given the possible breadth of this exploit, we should expect an almost inevitable increase in account takeovers and misuse of personal and financial information, alongside phishing and other scams.


References

  1. MSN: Log4j vulnerability explained: What Apache security flaw means and how hackers could exploit Java servers
     https://www.msn.com/en-gb/money/technology/log4j-vulnerability-explained-what-apache-security-flaw-means-and-how-hackers-could-exploit-java-servers/ar-AARNVQz
  2. Ars Technica: Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet
     https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/
  3. NIST NVD: CVE-2021-44228 Detail
     https://nvd.nist.gov/vuln/detail/CVE-2021-44228#vulnCurrentDescriptionTitle
  4. The Verge: 'Extremely bad' vulnerability found in widely used logging system
     https://www.theverge.com/2021/12/10/22828303/log4j-library-vulnerability-log4shell-zero-day-exploit
  5. Hacker News discussion
     https://news.ycombinator.com/item?id=29499867
  6. SophosLabs on Twitter, 13th December 2021
     https://twitter.com/SophosLabs/status/1470213367142965254?s=20
  7. NCSC Alert: Apache Log4j vulnerability (CVE-2021-44228)
     https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
  8. Collated list of vendor statements (GitHub gist)
     https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
