What is log4j: Untangling the Biggest Cybersecurity Vulnerability in History
Find out why security experts are calling the newly-discovered log4j vulnerability “apocalyptic” — and discover what the vulnerability means for you.
From the SolarWinds hack that came to light in December 2020 to the February 2021 attack on a Florida water treatment plant, there have been a number of high-profile cybersecurity incidents over the past year. On December 9th, whispers of a new vulnerability worse than all those that preceded it began rippling through the cybersecurity community. Within a day software companies the world over were in crisis mode desperately trying to figure out what the vulnerability meant for their products and how they could patch it before hackers could take advantage.
It wasn’t long before words like “apocalyptic” were being thrown around to describe the vulnerability, which is in an extremely common section of Java code called log4j that’s used in millions of systems running everything from Amazon and Google to hospitals and militaries. With that much reach, it’s no surprise that U.S. Cybersecurity and Infrastructure Security Agency director Jen Easterly called log4j “The most serious vulnerability I have seen in my decades-long career.”
But what exactly is the log4j vulnerability and what does it mean for regular businesses and computer users? Read on to get the answers to these and other pressing questions about the biggest cybersecurity vulnerability in history.
What is the log4j Vulnerability and Why is it so Dangerous?
The Apache log4j vulnerability, also called “Log4Shell,” is a vulnerability discovered in the log4j logging framework. Because log4j is an open-source code designed to be used by any application running the incredibly popular Java, it has been used by millions of websites and services around the world. All of these are now at risk due to the vulnerability.
There are three reasons why the log4j vulnerability is particularly dangerous. The first is the ubiquity of log4j. The Java programming language has been a basis for software since the mid-1990s. The vulnerability means that huge swaths of the computer code that forms the basis for modern life is now open to attack. The potential impact cannot be overstated. Cloud storage companies like Amazon, Microsoft, and Google, whose programs are the digital backbone of millions of other applications, are all affected. Software giants like IMB, Salesforce, and Oracle are also seeing the impact.
The second reason for the danger is that the log4j vulnerability is very straightforward to take advantage of. All a bad actor has to do to take over a device or system is to type in a line of bad code. It’s so simple that in the Minecraft video game (where some believe the vulnerability was first identified), all you have to do to take advantage of the vulnerability is type a line of malicious code into the public chat box during the game. And those lines of malicious code are available everywhere, with some Twitter users even changing their names to lines of bad code.
The final reason is that the vulnerability is incredibly powerful. While some vulnerabilities will let bad actors get past parts of a system’s defenses, a single vulnerability typically won’t eliminate the strength of all of a system’s defenses. Not so with log4j. The vulnerability gives threat actors access to the heart of whatever system they get into, bypassing all of the standard defenses software companies put in place to block attacks.
It is for all of these reasons that the log4j vulnerability has been given the highest possible risk rating.
How Are Hackers Responding to the log4j Vulnerability?
Although the log4j vulnerability was present for years, it is unlikely that criminal hackers knew about it before it went public a couple weeks ago. Now that it’s on their radars, though, it should come as no surprise that threat actors are jumping on the opportunity to exploit the vulnerability. Its ease and power make it too good to ignore. Reports show that hackers are trying out dozens of variations of the original exploit to try to get past device and system defenses. There were over 1.8 million attempts to exploit the vulnerability just in the first week after it came to global attention.
While most of the initial hacking has focused on hijacking computers to run bitcoin mining software, we are now seeing the rise of state-backed hackers trying to leverage the vulnerability. On December 15th, there were reports Iranian state-backed hackers tried to break into Israeli government and business targets using the vulnerability.
For more everyday hackers looking to exploit businesses and organizations, log4j also offers new opportunities for ransomware attacks that freeze owners out of their networks. Phishing emails present a particularly simple way for hackers to plant bad code.
Staying Secure in the Face of the log4j Vulnerability
Since the log4j vulnerability came to public attention, computer programmers and security experts have been working around the clock to identify and address the vulnerability in their software. What makes tackling this vulnerability particularly challenging is the fact that so many systems of all shapes and sizes run it. Finding and addressing each and every appearance of log4j code is a Herculean task that has even spawned its own memes.
Even if it’s a challenge, it’s essential that businesses devote the necessary resources to identifying the vulnerability in their systems and addressing it right away, whether that means patching the code or replacing it. Fortunately, the big guys like Google and Amazon are working hard to eliminate the vulnerability in their services — but that doesn’t leave smaller organizations off the hook. It’s important to continue practicing cybersecurity best practices in the face of log4j, including identifying and avoiding social engineering emails — which will likely be on the rise in the coming weeks — ensuring all your applications and software are up to date with the latest upgrades and patches, and making sure you have a multi-layer security posture in place.
If you’re worried about what the log4j vulnerability means for your business and what you can do to stay secure, reach out to the team at Turn-key Technologies, Inc. (TTI). Our experts will work with you to ensure your organization is cyber secure in the face of this and other cyber threats that may arise in the future. Get started today!
By Tony Pugielli