Security experts are already seeing widespread scanning for the Log4j vulnerability (also dubbed ‘Log4Shell’) on internet-connected devices running vulnerable versions of Log4j version 2, which have been under attack since December 1, although the bug became common knowledge on December 9.
So far, Microsoft has seen attackers compromise machines to install coin miners, the Cobalt Strike pen-testing framework to enable credential theft and lateral movement, and exfiltration of data from compromised systems.
LOG4J FLAW COVERAGE - WHAT YOU NEED TO KNOW NOW
Security warning: New zero-day in the Log4j Java library is already being exploited Log4j RCE activity began on December 1 as botnets start using vulnerability
These attacks appear to be opportunistic cyber-criminal activity thanks to its ease of exploitation, but top officials at the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) fear “sophisticated actors” will also pounce on the bug soon.
“This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” Jen Easterly, director of CISA said in a call shared with CNN. Easterly has spent 20 years in various federal cybersecurity roles.
“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” she said. The call, with US critical infrastructure owners and operators, was first reported by CyberScoop.
Jay Gazlay of CISA’s vulnerability management office warned that hundreds of millions of devices are likely to be affected.
Log4J is a popular Java library for logging error messages in applications. It’s vulnerable to a critical flaw, tracked as CVE-2021-44228, that lets any remote attacker take control of another device on the internet, if it’s running Log4J versions 2.0 to 2.14.1.
The Apache Software Foundation has released version 2.15.0 to address the flaw, but product vendors still need to apply the fix in their products and then end-user customers need to update their devices once their vendor’s fix becomes available.
The flaw highlights known risks arising from software supply chains when a key piece of software is used within multiple products across multiple vendors and deployed by their customers around the world.
LOG4J FLAW COVERAGE - HOW TO KEEP YOUR COMPANY SAFE
Log4j zero-day flaw: What you need to know and how to protect yourselfLog4j flaw: Attackers are making thousands of attempts to exploit this severe vulnerability
It’s not a simple fix to address all vulnerable devices. As Sans Internet Storm Center notes: “There is no generic ’log4j2’ patch to patch everything. In some cases, vendors including Log4j, need to patch their software to include the new version.”
Rapid7 had a similar warning: “Organizations should be prepared for a continual stream of downstream advisories from third-party software producers who include Log4j among their dependencies.”
SEE: Hackers are turning to this simple technique to install their malware on PCs
Rapid7 itself has been investigating its products’ exposure to the Log4j bug and has deployed server-side fixes for several affected products.
Historically slow uptake of new security patches means attackers will likely have months if not years to find and exploit vulnerable devices, security experts warned this week.
The Log4j bug is internet-wide, prompting advisories from Australia, New Zealand, Canada, the UK, Sweden, Germany, Singapore, and elsewhere. Canada’s Revenue Agency took some services offline on Friday after learning of the flaw, according to CBC.