Log4j attacks: All you need to know about new-found software flaw
Highlights
- A major flaw was found in a computer library called Log4j, a logging tool extensively used by software developers.
- It forms part of the popular Java programming language, which runs on millions of computers and mobile phones.
- Security experts say the full impact of the new-found flaw has yet to come, as end-users are scrambling to put in a fix.
A bombshell hit the internet world recently: a flaw (or bad code) inside a Java-based software known as “Log4j” was discovered. Worse, security experts warned that hackers are now actively scanning the internet for systems that they can hijack through this new-found "hole", also known as "vulnerability".
Security researchers recently began warning about a new vulnerability — tracked as “CVE-2021-44228”.
Much has been said about log4j, dubbed as the “most serious vulnerability” todate, tech magazine Wired reported. Here's a quick Q&A on the subject:
What is Log4j?
Log4j is a programming code written in Java computer language. It was created by Apache Software Foundation volunteers to run on different platforms — including macOS, Windows and Linux.
The flaw was identified on Java library file that is used by every application.
Java is a free, open-source software that creates a built-in “log” or record of activity — sort of a diary — used by software developers to troubleshoot problems or track data within their programs. Its wide use — plus the fact that it is free — have spread the logging library to all corners of the web.
“The flaw was identified on Java library file that is used by every application,” said Akram Khazi, chief executive officer of UAE cybersecurity company RAS Infotech Ltd.
Who uses Log4j?
Among software developers, log4j is an extremely popular tool. Log4j is a useful and popular software development logging package, written in Java programming language. One reason why logging with log4j is important: it’s a reliable, fast and flexible logging framework for programming application interfaces (APIs).
The tool has three main components: loggers, appenders and layouts. Together, they enable developers to do the following:
- Log messages according to message type and level,
- Control at 'runtime' how these messages are formatted; and
- Control where they are reported.
It also provides additional logging capabilities, like log levels (fatal, error, warn, etc), mechanisms to write to different log files and log rolling patterns, among others. This is why log4j is a widely used open-source logging library for Java apps.
It's due to the tool's ubiquity that the damage could be unbelievably extensive. "This library is omnipresent,” Khazi told Gulf News. “This could affect smartphones, the web, and apps."
“Logging is critical in everything we do. Because this library is used by most web services in the world, it means that most web services are vulnerable to attack,” Sergio Caltagirone, vice president of threat intelligence of said cybersecurity firm Dragos explained.
What is the problem with the log4j 'flaw'?
Hacking attempts or attacks had already been detecting using Log4j exploit.
3.7million
A hacking groups have been detected attempting to use the vulnerability to breach government agencies and businesses, according to the cybersecurity company Check Point.
How many hacking attempts had been reported exploiting the vulnerability?
More than 3.7 million hacking attempts had been made to exploit the vulnerability, leading cybersecurity firm Checkpoint reported recently — with more than 46% conducted by known malicious groups.
Some of the hacking events related to the log4j flaw:
- Log4j vulnerability is now used to install Dridex banking malware, according to Bleeping Computer.
- The Belgian Defense Ministry has also confirmed a cyberattack through a Log4j exploit, ZDnet reported.
- Most hacking attempts using Log4j so far have involved attackers trying to install cryptocurrency “mining” software on victims’ computers.
Why is the Log4j flaw the ‘serious’?
Cybersecurity firms warn that ransomware criminals and hackers linked to foreign governments have already attempted to exploit the vulnerability to gain access to computer systems of their targets. US officials say civilian federal agencies are “very likely” utilising products with the embedded vulnerability.
Who is vulnerable? Who could get affected?
The list of potential victims covers nearly about 30% of the world’s web servers, according to cybersecurity firm Cybereason. That means Twitter, Amazon, Microsoft, Apple, IBM, Oracle, Cisco, Google, and one of the world's most popular video games — Minecraft — could be open to attacks. A huge list of tech and industry giants running the popular software code, are theoretically exposed to the vulnerability.
Log4j vulnerability is “omnipresent”, said US Department of Homeland Security Secretary Alejandro Mayorkas, whose department oversees CISA, said recently. “The challenge it presents is its prevalence.”
Following are some of concerns about a worst-case scenario in case of a successful attack:
- Entire e-commerce sites could go down in the run-up or during the Christmas holiday.
- Manufacturers could not be able to ship or receive goods.
- It could mean water utilities with automated and remote management systems are now vulnerable to attacks.
Mark Ostrowski, head of engineering with security firm Checkpoint Research, said the log4j programming code has been downloaded more than 400,000 times — and it’s anyone’s guess how many times it's even been used following those downloads.
When did the attacks start?
On November 24, a group of volunteers under the Apache Software Foundation were alerted of the vulnerability — after a member of Alibaba's cloud security team discovered it.
Early this month, a warning sent shockwaves through the cybersecurity community — after makers of the popular video game Minecraft shared the vulnerability in a blog post.
This alerted gamers. It meant hackers had identified a flaw in their game that could be used to hijack their computers. A “patch” was released to plug the Minecraft vulnerability. But cybersecurity experts quickly discovered that the vulnerability at fault was embedded in the widespread software tool used for more than just Minecraft.
How are hackers exploiting it?
State-backed actors
US officials say they have not yet observed “highly sophisticated attacks” from nation-state actors. “It has largely been low level activities such as crypto-miners,” CISA Executive Assistant Director Eric said Tuesday, “but we do expect that adversaries of all sorts will utilise this vulnerability to achieve their strategic goals.”
In a blog updated on December 17, 2021, Microsoft reported that state-backed hackers from several countries have tried to capitalise on the log4j flaw.
An Iran-linked hacking group known as APT 35 or “Charming Kitty” has attempted to exploit the Log4j vulnerability against seven Israeli targets across the government and business sectors, Checkpoint Research reported.
Ransomware
Threat research teams are now tracking attemps to penetrate victims by ransomware-as-a-service organisations who broker access into vulnerable networks to the highest bidder. Researchers at cybersecurity firm Cybereason have observed hackers attempting to deploy various ransomware variants including:
- Quantam
- Kimsuky
- Muhstik
- Cerber
- Black Sun
- Khonsari
How is Log4j hacking detected?
Only through close monitoring can digital security professionals detecting whether the log4j vulnerability is hacked. This can take weeks — if not months.
Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA) predicts consumers will be grappling with the vulnerability for “a very long time”.
“This is not going to be something that's going to be patched and finished. This is something we're going to be working on, likely, for months, if not years,” she added.
Is there a 'vaccine' against the threat? How can companies and consumers protect themselves?
Some fixes, known as "patches", and technical support have been released widely. The Apache Software Foundation has already posted upgrades to its tool. Moreover, Microsoft has also encouraged customers to contact software application providers to confirm they're using the Java programming language.
CISA recommends that companies examine their internet-facing programs that employ Log4j, respond to alerts connected to these devices and install a firewall with automatic updates. For those unable to immediately patch the vulnerability, Cybereason has released a free "vaccine" to temporarily stave off intruders.
What is the full impact of Log4j vulnerability?
Khazi advised corporates to identify all apps they use and update the patch. Apache has recently released patch, while Microsoft also released an update. "But many developed their applications using this library. Hence they need to update same. So does every vendor who has a software that uses this library.”
With Log4j vulnerability, the full extent of the threat or its impact is yet unknown, said experts.
End users, both corporates and consumers, are advised to remain vigilant for updates on their devices, software and apps.