Weeks after the infosec community breathed a sigh of relief from a relatively uneventful Black Friday weekend, the calm was shattered by the discovery of a massive open source software vulnerability that rivals some of the worst security meltdowns of the past two decades.
A security researcher in China discovered a vulnerability in Log4j, which could allow even the most unsophisticated threat actor to take remote control over millions of consumer gaming, IoT and other devices as well as systems dedicated to the enterprise.
Major industrial and consumer technology firms in the U.S. have launched internal probes to determine whether their products include Log4j. The relative ease of exploiting the vulnerability opens up much of the industrial world to malicious cyberattacks, data theft and potentially extortion.
Here's a rundown of what the security industry knows thus far:
Log4j origins
In late November, during the Thanksgiving holiday weekend in the U.S., Chen Zhaojun, a member of the Alibaba Cloud Security Team, discovered the Log4j vulnerability and alerted the Apache Software Foundation.
Log4j is a Java-based logging utility that is used in hundreds of millions — if not billions — of devices worldwide. The vulnerability, which security researchers have dubbed Log4Shell, allows a threat actor to access a device remotely to gain entry into IT systems without authentication.
The impact
Log4j is widely used across consumer and enterprise systems, in everything from iCloud, Steam and Minecraft, to Fortinet, IBM, Microsoft, Red Hat, Salesforce, Siemens, and other vendors. Dozens of vendors have already released patches and security updates.
The vulnerability is also having significant impacts on MSPs, security researchers at Huntress said. IT management tool provider N-able has deployed patches for vulnerable components in its RMM and risk intelligence products. ConnectWise, which makes automated patch management software, issued updates for its Perch cloud service due to potentially vulnerable third-party components.
What makes this particular vulnerability so dangerous is that an attacker does not need sophisticated programming experience or an engineering background to exploit it. They can simply write a line of code and gain remote access to a device.
Nature of the threat
After the initial public disclosure of Log4j on Dec. 9, security researchers found indications of mass scanning activity by potential threat actors. Early on, attack activity was mostly limited to botnets and cryptomining.
However, in the days since, Microsoft has confirmed nation-state activity from threat actors in China, Iran and North Korea, as well as Turkey. Mandiant researchers also saw activity from China and Iran, and they expected other nation-state activity to follow. Researchers at SecurityScorecard say they have seen nation-state activity from Russia, alongside evidence of the Drovorub malware, a toolkit linked to APT28.
"We expect several state actors are already ramping up," said John Hultquist, VP of intelligence analysis at Mandiant. "The reality of hunting spies is you will not see everything. The opportunity is too good for many of them to ignore."
Initial ransomware attempts have been linked to a new strain called Khonsari, according to Bitdefender.
Check Point Software identified more than 2.8 million attempts to exploit the vulnerability, and more than 46% of those came from known malicious groups. Malicious actors have made attempts on more than 47% of corporate networks worldwide, Check Point said.
Federal response
The Cybersecurity and Infrastructure Security Agency formed a senior leadership group within the Joint Cyber Defense Collaborative to respond to the Log4j vulnerability, which has been added to CISA's catalog of known exploited vulnerabilities.
Log4j is the most serious vulnerability CISA Director Jen Easterly has seen in her career, which spans multiple decades, she told CNBC. CISA has issued detailed guidance to help companies and other organizations mitigate the impact of Log4j.
The FBI is asking organizations to contact the bureau if they think they have been compromised through Log4j. Organizations can submit complaints through fbi.gov/log4j and the Internet Crime Complaint Center. The FBI or CISA may reach out for additional information.
Lingering questions
What remains to be seen is what impact this will have on critical infrastructure, private industry and public sector agencies down the road. Threat actors are lining up to take advantage of Log4j, but at this time there is no direct evidence linking recent ransomware and other attacks to the vulnerability.
Additionally, there will likely be a dialogue involving key private sector stakeholders and federal officials about what steps are needed to prevent such a massive software vulnerability from happening again. Will the software bill of materials movement sufficiently protect against the risks involved with flawed applications?