When it rains, it pours.
Earlier this week, a vulnerability was discovered in Apache’s Log4j that caused quite a stir among cybersecurity professionals. One of the main issues being that it is extensively deployed by all types of organizations around the world.
Check Point reports that since the vulnerability’s discovery, it is seeing a “pandemic-like spread” of attacks, with over 800,000 attempts in 72 hours, equating to roughly 100 hacks per minute. The company also says that more than 40% of corporate networks worldwide are coming under attack.
As for how severe a vulnerability this is, Tom Kellermann, a former member of the Obama Administration’s cybersecurity commission and the head of cybersecurity strategy at VMware, discussed with The Hill:
“This is one of the worst vulnerabilities in the history of vulnerabilities.
Think of Apache as being one of the legs, one of the giant supports of a bridge that facilitates the connective tissue between the worlds of applications and computer environments.
If you could poison that support, which is essentially what is going on right now by our adversaries, because you have active scanning and exploitation of this vulnerability occurring, you could essentially destabilize these bridges.”
And the vulnerability is likely going to get worse before it gets better.
After an initial patch was issued, Log4j 2.15.0, security researchers discovered it to be “incomplete in certain non-default configurations,” and a new vulnerability was found, CVE-2021-45046.
According to the vulnerability description, threat actors can leverage this “to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack.”
Apache was quick to respond and has released a second patch, Log4j 2.16.0:
“Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.”
Even with the second patch, there is still a possibility that more will emerge. Casey Ellis, the founder and CTO at Bugcrowd, shares his thoughts on the Log4j risk:
“When a vulnerability is discovered and makes as much noise as Log4Shell, it invariably signals that there are additional vulnerabilities in the same software or fixes for that software and triggers additional research and discovery.
In this case, the initial fix provided was developed in a way that mitigated the exploitable symptom, but didn’t properly address the root cause.”
Ellis continues and praises those who have worked diligently to provide a solution for this ongoing problem:
“This also highlights the dangerous dependency open-source users have on libraries which power large portions of the Internet, but are ultimately written and maintained by unfunded volunteers with limited available time.
A huge shoutout to the log4j maintainers, who I’m sure have had an even busier and more stressful week than those in cybersecurity and are working on fixing and improving log4j’s resilience as quickly as they can.”
Someone once said, “with crisis comes opportunity,” and that certainly holds true to this situation that we are all watching unfold before our very eyes.
John Hultquist, the VP of Intelligence Analysis at Mandiant, spoke with SecurityWeek and discussed the current opportunity presented to malicious state-sponsored actors:
“We have seen Chinese and Iranian state actors leveraging this vulnerability, and we anticipate other state actors are doing so as well, or preparing to. We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time.
In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting.
The Iranian actors who we have associated with this vulnerability are particularly aggressive, having taken part in ransomware operations that may be primarily carried out for disruptive purposes rather than financial gain. They are also tied to more traditional cyber espionage.”
The Log4j vulnerability will certainly be discussed at upcoming SecureWorld conferences, which will be in-person and virtually in 2021. Register today!
When it rains, it pours.