Log4j vulnerability creates huge potential problems

Some cybersecurity experts have called security holes in the open-source logging tool Log4j, used by hundreds of millions of computers and other connected devices across the globe, one of the most serious software vulnerabilities ever found.

After disclosure last month of the vulnerabilities, organizations have scrambled to update the software. The vulnerability allows attackers to compromise computers, steal passwords, extract data, and install malicious software.

Given the ubiquity of the logging tool, there is potential for the so-called Log4Shell bug to be the “worst vulnerability ever,” Risk Based Security wrote in a blog post. The company said that the vulnerability created a “massive attack surface” that’s easy to exploit.

Since the vulnerability disclosure, hackers have continually tried to take advantage, cybersecurity experts said.

“We’ve seen consistent network scans and exploitation attempts for the Log4j vulnerability across our customers,” said David Blanton, principal detection and response analyst at Expel Security. “The majority, if not all, of this activity has originated from infrastructure that has a known reputation as a scanner or for performing similar activity in the past.”

The Log4j code is contained in hundreds of enterprise software packages, appliances, tools, and cloud services, added Bryson Bort, founder and CEO of cybersecurity vendor SCYTHE. “Log4j represents one of the most comprehensive vulnerabilities ever,” he told the Washington Examiner. “Attackers — new and old — are taking advantage, and we’re seeing increasing scanning activity for the vulnerability across the spectrum.”

The Belgian Defense Ministry reported a Log4j-related breach in late December, resulting in it shutting down parts of its network. “Defense agency networks are generally well protected, with committed security teams working tirelessly to keep attackers at bay,” said Inga Goddijn, executive vice president of Risk Based Security. “The fact that a high-value target like a European defense ministry was successfully infiltrated illustrates just how dangerous these vulnerabilities can be.”

The good news is that many companies paid attention to the initial reports of the problem and have been patching their systems, Blanton told the Washington Examiner. Expel Security’s customers haven’t reported breaches.

“However, we did detect or respond to three incidents very early in the attack life cycle that were the result of Log4j exploitation,” he added. “Once we were notified of or detected successful exploitation, we were able to analyze and identify the activity that took place and provide remediation actions before the attack could proceed.”

However, there will “almost certainly” be some breaches related to Log4j in the coming months, added Craig Rowland, founder and CEO of Sandfly Security. “The log4j issue affects a tremendous number of applications, even down to smartwatches people wear,” he told the Washington Examiner. “We’ll be dealing with the problem for some time as many embedded applications affected can’t be easily updated.”

Rowland said that one of the problems is that security researchers have found additional bugs in the Log4j software code since the first vulnerability disclosure. “These new bugs in Log4j have been fixed, but initial efforts to patch now require another update to mitigate the latest findings,” he added.

In addition, patching these bugs can be complicated, he said. Organizations “are patching where they can find affected libraries,” Rowland added. “However, the libraries with problems can sometimes be many layers deep, so it may be some time before anyone can know if all avenues of attack have been patched.”

The process of fixing all the problems will take time, Bort said. “Companies are trying to patch as quickly as they can,” he added. “Unfortunately, it’s going to be a long process, including the challenge of simply identifying the location of all of the vulnerable code. The Log4j vulnerability is embedded in many technologies that companies use regularly.”