In short, the Apache log4j bug is bad. According to Jen Easterly, the director of America’s Cybersecurity and Infrastructure Security Agency, it’s “one of the most serious” that she’s seen in her “entire career.” In a recent media appearance, Easterly told reporters that federal officials fully expect “the vulnerability to be widely exploited by sophisticated actors,” and her colleague, Jay Gazlay, of CISA’s vulnerability management office, helpfully revealed that the bug likely affects “hundreds of millions of devices.”
While everyday web users can’t do much about this whole situation, it might be helpful to know what’s going on. Here’s a quick rundown on all the horribleness.
The affected program, Apache’s log4j, is a free and open-source logging library that droves of companies use. Logging libraries are implemented by engineers to record how programs run; they allow for code auditing and are a routine mechanism to investigate bugs and other functionality issues. Since log4j is free and widely trusted, companies large and small have been employing it for all kinds of stuff. The irony, of course, is that this bug-checking tool now has a bug.
Security researchers have taken to calling the vulnerability “Log4Shell” since proper exploitation can result in shell access (also called “remote code access”) to a server’s system. Its official designation, meanwhile, is CVE-2021-44228 and it carries a severity rating of 10 on the Common Vulnerability Scoring System scale—apparently the worst you can get. It was first publicly disclosed on Dec. 9, less than a week ago, after initially being spotted by a member of Alibaba’s Cloud Security team, a guy named Chen Zhaojun.
Technically speaking, the bug is a zero-day remote code execution vulnerability, which means that it “allows attackers to download and run scripts on targeted servers, leaving them open to complete remote control,” Bitdefender researchers wrote in a recent break-down of the vulnerability. It’s also fairly easy to exploit—criminals don’t have to do much to cause a whole hell of a lot of trouble.
Due to the ubiquity of log4j, most of the biggest platforms on the internet are tied up with the debacle. There are multiple lists that have been published that purport to show just who is affected and who might be affected though, at this point, a totally comprehensive accounting seems like a quixotic ambition. According to various reports, the afflicted include big names like Apple, Twitter, Amazon, LinkedIn, CloudFlare, and more.
Companies that have definitively confirmed their involvement have frequently reported that droves of their products and services need patching. Cloud computing firm VMWare, for instance, reports that 44 of its products are impacted. Networking giant Cisco says that 35 of its tools are vulnerable. Fortigard, a prominent cybersecurity company, recently revealed that at least a dozen of its products are affected. The list goes on and on.
Amazon is obviously one of the biggest companies on that list. The tech giant has been regularly publishing updates related to its affected products and services (of which there appear to be quite a few), while Apple, meanwhile, recently confirmed that iCloud was affected by the bug and subsequently patched itself up. Other companies are still investigating whether they have been screwed or not, including tech giants like Blackberry, Dell, Huawei, and Citrix, as well as prominent tech firms like SonicWall, McAfee, TrendMicro, Oracle, Qlik, and many, many others.
But the bug also has the potential to reach outside of tech and mess with industries you wouldn’t naturally associate with these kinds of problems. Dragos, which analyzes security as it relates to operational and industrial systems, recently wrote as much:
This cross-cutting vulnerability, which is vendor-agnostic and affects both proprietary and open-source software, will leave a wide swathe of industries exposed to remote exploitation, including electric power, water, food and beverage, manufacturing, transportation, and more.
So, that’s the bad news. The good news? JK, there isn’t any good news. Instead, there’s more bad news: This gaping vulnerability is already seeing mass exploitation attempts by hordes of cybercriminals. Security researchers throughout the internet have begun to publish reports on the activity they’re seeing—and it’s not particularly pretty.
A big part of the problem is that most criminals appear to have found out about the log4j vuln at roughly the same time as everybody else. Thus, exploitation attempts on vulnerable systems and platforms have increased exponentially since last week—as hackers throughout the web rabidly seek to take advantage of this uniquely horrible situation. Cybersecurity firm Check Point recently published data showing that it had observed an explosion of exploit attempts since the initial disclosures about the bug. The report notes:
Early reports on December 10th showed merely thousands of attack attempts, rising to over 40,000 during Saturday, December 11th. Twenty-four hours after the initial outbreak our sensors recorded almost 200,000 attempts of attack across the globe, leveraging this vulnerability. As of the time these lines are written, 72 hours post initial outbreak, the number hit over 800,000 attacks.
Sergio Caltagirone, Vice President of Threat Intelligence at cybersecurity firm Dragos, told Gizmodo that this kind of activity was pretty much par for the course. “It is highly likely and expected that ransomware will take advantage of the log4j vulnerability eventually. Especially as the vulnerable systems are likely critical assets such as servers,” he said, in an email.
Indeed, cybersecurity firm Bitdefender published research Tuesday that appears to show exploit attempts on vulnerable machines by a new family of ransomware known as “Khonsari.” According to the research, Khonsari ransomware hackers have been targeting Microsoft systems, leaving behind ransom notes.
And, while ransomware is one of the chief concerns, other cybersecurity professionals have written about a whole variety of attempted exploits they’re seeing—the likes of which run the gamut from cryptomining and botnet installations, to more reconnaissance-type activity, such as general scans and the deployment of Cobalt-Strike beacons.
In many cases, these attacks seem to be coming fast and furious. “We’re seeing >1,000 attempted exploits per second. And payloads getting scarier. Ransomware payloads started in force in last 24 hours,” tweeted Matthew Prince, CEO of Cloudflare, which is also apparently watching exploitation activity.
Making matters worse, a second vulnerability, dubbed CVE-2021-45046, was discovered this week. Researchers at LunaSec said that previously patched systems could still run afoul of the latest bug and Apache has already released an update to mitigate risks.
If you’re a casual web user, the only thing you can really do at this point is to update your devices and applications when prompted and hope that the platforms you’re relying on are speedy enough to identify the vulnerabilities, conjure up patches, and push out updates. In short: Hang in there, everybody.