IT defenders are advised to take immediate action as the next few days could see a massive upsurge of exploits.

Over the weekend, a software vulnerability was dubbed “the biggest threat in the history of modern computing” by a cybersecurity firm.

According to a blog by CrowdStrike, Log4Shell, a vulnerability in the Log4j2 library, has set the internet “on fire”, as defenders scramble to patch the bug while malicious actors look to exploit it.

Key points about the Log4j2 vulnerability, drawn from the CrowdStrike blog, are spelt out here:

  • Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers.
  • Between late November and early December 2021, a critical vulnerability (CVE-2021-44228) impacting the Log4j2 utility was reported, resulting in several fixes and code revisions from the vendor.
  • The Log4j2 library is used in numerous Apache frameworks and services, and as of 9 Dec 2021, active exploitation has been identified in the wild. At the time of this writing, CrowdStrike and external sources confirm active and ongoing attempts to exploit CVE-2021-44228.
  • This vulnerability is being widely exploited in the wild, and it is highly advisable to assess the use and impact of log4j and patch as soon as possible.

According to Jacqueline Jayne, Security Awareness Advocate, KnowBe4: “Log4Shell exploits vulnerabilities within servers to install malware and gain access to organizations. While IT is focusing on patching these vulnerabilities and monitoring their environments, it is just as critical to ensure your employees are aware of the potential outcomes should malware be successfully deployed and cybercriminals gain access to your or another organisation’s system.”

According to Jayne, once in a system, cybercriminals can send out phishing emails (malicious emails) to all the contacts in everyone’s email accounts across the entire organization. “What’s more, these emails will come from you and your organization so the chances of the receiver engaging in these emails are extremely high. The same can occur in reverse. While your organization may be completely safe from Log4Shell, it only takes one external organization that one of your employees has had email contact with to fall victim for there to be a high chance that they will receive and engage with a phishing email (that looks completely safe). The stakes are high so please make sure you communicate to your employees about the potential risks. Cybersecurity Awareness is everyone’s responsibility and if you have been educating your employees on the potential dangers you have already reduced your risk in this situation.”

Brace for more attacks in days to come

Another expert, Principal Research Scientist Paul Ducklin, Sophos, noted: “Since 9 Dec, Sophos has detected hundreds of thousands of attempts to remotely execute code using the Log4Shell vulnerability. Initially, these were Proof-of-Concept exploit tests by security researchers and potential attackers, among others, as well as many online scans for the vulnerability. This was quickly followed by attempts to install coin miners, including the Kinsing miner botnet. The most recent intelligence suggests attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Service accounts. There are also signs of attackers trying to exploit the vulnerability to install remote access tools in victim networks, possibly Cobalt Strike, a key tool in many ransomware attacks.”

Many software vulnerabilities are limited to a specific product or platform, such as the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange. “Once defenders know what software is vulnerable, they can check for and patch it. However, Log4Shell is a library that is used by many products. It can therefore be present in the darkest corners of an organization’s infrastructure, for example, any software developed in-house. Finding all systems that are vulnerable because of Log4Shell should be a priority for IT security.”
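The CrowdStrike advice above to assess where log4j is used, and the Sophos point that the library hides inside many products including in-house software, both come down to one inventory task: find every copy of log4j-core on disk, including copies buried inside WAR or EAR bundles, and compare each version against the fix level in the vendor advisory. The Python script below is an added example written for this article; it is not code from CrowdStrike, Sophos or the Log4j project. It assumes the Maven pom.properties convention (META-INF/maven/<groupId>/<artifactId>/pom.properties inside the archive), the Log4j 2 Maven coordinates org.apache.logging.log4j:log4j-core, and a fix threshold of 2.15.0, the first release Apache shipped for CVE-2021-44228; treat that threshold as an assumption and take the current value from the Apache advisory. The directory tree it scans in the demo is constructed in a temporary folder so the script runs offline.

```python
"""Inventory log4j-core archives under a directory and flag versions below a fix threshold.

Added example for this article, not CrowdStrike, Sophos or Log4j project code.
"""
import io
import os
import re
import tempfile
import zipfile

# Log4j 2 Maven coordinates; POM_PATH follows the standard Maven pom.properties layout.
LOG4J_GROUP = "org.apache.logging.log4j"
LOG4J_ARTIFACT = "log4j-core"
POM_PATH = f"META-INF/maven/{LOG4J_GROUP}/{LOG4J_ARTIFACT}/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Assumption: first release that addressed CVE-2021-44228. Confirm the current
# threshold against the Apache advisory before relying on it.
MIN_FIXED_VERSION = "2.15.0"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Suffixes such as '-rc1' are dropped; missing parts become 0."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not match:
        return None
    return tuple(int(part or 0) for part in match.groups())


def log4j_version_in(zf):
    """Return the log4j-core version declared in an open archive, or None if absent."""
    try:
        data = zf.read(POM_PATH).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(zf, label, findings, depth=0):
    """Record (label, version) for this archive and recurse into nested archives (fat JARs, WARs)."""
    version = log4j_version_in(zf)
    if version:
        findings.append((label, version))
    if depth >= 2:  # bound recursion on pathological nesting
        return
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, f"{label}!{name}", findings, depth + 1)


def scan_tree(root):
    """Walk a directory and return every (archive label, log4j-core version) pair found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, path, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def vulnerable(findings, min_fixed=MIN_FIXED_VERSION):
    """Keep findings below the threshold; unparseable versions are kept for manual review."""
    floor = parse_version(min_fixed)
    flagged = []
    for label, ver in findings:
        parsed = parse_version(ver)
        if parsed is None or parsed < floor:
            flagged.append((label, ver))
    return flagged


def _make_jar(path, version=None, nested=None):
    """Write a constructed archive, optionally with a log4j-core pom.properties and nested entries."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr(POM_PATH, f"groupId={LOG4J_GROUP}\nartifactId={LOG4J_ARTIFACT}\nversion={version}\n")
        for name, blob in (nested or {}).items():
            zf.writestr(name, blob)


def build_sample_tree(root):
    """Constructed sample: one old log4j-core, one at the floor, one buried in a WAR, one unrelated JAR."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib, exist_ok=True)
    _make_jar(os.path.join(lib, "log4j-core-old.jar"), "2.14.1")
    _make_jar(os.path.join(lib, "log4j-core-fixed.jar"), "2.15.0")
    _make_jar(os.path.join(lib, "commons-io.jar"))  # no log4j inside
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PATH, "version=2.13.0\n")
    _make_jar(os.path.join(root, "app", "webapp.war"),
              nested={"WEB-INF/lib/log4j-core-2.13.0.jar": inner.getvalue()})


def demo(min_fixed=MIN_FIXED_VERSION):
    """Build the constructed tree, scan it, and return labels relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = scan_tree(root)

        def rel(label):
            outer, _, inner = label.partition("!")
            r = os.path.relpath(outer, root).replace(os.sep, "/")
            return f"{r}!{inner}" if inner else r

        return {"all": {rel(p): v for p, v in found},
                "vulnerable": {rel(p): v for p, v in vulnerable(found, min_fixed)}}


if __name__ == "__main__":
    for label, ver in demo()["vulnerable"].items():
        print(f"NEEDS PATCH: {label} (log4j-core {ver})")
```

Running the script on a real host means replacing the constructed tree with `scan_tree("/")` (or the application roots of interest) and printing `vulnerable(...)`; the `label!inner` notation records where a nested copy lives, which is exactly the "darkest corner" case the Sophos quote describes, since a vendor WAR can carry its own log4j-core that no package manager knows about.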

Over the coming days and weeks, Sophos expects the speed with which attackers are harnessing and using the vulnerability will only intensify and diversify. Once an attacker has secured access to a network, then any infection can follow. The firm recommends that IT defenders do a thorough review of activity on the network to spot and remove any traces of intruders, even if it just looks like nuisance commodity malware.