Thousands of applications, libraries and frameworks use log4j.

Edward Gately, Senior News Editor

December 15, 2021


The worst is yet to come from the Log4Shell vulnerability, which already is having a massive effect on the tech industry.


So says Dan Piazza, technical product manager at Netwrix. Last week, researchers discovered a zero-day vulnerability in the popular Java logging library log4j. Logging a specially crafted string is enough to trigger remote code execution (RCE).

Exploiting this Log4Shell vulnerability is as simple as getting an application that uses log4j to log a special string, Piazza said. After that, the attacker will have RCE on a completely breached server.

UKG, the parent company of workflow management solutions provider Kronos, has been hit with ransomware. Although the company isn’t confirming it, reports suggest the ransomware attack exploited the Log4Shell vulnerability.

“UKG recently became aware of a ransomware incident that has disrupted the Kronos Private Cloud, which houses solutions used by a limited number of our customers,” a UKG spokesperson tells us. “We took immediate action to investigate and mitigate the issue, have alerted our affected customers and informed the authorities, and are working with leading cybersecurity experts. We recognize the seriousness of the issue and have mobilized all available resources to support our customers and are working diligently to restore the affected services.”

Eddy Bobritsky is CEO of Minerva Labs.


“Ransomware attacks are becoming bolder and more sophisticated, using evasive malware techniques to get around regular EDR antivirus solutions,” he said. “As we can see here (UKG), even with quick detection and immediate action, a small ransomware attack can result in damages that can take ‘up to several weeks to restore system availability.’ This is why, despite its difficulty, it is important to start moving toward a prevention approach, rather than a detect and respond one.”

Log4j Used by Thousands

Thousands of applications, libraries and frameworks use log4j, Piazza said. That means the number of potentially impacted organizations is “staggering.”

“And with attackers already scanning the internet to find vulnerable targets, if organizations haven’t already started taking mitigation steps then it may already be too late,” he said.

Armis has detected Log4Shell attack attempts in over a third of its clients, and it continues to see new attacks every day. The top three types of targeted devices are physical servers (42%), virtual servers (27%) and IP cameras (12%).

Armis has also spotted attack attempts against manufacturing devices and attendance systems.

Chris Dobrec is Armis’ vice president of product marketing.

“Threat actors are actively scanning for the vulnerability and we are seeing a higher than normal volume of attempted exploits,” he said. “Exploits can be triggered by sending specially-written code to the vulnerable log4j component, and are small enough to fit into a tweet or chat message. Many examples are currently floating around the internet.”

Massive and Far-Reaching Impact

The impact is “massive and far-reaching” as the log4j library lurks in both obvious and not so obvious places, Dobrec said.

“It is so ubiquitous and used in such a wide array of assets, that it’ll take years to get rid of it and in reality a large long tail of assets some of which will never be patched,” he said. “We will see this continue to intensify. However, it’s the long tail that is really troubling and it will likely take years to get rid of. What about the devices that are already shipped and in the supply chain that are not yet deployed? What happens when IoT devices that contain the vulnerability, currently sitting on your loading docks or in Amazon warehouses, get plugged into your network? You need to be ready and continuously monitor your environment.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered all civilian federal agencies to patch the log4j vulnerability and three others by Dec. 24.

Casey Ellis is founder and CTO of Bugcrowd.


“That’s going to be nearly impossible for most organizations,” he said. “They need to find log4j before they can patch it, and many are still stuck on that step. If log4j is found, it’s likely that it is deeply embedded in existing applications and will require regression testing to ensure that a patch doesn’t break anything else. In short, the time pressure is a good thing for activating those who aren’t taking this seriously. But this will be a difficult time frame for many to meet.”

Lull Before the Storm

Sean Gallagher is senior threat researcher at Sophos.

“With the exception of cryptomining, there is a lull before the storm in terms of more nefarious activity from the Log4Shell vulnerability,” he said. “We expect adversaries are likely grabbing as much access to whatever they can get right now with the view to monetize and/or capitalize on it later on.”

The most immediate priority for defenders is to reduce exposure by patching and mitigating all corners of their infrastructure, and investigating exposed and potentially compromised systems, Gallagher said. This vulnerability can be everywhere.

John Bambenek is principal threat hunter at Netenrich.

“Often rushing patches to fix vulnerabilities means that the fix may not be complete, as the case is here,” he said. “The solution is to disable JNDI functionality entirely (which is the default behavior in the latest version). At least a dozen groups are using these vulnerabilities. So immediate action should be taken to either patch, remove JNDI, or take it out of the classpath (preferably all of the above).”
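One way to act on the two points raised above, finding log4j that is embedded deep inside applications and taking the JNDI lookup out of the classpath, as an added example that is not from the article or from any of the vendors quoted: a Python scan that looks inside JARs (and inside archives nested in WARs and fat JARs) for log4j-core's JndiLookup class, and a helper that writes back a copy of a JAR with that class removed. The JndiLookup class path is the real one in log4j-core 2.x; the sample archives are constructed in memory, and `build_sample_jar` exists only to produce them.

```python
import io
import zipfile
from pathlib import Path
# JNDI lookup class inside log4j-core 2.x; deleting it from the JAR is the classpath mitigation quoted above.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")  # containers that may embed log4j-core

def inspect_archive(data, label, findings):
    # Append the label of every archive, nested ones included, that still has the class.
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # a .jar/.zip name that is not actually a ZIP container; skip, do not crash
    with zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            findings.append(label)
        for name in names:  # fat JARs and WARs carry log4j-core as an inner archive
            if name.lower().endswith(NESTED):
                inspect_archive(zf.read(name), f"{label}!{name}", findings)

def scan_tree(root):
    # Inventory pass over a directory tree: one entry per archive still exposing JNDI.
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in NESTED:
            inspect_archive(path.read_bytes(), str(path), findings)
    return findings

def strip_jndi_lookup(data):
    # Return a copy of the JAR without JndiLookup.class, or None if it was not present.
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        if JNDI_CLASS not in src.namelist():
            return None
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                if item.filename != JNDI_CLASS:
                    dst.writestr(item, src.read(item.filename))
    return out.getvalue()

def build_sample_jar(with_jndi, nested=None):
    # Constructed stand-in for a log4j-core JAR, or a WAR wrapping one; sample input only.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        if nested is not None:
            zf.writestr("WEB-INF/lib/log4j-core-sample.jar", nested)
    return buf.getvalue()
```

Run `scan_tree("/opt")` (or whatever root holds your deployed applications) to list every archive that still carries the class; a JAR reported here is one where neither the patch nor the classpath removal has been applied.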


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
