By Mark Lanterman
A recently discovered vulnerability is being described by some observers as the worst of the last decade, if not the worst ever. Startlingly, its presence has already been widely documented, even appearing in the very popular game Minecraft. As described in a December article in The Guardian, “The flaw, dubbed ‘Log4Shell’… was uncovered in an open-source logging tool, Log4j, that is ubiquitous in cloud servers and enterprise software used across the industry and the government. Unless it is fixed, it grants criminals, spies and programming novices alike, easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more.”1 Simply put, this vulnerability gives cyberattackers the opportunity to access almost anything they want.
Cybersecurity experts have been quick to acknowledge the immense danger this vulnerability poses for almost all organizations. There are many types of attacks that can be facilitated via this route, such as the installation of malware and ransomware attacks, making it an easy-to-use tool for cybercriminals. A recent article in the Washington Post described the scariness of this situation quite well: Imagine that a common lock, used by millions of people, is found to have a problem rendering it useless. It may be easy to replace the locks in a single building, but imagine trying to locate and fix every affected door.2 Software vulnerabilities are often easy to overlook—and zero-day attacks are especially tricky since the people most educated on their usage and characteristics are often the hackers themselves. Patching will be a critical remediation step, but so too will be putting in the time and effort required to locate impacted devices, sites, applications, and services.
The staggering number of applications and systems that are vulnerable to this type of attack includes everything from online games to cloud services. Protecting servers and quickly applying available patches will help in counteracting the threat as efficiently as possible—but given the sheer amount of software in use that could be affected, it is likely that this will be an ongoing cause for concern. Companies such as Microsoft and IBM continue to release updates and patches in the hope of mitigating the problem and lessening dependence on Log4j.3 Unfortunately, just as engineers and technology experts are attempting to remediate the problem, hackers are trying to bypass defenses and continue to make use of the vulnerability for as long as possible. As in previous large-scale attacks, it is very possible that hackers have been installing “back doors” to be exploited later, which will further hamper mitigation efforts and ensure that the impact of this vulnerability is felt for years to come.
Organizations should do what they can to patch their systems, stay aware of the nature of the threat, and promote best cybersecurity practices to counteract potential risks. As part of remediation efforts, security experts are also suggesting that organizations follow up with any third-party vendors to assess their individual risk levels and degrees of vulnerability. This attack demonstrates the impact of third-party risk and the value of establishing a cybersecurity action plan that extends beyond your own firm or organization. It is important to understand how any third party that has access to your data and assets is responding to, and securing themselves against, the vulnerability. This step will also provide a clear picture of how cybersecurity is prioritized within these companies.
It is undeniable that this discovery presents a serious threat to any organization, firm, corporation, or agency. The potential number of affected servers, applications, websites, devices, and systems is astounding. While any attack may be the “worst ever” for your organization, and investing in proactive measures is essential on any day of the week, the emergence of this vulnerability may pose new challenges. Like any zero-day threat, vulnerabilities may exist at any given time for which we are unprepared. These threats may materialize at the most inopportune moments and may seem tailored to compromise what is weakest in our organization’s structure. Although this particular vulnerability was only recently discovered, it had been a problem for years. The nature of our always-changing technological landscape may prevent us from having truly “perfect” security, but we can learn to incorporate the unexpected into our understanding of cybersecurity and our approach to security culture.
Mark Lanterman is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board. mlanterman@compforensics.com
Notes
1 https://www.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell
2 https://www.washingtonpost.com/technology/2021/12/20/log4j-hack-vulnerability-java/
3 https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/