Photo of Oliver Pinson-Roxburgh

Oliver Pinson-Roxburgh

CEO and Co-Founder

30th December 2021

In December 2021, a critical vulnerability found in a Java-based software shook-up the internet and had businesses on red alert by prompting urgent action to prevent cyber attacks. It was reported that over 3.7 million attempts had been made by hackers to exploit the vulnerability, with over 48% of corporate networks worldwide.

We explain what the headline-hitting Log4j vulnerability is, what can be done to prevent your businesses from being impacted, and how to keep IT systems protected.

What is Log4j and Log4Shell?

Apache Log4j, developed by Apache Software Foundation, is an open-source logging library used in Java which supports developers and operations teams by allowing them to log errors whilst developing applications and fixing faults. The Log4j library allows users to see a record of actions taken within the application. This is a critical component of writing applications as Log4j generates logs about the state of the application that it would not normally expose.

Log4Shell is the name of the zero-day software vulnerability (identified as CVE-2021-44228) found within the Apache Log4j utility which affected millions of systems worldwide.

Why was the Log4j vulnerability big news?

When it was announced that the Log4j vulnerability had been discovered, it was alarming for many reasons. Log4j is ubiquitous, shown by the fact that big tech giants such as Apple, Microsoft, Amazon, IBM, and Google all integrate it within their software. Which makes it an enticing vulnerability for hackers and ransomware gangs to seek vulnerable hosts to exploit.

Ransomware is one of the biggest threats businesses face and with a rise in such attacks, 27% of all cybercrime in 2020 were ransomware attacks, Lindy Cameron, CEO of NCSC stated that “Ransomware presents the most immediate danger to UK businesses”. Therefore those who aren’t putting detect and response measures in place risk serious financial and reputational consquences.

How dangerous is the Log4j vulnerability?

If you consider that Log4j is a logging module found within Java which has a community of over 9 million users, it’s safe to say the omnipresence of the vulnerability in millions of applications means it is very dangerous. Jen Easterly, the Director of US Cybersecurity and Infrastructure Security (CISA), said that: “The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career.” Because of Log4Shell’s potential of widespread damage and the possibility of even inexperienced hackers being able to exploit it, the Common Vulnerability Scoring System rated the Log4j vulnerability a “10.0 Critical”, the highest score they give.

Log4Shell is insidious and difficult to detect. Many organizations don’t even realise they’ve been compromised by the exploit, which is why it had the cybersecurity industry scrambling to create an effective response plan for the vulnerability. Even when the initial run of patches were released to update the affected applications, flaws were found within these patches, deeming them ineffective against Log4Shell. Monitoring for such threats is made a little bit easier when you know an environment really well and can easily identify unusual behaviour. However, businesses that don’t monitor their network will find it difficult to identify threats. The average time of threat detection has been averaged at 180+ days for businesses not monitoring their networks for cyber threats, or at least not monitoring them sufficiently well.

The Log4j library also has the ability to communicate with other sources and internal directory services. Hackers can feed malicious commands through the library and execute dangerous code, which could lead to threat actors taking control of their targeted systems and weaponizing unpatched servers. Furthermore, other consequences of the exploit include the theft of sensitive data, ransomware attacks, or sending malevolent content to other users through the affected server.

Dangers of Log4j further afield

As long as the Log4j vulnerability exists, hackers will look to discover new ways of leveraging the exploit, further emphasising why organizations and security teams need to stay alert. There is evidence of the Log4j vulnerability being exploited by nation states, for example with hacker groups modifying and adding the vulnerability to malware toolkits. Microsoft also reported that Iranian threat actors PHOSPHORUS had been actively deploying ransomware by making modifications to the Log4j exploit.

We believe nation state hacker groups will also target IT teams specifically by attempting ‘inside out’ attacks. These attacks would see hackers reconfigure the Log4j exploit to construct phishing emails which persuade IT personnel to visit compromised servers hosting the exploit code, hacking the server from the inside out as opposed to a traditional outside in attack. Phishing remains the leading cybersecurity attack form in today's threat landscape, meaning hackers leveraging the Log4j vulnerability within phishing campaigns is extremely likely. This proves the necessity of conducting cyber security awareness training for staff in order to give businesses a greater chance of not becoming victims to a phishing attack.

How could Log4j vulnerabilities impact businesses?

Due to how easily the Log4j vulnerability can be exploited, even by novice hackers, the threat poses many risks to businesses. Data can be compromised, systems manipulated and credentials stolen then leaked. What’s more, because of the difficulty in detecting Log4Shell, it becomes a challenge for IT teams and cybersecurity vendors to eradicate the threat. Our own penetration testers found that attacks can be dissected into different parts which are reassembled back by the program during the exploitation of the vulnerability. This allows more flexibility for the attacker and makes Log4Shell harder to detect in some cases.

The Log4j vulnerability demonstrated that patching alone is not a sufficient remedy for businesses to safeguard their software and applications. Why? Because Log4j is used by so many applications therefore it would take a long time to patch every application. In addition, some applications are no longer patchable such as legacy applications which are no longer covered by software updates. This is not forgetting that you might not know your system or application is vulnerable to Log4j unless the vendor has tested for it and/or you know what you are doing yourself to find out.

Minimizing or restricting access controls to users can also limit the Log4j vulnerability from impacting businesses. Restricting access and carefully defining outbound connections will provide better safeguards against the threat of systems being breached and manipulated. Implementing multi-factor authentication to prevent hackers from leveraging leaked credentials can also provide much-needed protection against the exploit. These are all reasons why we recommend a comprehensive overview of the cybersecurity measures businesses have in place to ensure they safeguard as much of their network, infrastructure and workforce as possible to mitigate hackers.

How can Defense.com™ help?

There are several things businesses can do to minimize the impact of the Log4j vulnerability breaching and corrupting IT systems. We advocate adopting a defense-in-depth strategy, which involves protecting the physical, technological, and administrative aspects of your businesses network. There are however additional components to a defense-in-depth strategy including integrating perimeter defenses (firewalls, intrusion detection and prevention systems), and workstation defenses (anti-virus software and multi-factor authentication).

As well as a defense-in-depth strategy, Defense.com™ is a step further for helping your businesses mitigate the severity of the Log4j vulnerability. Our expert advice for businesses concerned is to follow and adopt the following security practices that are included within Defense.com™:

Log Monitoring

Tools which identify unusual activity or odd traffic patterns within a network, such as multiple admin login attempts, which could be an indicator of a brute force attack. Log monitoring will quickly detect, diagnose, and take necessary action to remediate any threats which may be caused by the exposed Log4j vulnerability.

Vulnerability Scanning (VA Scans)

Regular scanning of known vulnerabilities can be detected early with VA scans, giving businesses time to secure their network and software by patching and securing any discovered security weaknesses. VA scans, along with penetration tests, are considered best security practice and are recommended to strengthen a business’s security posture.

Penetration Testing

Penetration tests will quickly help you understand your attack surface, identifying areas of exposure, allowing you to remediate any weaknesses before being targeted. Penetration tests are one of the most comprehensive forms of identifying security flaws within an organization, and provide detailed threat monitoring and reporting.

Asset Tracker

Businesses can identify and manage all operating systems and devices used within the organization with an asset tracker. Building an inventory of your assets will help define your attack surface and security posture. An asset tracker will alert you when new threats directly linked to your operating systems and hardware are detected. Faster remediation is made possible by aligning assets to cyber threats, which makes it a fast and reliable detection tool, without the the need to analyze and translate complex data.

Consultancy

Consultancy helps businesses understand the best ways to protect themselves from the continuing threat of cybercrime. Whether it's advice on how to improve your security posture or on achieving compliance, our team of expert consultants help businesses effectively implement the best security measures to strengthen their cyber resilience against common cyber threats.

Cybersecurity

Training is a crucial element of implementing best security practises within organizations. Without knowledge of common attack vectors and tactics deployed by cybercriminals, employees remain easy targets for hackers looking to breach systems and steal sensitive data. Your staff are your best line of defense, meaning training can empower them to be vigilant against the evolving threat landscape.

Summary

The simplicity and ubiquitous nature of the Log4j vulnerability proves that cyberattacks don’t need to be highly sophisticated to be considered dangerous. Hackers are still targeting low hanging fruit as the exploits are easier to execute and have a higher chance of success and a ROI. In many cases businesses won’t even be aware that their environments have been compromised because the Log4j module is an internal feature that when exploited, is not visible in the application. Businesses would see the results of the hack, but not the exploitation of the hack itself.

Remember

It’s more critical than ever before to not lose sight of new and existing applications where the Log4j vulnerability may exist.

Conduct the appropriate and regular security checks to monitor systems and applications which may be affected.

Businesses should assess, isolate and update any potentially affected assets where the Log4j exploit is present.