Photo of Oliver Pinson-Roxburgh

Oliver Pinson-Roxburgh

CEO and Co-Founder

30th December 2021

In December 2021, a critical vulnerability found in a Java-based software shook-up the internet and had businesses on red alert by prompting urgent action to prevent cyber attacks. It was reported that over 3.7 million attempts had been made by hackers to exploit the vulnerability, with over 48% of corporate networks worldwide.

We explain what the headline-hitting Log4j vulnerability is, what can be done to prevent your businesses from being impacted, and how to keep IT systems protected.

What is Log4j and Log4Shell?

Apache Log4j, developed by Apache Software Foundation, is an open-source logging library used in Java which supports developers when writing new applications. The Log4j library allows users to see a record of actions taken within the application. This is a critical component for writing applications, as Log4j generates records about the state of the application and events taking place within it.

Log4Shell is the name of the zero-day software vulnerability (identified as CVE-2021-44228) found within the Apache Log4j utility which affected millions of systems worldwide.

A common example of Log4j is the error message ‘404 Not Found.’ Whenever you click on a web link which throws out the 404 message, it is an indicator that an incorrect URL was written during development.

Image of 404 error page

Why was the Log4j vulnerability big news?

When it was announced that the Log4j vulnerability had been discovered, it was alarming for many reasons. Log4j is ubiquitous, shown by the fact that big tech giants such as Apple, Microsoft, Amazon, IBM, and Google all integrate it within their software. Which makes it an enticing vulnerabilty for hackers and ransomware gangs to pursue as part of their malicious attacks.

Ransomware is one of the biggest threats businesses face and with a rise in such attacks, 27% of all cybercrime in 2020 were ransomware attacks, Lindy Cameron, CEO of NCSC stated that “Ransomware presents the most immediate danger to UK businesses”. Therefore those who aren’t putting detect and response measures in place risk serious financial and reputational consquences.

How dangerous is the Log4j vulnerability?

If you consider that Log4j is a logging module found within Java which has a community of over 9 million users, it’s safe to say the omnipresence of the vulnerability means it is very dangerous. Jen Easterly, the Director of US Cybersecurity and Infrastructure Security (CISA), said that: “The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career.” Because of Log4Shell’s potential of widespread damage and the possibility of even inexperienced hackers being able to exploit it, the Common Vulnerability Scoring System rated the Log4j vulnerability a “10.0 Critical”, the highest score they give.

Log4Shell is insidious and many organizations don’t even realise they’ve been compromised by the exploit. Which is why it had the cyber security industry scrambling to create an effective response plan for the vulnerability. Even when the initial run of patches were released to update the affected applications, flaws were found within these patches. Subsequently deeming them ineffective against it.

The Log4j library also has the ability to communicate with other sources and internal directory services. Hackers can feed malicious commands through the library and execute dangerous code, which could lead to threat actors taking control of their targeted systems and weaponizing unpatched servers. Furthermore, other consequences of the exploit include the theft of sensitive data, ransomware attacks, or sending malevolent content to other users through the affected server.

Dangers of Log4j further afield

As long as the Log4j vulnerability exists, hackers will look to discover new ways of leveraging the exploit, further emphasising why organizations and security teams need to stay alert. There is an acute possibility of the Log4j vulnerability being exploited by nation states, for example with hacker groups modifying and adding the vulnerability to malware toolkits. Microsoft also reported that Iranian threat actors PHOSPHORUS had been actively deploying ransomware by making modifications to the Log4j vulnerability.

We believe nation state hacker groups will also target IT teams specifically by deploying ‘inside out’ attacks. These attacks would see hackers reconfigure the Log4j exploit to construct phishing emails which pursuade IT personnel to visit compromised servers. Phishing remains the leading cybersecurity attack form in today's threat landscape, meaning hackers leveraging the Log4j vulnerability within phishing campaigns is extremely likely. This proves the necessity of conducting cyber security awareness training for staff in order to give businesses a greater chance of become victim to a phishing attack.

How could Log4j vulnerabilities impact businesses?

Due to how easily the Log4j vulnerability can be exploited, even by novice hackers, the threat poses many risks to businesses. Data can be compromised, systems manipulated and credentials stolen then leaked. What’s more, because of the difficulty in detecting Log4Shell, it becomes a challenge for IT teams and cybersecurity vendors to eradicate the threat. Our own penetration testers found that attacks can be dissected into different parts which are reassembled back by the program during the exploitation of the vulnerability. This allows more flexibility for the attacker and makes Log4Shell harder to detect in some cases.

The Log4j vulnerability demonstrated that patching alone is not a sufficient remedy for businesses to safeguard their software and applications. Which is why we recommend a comprehensive overview of the cybersecurity measures businesses have in place to ensure they safeguard as much of their network, infrastructure and workforce as possible to mitigate hackers.

How can Defense.com™ help?

There are several things businesses can do to minimize the impact of the Log4j vulnerability breaching and corrupting IT systems. We advocate adopting a defense-in-depth strategy, which involves protecting the physical, technological, and administrative aspects of your businesses network. There are however additional components to a defense-in-depth strategy including integrating perimeter defenses (firewalls, intrusion detection and prevention systems), and workstation defenses (anti-virus software and multi-factor authentication).

As well as a defense-in-depth strategy, Defense.com™ is a step further for helping your businesses mitigate the severity of the Log4j vulnerability. Our expert advice for businesses concerned is to follow and adopt the following security practices that are included within Defense.com™:

  • Log Monitoring

    Tools which identify unusual activity or odd traffic patterns within a network, such as multiple admin login attempts, which could be an indicator of a brute force attack. Log monitoring will quickly detect, diagnose, and take necessary action to remediate any threats which may be caused by the exposed Log4j vulnerability.

  • Vulnerability Scanning (VA Scans)

    Regular scanning of known vulnerabilities can be detected early with VA scans, giving businesses time to secure their network and software by patching and securing any discovered security weaknesses. VA scans, along with penetration tests, are considered best security practice and are recommended to strengthen a business’s security posture.

  • Penetration Testing

    Penetration tests will quickly help you understand your attack surface, identifying areas of exposure, allowing you to remediate any weaknesses before being targeted. Penetration tests are one of the most comprehensive forms of identifying security flaws within an organization, and provide detailed threat monitoring and reporting.

  • Asset Tracker

    Businesses can identify and manage all operating systems and devices used within the organization with an asset tracker. Building an inventory of your assets will help define your attack surface and security posture. An asset tracker will alert you when new threats directly linked to your operating systems and hardware are detected. Faster remediation is made possible by aligning assets to cyber threats, which makes it a fast and reliable detection tool, without the the need to analyze and translate complex data.

  • Consultancy

    Consultancy helps businesses understand the best ways to protect themselves from the continuing threat of cybercrime. Whether it's advice on how to improve your security posture or on achieving compliance, our team of expert consultants help businesses effectively implement the best security measures to strengthen their cyber resilience against common cyber threats.

  • Cybersecurity Awareness Training

    Training is a crucial element of implementing best security practises within organizations. Without knowledge of common attack vectors and tactics deployed by cybercriminals, employees remain easy targets for hackers looking to breach systems and steal sensitive data. Your staff are your best line of defense, meaning training can empower them to be vigilant against the evolving threat landscape.

Summary

You may think that the higher level of sophistication behind a cyberattack, the more perilous it could prove to be, but it’s quite the opposite when you consider the simplicity and ubiquitous nature of the Log4j vulnerability. Many organizations won't even be aware that their environments have been compromised by the Log4Shell exploit, thanks to the deceptiveness of the vulnerability. With the threat still present, and its growing use within nation state hacker groups, it’s of critical importance that businesses know how to assess, isolate and update any potentially affected assets where the Log4j exploit is present.

Affordable SMB cybersecurity with Defense.com

Try all these security quick wins and more with Defense.com™. Start a free trial today!