On November 24, 2021, Chen Zhaojun of the Alibaba Cloud Security Team discovered the critical software vulnerability Log4Shell in the open-source Java logging utility, Log4J. Log4J comes as components in Java archive (JAR) files that software developers easily insert into their software projects without writing extra code. The security community also knows Log4Shell by its Common Vulnerabilities and Exposures (CVE) ID Number, CVE 2021-44228. The Apache Software Foundation, which supports Log4J, has given the Log4Shell vulnerability a critical severity rating of 10, which is its highest rating.
Log4Shell is severe partly because the Log4J utility is commonplace, appearing in multitudes of software. "Java is undisputedly the most common language for enterprise software applications developed over the last 10-15 years. Logging is a core application requirement, and Log4J is the standard choice for logging," explains Lahane.
Log4Shell is as trivial for cybercriminals to abuse as it is ubiquitous. A look at how Log4Shell compares with other vulnerabilities puts it into perspective. "Log4Shell is easier to exploit than OpenSSL Heartbleed, and vulnerable components are significantly more widely distributed than Apache Struts—two other highly-dangerous vulnerabilities from the last decade," says Lahane.
To locate and leverage Log4Shell, attackers scan networks for vulnerable log4j components. Once they locate the vulnerability, they send a malicious command string to the server using any protocol (TCP, HTTP, or others) that allows them to do so.
Bogus Log4J lookup commands in the malicious command strings lead Log4J to connect to malicious servers to execute remote, malicious Java code. The potential damage from Log4Shell attacks is severe; Remote Code Execution attacks like these enable an attacker to trigger malware such as worms over the Internet.
"It's important to remember that threat actors can use the same open-source scanners to detect the vulnerability that security analysts use. Many remote scanners are currently available on open-source sites like GitHub," says Karen Walsh, CEO of content marketing firm Allegro Solutions.
Log4Shell is also difficult for organizations to mitigate. An enterprise may not know whether its software uses Log4J. If the software has a dependency on a vulnerable Log4J component, it's more of a direct relationship, and it's not so difficult to find it.
However, if the software has transitive dependencies on Log4J, meaning the software has dependencies on other software that has dependencies, then somewhere down the line, the software depends on Log4J. It's very trying to find the vulnerability, since an organization's exposure to Log4Shell may lie deep inside of other software.
Cybercriminals wasted no time ramping up attacks using Log4Shell. According to a Check Point blog, the Check Point cybersecurity firm saw 4.3 million attempts to exploit the vulnerability as of December 20, 2021; criminal hackers used the Log4Shell vulnerability in attacks on 48% of corporate networks globally.
Meanwhile, hundreds of organizations across multiple industries have published advisories that their software relies on vulnerable Log4J components. IBM, Microsoft, Apple, Amazon, Cisco, Google, Oracle, RedHat, and VMware are among the afflicted technology companies. Cybersecurity companies including CyberArk, ForgeRock, Okta, Ping Identity, Fortinet, SonicWall, and Sophos have acknowledged their exposure, too.
While there are many attacks such as cryptojacking and ransomware using Log4Shell, something more menacing is waiting to reveal itself. "The most sophisticated attackers use an initial exploit such as Log4Shell to gain a foothold in the target business, then go silent. Sophisticated attacks typically proceed slowly and deliberately, often over many months," says Lahane.
APT (Advance Persistent Threat) groups initiate stealthy, sophisticated attacks leveraging vulnerabilities such as Log4Shell to enter enterprise networks. They achieve long dwell times inside an organization while remaining undetected. Cybercriminals use the unauthorized control of trusted administrative accounts to move laterally within the network.
Regarding the sophistication of the attacks, Log4Shell may rival the Wannacry Ransomware of 2017. "Wannacry, although damaging, affected only Windows operating systems. Log4J is more difficult to address given the mission-critical systems that use it," says Paul Zimski, vice president of product for IT operations cloud firm Automox.
As for the aftermath, organizations can expect the effects of Log4Shell to hang around for some time. Responding to the Log4Shell vulnerability places a significant strain on already-strapped IT and security groups. "Log4J creates dramatic increases in operational complexity for IT teams, making them less efficient than they were yesterday, and that ultimately makes their organizations less secure in both the short and long term," says Zimski.
There are still more risks from Log4Shell. "The longest-term risk is the billions of appliances and devices that use Java in their core software," says Lahane. "These are the hardest to locate and fix, and many such devices are out of support, so the vendor has little incentive to provide a fix, and users are unaware that they are vulnerable."
According to Lahane, these attacks include cryptojacking (when a hacker uses a victim's computing power to generate cryptocurrency) using TVs and consumer devices, and command and control (C&C) orchestrations across routers, load balancers, and network hardware.
David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.