What the heck is Log4j and why is it a threat to all of us?

"Not another cybersecurity attack?!"

(First, let me preface this blog by stating that as of today, December 22, 2021, no CMS Imaging systems have been impacted by Log4j malware.)

Yes, last week it became evident that researchers had identified another large-scale cybersecurity issue. This attack exploits a flaw in a Java program named Apache Log4j to insert malware. Log4j is a free tool used by many software programs to log information in places like your hospital network, personal cloud storage, and, unfortunately, medical equipment and software. The attack itself is being called Log4Shell, and it is set to become the most extensive and worst cybersecurity attack in history.

Most software today is developed using a mixture of frameworks. (Please note that the following example is overly simplified and will probably cause a software developer's head to explode, but I will use it for ease of understanding.) For example, if you want to write a piece of software to access a personal picture vault, you might first use a Single Sign-On framework such as Okta or JumpCloud to sign in to your vault. Once inside your picture vault, you'd like to be able to store and access your pictures, so you might use the Storage Access Framework for Android or PhotoKit for Apple, depending on your platform. If you want to share an image, you would use an image-sharing framework such as XMPP or CoCam. Lastly, if you want to know when you last signed in or whether your friend opened the image you shared, you would use a logging framework such as Log4j to track and record all operations of your software.

Security professionals believe hackers have been exploiting the bug since the beginning of December. Still, the general public only became aware of the attack last week, because the frequency and depth of the attacks increased dramatically then. Companies such as Microsoft, Google Cloud, Apple iCloud, Amazon Web Services, and Cisco have all found exploitation attempts on some of their servers. A string of code logged by a server opens it to hackers to exploit with ransomware or any other type of malware. One way that bad actors can insert this code string is by sending an email with the code embedded in the headers or in the account username. The scariest part of this attack is that the recipient does not have to open the email; it simply has to be delivered. Another way to carry out this attack is to trigger a log message on a database. Again, this is a lot more complicated in practice, but for simplicity: searching from a website's search bar using the malicious code as the text will generate a 404 error (that darned 'page not found' error), which will, in turn, log that 404 error in the website's database. If you are evil and have bad intent, and the website uses a vulnerable version of Log4j, you have just hacked that server.

Think about Log4Shell as a key to the front door of your server. Once inside, attackers can virtually lock the doors from the inside by changing the passwords to your servers, downloading credentials, or installing cryptocurrency-mining bots. Because they hold the keys to the castle, they can also download all information stored on these servers, such as Personal Health Information (PHI). While most large tech companies have started applying fixes to prevent further incursion and removing the code string from their servers, many smaller companies do not have the resources to move as quickly. So far, the Log4j exploit has mostly been used to deploy cryptocurrency miners, with a few instances of ransomware. Most disturbingly, there is evidence that hacking groups working on behalf of particular nation-states are targeting other national governments and infrastructure.

The next phase of this nightmare will be bad actors setting up automated processes to search for vulnerable systems and then inserting malware into those systems using any of a number of methods. Once they have exploited a particular server, they can infect it with malware or, worse, sell that access to even worse entities. These entities may monitor and download information to hold hostage until the vulnerability is fixed, and they can do so indefinitely.

As you can imagine, the Apache Software Foundation has already released a patch to close this vulnerability. Also, the vulnerability does not affect any Log4j version below 2.0. But the damage is not over. To stop this hack, security engineers need to inventory all of the software and servers that a business or government entity uses, identify those using Log4j, and then patch each instance. Think about all of the passwords you have accumulated in your lifetime, then acknowledge that each password is tied to a unique piece of software or server. Because Log4j is open source and free, there is no way to estimate how many programs use it as their logging framework.
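The inventory-then-patch step described above is where most organisations got stuck, because Log4j rarely sits in one obvious place: it is bundled inside application archives, nested in WAR files, or shaded into another jar with its classes unpacked. The script below is an added example written for this post; it is not code from CMS Imaging or from the Apache Log4j project. It assumes the jar naming conventions Log4j uses (log4j-core-<version>.jar for 2.x, log4j-<version>.jar for 1.x), that a shaded copy still carries the JndiLookup class and its Maven pom.properties, and that the minimum fixed version is a placeholder the operator replaces with the value from Apache's advisory. The sample deployment it scans is constructed in a temporary directory, not real data.

```python
"""Inventory Log4j copies on a filesystem tree and flag the ones that still need patching.

Added example, not code from CMS Imaging or the Apache project. Assumptions:
  * log4j-core ships as log4j-core-<version>.jar (1.x as log4j-<version>.jar), possibly
    nested in a .war/.ear/fat .jar, or shaded into another jar with its classes unpacked
    (then META-INF/maven/.../pom.properties carries the version);
  * MIN_FIXED_VERSION is a placeholder; take the real value from Apache's advisory.
"""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

JAR_NAME = re.compile(r"^log4j(?:-core)?-(\d+(?:\.\d+)*)\.jar$")
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CONTAINER_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 3
MIN_FIXED_VERSION: Version = (2, 17, 1)  # PLACEHOLDER: confirm against the Apache advisory


@dataclass
class Finding:
    location: str             # outer file, then "!" + inner path per nesting level
    version: Optional[Version]
    status: str               # "patch", "ok", "not-affected" or "unknown"


def parse_version(text: str) -> Optional[Version]:
    """'2.14.1' -> (2, 14, 1); keep only the numeric prefix of things like '2.0-beta9'."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify(version: Optional[Version], min_fixed: Version = MIN_FIXED_VERSION) -> str:
    if version is None:
        return "unknown"
    if version < (2,):
        return "not-affected"  # the post notes Log4Shell does not hit versions below 2.0
    return "ok" if version >= min_fixed else "patch"


def _version_from_pom(zf: zipfile.ZipFile) -> Optional[Version]:
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:  # no Maven metadata in this jar
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return parse_version(line.split("=", 1)[1])
    return None


def _scan_archive(label: str, zf: zipfile.ZipFile, findings: List[Finding],
                  min_fixed: Version, depth: int) -> None:
    names = set(zf.namelist())
    m = JAR_NAME.match(os.path.basename(label.rsplit("!", 1)[-1]))
    if m:                                 # a plain Log4j jar, versioned by its file name
        v = parse_version(m.group(1))
        findings.append(Finding(label, v, classify(v, min_fixed)))
    elif JNDI_LOOKUP_CLASS in names:      # log4j-core classes shaded into some other jar
        v = _version_from_pom(zf)
        findings.append(Finding(label, v, classify(v, min_fixed)))
    if depth >= MAX_NESTING:
        return
    for name in names:                    # recurse into nested archives (wars, fat jars)
        if name.lower().endswith(CONTAINER_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_archive(f"{label}!{name}", inner, findings, min_fixed, depth + 1)
            except zipfile.BadZipFile:
                continue


def inventory(root: str, min_fixed: Version = MIN_FIXED_VERSION) -> List[Finding]:
    """Walk `root` and return every Log4j copy found, with its patch status."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(CONTAINER_SUFFIXES):
                full = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(full) as zf:
                        _scan_archive(full, zf, findings, min_fixed, 0)
                except zipfile.BadZipFile:
                    continue
    return findings


def summarize(findings: List[Finding]) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


def _write_zip(path: str, entries: dict) -> None:
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree(root: str) -> None:
    """Constructed sample deployment (not real data): four Log4j copies, four packagings."""
    os.makedirs(os.path.join(root, "app", "lib"))
    os.makedirs(os.path.join(root, "legacy"))
    _write_zip(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"),
               {JNDI_LOOKUP_CLASS: b"", POM_PROPS: b"version=2.14.1\n"})
    _write_zip(os.path.join(root, "legacy", "log4j-1.2.17.jar"),
               {"org/apache/log4j/Logger.class": b""})
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, b"")
    _write_zip(os.path.join(root, "app", "app.war"),
               {"WEB-INF/lib/log4j-core-2.17.1.jar": nested.getvalue()})
    _write_zip(os.path.join(root, "app", "shaded-service.jar"),
               {JNDI_LOOKUP_CLASS: b"", POM_PROPS: b"version=2.13.0\n"})


def demo() -> dict:
    """Build the constructed tree, scan it, print each finding and return the status counts."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = inventory(root, min_fixed=(2, 17, 1))
        for f in sorted(findings, key=lambda f: f.location):
            shown = ".".join(map(str, f.version)) if f.version else "?"
            print(f"{f.status:12} {shown:8} {f.location}")
        return summarize(findings)


if __name__ == "__main__":
    demo()
```

Run against a real host by calling inventory() on the application root and adjusting MIN_FIXED_VERSION to the version Apache lists as fixed; anything reported as "patch" or "unknown" goes on the remediation list. The nested-archive recursion and the shaded-jar check are the two cases a filename-only search misses, which is why a simple find command under-counts Log4j copies.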

Unfortunately, we will continue to see new and different ways to exploit Log4Shell in the future, and according to Sean Gallagher, a senior threat researcher at cybersecurity company Sophos, "It's going to be around as long as the internet."

So let's keep our fingers crossed that Log4Shell does not play the role of the Grinch before this holiday season and into 2021.
