On December 9th, 2021, reports surfaced about a new zero-day vulnerability, termed Log4j (Log4Shell), impacting Minecraft servers. Now, almost one week later, it is clear that countless millions of devices are at risk, and Log4j may rank among the worst vulnerabilities yet seen.
Since we became aware of Log4j late last week, Morphisec has investigated this emerging threat. We now agree that it poses a significant risk to networks everywhere. Here is a quick rundown of what you need to know about Log4j and what to do about it.
What is the Log4j Vulnerability: A Critical Vulnerability in a Widely Used Apache Library
The Log4j exploit allows threat actors to take over compromised web-facing servers by feeding them a malicious text string. It exists within Log4j, an open-source Apache library for logging errors and events in Java-based applications. Third-party logging solutions like Log4j are a common way for software developers to log data within an application without building a custom solution.
In the case of Minecraft, where the Log4 Shell exploit first surfaced last week, this malicious string is entered through the chatbox. In other examples, text entered into the username box on web applications, like Apple iCloud, can also start the compromise.
The Log4J vulnerability is triggered by attackers inserting a JNDI lookup in a header field (likely to be logged) linking to a malicious server. After Log4j logs this string, the server is queried and gives directory information leading to the download and execution of a malicious java data class. This means cybercriminals can both extract private keys and, depending on the level of defenses in place, download and run malware directly on impacted servers.
Ridiculously Widespread and Incredibly Dangerous
Log4j is an extremely popular Apache library used by millions of Java programs and applications. As a result, the actual number of internet-facing applications exposed to the Log4j vulnerability is almost impossible to quantify. Researchers have noted that the vulnerability is likely to impact products and services provided by tech giants such as Apple, Amazon, Steam, Tesla, and Twitter.
According to a statement from the director of the US Cybersecurity and Infrastructure Security Agency, Jen Easterly, "This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use." Easterly's agency has described Log4j as "critical," a statement echoed by equivalent agencies globally, such as Germany's national cybersecurity agency (BSI). Enterprise software developer Redhat has graded Log4j with a 9.8 CVSS score, while the NIST has given it a 10 - the highest possible.
Due to a newly available Log4j patch covering it, fixing Log4 Shell is technically simple. However, finding and patching the vast numbers of servers and third-party applications which use Log4j will be an immense task for countless impacted organizations. With many legacy programs approaching end of life, in some cases, finding and applying patches may be almost impossible.
Many widely used frameworks such as enterprise search platform Apache Solr and database platform Apache Druid use Log4j. This makes the likelihood that any organization hosts a compromised application or server incredibly high. Even for C-based servers that are theoretically safe, a connected online form written in Java could lead to a compromise.
Growing Threat Actor Activity
As cloud providers and vendors struggle to find and remove vulnerabilities, threat actors are rushing to find Log4Shell vulnerabilities across the web. Reports from security vendor Greynoise show that exploitation is currently happening at more than 100 unique nodes while several unique IPs are frantically scanning the web for exploitable servers.
Log4 Shell has already been used to implement crypto miners and increase botnet numbers. Although most of the activity observed so far appears to be low-level threats and exploitations, as the volume of Log4j exploiting increases, higher-level threats such as ransomware deployment will follow. Because the exploit allows threat actors to read server environment variables, credentials such as AWS keys are highly vulnerable right now. Reports from Microsoft point to the vulnerability being used for data exfiltration and credential theft.
What Organizations Need to Do Right Now to Stop Log4jShell
Log4j is a critical threat, and no organization should assume it is safe. Therefore, determining exposure to it and fixing vulnerabilities needs to be every security team's highest priority task right now. This means searching the entire IT state regardless of whether servers are using Windows, Linux, or Mac for any Java code and determining if it uses the Log4j library. Wherever you find Log4j, you need to update it to the latest 2.17 version patch.
Organizations also need to look for and apply vendor patches as soon as possible. However, with such a variety of potential vectors for attacks using this exploit and the time requirement that patching will have, it’s also critical to have solutions in place to mitigate any emergent threats from the Log4j exploit. With threat actors increasingly deploying difficult-to-detect reverse HTTP backdoors such as Cobalt strike to deliver malware payloads, server defense needs to be reinforced with solutions that don't rely on detectable signatures. Because it obscures the attack paths that these kinds of threats take, a server protection solution such as Morphisec Keep offers organizations an immediate defensive response to the Log4j exploit.