What does “zero-day” mean?
The term “zero-day,” sometimes written as “0-day,” is used to describe a software security flaw that exists in a product that is already in circulation. To put it plainly, it means that the developers have “zero days” to fix the issue because it is already possible for bad actors to use it to their advantage.
A zero-day attack refers to the use of a zero-day vulnerability to damage, steal, cripple or otherwise disrupt a system for unauthorized or criminal intent.
What is the Log4Shell zero-day vulnerability?
The Log4Shell vulnerability is a flaw discovered in Apache’s Log4J logging tool. When properly exploited, this flaw can allow an unauthorized user to take control of a server, install malware, run bots, set the stage for ransomware attacks, utilize resources to mine for cryptocurrency or snoop into the data present to steal valuable information.
In summary, Log4Shell essentially gives hackers a blank check when it comes to how they may wish to exploit their targeted system.
Why is Log4Shell so dangerous?
While newly discovered, Log4Shell is already causing tremendous stress and concern among organizations all over the world, with some researchers confident that it may be the single largest, most critical vulnerability in modern computing.
Apache itself ranked the exploit as a 10 out of 10 on its scale of severity, and the CEO of cybersecurity firm Tenable, Amit Yoran, has described Log4Shell as “the single biggest, most critical vulnerability of the last decade.”
Log4Shell’s severity is twofold: Apache’s Log4J product is ubiquitous, present in potentially millions of apps across both private and government sectors. Because it is a foundational piece of software, there are almost no systems that aren’t at risk. IT administrators all over the world are scrambling to patch the vulnerability in a race against thousands of efforts by criminals to take advantage of it.
Secondly, it is remarkably easy for hackers to use the flaw. Criminals can access a web server without the use of a password and with little of the savvy usually associated with breaches that allow this degree of control.
How was the Log4Shell vulnerability found?
On December 9th, a tweet was posted by Chen Zhaojun of the Alibaba Cloud Security team that described the vulnerability. Believed to only be present in Minecraft, Log4Shell was used to essentially create pranks within the game. However, it was soon discovered that the flaw was actually present in every single instance of the LogJ tool.
How are organizations reacting to Log4Shell?
It is believed that the Log4Shell exploit had been in circulation among hackers prior to its official discovery for at least a number of days. However, since becoming public, efforts to utilize the flaw have exploded, resulting in a nightmare scenario for security professionals who have found themselves working extensively to fortify their networks against hackers.
Apache has released a patch for LogJ and, naturally, is urging all users to update their systems immediately.
In some cases, administrators have opted to simply take their systems offline in pre-emptive efforts to avoid catastrophic intrusion into their data. The government of Quebec, Canada, feeling that the inconvenience of shutting down their websites in order to allow IT professionals to fix the vulnerability outweighs the risk associated with allowing the possibility of it being used, did just that.
Their websites are being combed over by developers who are working to patch each instance of the flaw before allowing public access to the sites to resume.
The US’s Cybersecurity and Infrastructure Security Agency (CISA) has released a statement regarding the exploit, its severity and the importance of communicating the importance of installing Apache’s update:
“This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software. Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates.”
CISA is urging administrators to take the following steps with regard to the Log4Shell exploit:
- Enumerate any external facing devices that have log4j installed.
- Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
- Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.
What can we expect now?
As with all software vulnerabilities, organizations and companies all over the world will have to patch their systems to ensure continued security. A great number of breaches are already taking place, with threat actors installing malware and digging into compromised systems.
While some of these instances will be caught immediately, recent history has shown us that network vulnerabilities can have effects that last for months and even years after patches are released.
Vulnerabilities that were discovered to be exploitable within Microsoft Exchange Server in January of 2021, for example, continue to plague organizations in spite of the company quickly providing updates that fixed the highly publicized flaw.
In many cases, administrators simply never patch or update their systems due to ignorance or budget constraints. Because Log4Shell is both new and highly exploitable, we can expect to feel the effects of the flaw for months to come, as those that are slow to update find themselves targeted and those that did not update soon enough discover damage that had remained hidden or fall victim to newer iterations of the attack.
At this point in time, security experts do not even fully understand the entirety of the flaw’s implications and the ways in which it may be weaponized. Many expect that Log4Shell will likely remain headline cybersecurity news well into 2022 and beyond unless security teams bolster their defenses significantly.
Some cybersecurity researchers have already noted that hackers are further weaponizing the flaw with more than 60 Log4Shell mutations developed in 24 hours.
- The Log4Shell 0-day, four days on: What is it and how bad is it really? By Dan Goodin, 13 Dec 2021, Ars Technica
- What is Log4Shell, and why are we panicking about it? By Alex Scroxton, 13 Dec 2021, Computer Weekly
- Hackers start pushing malware in worldwide Log4Shell attacks by Lawrence Abrams, 12 Dec 2021, Bleeping Computer
- Recently uncovered software flaw ‘most critical vulnerability of the last decade’ Associated Press, 10 Dec 2021, The Guardian
- What’s the Deal with the Log4Shell Security Nightmare? By Nicholas Weaver, 10 Dec 2021, Lawfare
- Quebec government shutting down websites as a ‘preventive’ measure by Virginie Ann and Clara Descurninges, 12 Dec 2021, Montreal Gazette
- Statement from CISA Director Easterly on “Log4j” Vulnerability 11 Dec, 2021, CISA
- Zero-Day Exploits & Zero-Day Attacks Kapersky
- Zero-Day Exploits & Zero-Day Attacks Kapersky Kapersky
- Experts: Log4j Bug Could Be Exploited for “Years” By Phil Muncaster, 14 Dec 2021, InfoSecurity
Log4Shell Is Spawning Even Nastier Mutations By Lisa Vaas, 13 Dec 2021, ThreatPost