Last Friday, we published a blog post on the latest significant vulnerability, CVE-2021-44228, a flaw in the Log4j logging library that allows arbitrary code execution. In case you missed it, the fun part here is that attackers could introduce malicious code in many different ways. As Rob put it on our recent podcast, the coder’s imagination is the limit here.

What’s new when talking about Log4j

Since Friday, among other interesting bits, we’ve learned there is a spirited debate about the pronunciation of Log4j. The debate on Twitter has gone back and forth between “Log Four Jay” and “Log Forge”. We’re going to remain Switzerland in this debate and use either one. This is a safe space, so pronounce it with the version that works for you in your head.

It’s whatever gets the point across, really. (Source: @hacks4pancakes)

Besides pronunciation woes, the attacks have become more widespread as more adversaries adopt the exploit. Consequently, the opinions of many researchers and other respected security voices have gone from bad to dire as we begin to discover how many systems are potentially affected. There have been numerous reports of ransomware, coin miners, Cobalt Strike beacons, and other attacks hitting from every direction, and that is on top of the thousands of IP addresses scanning the internet.

Tim Starks from CyberScoop reported several key comments from CISA leaders: Jen Easterly stated that it’s probably the worst she’s ever seen, while Jay Gazlay asserted that it likely affects hundreds of millions of devices. As we’ve said before, remediation probably involves a host of dependencies, including updating Java or other server applications, which makes patching less straightforward than it sounds.

Log4j is everywhere (source: Twitter)


This isn’t the only Log4j vulnerability at the moment

To make things even more interesting, Apache discovered that, under certain conditions, even the newest versions of Log4j could be made to produce a denial of service (DoS); this is now tracked as a separate vulnerability, CVE-2021-45046. In this latest update, Apache found that versions from the 2.0 beta through 2.15 (the newest version as of 10 December 2021) could be affected by malicious input that creates a DoS condition. While this vulnerability carries a 3.7 CVSS score (not the 10.0 that CVE-2021-44228 has), the recommendation has been to kill two birds with one stone by updating to version 2.16, as detailed by Apache here.
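As an added illustration (not code from the original post or from Digital Shadows), here is a small Python triage helper that applies the version ranges above to an inventory of log4j-core jar paths. The 2.16 baseline is the post's own recommendation; the 2.15.0 cutoff for CVE-2021-44228 is taken from Apache's advisory and is marked as an assumption in the code; the sample inventory is constructed.

```python
import re
from typing import NamedTuple, Optional

# Baseline the post gives: upgrade log4j-core to 2.16 to close both CVEs at once.
FIXED = (2, 16, 0, 1, 0)
# Assumption (from Apache's CVE-2021-44228 advisory, not from the post):
# the RCE was first fixed in 2.15.0, so anything older carries both CVEs.
RCE_FIXED = (2, 15, 0, 1, 0)

# Matches artifact names such as log4j-core-2.14.1.jar or log4j-core-2.0-beta9.jar
_JAR_RE = re.compile(
    r"log4j-core-(?P<ver>(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?)\.jar$", re.I)

class Finding(NamedTuple):
    path: str
    version: str
    cves: tuple

def version_key(m):
    """Sortable key; pre-releases rank below the final release (2.0-beta9 < 2.0.0)."""
    _, major, minor, patch, tag, num = m.groups()
    rank = 0 if tag else 1
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))

def classify(path: str) -> Optional[Finding]:
    """Map one inventory path to the CVEs it is exposed to, per the ranges above."""
    m = _JAR_RE.search(path)
    if m is None:
        return None  # not log4j-core (log4j-api on its own is not in scope here)
    key = version_key(m)
    cves = []
    if key < RCE_FIXED:
        cves.append("CVE-2021-44228")
    if key < FIXED:
        cves.append("CVE-2021-45046")
    return Finding(path, m.group("ver"), tuple(cves))

def triage(inventory):
    """Return only the findings that still need the 2.16 upgrade."""
    return [f for p in inventory if (f := classify(p)) and f.cves]

# Constructed sample inventory (e.g. output of a filesystem or SBOM scan).
SAMPLE = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/legacy/lib/log4j-core-2.0-beta9.jar",
    "/srv/web/WEB-INF/lib/log4j-core-2.15.0.jar",
    "/srv/web/WEB-INF/lib/log4j-api-2.15.0.jar",
    "/opt/patched/lib/log4j-core-2.16.0.jar",
]
```

Calling `triage(SAMPLE)` returns the three log4j-core entries below 2.16.0, with the 2.15.0 jar flagged only for CVE-2021-45046.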

What are the bad guys up to?

So far, The Register has the best “hot take” on adversaries out there, using the under-appreciated word “miscreant” in its latest reporting.

As we saw during the great Exchange meltdown earlier this year and with other previously announced significant vulnerabilities, expect a race between attackers and defenders. The earliest shots were likely more of the target-of-opportunity variety, typically from botnet scans and coin miners. They have since developed into at least one fully-fledged ransomware attack and activity from one Trojan family so far. Check Point seems to have the scariest quotable data, stating that it has observed 60+ versions of the original exploit variant to date, with over 1.2 MILLION (emphasis ours) exploit attempts observed on just its own customer deployments across all continents and most industries.

Here at Digital Shadows (now ReliaQuest), we’ve already seen chatter on several top-tier Dark Web sites as forum users work out different attack methods amongst each other. They’ve mirrored and reposted proofs-of-concept online, and there’s evidence some users are working out how to bypass web application firewalls (WAFs), which Acunetix has stated will not protect against exploits anyway.

This will probably be happening for a while

One of the more common views is that the nearly half-million known downloads of Log4j, the sheer number of systems using Apache services or Java, and the likely large amount of shadow IT or other unknown and undiscovered assets out there, coupled with overwork, lack of resources, or sheer avarice, spell long-term disaster for everyone. There will likely be other criminal groups who seize this opportunity and get the splashy headlines; meanwhile, there are likely some nation-states or similarly advanced actors who prefer a quieter approach and are already in the network somewhere. The tl;dr is we’re going to be feeling this for a while.

Relevant infosec Twitter comic H/T @baertwitter

Again, our kudos go out to the IT support teams and admins who were expecting a quiet last few weeks of 2021 and rose to the challenge instead. Also, a toast to the defenders who were expecting much of the same, many of them already veterans of previous vulnerabilities like this. As they say in Battlestar Galactica, this has happened before and will happen again. Hopefully, this was a big enough wake-up call to get more people into software bills of materials (SBOMs), as our own Rick Holland hopes, or just better asset and configuration management in general.

In any case, as one Redditor put it, “on the second Pandemic Christmas, Minecraft gave to me, a Log4j vulnerability.” Let’s hope this is it for now.