Welcome to our 2-part series on the Log4j vulnerability, where we’ll bring you up to speed and help clear up some of the mystery around the latest vehicle of the internet’s dark actors that analysts are calling the “biggest cyberbreach in history.”
In two different parts, we’ll share with you:
- Part 1 – Log4j Vulnerability – What you need to know (this post)
- Part 2 – Log4shell – How Nexon dealt with log4shell (coming soon)
Be sure to come back to this page as we will update the links above as we post the articles.
Part 1 – What you need to know
- What is Log4j?
- What is Log4shell?
- What is Zero-day (or 0day)?
- What is Open-Source?
- How Does the Log4j Exploit Affect You (or Your Organisation)?
- Examples in the Wild
- What Next?
What is Log4j?
Log4j is a Java-based, open-source software library for logging, created by The Apache Software Foundation. (ref1)
The key word here is open-source (more on that below): Log4j is made available freely and readily for any and all to use in the development of software applications, including those applications that are internet-facing.
What this means is that the Log4j code flaw is globally widespread, and “is estimated to be present in 100+ million instances.” (ref2)
Screenshot from Apache.org
What is Log4shell?
Log4shell is the name that the cybersecurity community is now using for the primary Log4j Zero-Day code flaw (and the resulting attacks and vulnerabilities) that was brought to light 9 December 2021 (NVD entry code: CVE-2021-44228). (ref3)
The primary vulnerability was rated a 10 out of 10 on the CVSS (or Common Vulnerability Scoring System) due to the gravity of potential impact it could have if the flaw were to be leveraged by dark actors.
What is Zero-Day or 0day?
A zero-day vulnerability means that by the time the vulnerability is found or reported, the code is already out in the wider world, and the developers have had 0 days to provide a fix for the flaw. (ref4)
What is “open source” and why does it matter?
Open source means that the design or structure of something is publicly available (ref5), meaning that people can share and modify it at will, as individuals, groups, or organisations. No discrimination is made between the individual and a corporate entity.
The fact that Log4j is open source (ref6) isn’t necessarily the piece of the puzzle that is troubling, but rather how open-source code is used and disseminated in coding. It’s important to note that not only is Log4j itself – as a project and piece of software – open source, but so is the language that it is coded in: Java.
Open-source code is there to be used, adapted, and “forked” at will by the community – this is how we learn and innovate and find new ways to make things work, because any one problem can have multiple ways to be solved. What that means is that an organisation might release a version one month, and 30 different developers could download and use that version and add their own code to it. Then, they have effectively made their own version. This isn’t inherently bad – this is literally what it’s there for.
However, this poses the problem that when an issue arises with an open-source piece of software, it’s not simply as easy as just updating that one “piece” of code in the software. As developers use open-source code within their applications, it can be as much part of the framework of the application as a single part in a car – but how much manoeuvring does it take to get that one part replaced? Sometimes, like a windscreen wiper, it’s a non-issue. But others, like a windscreen with rain sense and lane-assist sensors, those take a bit more finessing to rectify.
And in the case of the Log4j flaw? It’s a doozy – because it is everywhere, and it is deep in the foundations of the applications it is in.
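One practical way to answer “where is Log4j actually sitting in our applications?” given the nesting just described: the Python script below, added here as an example and not code from the original post, from Nexon or from Apache, walks a directory, opens every JAR/WAR/EAR it finds, recurses into archives packed inside those archives, and reports each log4j-core jar with the version from its manifest (falling back to the version in the file name). The archives it builds in a temporary directory are constructed for the demo, and the version numbers in them are made up.

```python
import io, os, re, tempfile, zipfile
LOG4J_JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")  # how Log4j 2's core jar is named
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def _manifest_version(zf):
    # Implementation-Version from META-INF/MANIFEST.MF, or None if the jar lacks one
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def _scan_bytes(data, location, hits):
    # Record a log4j-core jar, otherwise descend into nested archives (jar in war in ear)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # named like an archive but is not one
    with zf:
        m = LOG4J_JAR.search(location)
        if m:  # prefer the manifest's version over the one in the file name
            hits.append((location, _manifest_version(zf) or m.group(1)))
        else:
            for name in zf.namelist():
                if name.lower().endswith(ARCHIVE_EXT):
                    _scan_bytes(zf.read(name), location + "!" + name, hits)

def find_log4j_core(root):
    """Sorted (location, version) pairs for every log4j-core jar under root, nested or not."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    _scan_bytes(fh.read(), os.path.relpath(full, root).replace(os.sep, "/"), hits)
    return sorted(hits)

def demo():
    """Constructed sample tree (not real artifacts): one jar nested in a WAR, one bare jar."""
    with tempfile.TemporaryDirectory() as root:
        core = io.BytesIO()
        with zipfile.ZipFile(core, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 9.9.9-sample\n")
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-9.9.9.jar", core.getvalue())
            zf.writestr("WEB-INF/lib/other-lib-1.0.jar", b"not really a zip")
        with zipfile.ZipFile(os.path.join(root, "log4j-core-8.8.8.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")  # no version line
        return find_log4j_core(root)
```

Point `find_log4j_core` at a real application or deployment directory and compare each reported version with Apache’s published fix guidance for CVE-2021-44228; a jar that only shows up via the `!` path notation is one buried inside another archive, which is exactly the “deep in the foundations” case the text describes.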
Why should you care?
Or… How does this affect you or your organisation?
Logging is a fundamental feature of most applications (ref7), so there’s a good chance that your organisation has multiple instances of this software library in current use. Think of every time that you get a 404-error webpage or look at your user activity in online systems or any time you make changes to a Word or Excel document – that error page or those activity items were created by a piece of software like Log4j.
DISCLAIMER: Please note that not all applications use Log4j for their logging functionality. Some organisations and developers shy away from using open-source code in their applications. This enables them to avoid incidents like what we are seeing right now, among other things. That is not a better way or the “right” way, it is simply a different way to do it.
To get a simple picture of the gravity of Log4shell:
- Multiply each application in use in your organisation…
- By how many devices your organisation owns or manages… (including audio visual devices, servers, phones, etc)
- By how many users in your organisation…
- By how many BYO devices that they also use… (especially in the current environment of remote/hybrid working)
- By how many actions they each take (including those “actions” that are in the background or invisible) per day in each application…
And that’s just a glimpse of the potential vulnerabilities you may be facing. And we’ve not even factored the amount of TIME spent in each application into that picture…
Examples in the wild
- Despite ONUS acting within 48 hours on advisories released on 11 Dec, a ransomware attack was launched on the Vietnamese fintech firm. ONUS held their ground and refused to pay the ransom, which resulted in over 2 million customer records being released online on Christmas Day. Fintech firm hit by Log4j hack refuses to pay $5 million ransom | BleepingComputer.com
- Belgium’s Defense Ministry was effectively crippled for days as they quarantined their network following an attack. Citing security reasons, the Ministry did not disclose the source of the attack. Defence victim of serious cyber attack | The Standard.be
- A new strain of crypto-locking malware called Night Sky was launched without pause beginning 27 Dec. The most notable attacks so far have been on organisations with on-premises installs of VMware Horizon and VMware Horizon Agent. Night Sky ransomware uses Log4j bug to hack VMware Horizon servers | BleepingComputer.com
- Dark actor gang Prophet Spider – well known for their access brokering – has been linked to attacks, again through VMware Horizon servers, as brought to light by Blackberry researchers. Access broker found exploiting Log4j vulnerability in VMware | ARNNet.com.au
As you can see, the ramifications of this flaw in such a widespread software library are only just beginning to be seen. Experts are saying that this will likely prove to be the greatest cybersecurity breach in history, and that as dark actors continue to mount their attacks, we will see it played out across all aspects of our day – both professionally and personally.
Stay tuned for the second half of our Log4j “mini-series”, around Nexon’s response to the threat, and what’s been done to mitigate the risk this flaw is presenting to organisations.
If you are unsure if your organisation has adequate measures in place to mitigate the immense threat that the Log4shell hack presents, don’t waste any time and reach out to start a conversation with our security experts.
1 – Log4j | Apache
2 – Log4j Zero-Day Vulnerability Response | CISecurity.org
3 – NVD – CVE-2021-44228
4 – Zero-Day Exploits & Zero-Day Attacks | Kaspersky
5 – What is open source software? | Opensource.com
6 – What is open-source software? | BusinessInsider.com.au
7 – What is Log4j? A cybersecurity expert explains the latest internet vulnerability, how bad it is and what’s at stake | TheConversation.com