It may well be the most severe cybersecurity vulnerability you never heard of. Iranian hacking groups have already begun deploying it, gamers playing Minecraft have taken over computers with just a single line of code typed in the in-game chat, and the United States Federal Trade Commission has threatened to “pursue” companies that don’t patch it.
The Log4j zero-day vulnerability revealed in November demands immediate action from governments, software developers, enterprises that use affected software, and a good section of end-users. It allows hackers “remote code execution”—the ability to run any code they want on the affected system. In theory, hackers exploiting this could do anything: from injecting ransomware into an affected system (encrypting your hard drive and demanding a ransom to decrypt it) to hacking a Minecraft server to their own advantage to planting a bug to track and collect sensitive data.
On Monday, US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly told reporters the log4j vulnerability was the worst she had ever seen. Considering that we are just two years into the aftermath of the SolarWinds hack, such a statement suggests it is time to pay attention.
What is Log4j?
Log4j is a logging utility for Java-based applications. Software applications often need to “log” what happens in them, which means listing down data encompassing everything from the user’s IP address to their browser and what they use the program to do. Since log4j was distributed under the Apache Software Licence, it is open source and is a popular library for Java apps.
On November 24, a zero-day vulnerability (one that has been disclosed but not patched) was announced. Dubbed Log4Shell, it sent shockwaves through the cybersecurity community.
From your smart fridge to your PC to your Android device, this vulnerability could affect you and many devices you own. And while Apache has released an official patch, it remains up to millions of end-users to deploy it.
How many apps use it? It is difficult to say. Early estimates figure that hundreds of millions of devices could be affected, out of the around three billion devices that run Java worldwide.
THE WEEK spoke to cybersecurity expert Nandakishore Harikumar about the exploit, what it means for you and your company, and what kind of action you can take to address such threats.
What kind of people should be worried about this? What users and what devices could be affected?
Many software use logs for development and security purposes. Log4j is a part of this logging process.
Hence, it is highly possible that the vulnerability could affect millions and millions of victims. Individuals as well as organisations are affected by this. It was a zero-day vulnerability which would help attackers to enter compromised systems and remotely steal data.
Log4j is part of our daily use of systems and devices used by individuals. The best thing you can do to protect yourself is to make sure all your devices, systems and software are as up to date as possible and look for the next upcoming update.
The same is applicable with organisations too. Larger enterprises may have an advantage as they have a team dedicated to managing security. But it could be a major cause of concern for small-scale and medium-sized industries.
Some examples of services and websites that use log4j include Apple’s iCloud, and Twitter. Since it is a [popular] open-source Java library, anyone using Java could be affected. Even Minecraft was affected.
When you track cybersecurity threats, how often do vulnerabilities like this appear?
It is a common phenomenon. But its vastness is what is the major problem. Log4j is widely used in logging library process texts and could affect any firm using Java. It is widely used in many cloud infrastructures too.
But if you look, we could see similar types of vulnerabilities affecting platforms like WordPress as well. A recent report by Risk Based Security said there were over 10,000 vulnerabilities relating to WordPress in 2021 alone.
Vulnerabilities happen but their extent and the time needed to patch them varies from case to case.
Can this vulnerability be patched centrally or does it require every single software making use of log4j to update itself?
It depends on how you manage your systems. Some organisations use patch managers which will surely help them to monitor and identify unpatched systems. But SMEs may have to do it manually based on their IT policies.
The Cybersecurity and Infrastructure Security Agency has made a tool to scan for log4j remote code execution vulnerabilities, available here.
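As an added example in the spirit of the scanner mentioned above (this is not the article's, CISA's or the interviewee's code), a small Python inventory helper: it walks a directory tree, looks inside WAR/EAR/JAR archives for bundled copies, and flags Log4j core JARs whose version is below a minimum safe version. MIN_SAFE_VERSION is a placeholder to be set from the vendor advisory, and all function names are this example's own.

```python
"""Added example (not the page's or CISA's code): walk a directory tree, find Log4j core
JARs, including ones bundled inside WAR/EAR/fat JARs, and flag versions below an assumed minimum."""
import os
import re
import zipfile
from typing import Iterable, Iterator, List, Optional, Tuple

# Matches a file or archive-entry name such as lib/log4j-core-2.14.1.jar; group 1 = version.
LOG4J_CORE = re.compile(r"(?:^|[/!])log4j-core-(\d+(?:\.\d+)*)\.jar$")
# Placeholder threshold for illustration: take the real value from the vendor advisory,
# and note that older Java 6/7 branches of Log4j have their own fixed versions.
MIN_SAFE_VERSION = "2.17.1"

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); tuples compare numerically, so 2.9.1 < 2.17.1."""
    return tuple(int(part) for part in text.split("."))

def log4j_version(name: str) -> Optional[str]:
    """Version encoded in a Log4j core JAR name (plain path or 'outer.war!inner'), else None."""
    match = LOG4J_CORE.search(name.replace(os.sep, "/"))
    return match.group(1) if match else None

def is_vulnerable(version: str, min_safe: str = MIN_SAFE_VERSION) -> bool:
    return parse_version(version) < parse_version(min_safe)

def classify(names: Iterable[str], min_safe: str = MIN_SAFE_VERSION) -> List[Tuple[str, str, bool]]:
    """(name, version, needs_patch) for every Log4j core JAR among the given names."""
    found = [(n, log4j_version(n)) for n in names]
    return [(n, v, is_vulnerable(v, min_safe)) for n, v in found if v is not None]

def nested_entries(archive_path: str) -> Iterator[str]:
    """Yield 'archive!entry' for each member of a WAR/EAR/JAR; skip unreadable archives."""
    try:
        with zipfile.ZipFile(archive_path) as zf:
            for info in zf.infolist():
                yield f"{archive_path}!{info.filename}"
    except (zipfile.BadZipFile, OSError):
        return

def scan_tree(root: str, min_safe: str = MIN_SAFE_VERSION) -> List[Tuple[str, str, bool]]:
    """Walk root and report plain and bundled Log4j core JARs with their patch status."""
    candidates: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            candidates.append(path)
            if filename.lower().endswith((".jar", ".war", ".ear")):
                candidates.extend(nested_entries(path))
    return classify(candidates, min_safe)
```

Call scan_tree() on an application directory and act on every entry whose third field is True; JARs that were renamed or shaded will not match the filename pattern and need a manifest or hash check instead.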
What does this mean in the Indian context where many computers run older and sometimes pirated software?
In the Indian context, the situation is so dangerous. We mainly have an SME market which has yet to step into a more secure culture and is more vulnerable. We need to step up our security practices and start using genuine software. There is a trend even among techies to use pirated software. In that case, patching or updating to the new version will be very hard.
We have seen everything from well-funded Indian startups to larger enterprises becoming victims of data breaches as well as of ransomware attacks. There are already reports that cyber criminals have been using the Log4j vulnerability as part of their ransomware attacks on organisations.
Why was such a vulnerability disclosed if almost anybody can exploit it?
I believe disclosure is always done to ensure that systems and processes are put in place to avoid further damage. Also, this will help cyber security teams to be ready with preparedness. [The field of] vulnerability intelligence itself is there to update cyber security teams and researchers [on such threats].
In 2020, we saw a similar large-scale threat with the SolarWinds, which appeared to have infected systems for a long time. Are we likely to see further aftershocks of that?
Yes, as we grow digitally, we will see this. We do not have a system that is 100 percent secure. Only continuous monitoring, detection and responding can lead us to build secure systems. Even so, we see incidents like SolarWinds.
These incidents help organisations to be prepared for the future. But it is high time that Indian organisations step up their security-risk management game. Being a nation that depends a lot on outsourcing as well as on the digital economy, we need to enhance our security practices and bring them into our organisational culture.
For companies, for end users and for the government: What is the smart policy response?
Five points:
1. Emerging Exploit Techniques can be managed to an extent by using web application firewall (WAF) rules—enterprise guidelines that can protect companies against specific cyberattack threats.
2. Threat Intelligence along with vendor risk monitoring (keeping track of the software vulnerabilities due to third party vendors) is a must.
3. Asset visibility is another key factor. Security Operation Centre (SOC) operations need to be streamlined and awareness needs to be increased about the happenings. While smaller companies may not be able to afford running SOCs, they can stand to improve their awareness of threats and start building up cybersecurity best-practices.
4. Threat hunting and vulnerability intelligence will aid in detecting exploits.
5. Asset monitoring of first party assets (that your enterprise makes) and third party software (which have come from outside—like a cloud infrastructure from an outside vendor). Patch management also plays a major role in countering these cyber threats.
Nandakishore Harikumar is founder and CEO of Technisanct, a Bengaluru-based cybersecurity startup that researches digital risk monitoring and risk posturing using AI. He has been widely cited for his research into the Deep Web and the Dark Web.