December 20, 2021

Security teams scramble to identify Log4j threat to organizations

By GlobalData Thematic Research

Although the highest-profile cyberattack of 2021 was probably the ransomware attack on Colonial Pipeline, it is the more recent Log4Shell vulnerability in the Log4j logging library that is causing the biggest cyber concern for organizations.

The UK’s National Cyber Security Centre (NCSC) has described it as potentially the most severe computer vulnerability in years. Log4j is a widely used Java library for writing log messages from enterprise applications; it is embedded in custom software, network appliances and many cloud computing services. Log4Shell (CVE-2021-44228), a zero-day vulnerability in that library, lets an unauthenticated attacker run arbitrary code on a vulnerable machine simply by getting a crafted string logged, for example via a web request header: vulnerable versions resolve ${jndi:...} lookups found in log messages and load code from the attacker-controlled server the lookup points at.

The challenge for organizations is threefold: finding out which products and services embed the Log4j component; identifying which of those the organization actually runs or depends on; and establishing whether each one is running a vulnerable version and configuration.

Severity

Those that have encountered the Log4Shell vulnerability are explicit about its threat. Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), has described it as “one of the most serious that I’ve seen in my entire career, if not the most serious”.

More sophisticated attackers have now started exploiting the bug. They include state-sponsored hackers – typically from China, Iran, and North Korea – who have started testing, exploiting, and using the Log4Shell vulnerability to deploy malware, including ransomware. Microsoft has highlighted a new family of ransomware, Khonsari, that has been used in attacks on non-Microsoft-hosted Minecraft servers by exploiting the vulnerability in Apache Log4j.

The problem for security professionals is to establish whether Log4j code is present in their applications at all, because wherever it is, it is a potential risk. As with much open-source software, it is usually pulled in indirectly, as a dependency of other libraries, frameworks and vendor products further down the supply chain, so it can be present without appearing in any list of an application’s direct dependencies.
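Because Log4j is so often a transitive dependency, the practical first check is to look inside deployed artifacts rather than build manifests. The script below is an added example, not tooling from GlobalData, the NCSC or the Apache project: it opens JAR/WAR/EAR files, recurses into nested archives, reads the log4j-core version from its Maven pom.properties, checks whether JndiLookup.class is still present, and classifies the result against the Apache fix versions current on 20 December 2021 (2.17.0 for Java 8). The WAR it builds in memory when run with no arguments is constructed sample input.

```python
"""Find Log4j 2 inside JAR/WAR/EAR files and classify each copy.

Added example (not tooling from GlobalData, the NCSC or the Apache project).
Assumptions: log4j-core is identified by its Maven pom.properties path and by
org/apache/logging/log4j/core/lookup/JndiLookup.class; the fixed-version table
reflects the Apache advisories as of 20 December 2021 (2.17.0 for Java 8).
"""
import io
import re
import sys
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str                  # e.g. app.war!WEB-INF/lib/log4j-core-2.14.1.jar
    version: Optional[str]     # from pom.properties, None if that file is absent
    jndi_lookup_present: bool
    status: str


def version_tuple(v: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparsable -> (0, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        return (0, 0, 0)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version: Optional[str], jndi_present: bool) -> str:
    if version is None:
        return "log4j-core present, version unknown: treat as vulnerable"
    v = version_tuple(version)
    if v >= (2, 17, 0):
        return "fixed"
    if not jndi_present:
        # Deleting JndiLookup.class was the Apache-recommended mitigation for
        # 2.10-2.14.1; it blocks CVE-2021-44228 but is not a substitute for upgrading.
        return "JndiLookup.class removed: CVE-2021-44228 mitigated, upgrade still required"
    if v >= (2, 16, 0):
        return "CVE-2021-44228/45046 fixed; CVE-2021-45105 (DoS) unfixed"
    if v >= (2, 15, 0):
        return "incomplete fix: CVE-2021-45046 in non-default configurations"
    return "VULNERABLE: CVE-2021-44228"


def parse_version(props: str) -> Optional[str]:
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data: bytes, path: str, findings: List[Finding]) -> None:
    """Recurse into nested archives: log4j-core usually ships inside a WAR or fat JAR."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = zf.namelist()
    name_set = set(names)
    version = (parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
               if POM_PROPS in name_set else None)
    jndi = JNDI_LOOKUP in name_set
    if version is not None or jndi:
        findings.append(Finding(path, version, jndi, classify(version, jndi)))
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            scan_archive(zf.read(name), f"{path}!{name}", findings)


def scan_bytes(data: bytes, path: str) -> List[Finding]:
    findings: List[Finding] = []
    scan_archive(data, path, findings)
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, "rb") as f:
        return scan_bytes(f.read(), path)


def build_sample_war() -> bytes:
    """Constructed input: a WAR bundling log4j-core 2.14.1 as a nested JAR."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, a stand-in for the real class
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    results = ([f for p in sys.argv[1:] for f in scan_file(p)] if len(sys.argv) > 1
               else scan_bytes(build_sample_war(), "sample.war"))
    for f in results:
        print(f"{f.path}: version={f.version} JndiLookup={f.jndi_lookup_present} -> {f.status}")
```

Run it over the artifacts actually deployed (`python scan.py /opt/app/*.war`), not the source tree. Two caveats a scan like this cannot cover: a shaded build that relocates the package will move JndiLookup.class out of the expected path, and a vendor appliance you cannot open has to be checked against the vendor’s own advisory.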

The Apache Software Foundation (ASF) has also had to fix its fixes: the 2.15.0 release that closed CVE-2021-44228 turned out to be incomplete in some non-default configurations (CVE-2021-45046, addressed in 2.16.0), and a further denial-of-service flaw in the lookup code (CVE-2021-45105) prompted release 2.17.0. Teams that patched in the first days need to confirm they are on the latest release, not the first one.

NCSC Log4j warning

The NCSC has said the Log4j issue has the potential to have a severe impact on many organizations. Although most attacks to date have been automated and exploratory, it warns that if ransomware is delivered by exploiting this issue, vulnerable computers may be ransomed.

The centre warned that if organizations do not have robust internal network cyber resilience, an initial compromise could spread through the organization and cause a variety of business impacts, including disruption to business operations, the need to disclose where personal data was affected, costs associated with incident response and recovery, and reputational damage.

The NCSC added that managing this latest risk will require strong leadership, with senior managers working in concert with technical teams to initially understand their organization’s exposure, and then to take appropriate actions. These will be specific to organizations, so working with and supporting local subject matter experts is essential.

Key questions for IT teams

The extent of the Log4j threat has prompted the NCSC to pose a series of questions boards should ask of their security teams, including:

  • Who is leading on our response?
  • What is our plan?
  • How will we know if we’re being attacked, and can we respond?
  • What percentage of visibility of our software/servers do we have?
  • How are we addressing shadow IT/appliances?
  • Are our key providers covering themselves?
  • Does anyone in our organization develop Java code?
  • When did we last check our business continuity plans (BCP) and crisis response?

The NCSC believes remediating the Log4j issue is likely to take weeks, or even months for larger organizations, with a risk of burnout for defenders if they are not supported by executive leadership.

A difficult year in cybersecurity may be ending. But the threats aren’t stopping.