Although the highest profile cyberattack of 2021 was probably the ransomware attack on the Colonial Pipeline, it is the latest Log4Shell and Log4j vulnerability that is causing the biggest cyber concern for organizations.

The UK’s National Cyber Security Centre (NCSC) has described it as potentially the most severe computer vulnerability in years. The background to the vulnerability is that Log4j is a Java library for logging error messages in enterprise applications, which includes custom applications, networks, and many cloud computing services. Log4Shell, a zero-day vulnerability in the logging library, allows attackers to remotely execute code and gain access to machines.

The challenges organizations are facing are finding out what services use that Log4j component; identifying which of these services the organization uses; and finding out if these services are vulnerable.

Severity

Those that have encountered the Log4Shell vulnerability are explicit about its threat. Jen Easterly, director of the US cybersecurity and infrastructure agency CISA, has described it as “one of the most serious that I’ve seen in my entire career, if not the most serious”.

More sophisticated attackers have now started exploiting the bug. They include state-sponsored hackers – typically from China, Iran, and North Korea – who have started testing, exploiting, and using the Log4Shell vulnerability to deploy malware, including ransomware.  Microsoft has highlighted a new family of ransomware, Khonsari, that has been used in attacks on non-Microsoft hosted Minecraft servers by exploiting the vulnerability in Apache Log4j.

The problem for security professionals is to understand whether the Log4j code is part of their applications and therefore becomes a potential risk. As with most open-source software, it is built-in further down the supply chain.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

The Apache Software Foundation (ASF) recently revealed a new bug in the Java-based open-source logging library, prompting the creation of a new fix.

NCSC Log4j warning

The NCSC has said the Log4j issue has the potential to cause severe impact to many organizations. Although most attacks to date have been automated and exploratory, it suggests that if ransomware is delivered by exploiting this issue, vulnerable computers may be ransomed.

The centre warned that if organizations do not have robust internal network cyber resilience, this could spread through the organization and cause a variety of business impacts including business operations disruption, the need to disclose where personal data was affected, costs associated with incident response and recovery, and reputational damage.

The NCSC added that managing this latest risk will require strong leadership, with senior managers working in concert with technical teams to initially understand their organization’s exposure, and then to take appropriate actions. These will be specific to organizations, so working with and supporting local subject matter experts is essential.

Key questions for IT teams

The extent of the Log4j threat has prompted the NCSC to pose a series of questions boards should ask of their security teams, including:

• Who is leading on our response?
• What is our plan?
• How will we know if we’re being attacked, and can we respond?
• What percentage of visibility of our software/servers do we have?
• How are we addressing shadow IT/appliances?
• Are our key providers covering themselves?
• Does anyone in our organization develop Java code? And
• When did we last check our business continuity plans (BCP) and crisis response?

The NCSC believes remediating the Log4j issue is likely to take weeks, or even months for larger organizations, with a risk of burnout for defenders if they are not supported by executive leadership.

A difficult year in cybersecurity may be ending. But the threats aren’t stopping.