Security teams across the globe have been scrambling to address a dangerous new zero-day vulnerability in a popular Apache logging system currently being exploited in the wild.
Dubbed "Log4Shell," the bug is found in the Log4j Java-based logging product and can lead to relatively straightforward remote code execution which would allow attackers to deploy malware on a targeted server.
The exploit is dangerous for two reasons. First, Log4j is used by applications and platforms found all over the internet, including Minecraft, Apple iCloud, Tesla, Cloudflare and Elasticsearch. Second, it is relatively easy to exploit, by forcing a vulnerable application to log a particular string of characters.
That could be done in a variety of ways as apps log many different types of events. According to one researcher, Minecraft servers were exploited simply by typing a short message into the chat box.
Sophos has posted a detailed write-up of the underlying improper input validation flaw: CVE-2021-44228.
The impact of this discovery could dominate the work of cybersecurity professionals over the coming weeks.
According to Sophos senior threat researcher, Sean Gallagher, Log4Shell has already been exploited to install coin miners, expose AWS keys, and install remote access tools including Cobalt Strike in victim environments.
“Log4Shell is a library that is used by many products. It can therefore be present in the darkest corners of an organization’s infrastructure, for example any software developed in-house. Finding all systems that are vulnerable because of Log4Shell should be a priority for IT security,” he added.
“Sophos expects the speed with which attackers are harnessing and using the vulnerability will only intensify and diversify over the coming days and weeks. Once an attacker has secured access to a network, then any infection can follow. Therefore, alongside the software update already released by Apache in Log4j 2.15.0, IT security teams need to do a thorough review of activity on the network to spot and remove any traces of intruders, even if it just looks like nuisance commodity malware.”
Check Point claimed to have already blocked 400,000 exploit attempts for customers from late Friday to Sunday.
Bugcrowd founder, Casey Ellis, described the incident as a “worst case scenario.”
“The combination of Log4j's ubiquitous use in software and platforms, the many, many paths available to exploit the vulnerability, the dependencies that will make patching this vulnerability without breaking other things difficult, and the fact that the exploit itself fits into a tweet. It's going to be a long weekend for a lot of people,” he added.
“The immediate action is to stop what you're doing as a software shop and enumerate where log4j exists and might exist in your environment and products. It's the kind of software that can quite easily be there without making its presence obvious, so we expect the tail of exploitability on this vulnerability to be quite long.”
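Gallagher's and Ellis's advice above comes down to the same task: find every copy of log4j-core in the estate, including copies buried inside WARs and fat jars. The following is an added example, not code from the article, Sophos or Bugcrowd: it reads log4j-core's Maven pom.properties for the version, checks whether the JndiLookup class is still shipped, recurses into nested archives, and compares against the 2.15.0 release the article cites; the fixture builder and the fixed-version threshold are assumptions for illustration.

```python
import io
import re
import zipfile

FIXED = (2, 15, 0)  # fix release cited in the article; raise per Apache's current advisory
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.15.0-rc1'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def inspect_jar(data, path):
    """Findings for one archive (bytes); recurses into nested jars (WARs, fat jars)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    if POM in names:  # this archive is (or bundles) log4j-core itself
        m = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
        ver = m.group(1).strip() if m else "unknown"
        jndi = JNDI in names  # Apache's stopgap for 2.10+ was deleting this class
        parsed = parse_version(ver)
        findings.append({"path": path, "version": ver, "jndi_lookup_present": jndi,
                         # vulnerable: lookup class still shipped and release below the fix
                         "vulnerable": jndi and (parsed is None or parsed < FIXED)})
    for name in names:
        if name.endswith((".jar", ".war", ".ear")):
            findings.extend(inspect_jar(zf.read(name), f"{path}!/{name}"))
    return findings


def build_sample_jar(version, with_jndi=True, wrap_as=None):
    """Constructed fixture, not a real artifact: fake log4j-core jar, optionally nested in a WAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, f"version={version}\n")
        if with_jndi:
            zf.writestr(JNDI, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    if not wrap_as:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr(wrap_as, buf.getvalue())
    return outer.getvalue()
```

Feed `inspect_jar` the bytes of every .jar, .war and .ear under a deployment root (an `os.walk` loop will do) and treat each finding with `vulnerable` set as a patching priority.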