Hundreds of thousands of attempts to exploit the vulnerability are under way.
In many cases, updating IT systems and patching security vulnerabilities is a quiet matter that business leaders may be little concerned with other than knowing that they have approved a budget for the IT team to get it done. That quiet approach is sometimes unsettled when a breaking news story emerges of another company that suffered a cyberattack or a data breach due to a vulnerability in some software they were using. Reading such a story should immediately prompt a few questions, the most important of which are, “Is my company using that software? And, if so, have we applied the patch?”
The case of the Log4Shell vulnerability should prompt even more of these unsettling questions. For starters, this vulnerability involves a piece of code – the Apache Log4j 2 library – that is used worldwide and could easily be present in the software your company uses, even without your IT staff explicitly knowing. In that sense, it is unlike almost any other vulnerability IT security teams typically deal with. Furthermore, taking advantage of the weakness present in this code is both rather trivial for attackers and dangerous for your business.
Sitting behind the comfort of their computer screens somewhere far away (or not) and armed with a little bit of knowledge of the Java programming language, cybercriminals can scan the internet and send malicious packets to compromise any one of your systems exposed to the internet with a vulnerable version of this code library running on it.
If your system processes such a malicious packet, the game may be almost over because the attacker has now made one of your systems attempt to reach out to a malicious website and download malware that could take complete control over that system. In the same way, an attacker already in your network could just as easily maneuver to other systems, using the same attack approach.
So far, ESET detection systems have seen attackers attempting to deliver malware such as coin miners, the Tsunami and Mirai trojans , as well as the Meterpreter penetration testing tool. It’s likely a matter of time before attacks will intensify and advanced threat actors will target the vulnerability in droves.
The time to audit and update is now
The Log4Shell vulnerability has precipitated a worldwide response in which companies are making a complete audit of all the software they use and/or develop for the presence of vulnerable versions of the Log4j 2 library. With hundreds of thousands of attack attempts being detected and blocked by ESET’s systems alone, there is no time to lose in this search.
Business leaders need to approach their IT staff to ensure that a complete search of all software assets from A to Z is underway, based on a prioritized list. Many software development companies have already audited their products and posted customer advisories on whether these are affected and, if so, what mitigations customers should put in place. Your IT team needs to search for those advisories at once. ESET’s customer advisory is here.
Critically, once vulnerable versions of the Log4j library are found, IT teams should update to the latest version of the library, which is currently 2.16.0. IT admins can follow the mitigation tips shared here.
written by Rene Holt, ESET