The cyber security world was thrown into turmoil last week with the Log4j vulnerability discovery. However, as expected, patches and updates have started flying around to contain the threat.
Software vendors might have identified the applications that are vulnerable and released patches or fixes, but the possibility of serious hacks persists.
Researchers have observed how attackers take advantage of the Log4j vulnerability to install malicious code on machines that were deliberately set up to be vulnerable. These machines, called honeypot servers, are used to study threats.
Highlighting the severity of the threat, Cloudflare’s CEO promised to offer firewall protection to all their customers, including those that didn’t pay for it. Cloudflare provides security for websites and networks.
However, the extent of the damage caused by hackers has yet to be quantified because many victims do not yet know that they have been compromised. Even those who have detected a compromise are reluctant to come forward with the information.
What is not in doubt is the scale of the vulnerability. The list of the affected software, which has been compiled by the Cybersecurity and Infrastructure Security Agency, includes more than 500 entries. This list covers only enterprise packages, meaning it would be much longer with consumer-focused applications accounted for.
The list includes software from stalwarts like Microsoft, Amazon, and IBM. While this is alarming, the greater risk comes from packages that are not even in the spotlight. Such software forms the basis on which many other companies build their entire business, which complicates the process of tracking the vulnerabilities and issuing fixes.
One of the reasons for the unusually large number of potential targets is that the Java programming language is so widely used in enterprise-level software, which commonly relies on Log4j for logging.
Jeremy Katz, a co-founder of a company that assists other firms to manage open-source software dependencies, said, “I ran queries in our database to see every customer who was using Log4j in any of their applications. And the answer was: every single one of them that has any applications written in Java.”
Echoing the same thought, Cloudflare CTO, John Graham-Cumming, said, “Java has been around for so many years, and it’s so heavily used within companies, particularly large ones. This is a big moment for people who manage software within companies, and they will be running through updates and mitigations as fast as they can.”
Cloudflare has been able to update its firewall to block HTTP requests that contain strings characteristic of the code Log4j attackers use. The company is joined by ExpressVPN, which has quickly updated its VPN rules. Peter Membrey, the chief architect of ExpressVPN, said, “If a customer gets infected, we’ve already seen scanners as a malicious payload, so they might start scanning the internet and infect other people. We wanted to put a cap on that, not just for our customers’ sake but for everyone else’s sake — a bit like with Covid and vaccines.”
However, it is easier for the two companies mentioned above to patch their software because the changes are made on their own servers and do not require much action from the end-users. Other software might take longer to patch.
Despite quick fixes and patches, there is another risk posed by the Log4j vulnerability. This danger is summed up by Daniel Clayton, VP at Bitdefender: “Sophisticated attackers will exploit the vulnerability, establish a persistence mechanism, and then go dark. In two years’ time, we will hear about big breaches and then subsequently learn that they were breached two years ago.”
If this proves true, we have not heard the last of the Log4j vulnerability.