
Log4Shell. Security breach leaves thousands of platforms vulnerable


Security teams at a vast number of companies around the world are racing against the clock to fix a vulnerability called Log4Shell, which has the potential to allow hackers to compromise millions of devices on the Internet. When exploited, the vulnerability allows remote code execution on vulnerable servers, giving an attacker the ability to load malware (malicious content) that completely compromises a company's systems.

This vulnerability is found in Apache Log4j, one of the most popular Java components: an open-source library that manages log files for applications and services across the Internet. Logging is the process by which applications keep a record of the operations they have performed.

Exploitation of this vulnerability was first detected on websites that host Minecraft video game servers, where it was discovered that attackers could trigger the vulnerability through chat messages.

According to Check Point Research, which has been tracking the evolution of the vulnerability and its impact, more than 46% of attack attempts were perpetrated by known malicious groups. In Europe, as of December 13, more than 40% of corporate networks had already been affected by the vulnerability, a percentage above the global estimate. In Portugal, 43% of corporate networks suffered an attempt at malicious exploitation.

More than 100 attacks per minute related to the Log4j vulnerability were identified; more than 846,000 attacks were documented in the 72 hours after the initial outbreak, along with more than 60 new variants of the original vulnerability in less than 24 hours.

So far, 820,000 attempts to exploit the vulnerability have been blocked by protections issued by Check Point Software.

Embedded in almost every well-known service and application, including Twitter, Amazon, Microsoft and Minecraft, Log4j is used by a vast number of companies worldwide to provide logging in many widely used applications.

According to Nelson Escravana, director of cybersecurity at INOV – Institute of Systems and Computer Engineering Innovation, this vulnerability was introduced in 2013, when a user asked for the addition of “a little strange feature” to Log4j. This was possible because the logging system is a collaborative, open project in which programmers and users request features.

In this case, the functionality consisted of “being able to indicate in a log line where the system will look for more information to add to that operations record”.

“This is very bad security practice, because we are allowing something that is controlled by the user to determine what code is going to run on these servers. This means that vulnerable systems can be tricked into executing code that is on a malicious server”, explains the cybersecurity specialist.

Thus, “the only thing attackers have to do is make malicious code available on an Internet server and then send a message, that is, cause an operation in the system they want to attack whose log entry contains the address of that code”. This means that this type of attack allows code to be executed remotely, “which is one of the most critical types of vulnerabilities”, he adds.

In many cases the attacker does not even need credentials for the vulnerable system; it is enough to perform any operation that the attacker knows is recorded in the log file.

“This allows the attacker to execute whatever code they see fit on the target system and, from there, take control of the system”, he reiterates.

In Nelson Escravana's view, this situation is especially critical: “First, because of the ease of carrying out an attack, as there are no major restrictions on what the attacker can do. And then, because of how widely this technology is deployed, since practically all applications written in the Java programming language in the last 20 years are vulnerable. In other words, the impact is very wide”, he explains.

There are several measures that can be taken to mitigate this problem, the cybersecurity director at INOV points out. Since these attacks arrive via the Web, the first is a technology called a Web Application Firewall (WAF), which “filters external requests and manages to detect these attacks and prevent them”. The second, and the most recommended, is to update the library to a version that is no longer vulnerable.

“It’s a relatively simple process that doesn’t require changing the entire system; you may only have some problems finding the right version to update to, if the system is very old”, he says.

The third, and most drastic, is to turn off logging entirely, given that it is not essential to the functioning of most programs. In this case, however, much is lost, such as the recording of transactions, which in some cases may be mandatory for business or legal reasons. This solution is therefore not possible for all companies.

Lastly, it is also possible to change the application to prevent it from executing remote code. “But this is a much more time-consuming and expensive solution to implement in terms of human resources, because you have to redo the code”, he points out.
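The feature Escravana describes, a log line telling Log4j where to fetch more data, is implemented in log4j-core 2.x by the JNDI lookup class, and deleting that class from the jar was one of Apache's published mitigations for older 2.x releases. Both the "update the library" and "change the application" options above therefore start with the same question: which copies of log4j-core are deployed, and in what state? The following Python script is an added example written for this article, not code from the article or from the Apache Log4j project. It walks a directory tree, finds log4j-core archives (including copies nested inside war/ear/fat jars), reads the version from the Maven pom.properties inside the jar (falling back to the filename), and reports whether the JndiLookup class is still present. It assumes 2.17.1 as the fixed 2.x release line (FIXED_VERSION; adjust to the current Apache advisory), treats pre-release suffixes as the base version, and builds a constructed sample tree of stub jars so that it runs offline.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Class implementing the JNDI lookup feature in log4j-core 2.x.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata carried by log4j-core jars; the most reliable version source.
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Assumption: the 2.x release treated as fixed; check the current Apache advisory.
FIXED_VERSION = (2, 17, 1)


def parse_version(text):
    """Turn '2.14.1' (or a filename containing it) into a comparable tuple.
    Pre-release suffixes such as '-beta9' are ignored, a deliberate simplification."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def log4j_core_version(zf, name):
    """Version of an open archive if it is log4j-core, else None.
    Prefers pom.properties inside the jar, then the filename."""
    for entry in zf.namelist():
        if entry.startswith(POM_PREFIX) and entry.endswith("pom.properties"):
            props = zf.read(entry).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            if m:
                return parse_version(m.group(1))
    base = Path(name).name
    return parse_version(base) if base.startswith("log4j-core-") else None


def classify(version, has_jndi_lookup):
    """Map (version, JndiLookup present?) to a status string."""
    if version >= FIXED_VERSION:
        return "up to date"
    if not has_jndi_lookup:
        return "JndiLookup removed (upgrade still recommended)"
    return "upgrade required"


def inspect_archive(zf, display_name, findings):
    """Record a finding for this archive, then recurse into archives nested in it."""
    names = zf.namelist()
    version = log4j_core_version(zf, display_name)
    if version is not None:
        status = classify(version, JNDI_LOOKUP_CLASS in names)
        findings.append((display_name, ".".join(map(str, version)), status))
    for entry in names:
        if entry.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(entry))) as nested:
                    inspect_archive(nested, f"{display_name}!{entry}", findings)
            except zipfile.BadZipFile:
                continue  # named like a jar but not a zip; skip it


def scan(root):
    """Return [(archive path, version, status), ...] for every log4j-core under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, path.relative_to(root).as_posix(), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _stub_jar(entries):
    """Constructed zip holding only the given {name: data} entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _stub_log4j_core(version, keep_jndi=True):
    """Constructed stand-in for a log4j-core jar: just the entries the scanner reads."""
    entries = {POM_PREFIX + "pom.properties": f"version={version}\nartifactId=log4j-core\n"}
    if keep_jndi:
        entries[JNDI_LOOKUP_CLASS] = b"\xca\xfe\xba\xbe"  # class-file magic only, not real bytecode
    return _stub_jar(entries)


def build_sample_tree(root):
    """Create a constructed deployment (not a real application) under root."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    (lib / "log4j-core-2.14.1.jar").write_bytes(_stub_log4j_core("2.14.1"))
    (lib / "log4j-core-2.14.1-patched.jar").write_bytes(_stub_log4j_core("2.14.1", keep_jndi=False))
    (lib / "log4j-core-2.17.1.jar").write_bytes(_stub_log4j_core("2.17.1"))
    (lib / "commons-io-2.11.0.jar").write_bytes(_stub_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}))
    webapps = Path(root) / "webapps"
    webapps.mkdir(exist_ok=True)
    (webapps / "app.war").write_bytes(_stub_jar({
        "WEB-INF/web.xml": "<web-app/>",
        "WEB-INF/lib/log4j-core-2.13.3.jar": _stub_log4j_core("2.13.3"),  # nested copy
    }))


def demo():
    """Build the sample tree in a temp dir, scan it and return {archive: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {name: status for name, _version, status in scan(tmp)}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:48} {name}")
```

Point `scan()` at a real deployment root instead of the sample tree to produce an inventory; the nested-archive recursion matters because a vulnerable log4j-core packed inside a war or fat jar never shows up as a file on disk. The "JndiLookup removed" status is kept separate from "up to date" because a stripped jar still carries every other bug fixed since that release, so the upgrade remains the recommended end state.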
