On 6 December 2021, news broke of the Apache Log4j vulnerability. It gives attackers control of log messages, opens up the ability to execute arbitrary code loaded from LDAP servers and can be used to shut down servers, as demonstrated by John Hammond with Minecraft.
After the bug was discovered by Alibaba Cloud security engineer Chen Zhaojun, Apache worked with Java to prepare patches. However, best-laid plans weren’t enough.
Many companies go into a code freeze during holiday periods, meaning they stop allowing patches or updates. The timing of this announcement came as many companies were locked down, with IT staff heading off on holiday.
In addition, Java’s status as open source code means it is installed on three billion devices around the world, including many outside the traditional tech stack, such as patient update systems, smart cars and gaming platforms.
While open source is a fantastic source of innovation, once a piece of code gains popularity it becomes a bigger target for threat actors. As this code is open source, liability does not lie with the creators of Log4j – it lies with the user or company using it. Oracle could very easily have bought the code and had a team of experts maintaining it through constant patching, but it did not.
What it means for Apache
We’ve seen vulnerabilities like this hit others before – it’s one of the leading reasons Adobe Flash was shut down. The tech was ubiquitous and full of holes, which delivered vast opportunities for bad actors to exploit it. Eventually, the onslaught of attacks got so much it was easier to simply stop running the code.
However, it’s unlikely this is what will happen to Apache. While the news agenda has been littered with companies impacted by the vulnerability, it hasn’t yet caused any big data breaches. We may see more stories trickle out over the coming year or two as companies continue downloading the old vulnerable version of Log4j at alarming rates, but patches are in place for the updated code and replacements are being built.
As technology is constantly evolving, the more likely result over time is that a better product will emerge that replaces Log4j. This vulnerability won’t be Apache’s downfall, but it may well be one of the straws to break the camel’s back.
The impact on businesses
When any piece of ubiquitous code is attacked, it opens up huge portions of the internet to face the same. When the Log4j vulnerability was identified, 60 per cent of the internet was scanned by attackers looking for systems affected by the vulnerability – and that percentage is likely much higher now. Large businesses with vast resources have generally been able to patch quickly and effectively. However, smaller companies with limited teams and resources could run into trouble if they don’t have good security hygiene practices in place.
A recent survey from Wakefield Research suggests current security strategies fall short, particularly when it comes to reacting at speed. Only 26 per cent of organisations can respond to a critical vulnerability by installing patches or shutting down a vulnerable solution in a day. Two in five, 39 per cent, take up to three days, with one in four organisations taking up to a week to respond.
Maintaining security, and indeed the role of a security leader, is much more complex today than it was even just 10 years ago. Each year the number and variety of attacks increase, as do the methods attackers use to attempt a breach. This was exacerbated when working from home became the norm – most workers do not have the same network security in place at home as they do in an office. Everyone is a potential victim.
For smaller companies with limited budgets, ensuring safety across multiple devices and locations is a big challenge – not to mention mitigating high-impact risks such as the Log4j vulnerability. For this reason, a one-size-fits-all approach to security based on compliance and not risk is not an effective defence strategy.
Shifting security strategies
While Log4j is prevalent, it’s also a small piece of code with one main function. Patching quickly or even replacing with a different piece of code is a simple fix, but the impact this vulnerability had on businesses demonstrates yet again the fragility of the internet. For this reason, it’s essential businesses continuously monitor their networks, analysing shifts in behaviour to pinpoint potential threats before they evolve into an attack like ransomware. But this is just one part of a good cybersecurity strategy.
Security strategies need to go beyond technology, shifting from compliance-based to risk-based to deliver a more holistic approach. This means looking at a business’s systems and processes to identify actual risks and how to mitigate them.
As operations continue to shift to the cloud, without the proper security processes in place businesses are making themselves vulnerable to attack. You cannot rest on your laurels and hope that you won’t be next just because you ticked your security boxes. Knowing where and how criminals may attack is the best way to protect yourself.
by Jamie Moles, Senior Technical Marketing Manager at ExtraHop