The gargantuan crisis spurred by log4j isn’t over yet — not even close. Over the past week, new vulnerabilities have been discovered in the unfortunate Apache logging library (whose ubiquitous vulnerability is dubbed “Log4Shell” in the infosec world) but, according to experts, there’s no need to outright panic. Here’s a quick look at the latest developments and how security professionals are responding.
Software patching isn’t always a super straightforward process, and nowhere has this been more evident than in the log4j fiasco. Over the past week, Apache has issued several patches, but with each successive patch, additional problems have cropped up.
On Friday, Apache issued its third patch, version 2.17.0, intended to fix a newly discovered vulnerability which would have allowed for Denial of Service attacks (that new flaw is being tracked officially as CVE-2021-45105).
The previous patch, 2.16.0, had been released after 2.15.0 — the original patch — had failed to mitigate a remote attack exploit that, in some cases, could have allowed for the thieving of data. In other words, the patch that was meant to fix the original vulnerability had its own vulnerability and the patch to fix that patch also had issues. Good stuff.
All that said, these newer security flaws aren’t as severe as the original and shouldn’t be something to lose too much sleep about, according to some experts.
Log4j hype check: the new CVE-2021-45046:
– only applies in certain *non-default* configurations
– remote code execution has been demonstrated on *macOS* – not reproducible in other test environments
– no exploitation seen in wild
Not many orgs will be hosting webapps on MacOS.
— Kevin Beaumont (@GossiTheDog) December 17, 2021
It’s the original vulnerability, CVE-2021-44228, which — if left unpatched — is still the stuff of cybersecurity nightmares.
Is There a Log4j Worm?
Another colourful episode in this saga was a recent debate among security professionals as to whether log4j had given birth to a worm or not.
On Sunday, a security researcher, Germán Fernández, claimed he had spotted a worm — a malicious, self-propagating program — that was affecting devices that hadn’t patched the log4j vulnerability. VX Underground, a large online repository of malware samples and related academia, shared the researcher’s findings: “Security researcher @1ZRR4H has identified the first Log4J worm. It is a self-propagating Mirai bot. We have aggregated the sample,” VX’s account tweeted. Greg Linares, another security researcher, said it looked as if the malicious program was mainly targeting unpatched Huawei routers.
However, other experts quickly threw cold water on some of these claims — pointing out that the program didn’t appear to be all that functional and might not even technically qualify as a worm. “I’ve reverse engineered this supposed log4j worm and it doesn’t work at all,” tweeted Marcus Hutchins, a prominent cybersecurity researcher. “There’s also several bugs in the code that mean even if they did fix the core failure, it would still be completely ineffective.”
But just imagine how many more clicks reporters will get for calling it a worm! Please keep your attention on what’s actually important (sensationalism of course). https://t.co/wIRinIXViV
— Jake Williams (@MalwareJake) December 20, 2021
Security experts have similarly sparred over how severe a worm might be within the context of log4j. Tom Kellermann, VMware’s head of cybersecurity strategy, recently told ZDnet that a worm could be potentially “weaponised” by a hostile foreign power or intelligence service — the end result of which could be pretty bad.
Exploit Attempts Continue to Multiply
Meanwhile, an explosion of exploitation attempts aimed at log4j continues to reveal new strategies of attack.
On Monday, Belgium’s defence ministry revealed that it had been forced to shut down parts of its network after a hacker group exploited log4j to gain entry to its systems. While not much else has been revealed about the incident, it’s one of the most visible examples yet of the Apache bug being used to cause real-world damage. It’s definitely not going to be the last.
Indeed, recent reports show financially motivated crime groups joining the fray — including banking trojans. In addition to this, ransomware gangs, nation-state cyber-espionage activity, and crypto-mining have also all been spotted. Initial access brokers — cybercriminals that hack devices and computer networks with the intention of turning around and selling that access to other criminals (mostly ransomware hackers) — have been plundering log4j-vulnerable systems. Microsoft’s security team published research last week that showed that “multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks.”
In short: The fun continues! We’ll continue to track the broader shifts of this whole crisis as it unfolds.
Editor’s Note: Release dates within this article are based in the U.S., but will be updated with local Australian dates as soon as we know more.