Log4Shell Day 0, Four Days Later: What Is It And How Bad Is It Really?

Log4Shell Day 0, Four Days Later: What Is It And How Bad Is It Really?

Log4Shell is the name given to a critical zero-day vulnerability that emerged Thursday when it was exploited in the wild in remote code compromises against Minecraft servers. The source of the vulnerability was Log4J, a logging utility used by thousands, if not millions, of applications, including those used by nearly every business on the planet. The Minecraft Servers were the proverbial canary at the coal mine.

In the four days since then, it’s clear that Log4Shell is as serious a threat as I claimed, and the list of affected cloud services reads like a who’s who of the biggest names on the internet. Threat analysts and researchers are still assessing the damage so far and the outlook for the next few weeks and months. This is what you need to know for now.

What is Log4J and what makes Log4Shell so important? Log4J is an open source Java-based logging tool available from Apache. It has the ability to search the web using the Directory interface and Java names to obtain services from Lightweight Directory Access Protocol. The bottom line: Log4j will interpret a log message as a URL, fetch it, and even run whatever executable payload it contains with all the privileges of the main program. Exploits are triggered within text using the $ {} syntax, allowing them to be embedded in browser user agents or other commonly logged attributes.

Here’s what exploits look like, as Juniper Networks researchers illustrate:

Juniper Networks

The vulnerability, tracked as CVE-2021-44228, has a severity rating of 10 out of 10. Day zero has at least been exploited. nine days before it surfaced.

Researchers from Cisco’s Talos security team said they observed exploits as of December 2.

What has happened since Log4Shell appeared last Thursday? Almost immediately, the Greynoise security company active scan detected trying to identify vulnerable servers. Researchers report seeing this critical and easy-to-exploit vulnerability that is used to install crypto mining malware, harden Linux botnetsand filtering configurations, environmental variables, and other potentially sensitive data from vulnerable servers.

What is the prognosis? At best, major brokerages, banks, and merchants will spend huge sums in overtime costs to pay large numbers of already overworked IT employees to clean up this mess over the holidays. You don’t want to think about the worst case scenario, other than remembering the Equifax breach in 2017 and the resulting compromise of 143 million US consumer data that followed when that company failed to patch an equally devastating vulnerability.

It sounds bad. That I have to do? Yes it is. If you are an end user, there is not much you can do other than harass the services you use and ask what they are doing to keep the data you entrust safe. The most useful thing cloud services can do is update Log4J. But for large companies, it is often not that simple. Dozens of security companies have published guides. The tips from Microsoft and Sophos are here Y here.


Leave a Reply

Your email address will not be published. Required fields are marked *