The huge crisis triggered by log4j is not over yet – not even close. Over the past week, new vulnerabilities have been uncovered in the hapless Apache logging library (whose ubiquitous vulnerability is known as “Log4Shell” in the world of infosec), but, according to experts, there is no need to panic. Here’s a brief overview of the latest developments and how security experts are responding.
Software patching is not always a simple process, and nowhere was that more obvious than in the log4j fiasco. Over the past week, Apache has released several patches, but each subsequent patch brought additional problems.
On Friday, Apache released its third patch, version 2.17.0, to correct a newly discovered vulnerability that would allow denial-of-service attacks (this new flaw is officially tracked as CVE-2021-45105).
The previous patch, 2.16.0, was released after 2.15.0 – the original patch – failed to fully mitigate a remote attack that could, in some cases, allow data theft. In other words, the patch that was supposed to fix the original vulnerability had its own vulnerability, and the patch that fixed that also had problems. Wonderful.
All that said, these newer security flaws are not as serious as the original one and should not be something to lose too much sleep over, according to some experts.
It is the original vulnerability, CVE-2021-44228, that – if left unpatched – remains the stuff of cybersecurity nightmares.
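With three patch releases in a week, the practical question for defenders is simply which log4j-core versions are sitting on their systems and where each one falls on the timeline above. The following inventory script is an added example, not code from the article or from the Apache project; it assumes the version can be read from the jar file name (for example log4j-core-2.14.1.jar), considers only the 2.x main line, and classifies each jar against the versions the article names: below 2.15.0 still exposed to CVE-2021-44228, 2.15.0 carrying the incomplete original fix, 2.16.0 exposed to the CVE-2021-45105 denial of service, and 2.17.0 or later clear of the issues covered here. The demo builds a constructed directory of empty placeholder jars so it runs offline.

```python
import os
import re
import tempfile
from typing import List, Tuple

Version = Tuple[int, int, int]

# Status labels follow the patch timeline described in the article.
# Assumption: only the log4j 2.x main line is considered; 1.x is out of scope.
STATUS_EOL = "log4j 1.x: end of life, outside the scope of this checklist"
STATUS_LOG4SHELL = "below 2.15.0: exposed to CVE-2021-44228 (Log4Shell), upgrade immediately"
STATUS_INCOMPLETE = "2.15.0: original patch, found incomplete; upgrade (superseded by 2.16.0)"
STATUS_DOS = "2.16.0: exposed to the denial-of-service flaw CVE-2021-45105, fixed in 2.17.0"
STATUS_OK = "2.17.0 or later: not affected by the issues covered in the article"

# Assumption: the version is recoverable from the jar file name,
# e.g. log4j-core-2.14.1.jar (shaded or renamed jars are not detected here).
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def classify(version: Version) -> str:
    """Map a log4j-core version to its status on the article's patch timeline."""
    if version < (2, 0, 0):
        return STATUS_EOL
    if version < (2, 15, 0):
        return STATUS_LOG4SHELL
    if version < (2, 16, 0):
        return STATUS_INCOMPLETE
    if version < (2, 17, 0):
        return STATUS_DOS
    return STATUS_OK


def scan(root: str) -> List[Tuple[str, str, str]]:
    """Walk a directory tree and report (path, version, status) for every log4j-core jar."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if not m:
                continue
            version = tuple(int(x) for x in m.groups())
            findings.append((os.path.join(dirpath, name), ".".join(m.groups()), classify(version)))
    return sorted(findings)


def demo() -> List[Tuple[str, str, str]]:
    """Build a constructed sample tree of empty placeholder jars and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    os.makedirs(os.path.join(root, "app", "lib"))
    for rel in ("app/log4j-core-2.14.1.jar", "app/lib/log4j-core-2.16.0.jar",
                "app/lib/log4j-core-2.17.0.jar", "app/lib/log4j-api-2.14.1.jar"):
        open(os.path.join(root, rel), "w").close()  # constructed sample, no real jar content
    return scan(root)


if __name__ == "__main__":
    for path, ver, status in demo():
        print(f"{ver:8} {status}\n         {path}")
```

Point `scan()` at a real application directory instead of `demo()` to get a first-pass inventory; because it only trusts file names, treat a clean result as a starting point and confirm versions from the jar manifest where the name has been rewritten by a build tool.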
Is there a Log4j worm?
Another colorful episode in this saga was the recent debate among security experts over whether log4j had given birth to a worm.
On Sunday, security researcher Germán Fernández claimed to have spotted a worm – a malicious program that spreads itself – affecting devices that had not patched the log4j vulnerability. VX Underground, a large online repository of malware samples popular in related academic circles, shared the researcher’s findings: “Security researcher @1ZRR4H identified the first Log4J worm. It is a Mirai bot that reproduces itself. We collected a sample”, VX’s account tweeted. Greg Linares, another security researcher, said the malware appeared to be mostly targeting unpatched Huawei routers.
However, other experts were quick to throw cold water on some of these claims, emphasizing that the program didn’t look particularly functional and might not even technically qualify as a worm. “I did a reverse engineering of this alleged log4j worm and it doesn’t work at all,” tweeted Marcus Hutchins, a prominent cybersecurity researcher. “There are also a few bugs in the code that mean that even if they fix a kernel failure, it would still be completely ineffective.”
Security experts have similarly been sparring over how serious a worm could be in the context of log4j. Tom Kellermann, VMware’s head of cybersecurity strategy, recently told ZDNet that the worm could potentially be “armed” by a hostile foreign power or intelligence service – with an end result that could be pretty bad.
Attempts to exploit continue to multiply
Meanwhile, the explosion of exploitation attempts targeting log4j continues to reveal new attack strategies.
The Belgian Ministry of Defense on Monday disclosed that it had been forced to shut down parts of its network after a hacker group used log4j to break into its systems. Although little more has been revealed about the incident, it is one of the most visible examples so far of the Apache bug being used to inflict damage in the real world. It certainly won’t be the last.
Indeed, recent reports show financially motivated criminal groups joining the fray – including operators of banking Trojans. Ransomware gangs, nation-state cyber-espionage activity, and cryptocurrency mining have also been observed. Initial access brokers – cybercriminals who break into devices and networks with the intent of selling that access to other criminals (mostly ransomware operators) – are looting vulnerable log4j systems. Microsoft’s security team published research last week showing that “more monitored groups of activities acting as access brokers have started using the vulnerability to gain initial access to targeted networks.”
In short: the fun continues! We will keep monitoring the broader shifts in this crisis as it unfolds.