Last weekend, system administrators and IT security experts spent sleepless nights over Log4Shell, a vulnerability in the open-source Apache logging library Log4j 2. The vulnerability is said to expose various popular applications and services to attacks.
The flaw was first identified last Thursday, and little has happened since to brighten the prognosis. In fact, security experts now fear that that Log4Shell will wreak substantial havoc on internet users over the next few years.
What exactly is Log4Shell?
In cybersecurity lingo, a vulnerability is a flaw that hackers can exploit to obtain unauthorised access to a computer system. Once that’s done, a cyberattack can harm the system through various means — install malware, run malicious code, or steal data, to name just a few.
A zero-day vulnerability is one that has been spotted, but for which a patch has been created. A zero-day exploit is one that uses a zero-day vulnerability to hack into a system or device.
Log4Shell is the latest of zero-day vulnerabilities to challenge the tech world. It was flagged last Thursday when hackers used it in remote-code compromises against the servers of Minecraft, a gaming platform. Experts said the source of the vulnerability is Log4J, which is a logging utility that millions of apps, enterprises and government agencies use. Logging is what allows developers to view the activities of an app.
Also read: Crypto lobbies push hard for recognition as draft bill heads to Cabinet
The official name of Log4Shell is CVE-2021-44228, where CVE represents its unique number.
How much damage can it cause?
Log4j is so ubiquitous that the vulnerability could have a global, all-consuming impact.
Cisco and Cloudflare researchers said hackers have been exploiting Log4Shell since early December. However, the hackers scaled up their attacks after Apache’s disclosure last Thursday. Microsoft said that till date, hackers have used the vulnerability to install cryptominers, steal data and system credentials, and dig deeper into compromised networks.
Apart from Microsoft, Apple, Google, CISCO, Netapp, CloudFare, Amazon and other tech giants use the open-source Apache Log4j library. The vulnerability allows hackers to launch remote code execution (RCE) attacks, which would allow them to completely take over a system. They can introduce a ‘snippet’ in what appear to be harmless ways, such as sending it in an email or setting it up as a username.
What are the tech majors doing about it?
Microsoft, Google Cloud, IBM, Cisco and Amazon Web Services, among others, have identified Log4Shell-related issues with some of their services. There has been a scramble to issue fixes and support customers on the way forward.
Smaller tech organisations may find it a lot more difficult to address the problem, say experts. Considering the scale of Log4j use, it is feared that for years to come, issues created by the vulnerability will crop up.
Hackers will likely find more ways to exploit the flaw. For instance, they may develop a worm that spreads automatically from one vulnerable device to another.
As for end-users, it’s an arduous path ahead. Major brokerages, financial organisation and other businesses may have to spends huge sums of money — and considerable time — to undo the problems caused by the vulnerability, say security professionals.