Microtech Plus

The Next Wave of Log4J Attacks Will Be Brutal

So far, the vanguard of Log4j hacking has primarily comprised cryptominers, malware that leeches resources off of an affected system to mine cryptocurrency. (These were extremely popular a few years ago, before everyone realized that the real money’s in ransomware.) Some nation-state spies have dabbled as well, according to recent reports from Microsoft and others. What’s seemingly missing is the extortion, the ransomware, the disruptive attacks that have defined so much of the past two years or so. This won’t be the case for long. 

“It is by far the single biggest, most critical vulnerability ever.”

AMIT YORAN, TENABLE

Hype is endemic in the world of cybersecurity, as is the spread of fear, uncertainty, and doubt. Lots of software has flaws; they can’t all be so bad. By all accounts, though, the Log4j vulnerability—also known as Log4Shell—lives up to the hype for a host of reasons. First is the ubiquity of Log4j itself. As a logging framework, it helps developers keep track of whatever goes on inside their apps. Because it’s open source and reliable, plugging in Log4j instead of building your own logging library from scratch has become standard practice. Moreover, so much of modern software is cobbled together from various vendors and products that it may be difficult, if not impossible, for many potential victims to even know the full extent of their exposure. If your code’s innermost Matryoshka doll runs Log4j, good luck finding it.

But wait, there’s more! Log4Shell is also relatively trivial to exploit. Just send a malicious piece of code and wait for it to get logged. Once that happens, congratulations; you can now remotely run whatever code you want on the affected server. (Caveats: This is the short version. It’s a little more complicated in practice. Also, Log4j versions prior to 2.0 appear unaffected, although there’s some debate there.)

It’s that combination of severity, simplicity, and pervasiveness that has the security community rattled. “It is by far the single biggest, most critical vulnerability ever,” says Amit Yoran, CEO of cybersecurity firm Tenable and founding director of US-CERT, the organization responsible for coordinating public-private response to digital threats.

So far, though, that calamity seems slow to manifest. Hackers are absolutely targeting Log4j; security firm Check Point has seen over 1.8 million attempts to exploit the vulnerability since Friday, according to spokesperson Ekram Ahmed. At some points, they’ve seen over 100 attempts per minute. And state-sponsored groups from China and Iran have been spotted using Log4Shell to establish footholds in various targets. Still, for now, cryptominers reign.ADVERTISEMENT

“Miners are usually the first to jump on these things because they’re the lowest-risk form of cybercrime,” says Sean Gallagher, senior threat researcher at cybersecurity company Sophos. “They don’t require a whole lot of hacking beyond getting in, they don’t require a whole lot of hands-on keyboard skills to deploy. They’re generally packaged and ready to go; all they need is a vulnerability to get in with.” 

ADVERTISEMENT

Placing cryptominers can also be a largely automated process; just set up a command-and-control server to scan for vulnerable systems, and drop the malware in when you find it. They also require bulk infections to generate enough cryptocurrency to make the endeavor worth it, which is why they take such an indiscriminate approach. And that’s what you’ve seen in phase one of the Log4Shell fallout.

Phase two is almost certainly underway. That’s when the so-called access brokers get to work, selling their Log4j footholds to cybercriminals in search of easy entry. Ransomware gangs and other crooks, meanwhile, are either customers in that market or hard at work developing their own exploits. More sophisticated actors are taking measure of what systems they’re in, what defenses they encounter, and what’s worth pursuing further. Log4j gets you into a system, but you still need a strategy for once you’re there. 

“Weaponizing this vulnerability, or any vulnerability, for ransomware or espionage takes more planning,” says Nicholas Luedtke, principal analyst at security firm Mandiant. “You have to figure out where you landed, what permissions you have, and then begin to conduct your post-exploitation activities. That may require escalating privileges, establishing command-and-control, etc.”

While much of this foundational work has likely already been undertaken, it might be a while before its impacts are fully known. Early indications are worrisome, though. “We’re also already seeing it leveraged for ransomware attacks, which, again, should be a major alarm bell,” says Yoran. “We’ve also seen reports of attackers using Log4Shell to destroy systems without even looking to collect ransom, a fairly unusual behavior.”

Still other threat actors, particularly those focused on espionage, may be biding their time so as not to give away their position. Log4j provides a footbridge over the moat; once you’ve crossed it, you don’t care if someone burns it down behind you. In fact, that might be preferable. An organization that thinks its Log4Shell problem is solved may let down its guard.

“Honestly, the biggest threat here is that people have already gotten access and are just sitting on it, and even if you remediate the problem somebody’s already in the network,” says Gallagher. 

Big organizations, the Fortune 500 types, likely have the resources to plug their Log4Shell holes in the coming weeks and months. But even they’ll have to wait for third-party vendors to provide fixes. And whole constellations of companies and organizations lack the capacity or personnel even to know how exposed they are, much less patch those points of exposure. To say nothing of the vast swaths of the internet that no one’s looking after at all. The next wave of Log4Shell is coming. And then the next, and the next, and the next, and the next.

“It’s going to be around,” says Gallagher, “as long as the internet.”