Apple, Amazon, and Twitter vulnerable to actively exploited Log4Shell bug, is your company too?

The critical vulnerability discovered in Log4j on Friday affects thousands of organizations, including many big names. Hackers are already eagerly exploiting the bug.

On Friday, security researchers announced a vulnerability in Apache Log4j. Log4j is an open-source tool used to maintain logs. Many internet services, large and small, use Log4j to populate their logs. The vulnerability is critical and allows attackers to remotely execute their own code on systems relying on Log4j with little effort.

Everyone Vulnerable

Log4Shell, as the vulnerability is known, in practice affects most systems running on Java. The logging library, and consequently the bug, is built into the popular frameworks Apache Struts2, Apache Druid, and Apache Flink. The ubiquity of Log4j combined with the severity of the bug makes it one of the most serious vulnerabilities ever, on par with Heartbleed or Shellshock.

The impact of the bug should therefore not be underestimated. Log4Shell affects thousands of services worldwide. Big names like Apple, Amazon, Cloudflare, IBM, Twitter, Tesla, and Steam use the affected version of Log4j. That means they depend on additional security measures to prevent exploitation. Cloudflare has already communicated that it has rolled out updates and detected no exploitation.

Active Exploitation

Log4Shell has been actively exploited by hackers in the wild for several days. They can leverage the bug simply by adding a few lines of code via the browser when visiting the portal site of an affected service. Attackers use Log4Shell as a backdoor to install cryptominers, among other things, or to expand their botnet.

Netlab 360 has already reported that attackers are exploiting the bug to deploy malware for the Mirai and Muhstik botnets. Microsoft, for its part, has seen hackers injecting their own versions of Cobalt Strike. The Kinsing cryptomining botnet is also eagerly exploiting the opening provided by Log4j.

Update

Apache has since introduced Log4j 1.15.0. This version is supposed to fix the vulnerability. If your organization runs websites or services built on Java, whether or not via one of the Apache frameworks, there’s a high chance that Log4j and thus the vulnerability are present. It goes without saying that it’s essential to update systems as quickly as possible. Log4Shell can be exploited in numerous ways, not only to expand botnets or mine cryptocurrencies, but also to steal data or deploy ransomware.
