Weeks after the infosec community took a sigh of relief from a relatively uneventful Black Friday weekend, the calm was shattered by the discovery of a massive open source software vulnerability that rivals some of the worst security meltdowns of the past two decades.
A security researcher in China discovered a vulnerability in Log4j, which could allow even the most unsophisticated threat actor to take remote control over millions of consumer gaming, IoT and other devices as well as systems dedicated to the enterprise.
Major industrial and consumer technology firms in the U.S. have launched internal probes to determine whether their products include Log4j. The relative ease of exploiting the vulnerability opens up much of the industrial world to malicious cyberattacks, data theft and potentially extortion.
Here's a rundown of what the security industry knows thus far:
In late November, during the Thanksgiving holiday weekend in the U.S., Chen Zhaojun, a member of the Alibaba Cloud Security Team discovered the Log4j vulnerability and alerted the Apache Software Foundation.
Log4j is a Java-based logging utility that is used in hundreds of millions — if not billions — of devices worldwide. The vulnerability, which security researchers have dubbed Log4Shell, allows a threat actor to access a device remotely to gain entry into IT systems without authentication.
Log4j is widely used across consumer and enterprise systems, in everything from iCloud, Steam and Minecraft, to Fortinet, IBM, Microsoft, Red Hat, Salesforce, Siemens, and other vendors. Dozens of vendors have already released patches and security updates.
The vulnerability is also having significant impacts on MSPs, security researchers at Huntress said. IT management tool provider N-able has deployed patches for vulnerable components in its RMM and risk intelligence products. ConnectWise, an automated patch management software, issued updates on its Perch cloud service due to potentially vulnerable third-party components.
What is considered dangerous about this particular vulnerability is that an attacker does not need sophisticated programming experience or engineering background to exploit the vulnerability. They can simply write a line of code and gain remote access to a device.
Nature of the threat
After the initial public disclosures of Log4j Dec. 9, security researchers found indications of mass scanning activity by potential threat actors. Early on, initial attack activity was limited to mostly botnet and cryptomining.
However in the days since, Microsoft has confirmed nation-state activity from threat actors in China, Iran and North Korea, as well as Turkey. Mandiant researchers also saw activity from China and Iran, however they expected other nation-state activity to follow. Researchers at SecurityScorecard say they have seen nation-state activity from Russia, alongside evidence of the Dovorub malware, a toolkit linked to APT28.
"We expect several state actors are already ramping up," John Hultquist, VP of intelligence analysis at Mandiant. "The reality of hunting spies is you will not see everything. The opportunity is too good for many of them to ignore."
Initial ransomware attempts have been linked to a new strain called Khonsari, according to Bitdefender.
Check Point Software identified more than 2.8 million attempts to exploit the vulnerability and more than 46% of those were from known malicious groups. Malicious actors have made attempts on more than 47% of corporate networks worldwide, Check Point said.
The Cybersecurity and Infrastructure Security Agency formed a senior leadership group within the Joint Cyber Defense Collaborative to respond to the Log4j vulnerability, which has been added to CISA's catalog of known exploited vulnerabilities.
Log4j is the most serious vulnerability CISA Director Jen Easterly has seen in her career, which spans multiple decades, she told CNBC. CISA has issued detailed guidance to help companies and other organizations mitigate the impact of Log4j.
The FBI is asking organizations to contact them if they think they have been compromised by Log4j. Organizations can submit complaints through fbi.gov/log4j and the Internet Crime Complaint Center. The FBI or CISA may reach out for additional information.
What remains to be seen is what impact this will have on critical infrastructure, private industry and public sector agencies down the road. Threat actors are lining up to take advantage of Log4j, however there is no direct evidence at the time to link recent ransomware and other attacks directly to the vulnerability.
Additionally, there will likely be a dialogue involving key private sector stakeholders and federal officials about what steps are needed to prevent such a massive software vulnerability from happening again. Will the software bill of materials movement sufficiently protect against the risks involved with flawed applications?