Log4j vulnerabilities pile up as companies try to patch


The gigantic crisis caused by log4j is not over – not even close. Over the past week, new vulnerabilities have been discovered in the unfortunate Apache log library (the ubiquitous vulnerability of which has been dubbed “Log4Shell” in the infosec world), but experts say there’s no reason to panic. Here’s a quick look at the latest developments and how security professionals are responding.

New vulnerabilities

Software patching is not always a simple process, and nowhere has this been more apparent than in the log4j fiasco. In the past week, Apache has released several patches, but with each subsequent patch new issues have surfaced.

On Friday Apache released its third patch, version 2.17.0, intended to fix a newly discovered vulnerability that would have allowed denial-of-service attacks (that new flaw is officially tracked as CVE-2021-45105).

The previous patch, 2.16.0, was released after 2.15.0—the original patch—failed to fully block a remote attack that, in some cases, could have led to data theft. In other words, the patch that was intended to fix the original vulnerability had its own vulnerability, and the patch to fix that patch also had issues. Good stuff.


That said, these newer security flaws aren’t as serious as the original and shouldn’t be something to worry about too much, according to some experts.

It’s the original vulnerability, CVE-2021-44228, which — if not patched — is still the stuff of cybersecurity nightmares.
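To make the patch sequence above usable in an inventory check, here is an added example (not code from the article or from the Apache project) that classifies a log4j 2.x version, or a set of `log4j-core` jar paths, against the fix levels the article describes: 2.15.0 for CVE-2021-44228, 2.16.0 for the remaining remote-attack hole (the article gives no CVE number for it, so it is labelled by version here), and 2.17.0 for CVE-2021-45105. Releases newer than 2.17.0 are outside what the article covers, so a version at or beyond 2.17.0 is reported as having "no issues listed in the article", not as safe. Only `log4j-core` jars on disk are matched (the vulnerable lookup lives in that artifact, not in `log4j-api`), and jars nested inside a war or fat jar are not unpacked; the file paths in the sample run are constructed.

```python
"""Classify log4j 2.x versions against the fix levels named in the article.

Added example, not the article's or Apache's code. Fix levels encoded here
are only those the article states; anything newer is out of scope.
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, int, int]

# Ordered oldest-first: (version that introduced the fix, what it fixes).
FIX_LEVELS: List[Tuple[Version, str]] = [
    ((2, 15, 0), "CVE-2021-44228 (Log4Shell, remote code execution)"),
    ((2, 16, 0), "incomplete fix in 2.15.0 (remote attack, possible data theft)"),
    ((2, 17, 0), "CVE-2021-45105 (denial of service)"),
]

# Matches a file name such as log4j-core-2.14.1.jar and captures the version.
JAR_RE = re.compile(r"^log4j-core-(\d+\.\d+\.\d+)\.jar$")


def parse_version(text: str) -> Version:
    """Turn '2.14.1' into (2, 14, 1) so versions compare as tuples."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def outstanding_issues(version: str) -> List[str]:
    """Return the article-listed issues that a log4j 2.x version still has.

    An empty list means the version is at or beyond 2.17.0, the newest
    release the article mentions; it does not vouch for later findings.
    """
    v = parse_version(version)
    if v[0] != 2:
        raise ValueError("only the log4j 2.x branch is covered by the article")
    return [desc for fixed_in, desc in FIX_LEVELS if v < fixed_in]


def scan_paths(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Map each log4j-core jar path in `paths` to its outstanding issues.

    Paths that are not log4j-core jars (e.g. log4j-api, unrelated jars)
    are skipped, so they never appear in the result.
    """
    findings: Dict[str, List[str]] = {}
    for path in paths:
        match = JAR_RE.match(os.path.basename(path))
        if match:
            findings[path] = outstanding_issues(match.group(1))
    return findings


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a real directory tree and apply scan_paths to every file in it."""
    return scan_paths(
        os.path.join(dirpath, name)
        for dirpath, _, names in os.walk(root)
        for name in names
    )


if __name__ == "__main__":
    # Constructed sample paths standing in for a real filesystem walk.
    sample = [
        "/opt/app/lib/log4j-core-2.14.1.jar",
        "/opt/app/lib/log4j-core-2.15.0.jar",
        "/opt/app/lib/log4j-core-2.16.0.jar",
        "/opt/app/lib/log4j-core-2.17.0.jar",
        "/opt/app/lib/log4j-api-2.14.1.jar",  # not the affected artifact; skipped
    ]
    for jar, issues in scan_paths(sample).items():
        status = "; ".join(issues) if issues else "no issues listed in the article"
        print(f"{jar}: {status}")
```

Run `scan_directory("/path/to/deployments")` against a real tree to get the same mapping for jars on disk; a non-empty list for any path means that jar predates one of the three fixes the article names.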

Is there a Log4j worm?

Another colorful installment in this saga was a recent debate among security professionals as to whether log4j had given birth to a worm or not.

On Sunday, a security researcher, Germán Fernández, claimed that he had spotted a worm—a malicious, self-propagating program—that affected devices that had not patched the log4j vulnerability. VX Underground, a major online repository of malware samples and related research, shared the researcher’s findings: “Security researcher @1ZRR4H has identified the first Log4J worm. It’s a self-reproducing Mirai bot. We collected the sample,” the VX account tweeted. Greg Linares, another security researcher, said it looked as if the malicious program was mainly targeting unpatched Huawei routers.

However, other experts were quick to throw cold water on some of these claims, indicating that the program didn’t seem functional and might not even technically qualify as a worm. “I reverse engineered this alleged log4j worm and it doesn’t work at all,” tweeted Marcus Hutchins, a leading cybersecurity researcher. “There are also several bugs in the code that mean that even if they fixed the core flaw, it would still be completely ineffective.”

Security experts have sparred similarly over how serious a worm could be in the context of log4j. Tom Kellermann, VMware’s head of cybersecurity strategy, recently told ZDNet that a worm could potentially be “weaponized” by a hostile foreign power or intelligence agency, the end result of which could be pretty bad.

Exploit attempts keep multiplying

Meanwhile, an explosion of exploitation attempts targeting log4j continues to reveal new attack strategies.

On Monday, the Belgian Ministry of Defence revealed that it was forced to shut down parts of its network after a hacker group abused log4j to gain access to its systems. While not much else has been revealed about the incident, it is one of the most visible examples to date of the Apache bug being used to do real damage. It certainly won’t be the last.

Indeed, recent reports show that financially motivated crime groups are joining the fray, including operators of banking Trojans. Ransomware gangs, state-backed cyber-espionage activity and crypto mining have also been reported. Initial entry brokers—cyber criminals who hack into devices and computer networks with the intent to flip that access and sell it to other criminals (usually ransomware gangs)—have been exploiting log4j-vulnerable systems. Research published last week by Microsoft’s security team revealed that “multiple monitored activity groups acting as access brokers have started using the vulnerability to gain initial access to target networks.”

In short: the fun continues! We will continue to monitor the broader shifts of this entire crisis as it unfolds.
