Nightmare before Christmas: What to know about the Log4j vulnerability
A vulnerability living inside a Java-based software known as "Log4j" shook the internet this week.
The list of potential victims encompasses nearly a third of all web servers in the world, according to cybersecurity firm Cybereason. Twitter, Amazon, Microsoft, Apple, IBM, Oracle, Cisco, Google, and one of the world's most popular video games, Minecraft, count themselves among the slew of tech and industry giants running the popular software code that U.S. officials estimate has left hundreds of millions of devices exposed.
By Friday, more than 3,700,000 hacking attempts had been made to exploit the vulnerability, according to leading cybersecurity firm Check Point, with more than 46% conducted by known malicious groups.
Jen Easterly, head of the Cybersecurity and Infrastructure Security Agency (CISA), called it "the most serious flaw" she has seen in her decades-long career.
Cybersecurity firms now warn that ransomware criminals and hackers linked to foreign governments have already attempted to exploit the vulnerability to gain access to targets' computer systems.
U.S. officials say civilian federal agencies are "very likely" utilizing products with the embedded vulnerability.
Here's what you should know:
What is Log4j?
Log4j is a logging library written in the Java programming language and created by volunteers within the Apache Software Foundation; it runs across a handful of platforms: Apple's macOS, Windows and Linux. The free, open-source software creates a built-in "log" or record of activity — like a diary — that software developers can use to troubleshoot problems or track data within their programs. Its utility and the fact that it is free have spread the "logging library" to all corners of the internet, according to cybersecurity experts.
"Logging is critical in everything we do. Because this library is used by most web services in the world, it means that most web services are vulnerable to attack," said Sergio Caltagirone, vice president of threat intelligence at top cybersecurity firm Dragos.
According to cybersecurity researchers, the flaw leaves a laundry list of critical infrastructure functions like power, energy, food, communications, critical manufacturing and water ripe for a possible intrusion.
DHS Secretary Alejandro Mayorkas, whose department oversees CISA, called Log4j "omnipresent" during a cybersecurity panel on Thursday. "The challenge it presents is its prevalence," Mayorkas said.
"This could mean entire e-commerce sites go down during the Christmas holiday. It could mean that entire manufacturers could not be able to ship or receive goods," Caltagirone added. "It could mean water utilities with automated and remote management systems are now vulnerable to attacks."
"This piece of code that's been found to be vulnerable exists literally across the globe," said Mark Ostrowski, head of engineering with security firm Check Point Research. "It's embedded in video games that our kids play and infrastructure like cloud products."
Ostrowski noted that the Log4j programming code has been downloaded more than 400,000 times. "That's a big number, and who knows how many times it's even been used as part of those downloads?"
When did the attack start?
The Apache Software Foundation's group of volunteers was alerted to the vulnerability on November 24, after a member of Alibaba's cloud security team discovered it.
But late last week, an unusual warning sent shockwaves through the cybersecurity community after the makers of the sandbox video game Minecraft shared the vulnerability in a blog post, alerting gamers that hackers had identified a flaw in their game that could be used to infiltrate their computers. Minecraft's developers also released a patch, but cybersecurity experts quickly discovered that the vulnerability at fault was embedded in a widespread software tool used for far more than virtual worldbuilding.
How are hackers exploiting it?
U.S. officials say they have not yet observed "highly sophisticated attacks" from nation-state actors.
"It has largely been low-level activities such as crypto-miners," CISA Executive Assistant Director Eric Goldstein said Tuesday, "but we do expect that adversaries of all sorts will utilize this vulnerability to achieve their strategic goals."
Microsoft updated its blog Tuesday to report that state-backed hackers from China, Iran, North Korea and Turkey have tried to capitalize on the Log4j flaw.
An Iranian hacking group known as APT 35 or "Charming Kitten" has attempted to exploit the Log4j vulnerability against seven Israeli targets across the government and business sectors, Check Point Research reported on Wednesday.
Threat research teams have begun tracking efforts to infiltrate targets by ransomware-as-a-service organizations that broker access into vulnerable networks to the highest bidder. Researchers at cybersecurity firm Cybereason have observed hackers attempting to deploy various ransomware variants, including Quantum, Kimsuky, Muhstik, Cerber, Black Sun and Khonsari.
DHS Secretary Mayorkas was quick to point out on Thursday that the threat increases over time as new criminal actors take advantage of the flaw. "When a vulnerability has been exposed and others can jump in on the exploitation of that vulnerability, it can really multiply the harm," Mayorkas said.
Cybersecurity pros and U.S. officials remain concerned about how easily the flaw grants initial access to a victim's network, letting criminal actors move further inside it. Determining whether the Log4j vulnerability has actually been exploited on a given network will require weeks, if not months, of attentive monitoring.
CISA's director predicts consumers will be grappling with the vulnerability for "a very long time."
"This is not going to be something that's going to be patched and finished," Easterly said Thursday. "This is something we're going to be working on, likely, for months, if not years."
What can companies and consumers do to protect themselves?
Some fixes, known as "patches," and technical support have been released widely. The Apache Software Foundation has posted upgrades to its tool this week, and Microsoft has encouraged customers to contact their software application providers to confirm whether their products use the Java programming language.
CISA recommends that companies examine their internet-facing programs that employ Log4j, respond to alerts connected to these devices and install a firewall with automatic updates.
For those unable to immediately patch the vulnerability, Cybereason has released a free "vaccine" to temporarily stave off intruders.
As companies scramble to patch vulnerabilities, consumers should remain on the lookout for updates on their devices, software and apps.
How is the U.S. government responding?
Deputy National Security Advisor Anne Neuberger said Thursday that a "small number of government systems" have been affected by the Log4j vulnerability, with that number expected to grow in the coming days.
"My view is we are going to see widespread exploitation by all manner of threat actors, and likely impacts on both public and private infrastructure. We're doing everything we can with our partners to get ahead of that," CISA Director Jen Easterly said in an interview with CNBC on Thursday.
"These are products that are used by every major organization around the world," Goldstein told reporters Tuesday, referring to the Log4j library. "And so, it is likely the case that federal agencies are indeed utilizing some of these products that have the embedded vulnerable library."
U.S. officials said that no civilian federal agencies had been compromised as of Thursday night, but noted that visibility into network systems remains an ongoing challenge.
On Friday, CISA ordered federal civilian agencies to immediately fix, or "patch," vulnerable systems. The new memo replaced a previous mandate requiring federal agencies to patch by December 24, a deadline many cybersecurity experts worried was too late.
The agency spearheading the U.S. government response has also published a growing catalogue of potentially impacted products to crowdsource affected software products and eliminate misinformation spreading online.
How does this hack compare to SolarWinds?
While both attacks came around the holiday season and have garnered a lot of attention, they differ in sophistication and scope.
"With SolarWinds, we had a targeted supply chain attack by a highly sophisticated, specific adversary intended to compromise specific organizations to achieve popular objectives," Goldstein explained. "What we have here is an extremely widespread, easy to exploit and potentially highly damaging vulnerability that certainly could be utilized by adversaries to cause real harm."
"From a magnitude perspective, the [Log4j vulnerability] is astronomical compared to SolarWinds," Ostrowski told CBS News. "It's not just a software package that corporations are using. It is a software code that us as consumers – you and I – use every day. It's an open-source piece of code that everybody has access to."
What's next?
On Thursday, the White House sent a letter to CEOs warning them of the increased risks of cybersecurity attacks during the holidays, a time of year when business operations often rely on skeleton staffing.
Cybersecurity experts remain concerned that malicious actors will exploit the vulnerability to target less-resourced small and medium-sized businesses, schools and hospitals, including victims that may not be aware of the risk.
"What we learn today versus what we knew 24 hours ago are much different. That's how quickly this is evolving," Ostrowski said. "So our doomsday is thinking about, 'What's next week going to look like?'"
The vulnerability has also sparked a debate around regulation of open-source code, widely available for use among the masses. Some experts now advocate for a "Software Bill of Materials" that lets consumers know what sort of software lives inside their products and applications, like a nutrition facts label does for food.
"As the amount of damage grows from cybersecurity vulnerabilities, exposures and hacks, the more important it is that we treat software like we treat food," said Caltagirone. "People are able to say, 'I'm allergic to peanuts? Does this have nuts in it?' Now we need to be able to say, 'This log4j vulnerability came out. Do I have this in my environment?'"
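Both CISA's advice to examine programs that employ Log4j and Caltagirone's question, "Do I have this in my environment?", come down to one practical task: finding every copy of the log4j-core library on a system, including copies bundled inside application jars, and reading off its version. The script below is an added example and is not code from CBS News, Apache, CISA, Dragos or any firm quoted in the article. It assumes the Maven metadata layout that Maven-built log4j-core releases carry (META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties), falls back to spotting the org/apache/logging/log4j/core/ package when that metadata has been stripped (a shaded jar), and keeps going past corrupt archives. The sample jars that demo() writes are constructed stand-ins with made-up versions, not real releases; the script reports presence and version only, and which versions need patching must be taken from Apache's advisory, which the article does not reproduce.

```python
"""Added example (not from the article): inventory log4j-core jars on disk.
Walks a directory tree, opens every .jar/.war/.ear, reports each log4j-core
artefact with the version in its own Maven metadata, and looks one level into
jars nested inside other jars (e.g. BOOT-INF/lib in a Spring Boot fat jar)."""
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Maven-built log4j-core releases carry this properties file inside the jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Package prefix of log4j-core classes: fallback when metadata was stripped (shaded jars).
CORE_PKG = "org/apache/logging/log4j/core/"
ARCHIVE_EXTS = (".jar", ".war", ".ear")


@dataclass
class Finding:
    path: str               # on-disk jar, or "outer.jar!inner/path.jar" when nested
    version: Optional[str]  # None when the jar has no recognisable version metadata


def _parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value lines, '#' comments ignored."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def log4j_core_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Version from the jar's Maven metadata, or None if that file is absent."""
    if POM_PROPS in zf.namelist():
        props = _parse_properties(zf.read(POM_PROPS).decode("utf-8", "replace"))
        return props.get("version")
    return None


def _scan_archive(zf: zipfile.ZipFile, label: str, depth: int) -> Iterator[Finding]:
    names = zf.namelist()
    version = log4j_core_version(zf)
    if version is not None:
        yield Finding(label, version)
    elif any(n.startswith(CORE_PKG) for n in names):
        yield Finding(label, None)  # core classes present, version unknown
    if depth == 0:
        return
    for name in names:  # descend into embedded archives
        if name.endswith(ARCHIVE_EXTS):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not a real archive; skip it rather than abort the scan
            yield from _scan_archive(inner, f"{label}!{name}", depth - 1)


def scan_tree(root: str, nested_depth: int = 1) -> List[Finding]:
    """Walk `root` and return every log4j-core artefact found, nested ones included."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(ARCHIVE_EXTS):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    findings.extend(_scan_archive(zf, full, nested_depth))
            except zipfile.BadZipFile:
                continue  # corrupt or mislabelled file; keep going
    return sorted(findings, key=lambda f: f.path)


def make_core_stub(version: Optional[str]) -> bytes:
    """Constructed stand-in for a log4j-core jar (NOT a real release)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CORE_PKG + "Placeholder.class", b"")
        if version is not None:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                        f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


def make_app_stub(embedded: bytes) -> bytes:
    """Constructed application fat jar embedding another jar under BOOT-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("BOOT-INF/lib/log4j-core-stub.jar", embedded)
    return buf.getvalue()


def demo() -> List[Finding]:
    """Populate a temp dir with constructed sample files and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    os.makedirs(os.path.join(root, "lib"))
    samples = {
        "lib/log4j-core-stub.jar": make_core_stub("0.0-constructed"),  # plain library jar
        "app.jar": make_app_stub(make_core_stub("0.1-constructed")),    # nested in a fat jar
        "shaded.jar": make_core_stub(None),                             # classes, no metadata
        "broken.jar": b"not really a zip file",                         # must not abort scan
        "notes.txt": b"ignored: not an archive",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    findings = scan_tree(root)
    for f in findings:
        print(f"{f.path}: version={f.version or 'unknown'}")
    return findings


if __name__ == "__main__":
    demo()
```

Run it against a real host with scan_tree("/opt") or wherever Java applications live; a Finding with version None means the library is present but its version has to be confirmed some other way (file hash or vendor statement), which is exactly the case a "Software Bill of Materials" would have made unnecessary.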
Dan Patterson contributed to this report.