Security teams around the globe are scrambling to fix Log4Shell, a critical security flaw in Log4j, an open source logging software that’s found practically everywhere from online games to enterprise software and cloud datacenters. Its ubiquity has put the internet on high alert as attackers ramp up their efforts to target vulnerable systems.
Log4Shell is a zero-day vulnerability — named as such since affected organizations have zero days to patch their systems — that allows attackers to remotely run code on vulnerable servers running Log4j, which developers use to keep a record of what’s happening inside an application as it runs. The vulnerability is tracked as CVE-2021-44228 and was given the maximum 10.0 severity rating, meaning attackers can remotely take full control of a vulnerable system over the internet without any interaction from the victim — and it doesn’t require much skill to pull it off.
Initial reports said exploitation of Log4Shell first began last Thursday, with Minecraft outed as Log4Shell’s first big-name victim. But security researchers at Cisco Talos and Cloudflare say they found evidence that Log4Shell was first exploited two weeks earlier. Talos said it first observed attacker activity related to the flaw on December 2, while Cloudflare said it observed a successful exploit a day earlier on December 1.
“Earliest evidence we’ve found so far of #Log4j exploit is 2021-12-01 04:36:50 UTC,” Matthew Prince, Cloudflare co-founder and CEO, tweeted. “That suggests it was in the wild at least 9 days before [it was] publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.”
Since the news of Log4Shell first broke, the growing number of victims suggests thousands of big-name companies and services are likely affected by the flaw. According to a GitHub list that’s being regularly updated, Apple, Amazon, Baidu, Google, IBM, Tesla, Twitter, and Steam are among the organizations impacted. Separately, VMware released an advisory to warn customers that many of its products are affected, and Cisco has confirmed that some of its products are impacted by the flaw.
Many of these companies have been quick to act. Cloudflare tells TechCrunch that it has updated systems to prevent attacks and saw no evidence of exploitation, Microsoft said it had issued a software update for Minecraft users, and Valve has confirmed that it “immediately reviewed” its services and concluded that there are no risks to Steam associated.
Apple — whose iCloud service was vulnerable — reportedly patched its cloud service, but did not respond to our request for comment. Researchers found that iCloud’s web interface was vulnerable on December 9 and December 10, but that the exploit no longer worked on December 11.
The Apache Software Foundation, which maintains the Log4j software, released an emergency security patch, as well as mitigation steps for those unable to update immediately. There are also a number of third-party mitigations available; Huntress Labs has created a free Log4Shell scanner that companies can use to assess their own systems, and Cybereason has released a Log4Shell “vaccine” that is available on GitHub on free.
How bad is the flaw?
As the number of companies and services impacted by Log4Shell grows, as does the number of attacks exploiting the vulnerability. In a blog post over the weekend, Microsoft said it has “observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.”
Security firm Kryptos Logic also said on Sunday that it detected more than 10,000 different IP addresses probing the internet, which is 100-times the number of systems that were probing for Log4Shell on Friday.
Cado Security has also seen an increase in active exploitation. Speaking to TechCrunch, the company said that on December 11, there were a number of Mirai botnet activities exploiting Log4Shell, as well as Mushtik activity from a number of IP ranges. The company said it believes that, based on the typical chain of events for exploits, “there is a very strong likelihood of targeted ransomware attacks stemming from Log4Shell.”
Given the wide-ranging nature of Log4Shell, and the likelihood that ransomware will follow, this is likely the calm before the storm. Patching or mitigating the vulnerability should be at the top of every security team’s priority list.