Log4Shell and Log4j Explained: What it is, why it matters and how CloudCover® protects against it

January 5, 2022

Written By Robert Demopoulos

The Log4Shell vulnerability has been called the most severe cybersecurity threat in the history of the internet. We dive into what Log4Shell is, what it means and how our CyberSafety CC/B1 Platform™ keeps networks safe against current and future Log4Shell attacks.

Last month, the collective internet awoke to find its house on fire, metaphorically speaking. A critical software vulnerability known as Log4Shell had been discovered, affecting virtually every major technology vendor — and every company that uses their software.

In the days following the discovery, hackers launched more than 840,000 attacks on companies around the globe, prompting Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), to call it “one of the most serious I’ve seen in my entire career, if not the most serious” (Murphy, 2021).

This isn’t the last we’ll hear of Log4Shell, and the next round of attacks might be even more ruthless. Below, we break down what the vulnerability is, why you should care and how our CloudCover CC/B1 Platform™ has kept our customers’ network security protected:

What is Log4Shell and Log4j?

Log4Shell is a zero-day software vulnerability found in Apache’s Log4j, a popular Java library that’s embedded into countless applications and used to log activity. Through Log4Shell, attackers can remotely access vulnerable servers, gaining a foothold in an organization and taking control of its infrastructure with a single malicious code injection.

The Log4Shell vulnerability has existed since 2013 and went unnoticed until November 2021, when it was (re)discovered by a security researcher at Chinese e-commerce company Alibaba. A few weeks later, Minecraft, a popular video game, reported an attack on their host servers. It was first thought the vulnerability might be limited to the Minecraft platform before experts quickly realized it would impact any software using Log4j.

What threat does the Log4Shell vulnerability pose?

A big one. The hype around Log4Shell is real for two reasons:

  1. The Log4j library is pervasive. Given a list of the top 10 technology vendors affected by the vulnerability — Amazon Web Services, Broadcom, Cisco, ConnectWise, Fortinet, HCL, IBM, N-able, Okta, and VMware — you’d be hard-pressed to identify a company that isn’t using one of them (Novinson, 2021). Log4j is a reliable open-source library, and many companies utilize the library instead of building their own.
  2. The library is easy to exploit. All it takes is a single piece of harmful code to do damage. Once that code gets logged, an attacker has access to a company’s server and can use that foothold to deploy ransomware.

For these reasons, the initial Log4Shell vulnerability and attacks are just the beginning, with the real damage on the way.

How does CloudCover’s CC/B1 protect against Log4Shell?

Back in 2013, using the advanced automated intelligence (AI)/machine learning (ML)-based algorithms in our CC/B1 Platform, CloudCover identified a Log4Shell signature in a company’s network traffic, specifically in TCP port numbers and command-and-control sequences. CC/B1 determined whether an attempt had been made to exploit the vulnerability, and we blocked that attempt in real time. To date, we can confidently say that none of our customers have been affected by the Log4Shell vulnerability.

This one-two punch of risk awareness and risk control means that you know whether you’ve been affected by Log4Shell; because the CC/B1 Platform has already stopped the threats, you no longer have to hunt for them.

What can organizations do to mitigate the fallout from Log4Shell?

First, the good news. The Log4Shell vulnerability is being remediated: patches are available through patch management software for companies using the affected platforms and programs. The vulnerability itself doesn’t migrate or mutate, so it won’t actually evolve. Even if it could morph, we would be able to recognize its (as yet unknown) signature as it attempted to cause damage and neutralize it in near real time.

However, risks still abound, and we suggest the following steps:

  • Upgrade or patch to the latest release of Log4j 2. More information is available on Apache’s logging services website.
  • Disable message lookups, the feature that allowed the vulnerability to happen in the first place, by setting the JVM system property “log4j2.formatMsgNoLookups” to “true.” Apache documents this as a partial mitigation for older 2.x releases; upgrading is the full fix.
  • Utilize CISA’s tool to scan internal networks and test IP addresses. Say there’s a laptop or a router that someone is using outside your organization’s network; the CC/B1 Platform wouldn’t protect that device. This tool doesn’t guarantee that you’ll catch every attack, but it’s a great start.
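As an added example (not CloudCover’s platform code and not CISA’s scanner), here is the inventory check behind the first and third steps: a Python scanner that reads the log4j-core version from each jar, recurses into nested archives such as WAR files, and flags copies that still carry JndiLookup.class below a fixed release. The entry paths inside the jar and the fixed-version threshold are assumptions to confirm against Apache’s advisory; the sample archives are constructed in memory so the script runs offline.

```python
import io, re, zipfile

# Entry paths inside log4j-core jars (assumed stable across 2.x releases).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumption: earliest release fixing the Dec 2021 Log4j 2 CVEs on Java 8+; confirm on Apache's site.
MIN_SAFE = (2, 17, 1)
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def parse_version(pom_properties: str):
    """(major, minor, patch) parsed from Maven pom.properties text, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.M)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def inspect_archive(data: bytes, label: str, findings: list, depth: int = 0):
    """Append one finding per log4j-core in data, recursing into nested archives
    (fat jars, WARs, EARs) so bundled copies are not missed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
        version, has_jndi = parse_version(props), JNDI_CLASS in names
        # 2.17.x still ships JndiLookup.class with JNDI off by default, so the class
        # alone is not the verdict; an unpatched version plus the class is.
        findings.append({"archive": label, "version": version, "jndi_lookup": has_jndi,
                         "exposed": has_jndi and (version is None or version < MIN_SAFE)})
    if depth < 3:
        for inner in sorted(n for n in names if n.lower().endswith(ARCHIVES)):
            inspect_archive(zf.read(inner), f"{label}!{inner}", findings, depth + 1)

def make_archive(entries: dict) -> bytes:
    """Constructed zip (not a real Log4j build) so the demo runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo() -> list:
    """Constructed inventory: an unpatched jar, a patched jar, and a WAR bundling the old one."""
    core = lambda v: make_archive({POM_PROPS: f"version={v}\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    findings = []
    inspect_archive(core("2.14.1"), "log4j-core-2.14.1.jar", findings)
    inspect_archive(core("2.17.1"), "log4j-core-2.17.1.jar", findings)
    inspect_archive(make_archive({"WEB-INF/lib/log4j-core-2.14.1.jar": core("2.14.1")}), "app.war", findings)
    return findings
```

To run it over a real filesystem, call `inspect_archive(path.read_bytes(), str(path), findings)` for every file under a directory whose suffix is in `ARCHIVES`.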

What’s the best way to protect against the Log4Shell vulnerability? Making the shift to the new era of CyberSafety: being aware of your network security threats in real time before the attack happens, stopping those attacks immediately with CC/B1’s deep inspection, and transferring the risk of those attacks through real-time cybersecurity network insurance.

Our CC/B1 Platform can assist with your CyberSafety shift. Request a demo today by heading to cloudcover.cc/request-a-demo or sending an email to [email protected].

References:

Novinson, Michael (December 13, 2021). “10 Technology Vendors Affected By The Log4j Vulnerability.” CRN. https://www.crn.com/slide-shows/security/10-technology-vendors-affected-by-the-log4j-vulnerability

Murphy, Hannah (December 14, 2021). “Hackers launch over 840,000 attacks through Log4j flaw.” Ars Technica. https://arstechnica.com/information-technology/2021/12/hackers-launch-over-840000-attacks-through-log4j-flaw/
