On December 9, 2021, cybersecurity and tech teams around the world went on red alert for an infected piece of the hugely popular logging tool, Apache Log4j. Used in everything from cloud storage to TVs, Log4j serves as the backbone for a majority of our devices and day-to-day processes. As word spread about the incident, governments and organizations scrambled to determine which of their systems were affected, how bad it truly was, and how quickly they could resolve it. Unfortunately, this cyber event ended up being worse than anyone had thought.
“The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career,” said Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency.1
What started as a relatively simple warning (from a video game or a researcher, depending on your source) quickly turned into one of the worst cyber crises of the past decade. Together, let’s take a look at the impact the Log4j vulnerability had on the world at large and how it continues to affect the cybersecurity industry.
What is Log4j?
Apache Log4j is an open-source logging tool for the #1 programming language in the world, Java.2 By nature, open-source platforms are free, publicly-accessible tools that developers can use however they please to supplement any code they’ve written themselves. There are dozens of open-source logging tools available for use across the Internet, but Log4j is one of the most common and effective.
Essentially, Log4j’s main purpose is to create a log of activity on a device, copying down everything that happens on a program as it runs.3
"You want to think about it like a modular component that's used in many, many different kinds of software. And its job is ... just basically recording things that happened and writing them to another computer somewhere else," said Andrew Morris, founder and CEO of cyber-intelligence firm GreyNoise.3
To picture the full breadth of its applications, Log4j is used in a full suite of Apache projects (Splunk, Struts2, Solr, Druid, Flink, etc.) and wherever the Java language is used as well. That includes cloud storage services like Google, Apple, and Microsoft; software vendors like IBM, Oracle, and Salesforce; and Internet devices like computers, TVs, and phones.1 As they state on their website, “With millions of developers running more than 51 billion Java Virtual Machines worldwide, Java continues to be the development platform of choice for enterprises and developers.”2
An unfortunate discovery
There are two accounts of how the Log4j vulnerability was first recognized. According to one report, the popular video game Minecraft released a message to its players advising them to update with a patch for a system glitch. Others believe that before Minecraft brought this to the public eye, a researcher working for the Chinese tech firm Alibaba independently discovered the bug and informed the Apache Software Foundation, an all-volunteer corporation that develops and maintains the open-source Log4j software.1
However it became known, news of the critical zero-day Log4j vulnerability CVE-2021-44228 spread quickly and urgently. This vulnerability gave full access to any program running a version of Log4j to whomever entered a piece of malicious code into its logging system. This would allow almost anyone, from anywhere in the world, to extract data, deploy malware, and otherwise completely control the device on which Log4j was running.
While the Apache team scrambled to create and issue a patch for the vulnerability, hackers seized the opportunity to launch thousands of attacks on various companies. They began posting their ‘proof of concept’ exploits on the dark web to encourage more cybercriminals to join in on the frenzy as well. The first attempt to exploit the vulnerability was recorded nine minutes after it was publicised. After 12 hours, it had been used in 40,000 attempted cyberattacks. After 72 hours, there had been 830,000 attempted attacks.4
Luckily, Apache was able to release a patch within the same day (2.15.0); but once it was discovered that patch had a vulnerability on it as well, they had to rebound and create versions 2.16.0 and 2.17.0 soon after. In the meantime, organizations like the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) issued official warnings to all companies that they must install the latest Apache update immediately to mitigate the damage.5
Unfortunately for many companies, resolving the issue was, and continues to be, extremely labor and time-intensive. Since Log4j is ingrained in so many devices and functions, it’s hard to determine exactly what it’s being used for and where the source is. Additionally, installing the patch is primarily in the hands of software vendors, because it is their services that carry the Log4j vulnerability and need to be updated. In the first days and weeks following the announcement, organizations were largely dependent on those vendors to inform them of the crisis, issue the patches, and ensure they were thoroughly implemented.
Cybersecurity and IT teams are continuing to seek out and patch the issues wherever they can and as quickly as they can. In an effort to expedite the process and ensure no one is left with the original compromised software, CISA gave federal civilian agencies a Dec. 24 deadline to install the patch, and the Federal Trade Commission (FTC) has now urged all U.S. organizations to follow suit immediately or risk punitive action.1,5 Security experts remain on high alert for any other exploits or mentions thereof.
What does this mean for cybersecurity experts?
The Log4j vulnerability has taught us a lot about our digital infrastructure, the way in which we handle crises, and the general public’s understanding of cybersecurity. While some might argue this is an opportunity to rethink the prevalence and ease of open-source tools like Log4j, others believe that it’s up to the organizations that use those tools to be held accountable for their security.4 Either way, there clearly needs to be a change in the system that produces a majority of our digital world but is maintained by a group of volunteers.3
In the short term, we’ll need to continue updating our software and remain vigilant for signs of unusual activity. Longer term, organizations will need to invest in updating their cybersecurity risk management more frequently and diligently. That includes keeping a registry of software assets, conducting regular security tests, and hiring highly-trained professionals who can handle small and large-scale defense strategies.
Move to the frontlines of cybercrime
A colossal hacking event like this creates many takeaways for cybersecurity professionals, but perhaps most important is the fact that their work is more crucial and in-demand than ever before. Even as cybersecurity improves, criminals are devising new ways to breach those protections. To successfully meet the threat of ongoing attacks, Marquette University offers courses that include detailed training and up-to-the-minute cybersecurity protocols and procedures.
No matter your skill level, we’d love to welcome you to the online Master in Computer and Information Science program to help combat the growing risk of hacks and other forms of cybercrime.
- Retrieved on January 26, 2022 from washingtonpost.com/technology/2021/12/20/log4j-hack-vulnerability-java/
- Retrieved on January 26, 2022, from oracle.com/java/
- Retrieved on January 26, 2022, from npr.org/2021/12/14/1064123144/companies-scramble-to-defend-against-newly-discovered-log4j-digital-flaw
- Retrieved on January 26, 2022, from techmonitor.ai/technology/cybersecurity/log4j-vulnerability-what-happened-this-week-what-comes-next
- Retrieved on January 26, 2022, from csoonline.com/article/3645431/the-apache-log4j-vulnerabilities-a-timeline.html