A week ago, the internet experienced a seismic event. Thanks to a vulnerability in Log4j, a popular open source library, multitudes of servers around the world were suddenly exposed to relatively simple attacks. The first wave of hacking is well underway. But it’s what comes next that should worry you.
So far, the vanguard of Log4j hacking has primarily comprised cryptominers, malware that leeches resources off of an affected system to mine cryptocurrency. (These were extremely popular a few years ago, before everyone realized that the real money’s in ransomware.) Some nation-state spies have dabbled as well, according to recent reports from Microsoft and others. What’s seemingly missing is the extortion, the ransomware, the disruptive attacks that have defined so much of the past two years or so. This won’t be the case for long.
Hype is endemic in the world of cybersecurity, as is the spread of fear, uncertainty, and doubt. Lots of software has flaws; they can’t all be so bad. By all accounts, though, the Log4j vulnerability—also known as Log4Shell—lives up to the hype for a host of reasons. First is the ubiquity of Log4j itself. As a logging framework, it helps developers keep track of whatever goes on inside their apps. Because it’s open source and reliable, plugging in Log4j instead of building your own logging library from scratch has become standard practice. Moreover, so much of modern software is cobbled together from various vendors and products that it may be difficult, if not impossible, for many potential victims to even know the full extent of their exposure. If your code’s innermost Matryoshka doll runs Log4j, good luck finding it.
But wait, there’s more! Log4Shell is also relatively trivial to exploit. Just send a malicious piece of code and wait for it to get logged. Once that happens, congratulations; you can now remotely run whatever code you want on the affected server. (Caveats: This is the short version. It’s a little more complicated in practice. Also, Log4j versions prior to 2.0 appear unaffected, although there’s some debate there.)
It’s that combination of severity, simplicity, and pervasiveness that has the security community rattled. “It is by far the single biggest, most critical vulnerability ever,” says Amit Yoran, CEO of cybersecurity firm Tenable and founding director of US-CERT, the organization responsible for coordinating public-private response to digital threats.
So far, though, that calamity seems slow to manifest. Hackers are absolutely targeting Log4j; security firm Check Point has seen over 1.8 million attempts to exploit the vulnerability since Friday, according to spokesperson Ekram Ahmed. At some points, they’ve seen over 100 attempts per minute. And state-sponsored groups from China and Iran have been spotted using Log4Shell to establish footholds in various targets. Still, for now, cryptominers reign.
“Miners are usually the first to jump on these things because they’re the lowest-risk form of cybercrime,” says Sean Gallagher, senior threat researcher at cybersecurity company Sophos. “They don’t require a whole lot of hacking beyond getting in, they don’t require a whole lot of hands-on keyboard skills to deploy. They’re generally packaged and ready to go; all they need is a vulnerability to get in with.”