Could a recently discovered bug in a widely used piece of software put your business at risk? According to cybersecurity experts, the answer is a resounding yes. The detection of this flaw two weeks ago in the extensively used utility known as Log4j sent shockwaves through the tech world and put many businesses, especially those with internet-facing networks, on high alert. Exploiting this flaw could let hackers log into a company’s servers and take control of anything from consumer data and web servers to industrial control systems.
According to Jen Easterly, a top U.S. cybersecurity chief, this flaw is “one of the most serious I’ve seen in my entire career, if not the most serious”, adding that, “The Log4j flaw is more serious than other cybersecurity flaws because of its ubiquity, simplicity and complexity.” Others, like professor Justin Cappos of NYU, call it a “very, very serious issue that may affect different pieces of software” and the CEO of Verimatrix, a cybersecurity company, refers to the flaw as a “nightmare”.
What in the world is Log4j?
If you aren’t in the bustling world of tech, it’s not unlikely that this is your first encounter with Log4j. Simply put, Log4j is a piece of open-source software (it’s free and readily available for download from the internet) written in the Java programming language. It creates an entry (log) of all activities in an app or website, which software developers use to troubleshoot problems and track data. It was created and is maintained by volunteers from the Apache Software Foundation and runs most of the major programs we have today. Companies like Twitter, Amazon, Google, Cisco, IBM, Apple and a slew of others use Log4j actively, which, according to Cybereason, puts over a third of all internet users at risk.
The main issue arising from the vulnerability of Log4j is just how widely used it is. According to Bitdefender, it powers everything from webcams to car navigation systems and medical devices. It is also so small that in some cases it goes undocumented, which presents another challenge: it can’t be said definitively which software is safe or susceptible. Log4j is often hidden under layers of other software, so it’s not as easy as saying, “Product X is vulnerable so I’ll avoid it.” As of now, many vendors are scrambling to find out if their products are affected. But a spokesperson at Dragos, an industrial cybersecurity firm, is doubtful that many will escape the reach of this vulnerability. “I think we won’t see a single major software vendor in the world not have a problem with this.”
Just how bad is it?
Since the vulnerability was made public, there have been multiple reports of cybercrime across the globe; Check Point estimates that it has thwarted over 4.3 million attempts at exploiting the vulnerability at the time of writing of this blog.
According to Microsoft’s threat intelligence team, the majority of attacks so far have been related to scanning attempts, meaning that the hackers test whether potential victims are susceptible to attack. Initially, cryptocurrency mining malware was installed on devices of unsuspecting users to mine digital currency discreetly. But that quickly evolved into more sinister activities that threatened companies, even whole governments. Last week for instance, Belgium’s defence ministry had to shut down a sizable part of its network after hackers exploited the vulnerability. Microsoft also reports that countries like Turkey, China, Iran and North Korea have been looking for means to use the flaw to their advantage.
For businesses, the situation is just as dire. One cybersecurity company reported that it took just a few days for nearly half of all corporate networks to be targeted. Some of the most dangerous threats that have been reported so far are the use of tools like Cobalt Strike, which is used to steal user data and passwords, and ransomware like Khonsari, which attacks a company’s network and demands ransom in exchange for removal of the bug. And now that we’re well into December, experts say that the situation might be more severe due to the Christmas rush: websites failing, credit card theft, etc.
Speaking to Yahoo! Finance, a professor from Stanford explained that if a network has the Log4j vulnerability, it gives hackers leeway to run any code on the victims’ machines. “Once the hacker is in control, they can steal emails, destroy files and install ransomware. The hacker can also take control of the generator that your computer is connected to or the telephone switch or your chemical plant, etc.”
What can you do?
We’ve painted a picture of just how bleak things are and are going to be for a while; many experts call this issue a long-term problem. It is therefore necessary that you take the right measures to keep your business and your clients secure.
Although Log4j is one of the most severe exploitable flaws to have been encountered recently, it is far from being the first or the last. In fact, during the height of the pandemic last year, the rates of cybercrime increased exponentially, statistics show. So even if by some chance you are unaffected by the Log4j issue, an airtight cybersecurity cover for your business is always a necessity.
- Always have a cybersecurity expert on hand
The reach of Log4j goes deep, in a way that a layperson may not be able to fully comprehend. You need an expert to identify whether the software you’re running is vulnerable (Log4j is also used in bespoke software, which won’t appear in lists of affected software), then help you take the required steps. In the time since the flaw was discovered, Apache has come out with several patches that your expert can help you install and run to keep you safe from the vulnerability.
- Update your software regularly
Some companies don’t keep up to date with their cybersecurity and are therefore usually late in applying patches when they’re released. Applying patches is important because vendors are always working to reduce flaws, bugs and other errors that may significantly impact your user experience. But before you make any updates, you should evaluate the dependence of your activities on the current software and the risk to legacy computer systems. To be safe, consult your cybersecurity expert.
- Enumerate devices running Log4j
CISA advises companies with internet-facing programs that rely on Log4j to keep a record of all their devices and to monitor and quickly address any alerts that may show up. They also advise companies to install firewalls with automatic updates.
Cybersecurity threats crop up instantaneously, and often without any warning. And as we’ve witnessed with the Log4j flaw, as with other vulnerabilities in the past, hackers waste no time in taking action to exploit them. To err on the side of safety, ensure you’ve entrusted the safety of your business to the hands of a capable cybersecurity expert.
Not sure how to start protecting your business from hackers? Browse through profiles of hundreds of cybersecurity experts listed on Ureed.com and make the step towards a safer, more secure future.