Log4Shell is a software vulnerability in Apache Log4j, a popular Java library used for logging error messages in applications. The vulnerability discovered in Log4j allows a remote attacker to take control of a device on the internet if that device is running a certain version of Log4j. It has been assigned a CVSS score of 10 out of 10. It’s one of the worst vulnerabilities in recent history, if not all time.
Log4Shell is considered a zero-day vulnerability because hackers knew about and exploited it before experts did. Security researchers believe hackers have exploited Log4j since December 1. The first attacks were reported around December 9th. Security firm Kryptos Logic said they detected more than 10,000 different IP addresses probing the internet for Log4Shell.
What impact does Log4Shell have on me?
Many companies use the Log4j library in their applications and infrastructure. A lot of network-enabled storage and smart home devices also use the library. Some companies may use Log4j but not even be aware of it. If you don’t know if you use the library you need to engage IT, professionals, or security experts, to help you. You do not want to leave systems unpatched and connected to the internet.
According to GitHub, Apple, Amazon, Google, IBM, Tesla, Twitter, and Steam are all impacted. VMWare and Cisco also notified their customers that their systems were impacted. Most of these companies have been quick to patch systems.
Given the wide-ranging nature of Log4Shell, and the likelihood that ransomware will follow, this is likely the calm before the storm. Sophisticated attackers are patient. They will infiltrate a network quietly and wait. Often creating a backdoor into an exploited server that they can exploit and scan for through a network for valuable information.
What should we do?
Some things you can do to help protect your company from Log4Shell.
- Know where Log4j is in your environment – Monitor any systems that are running Log4j. Review any logs and server activity for irregular activity. Any unusual activity should be investigated.
- Patch and update hardware ASAP – Identify systems that are vulnerable and get them patched as quickly as you can. Prioritize systems that are connected to the internet. If they can’t be patched immediately they should be disconnected from the internet until they can be patched.
- Stay up-to-date – Stay informed of the most recent updates and any changes to the current situation.
- Make sure your backup is working – In situations like these you may have to rely on your backup. Make sure your backups are running and working properly. You don’t want to find out your backup wasn’t running when you need it most.
- Update Anti-virus and endpoint security – It’s a common belief that ransomware is coming. We may also see an increase in other viruses or trojans. You need to have a plan in place for verifying your AV software is updated.