A huge number of cyberattacks are exploiting a dangerous flaw called log4shell in the log4j software. One top U.S. cybersecurity official was quoted in Cyberscoop saying that is one of the most serious attacks of her career, “if not the most serious.” Here’s what makes it so bad—and how it affects you.
What Is Log4j?
The log4j bug (also called the log4shell vulnerability and known by the number CVE-2021-44228) is a weakness in some of the most widely used web server software, Apache. The bug is found in the open-source log4j library, a collection of pre-set commands programmers use to speed up their work and keep them from having to repeat complicated code.
Libraries are the bedrock of many, if not most, programs as they’re great timesavers. Instead of needing to write out a whole block of code time and time again for certain tasks, you just write a few commands which tell the program that they need to grab something from a library. Think of them like shortcuts you can put in your code.
However, if something goes wrong, like in library log4j, that means that all programs that use that library are affected. That would be serious in and of itself, but Apache runs on a lot of servers, and we do mean a lot. W3Techs estimates that 31.5 percent of websites use Apache and BuiltWith claims to know of more than 52 million sites that use it.
How the Log4j Flaw Works
That’s potentially a lot of servers that have this flaw, but it gets worse: How the log4j bug works is that you can replace a single string of text (a line of code) which makes it load data from another computer on the internet.
A halfway decent hacker can feed the log4j library a line of code that tells a server to pick up data from another server, owned by the hacker. This data could be anything, from a script that gathers data on the devices connected to the server—like browser fingerprinting, but worse—or even take control of the server in question.
The only limit is the hacker’s inventiveness, skill barely comes into it as it’s so easy. So far, according to Microsoft, hackers’ activities have included crypto mining, data theft and hijacking servers.
This flaw is a zero-day, which means it was discovered and exploited before a patch to fix it was available.
We recommend the Malwarebytes blog’s take on log4j if you’re interested in reading a few more technical details.
Log4j’s Security Impact
The impact of this flaw is massive: one-third of the world’s servers are possibly affected, including those of major corporations like Microsoft as well as Apple’s iCloud and its 850 million users. Also affected are gaming platform Steam’s servers. Even Amazon has servers running on Apache.
It’s not just the corporate bottom line that could be hurt, either: there are plenty of smaller companies that run Apache on their servers. The damage a hacker could do to a system is bad enough for a multi-billion company, but a small one could be wiped out completely.
Also, because the flaw was so widely publicized in an effort to get everybody patching it, it has become something of a feeding frenzy. Besides the usual crypto miners trying to enslave new networks to speed up their operations, Russian and Chinese hackers are joining the fun as well, according to several experts quoted in the Financial Times (our apologies for the paywall).
All anybody can do now is to make patches that fix the flaw and implement them. However, experts are already saying that it will take years to fully patch all affected systems. Not only do cybersecurity professionals need to find out which systems have suffered from the flaw, checks need to be made to see whether the system has been breached and, if so, what the hackers did.
Even after patching, there’s a possibility that whatever the hackers left behind is still doing its job, meaning servers will need to be purged and reinstalled. It’s going to be a huge job and not one that can be done in a day.
How Does Log4j Affect You?
All the above might sound like what can only be described as a cyber-apocalypse, but so far we’ve only talked about businesses, not about individuals. That’s what most coverage has focused on. However, there’s a risk for regular people, too, even if they don’t run a server.
As we mentioned, hackers have stolen data from some servers. If the company in question secured the data properly, that shouldn’t be too much of a problem, because the attackers would still need to decrypt the files, not an easy task. However, if people’s data was saved improperly, then they made a hacker’s day.
The data in question could be anything, really, like usernames, passwords, or even your address and internet activity—credit card information is usually encrypted, thankfully. Though it’s too early to tell now how bad it will be, it looks like very few people will be able to avoid log4j’s fallout.