As tech companies rush to fix the Log4j vulnerability, also known as Log4Shell (CVE-2021-45046), experts say that in some circumstances it could allow the exfiltration of sensitive data. In simple terms, the vulnerability could let cybercriminals steal data or remove it from a device without authorisation.
The flaw allows any hacker or cybercriminal to execute ‘arbitrary code’ and gain control of a computer system by feeding a specially crafted string to the library.
The issue was first highlighted by researchers at Alibaba, and Microsoft’s Minecraft soon issued a statement confirming that it was impacted as well. According to researchers, the flaw affects most enterprises and web services, from Apple’s iCloud to Google Cloud products. Researchers have also said that exploits for this flaw already exist and are being used in crypto-mining scams.
According to cybersecurity firm Praetorian, the vulnerability can allow data theft, and the firm has passed technical details of the issue to the Apache Foundation, which maintains the Log4j library. It recommends that all customers on Log4j versions 2.15.0 and below upgrade to 2.16.0 as quickly as possible.
The cybersecurity company has not shared the technical details, stating that “it would only make things difficult”, and has released only a video showing the data exfiltration.
Meanwhile, other firms report that exploitation attempts against Log4j continue to grow. Kevin Reed, CISO of Singapore-based cybersecurity firm Acronis, said, “The whole Internet is being scanned at the moment – at least two botnets are searching for the unpatched vulnerability, we’ll be seeing more in the coming days. Before Friday, we detected exploitation attempts in single digits – but over the weekend we saw 300 times growth globally. Hard to say which of those are targeted exploitations – likely can’t be traced by anyone at the moment.”
Comparing the vulnerability to EternalBlue, which was used by the WannaCry ransomware, Candid Wuest, Acronis VP of Cyber Protection Research, added that “the Log4shell vulnerability in Log4j is definitely in the top-5 most severe vulnerabilities of the last decade, one that allows for remote code execution (RCE),” and that it will take longer to patch since it is “not just one vulnerable software that can be updated, but rather a library that’s included in many applications, resulting in many different updates that need to be installed.”
He added that the attacks will lead to a spike in new data breaches. “With software such as VMware, WebEx and PulseSecure VPN being affected, it can result in downtime and disruption while mitigations are made. As the vulnerability has been exploited for days already, the security teams need to analyze if they were compromised and if any backdoor has been installed by attackers,” he said.