At the beginning of December, a security hole was discovered in the Java-based Log4j logging feature, affecting millions of businesses, government agencies, and cloud services using this popular Apache library. Many cybersecurity experts assess the vulnerability, named Log4Shell, as one of the most critical vulnerabilities of the decade.
According to our lead consultant Ronnie Jaanhold this is a critical vulnerability that can be used to do a lot of harm. “It’s as if you were sitting in an anthill wearing a wetsuit, unaware that you actually have several tiny holes in your wetsuit. You think you’re protected and as long as the ants haven’t found a hole, you’re fine. But as soon as one ant discovers one of the holes and communicates it to the others, they start crawling in one after the other,” he explains.
To date, Google, Amazon, LinkedIn, Apple, Tesla, Twitter, and many other well-known enterprises have suffered damage because of the Log4Shell security vulnerability. According to Microsoft, cybercriminals are using Log4Shell for malicious crypto mining, identity, and bank detail theft, as well as ransomware installation.
All Java-based services using Apache Log4j 2 versions 2.0 to 2.14.1 are affected. Log4j 2 has been integrated into many popular frameworks, including Apache Struts 2, Solr, Druid, Flink and Swift, Tomcat.
Log4j is used by almost all the Internet services or applications we are familiar with, such as Twitter, Amazon, Microsoft and many others. Its GitHub project has 400,000 downloads.
“Nobody foresaw such a security hole. Prompt response is all the more important now. All companies and institutions whose systems are affected should be engaged in mapping and patching the vulnerability. Denying the risk could lead to the worst-case scenario, i.e. a sudden shutdown of business activity.
Through this hole, access could be gained to your corporate infrastructure. From there on, it’s a piece of cake for an attacker, business as usual – encryption, ransomware, erasing data, and so on,” explains Jaanhold.
There are probably a lot of similar security holes we do not know about. It is essential that people responsible for your company’s digital channels know what software is being used, appropriate prevention, detection, and protection measures are in place and a plan has been prepared for responding to vulnerabilities and attacks detected. In many cases, a company might opt to use a vulnerability scanner to keep a track of “live” vulnerabilities, as not all of them can be patched.
Should your company lack adequate competence in this field, you can use a service partner that can draw attention to and prioritize cyber security issues. “The question is not whether an attack will come but when, how well the defense has been arranged, and how prepared the company is to respond,” Jaanhold points out. “Our team has helped to analyze the situation on this issue and develop the most appropriate and cost-effective plan in several companies.”
Explore the fusion of service design and cybersecurity in our latest blog post, inspired by KüberCAST’s enlightening episode with Andres Kostiv. Learn how this integration not only enhances digital service innovation but also fortifies user trust and safety in the evolving digital landscape.
Dive deep into the world of cybercrime with insights from Alexander Leslie of Recorded Future, exploring the LockBit ransomware’s rise and fall, the strategies behind its operation, and the collaborative efforts leading to its takedown.
Delve into the complexities of data security and AI, understanding how these pivotal technologies are transforming business strategies and operational efficiencies.
