The Log4J vulnerability has commanded our full attention. This appears to be the biggest security event we have had to face yet. Why? Like sugar, Log4j is everywhere. Even hidden in products you didn’t expect it in. And when abused, there’s nothing healthy about it.
What’s going on
In simple terms: a commonly used Java library that processes log messages contains a flaw. If you feed a specially crafted message through it, it will download a program from the internet and run it. This “special message” is now widely known and not overly complex, and criminals are exploiting it to find and if possible, take over vulnerable systems at an aggressive rate.
While the criminals are currently keeping a low profile, likely harvesting vulnerable hosts for later use. We expect more impacting attacks, such as ransomware, to occur in the near future.
What we are doing
At Schuberg Philis, we have a good understanding of where risky components are in systems and services, we are responsible for, and our understanding improves by the hour. Our security leads are on daily calls with each other about the vulnerability. We are in close contact with our customers about it. We track any updates of affected and potentially affected vendors. Finally, systems that were vulnerable are analyzed for malevolent behavior.
We are vigilantly monitoring these systems as well as the situation as a whole. We encourage everybody responsible for IT systems or services to do the same.
While we seem to be on top of this issue, we acknowledge that we might discover new places we did not know were vulnerable. This vulnerability lies in the way JNDI (Java Naming and Directory Interface) has been integrated into Log4j. Log4j isn’t the only Java library to integrate JNDI and it is possible that others have made the same mistake, but the focus — of both malicious actors, ethical hackers, and defenders like us– now is on finding vulnerable Log4j instances.
At some point, we will likely find out that something else, besides Log4J, is vulnerable. We hope we hear this from those using their skills for good but learning this through new attacks is likely too.
What is next?
Dealing with the Log4J vulnerability began as a sprint. But this race is going to be long and drawn-out. This news is ill-timed, as we near the holiday season. What’s more, the Dutch government just extended COVID-19 measures and lengthened the upcoming school breaks, forcing many of our already busy colleagues to balance work and childcare.
So be nice to one another and yourself. As they say in auto racing: to finish first, you first have to finish.
If you are a Schuberg Philis customer, reach out to your dedicated customer teams using your regular contacts.