The Lessons From Log4j And Other Zero-Day Attacks

As the tech industry registers the anniversary of the shocking cyber vulnerability, MSPs have reason to pay close attention.

It has been just over a year since news of the Log4j vulnerability sent shockwaves through the global tech industry. Deemed by the Department of Homeland Security as one of the most critical cyber vulnerabilities ever encountered, the flaw — known as Log4Shell or CVE-2021-44228— exposed a wide range of web applications, email services, cloud platforms, and more to exploitation.

The threat still remains

Since then, intense remediation efforts and patching have defused the most urgent threat but the fallout from Dec. 9, 2021, the day the Apache Software Foundation went public with its discovery, is far from over. The vulnerability, found in the Apache Log4j library, a ubiquitous Java logging tool, is still omnipresent in systems worldwide. Amid the raft of vulnerabilities that have been identified over the years, the Log4j flaw stands out as it allows attackers to install malware or mount other digital attacks simply by getting the system to log a special string of code via remote code execution (RCE).

Even more concerning, Wired reports as many as 25% of Log4j downloads from the Apache repository Maven Central and other repository servers are — to this day — full of vulnerable versions of Log4j. This means software developers are actively maintaining flawed versions of the utility or even building new vulnerable software.

Log4j is the most high-profile example of a zero-day vulnerability. The invocation of “zero day” (also 0-day) signals just how urgent the threat is. A recently discovered security vulnerability leaves an organization at risk of an attack. With no immediate patch available, hackers can exploit the new vulnerability with a high chance of succeeding. In other words, there’s no time to lose — the developer or vendor has “zero days” to fix the issue. Three terms are typically used in association with “zero-day”:

• Zero-day vulnerability: A vulnerability in a system or device that has been disclosed but is not yet patched.
• Zero-day exploit: The method used to attack a zero-day vulnerability and gain access to a system.
• Zero-day attack: An attack that exploits a previously unknown hardware, firmware, or software vulnerability.

Aside form Log4j, examples of notable zero-day attacks include:

Stuxnet

Few zero-day attacks have received more publicity than Stuxnet. The documentary Zero Days chronicles the harrowing zero-day attack that primarily targeted Iran’s uranium enrichment plants. The malicious computerworm was discovered in 2010 and affected manufacturing computers running programmable logic controller (PLC) software.

2020: Zoom

A vulnerability was found in the popular video conferencing platform. This example involved hackers accessing a user’s PC remotely if they were running an older version of Windows. If the target was an administrator, the hacker could completely take over their machine and access all their files.

2020: Apple iOS

Apple’s iOS is often described as the most secure of the major smartphone platforms. However, in 2020, it fell victim to at least two sets of iOS zero-day vulnerabilities, including a zero-day bug that allowed attackers to compromise iPhones remotely.

2017: Microsoft Word

This zero-day exploit compromised personal bank accounts. Victims were people who unwittingly opened a malicious Word document. The document displayed a "load remote content" prompt, showing users a pop-up window that requested external access from another program. When victims clicked "yes," the document installed malware on their device, which was able to capture banking log-in credentials.

Part of the challenge with the Log4j vulnerability was (and is) the enormity of the attack surface. With 6.6 million Java developers worldwide and roughly 5.5 billion devices that run Java in some shape, more than 100 exploitation attempts were made every minute at its peak, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Nation-state hacking groups from Chin, Iran, North Korea, and Turkey all attempted to exploit the flaw, according to Microsoft.

For many organizations, three facts put them at particularly high risk of zero-day attacks:

1. They lack a full accounting of all systems in use: As the saying goes, you don’t know what you don’t know. If you don’t have visibility into your software supply chain, adequately identifying and patching vulnerabilities is a futile undertaking.
2. They are unaware of all software components: Even if you have (1) under control, a list of software that has been bought or deployed is hardly enough to shield an organization from risk. Software components in these programs can include, for instance, open-source libraries and utilities like Log4j, that you may not be aware of.
3. They see no need to take action: The combination of (1) and (2) instills a false sense of security. Organizations that don’t understand their risk exposure are not going to see the importance of investing in vulnerability management and appropriate upgrades.  

With the lingering presence of Log4j and new threats inevitably surfacing, vulnerability management is more important than ever. Whether you’re a managed service provider (MSP) seeking to secure your own environments or would like to introduce its benefits to your small to medium-sized business clients, we’re here to help. ConnectSecure, then CyberCNS, was one of the first to detect the Log4j vulnerability in December of 2021 and remains on the forefront of helping our customers with identifying and mitigating vulnerabilities.

Read more: 

Whitepaper: How to win business with cybersecurity assessments

5 ways vulnerability management can drive profits for MSPs

Understanding the big picture of cybersecurity starts with NIST