Log4Shell flaw: Government asks organisations to check server security

13 Dec 2021

Image: © ABCreative/Stock.adobe.com

A cybersecurity flaw in Java-based utility Log4j, used by many major tech companies, could give hackers access to computer systems.

The National Cyber Security Centre (NCSC) has issued a warning to all organisations that use web servers to respond to a new cybersecurity threat dubbed Log4Shell.

The flaw stems from Apache Log4j, a Java-based logging utility used by many of the world’s major tech companies for their web infrastructure, including Microsoft, Apple, Amazon, Cisco, Tesla, Twitter and Baidu.

The vulnerability can potentially give a hacker unrestricted access to a company’s computer systems.

Log4Shell first received wide public attention after Microsoft-owned Minecraft published a statement to its 140m active monthly users alerting them to the flaw. The company said any player of the game’s Java edition who doesn’t host their own server needs to take mitigating steps.

However, Minecraft is not the only product susceptible to the Log4Shell flaw, and governments, including the US, are rushing to advise organisations with web servers to take immediate steps before hackers get there first.

“It is likely that malicious actors will shortly begin using this vulnerability to attack web servers,” Ireland’s NCSC wrote in a statement. “The NCSC advises that organisations assess their web servers for exposure to this risk. This should include services administrated and provided by third-party service providers.”

It clarified that Apache, which maintains Log4j, has published an update to patch the Log4Shell flaw. It said companies should make use of this immediately and noted that researchers have published tools to help identify attempts to exploit the vulnerability.

“There is no evidence of any successful exploitation of this vulnerability in the State, or any effect on services or data, but the risk of eventual compromise will persist for any entity until the vulnerability is addressed,” it added.

The NCSC is the State cybersecurity organisation in Ireland, part of the Department of Environment, Climate and Communications. It was founded in 2011 and is responsible for advising the Government on cybersecurity threats.

Threat hunting a ‘high priority’

Andrii Bezverkhyi, founder and CEO of cybersecurity start-up SOC Prime, said the problem with the Log4Shell flaw is that Log4j is used by “every major tech on our planet that has Java” and the vulnerability has actually been around since March.

“As defenders, we need to do three things: work on mitigation, hunt to understand if we were breached since March, and report the status to our board of directors for tactical and strategic support,” he said, adding that mitigation will be hard and could take months of work.

“Threat hunting must be a high priority. You should be running continuous detections while patching and protecting the network. That means putting alerts in place and querying the logs to search for evidence of attempts to exploit while you are patching the vulnerability.”

Bezverkhyi cautioned that while enterprises with large security teams will find it easier to hunt threats, thousands of smaller organisations will remain vulnerable to the Log4Shell security flaw.

“For these organisations, it will be important to tap into the power of the cybersecurity community, which has mobilised quickly and come together in the face of an urgent and widespread threat.”

Projects such as the Internet Bug Bounty help organisations of all sizes deal with such cyberattacks by pooling funding to incentivise research into open-source vulnerabilities, according to Kayla Underkoffler, senior security technologist at HackerOne. She added that most high-risk open-source flaws discovered in 2020 have existed in code for more than two years.

“Most organisations lack direct control over open-source software within supply chains to easily fix these weaknesses. Securing this often poorly funded software is an imperative for any organisation that relies on it.”

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Vish Gain is a journalist with Silicon Republic