Why the Log4j vulnerability is such a big deal, according to a former NSA hacker

David Kennedy is the CEO and founder of TrustedSec, and the co-founder and CTO of Binary Defense. He is a former hacker for the NSA and Marine Corps, a former technical advisor to "Mr. Robot" and previously served as Chief Security Officer at a Fortune 1000 company.

In a year that has experienced one jarring cyber attack after another — from ransomware disruptions to the U.S. gas supply and food industries to one of the largest crypto heists ever witnessed — it seems only fitting that 2021 should end with yet another major cyber threat.

This time, the threat is called Log4Shell, a serious vulnerability in Apache’s widely used Log4j logging library tool.

While that name may be rather unassuming and even boring to those outside of the techie universe, this threat is anything but. Log4Shell is one of the biggest cyber threats the world has faced in a very long time.

In simple terms, Log4j is an open-source software tool that is used by companies and developers to monitor the performance and errors inside applications, as well as user activity.

The world is increasingly connected by software such as Log4Shell. (Getty Images)

Log4Shell, which is the actual bug in Log4j, is what is known as a remote code execution (RCE) vulnerability, the worst kind of threat. In this particular case, the Log4Shell vulnerability is so severe that it received a threat rating of 10 (the highest score possible) by the cybersecurity industry’s rating system, known as CVSS.

To give you a better idea of just how impactful this is, Log4j is a component in everything from Apple (AAPL)’s iCloud, Twitter (TWTR), and Amazon (AMZN) to online gaming like Minecraft and Steam, email, cybersecurity tools, and even Tesla (TSLA) cars and NASA’s Mars helicopter.

How bad is this vulnerability?

The Log4j tool is so widely distributed across websites, networking, and other software that it is essentially a ubiquitous technology and a key part of the software supply chain. According to one estimate, 31.4% of all websites use it.

Log4Shell exposes a company to remote access attacks and, because the tool is distributed in so many different products and systems, it will take a long time — and painstaking effort — to find and patch them all. U.S. businesses will be lucky if they are fully protected against this by the end of next year.

According to W3Techs, Apache is used by 31.4% of all websites. (Chart: W3Techs)

If hackers can exploit Log4Shell, they can cause a tremendous amount of damage — from stealing information to infecting the system with malware (including ransomware) and gaining remote control over it as well.

We are already seeing a surge in cyber attacks on businesses because of this vulnerability. These attacks are coming from everywhere — cybercriminals, ransomware gangs and nation-states. For the next year (or more), we will be in a constant state of crisis as enterprises and other leading organizations struggle to get all their systems patched.

However, an even scarier prospect is small- and medium-sized businesses, which have fewer resources to secure themselves against this. Many of these companies will suffer debilitating attacks next year as a result of Log4j. Some might even go out of business.

Wait, it gets worse

This type of vulnerability would be bad enough if it was limited to just one product or brand. But because Log4j is such a ubiquitous technology, the effect of this will be exponentially higher.

To make matters worse, just finding Log4j in a company’s systems is incredibly complex. Log4j is an under-the-radar software tool that is quietly distributed into the back-end of countless technology products, so companies have to do extensive audits to locate each and every instance of it inside their networks. If they miss just one case of Log4j in their systems, they face detrimental damage from hackers.
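The audit step described above is where most organizations struggle, because log4j-core is usually buried inside WAR, EAR and "fat" JAR files rather than sitting on disk as a plain library. The following inventory scanner is an added example, not code from the article or from Apache: it walks a directory tree, opens every archive, recurses into nested archives, reads the library's own Maven version file, and flags anything older than 2.15.0 (the first release that fixed Log4Shell). The fixture WAR it builds is constructed for demonstration only.

```python
import io
import os
import re
import zipfile

# Marker entries in a Log4j 2 core jar: pom.properties carries the version; JndiLookup.class is the lookup code CISA advised removing as a stopgap.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def version_tuple(ver):
    # "2.14.1" -> (2, 14, 1); a tag such as "2.0-beta9" compares as 2.0
    return tuple(int(p) for p in ver.split("-")[0].split("."))

def scan_archive(data, path):
    # Findings for one archive given as bytes; recurses into nested archives.
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = set(zf.namelist())
    if POM_PROPS in names:
        m = re.search(r"^version=(\S+)", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
        ver = m.group(1) if m else None
        findings.append({"path": path, "version": ver,
                         "jndi_lookup_present": JNDI_CLASS in names,
                         # 2.15.0 was the first release that fixed Log4Shell
                         "log4shell_affected": bool(ver) and version_tuple(ver) < (2, 15, 0)})
    for name in names:  # fat jars, WARs and EARs bundle log4j-core one level down
        if name.lower().endswith(ARCHIVES):
            findings.extend(scan_archive(zf.read(name), path + "!" + name))
    return findings

def scan_tree(root):
    # Walk a directory tree and scan every archive found in it.
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), full))
    return findings

def build_sample_war():
    # Constructed fixture: a WAR that embeds a fake log4j-core 2.14.1 jar (no real bytecode).
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, "version=2.14.1\nartifactId=log4j-core\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    with zipfile.ZipFile(outer, "w") as w:
        w.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()
```

Run `scan_tree("/opt")` (or any application root) to list every embedded copy with its version; a copy that is absent from the package manager's inventory is exactly the kind of instance the audit must not miss.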

How to determine whether your organization's products with Log4j are vulnerable. (Chart: CISA)

Finding and patching every single instance of Log4j in a major corporate network is a monumental task, and many organizations lack the resources or understanding to do it. This is especially true for small- and medium-sized businesses, which play a critical role in many corporate supply chains.

It will take months, if not years, to discover the full scope of this exposure. Meanwhile, hackers are actively taking advantage of it, and the attacks are only going to get worse.

The hacks are already happening

While I can’t reveal any names, my security company has already seen numerous organizations that are being targeted by hackers over the Log4j vulnerability.

These hackers run the gamut from suspected nation-state actors to organized criminal groups to ransomware gangs to lower-level thieves.

Other sources can confirm this. For instance, it is being reported that Chinese and Iranian hackers are actively exploiting this flaw in an effort to breach organizations.

The same is true with a growing number of ransomware groups. Altogether, there are already hundreds of affected vendors, with more being discovered every day.

FBI Director Christopher Wray speaks during a news conference over ransomware cyberattack at the Department of Justice in Washington, DC on November 8, 2021. (Photo by Olivier DOULIERY / AFP)

Powerful botnets like Mirai are also incorporating this into their attacks, which means any ‘Internet of Things’ devices in homes and businesses that contain Log4j could be hijacked, ransomwared, or simply infected with crypto-mining malware that will steal the device’s processing power and run it into the ground.

A dark prognosis

For the past 10 years, the public has been inundated with cybersecurity alerts and dire warnings that the sky is falling because of the latest vulnerability or breach. It’s easy to become immune to these warnings, and to not take them too seriously.

However, Log4j isn’t a risk you want to ignore.

It is quite simply one of the biggest digital threats the world has seen. Bigger than the massive Heartbleed bug in 2014, and more recently, Kaseya, Microsoft Exchange, and Accellion. It may even be bigger than the far-reaching SolarWinds breach.

Don’t take my word for it: Jen Easterly, director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA), recently said it’s the most serious vulnerability she’s seen in her decades-long career.

Jen Easterly testifies during her confirmation hearing before the Senate Homeland Security and Governmental Affairs Committee on June 10, 2021 in Washington, DC. (Photo by Kevin Dietsch/Getty Images)

There is absolutely no question that we will see significant and widespread breaches as a result of the Log4j vulnerability, in addition to a surge in ransomware and other attacks.

This could have disastrous consequences because it combines three really bad things: the highest risk vulnerability you can have, widespread distribution of the vulnerability, and an extremely arduous process for finding and patching said vulnerability.

Businesses and investors should expect to see considerable fallout from this flaw over the course of the next year (at a minimum). Businesses will lose valuable data. Customer and employee personal information will be exposed. Ransomware will flourish. We could also see some hackers use this to infiltrate critical infrastructure operators.

Log4j is going to cause a lot of damage, and it will likely take years before we can stop it.
