Log4Shell, Ten Days On: YesWeHack’s Hunters Are at the Forefront of Securing Organisations
December 20, 2021
Log4Shell, a critical zero-day vulnerability of the widely used Java logging library Log4j, is currently occupying the IT security world. IT security experts are working hard to secure their systems with the help of the now known information and initial updates. The software bug, which incidentally was uncovered via a bug bounty program, is already classified as the most critical security vulnerability of the last decade. The vulnerability was discovered in an open-source logging tool ubiquitous in cloud servers and enterprise software.
Gilles Yonnet, the Deputy CTO of YesWeHack, highlights that the Log4Shell vulnerability reminds us that every modern computer system consists of hundreds and thousands of components. The most significant risk can also come from those components that would have been least expected, regardless of whether it is open source or closed source software. In this particular case, a component used by almost all systems – often without knowing it – for such a harmless and usually ‘unassailable’ function as logging proves to be the Achilles’ heel of the Internet.
Why the Apache Log4j Flaw Has Everyone Worked Up?
The logging library – Log4j is a widely-used, open-source logging utility with over 400,000 downloads from its GitHub project. It is used in almost every website and app by technology companies. These include Minecraft, Apple iCloud, Cloudflare and Twitter and many more. The ubiquity of the tool makes the extent of the zero-day’s potential damage likely wide-reaching. Technology companies such as Amazon Web Services, Microsoft, Cisco, Google Cloud, and IBM are rushing to issue fixes. “Normally a vulnerability is reported privately to the software maintainers, who then have time to repair the issue and release an update, so attackers don’t gain a temporary advantage,” VMware highlighted on its security blog. “With a zero-day disclosure like this one, attackers have an advantage while software maintainers scramble to develop the fix.”
Exploiting this vulnerability is simple, and attackers will continuously look for creative new ways to discover and exploit as many vulnerable systems as possible. Unfortunately, many organisations will not even realise that they have systems at risk by cybercriminals to control their Java-based web servers and launch remote code execution attacks. Meanwhile, since December 10th, cybersecurity firm Checkpoint has witnessed what looks like evolutionary repression, with new variations of the original exploit being introduced rapidly- over 60 in less than 24 hours.
Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, stressed that the Apache Log4j flaw is one of the most serious she has seen in her entire career, if not the most serious. Easterly expects the vulnerability to be widely exploited by sophisticated actors, and there is limited time to take the necessary steps to reduce the likelihood of damage. Meanwhile, the UK’s National Cyber Security Centre emphasised on Monday that enterprises need to “discover unknown instances of Log4j” in addition to patching the usual suspects.
Here’s How YesWeHack Prepared Its Clients to Confront the Apache Log4j Flaw
The Apache Log4j flaw underscores the urgency of building software securely from the start. The rapid mobilisation of the security community to identify affected systems and find solutions has put our clients in a good position to reduce the potentially catastrophic effects of such a vulnerability. To prevent the recurrence of similar risks, it is becoming increasingly necessary to make greater use of this community, particularly the community of ethical hackers. This can help organisations protect their security boundaries and, more importantly, monitor their network continuously. This allows them to make any corrections before a malicious actor benefits.
Responding to security issues such as this one shows the value of having multiple layers of defensive technologies. This is very important for maintaining the security of our customers’ data and workloads. Traditional penetration testing does not provide immediate access to security specialists and only serves as a snapshot in time. A critical 0-day vulnerability such as the Apache Log4j flaw requires organisations to identify exposed assets and take quick remedial action. This is why Guillaume Vassault-Houlière, the CEO and Co-Founder of YesWeHack believes that crowdsourced security provides a clear advantage over traditional methods including vulnerability scanners. Bug bounty is an active approach to security that involves tens, hundreds or even thousands of researchers, and can be of great help as organisations scramble to address this critical flaw with limited internal resources and time.
The infosec and bug hunters community has produced and exchanged a huge quantity of information, techniques and tools related to Log4Shell since day one and are better positioned to help secure organisations against the Log4j flaw. Selim Jaafar, the Head of Customer Success at YesWeHack is usually at the front lines when addressing 0-day vulnerabilities. He shares that the platform has assisted its clients in this matter by clearly identifying their needs and providing them with advice adapted to their specific situations.
YesWeHack’s customers are continuously leveraging the support team and the hunter community to assess the impact of this vulnerability on their systems. Our customers first reached out on Friday, 10th December, requesting to integrate the Log4j clause into their program. We immediately integrated it, offering maximum rewards for Remote Code Execution (RCE), receiving over 14 reports the first few days. Our customer success team then continued throughout last week to incorporate these clauses at the request of our customers, which made a total of 140 reports. Romain Lecoeuvre, the CTO of YesWeHack also highlighted that YesWeHack’s VPN allows isolating hunter traffic to not raise any additional alerts at the Security Operations Center (SOC) level.
Even as the industry is frantically scrambling to mitigate and fix the original Apache Log4j Flaw (rated 10 out of 10 on the CVSS vulnerability scale), a second Log4j vulnerability (CVE 2021-45046) was discovered, enabling cybercriminals to execute denial-of-service (DoS) attacks. The hunters are identifying affected applications and our customer success team is encouraging YesWeHack’s clients to install the patch for the second vulnerability as soon as possible.
Since addressing Log4Shell is a race against time, YesWeHack’s hunters have helped in multiple ways, notably:
- Identifying vulnerable components when internal resources can’t cover the whole spectrum.
- Understanding how far the exploitation of a vulnerable component could go in a given technical context by providing a complete and specific Proof-of-Concept.
- Double-check that a supposedly already patched scope does not have remaining flaws or that the security measures applied cannot be bypassed.
In the end, the Log4Shell case opened a more profound reflection and discussion on the help the community could provide more broadly on the subject of 0-day vulnerabilities in the longer term, which will undoubtedly lead to a more systematic and better-structured collaboration on this crucial topic.
Eager to know more about YesWeHack’s crowdsourced security platform? Drop us a line and one of our experts will get back to you!