Flaws found in the code of a near-universally adopted utility, known as Log4j, were considered to pose the most severe security threat in history when they were uncovered in December. The logging utility, which records activities in systems used by companies and governments around the world, poses a threat to the private funds industry and its investments.
Impacting the universally adopted Apache Log4j logging utility, the first vulnerability, dubbed Log4Shell, was first disclosed last November by Chinese e-commerce platform Alibaba. Log4Shell received the National Institute of Standards and Technology’s most severe risk grading.
Log4Shell remains a significant concern for cybersecurity practitioners around the world. After a record year of private equity-fueled mergers and acquisitions in 2021, consolidations that inevitably imply myriads of IT integration initiatives, the PE industry may find itself particularly exposed to Log4Shell intrusions.
The developing conflict with Russia over its invasion of Ukraine – and the accompanying cyberattacks against Western targets that many anticipate will follow – significantly amplifies the risk of hackers exploiting unpatched Log4J flaws.
How it works
Apache’s Log4j utility has multiple so-called “zero-day” vulnerabilities. Zero-days are novel and previously undisclosed flaws in software code. Apache’s Log4j is the most popular Java logging library – a utility used to collect, store and retrieve information across the internet, software applications and computer networks – in the world, according to cybersecurity firm CheckPoint. Log4j has more than 400,000 downloads from its GitHub site, and is used by a “vast number of companies worldwide,” enabling developers to record the activity of Java applications, the firm said. Apache is the most widely used open-source and cross-platform web server software in existence.
Log4Shell allows threat actors who can get an unpatched Java application to log messages or log message parameters they control to perform remote code execution (RCE) attacks. RCE intrusions are attacks where adversaries introduce exogenous, malicious commands into a system.
The other two Log4j vulnerabilities enable hackers to launch denial-of-service (DoS) attacks, which can disable compromised machines or entire networks if left unpatched, security researchers said. These exploits are considered less severe than Log4Shell.
According to Checkpoint, the Log4Shell empowers attackers to remotely execute “cryptojackers and other malware on compromised servers.” Cryptojackers are malicious software that allow hackers to mine cryptocurrencies on compromised machines. Effectively, the flaw in Log4j’s code gives hackers a wide range of abilities, from maintaining access to a target institution’s systems, generating digital currency, to stealing private data and more.
A December report authored by Google’s open-source security team said that “more than 35,000 Java packages, amounting to over 8 percent of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities… with widespread fallout across the software industry.”
Darren Van Booven, a cyber-advisory practice lead at cybersecurity firm Trustwave, said the “Log4j flaws pose a unique threat because it is not a single piece of software. It is a software component that can be used by computers, websites, apps and other technologies running online services. It is trivial to exploit.”
The Log4j vulnerability is thus a software supply-chain exploit that imperils the critical infrastructure underpinning the Internet itself. “As a popular logging tool, Log4j is used by tens of thousands of software packages (known as artifacts in the Java ecosystem) and projects across the software industry,” said the Google report.
The report also noted that “user’s lack of visibility into their dependencies and transitive dependencies has made patching difficult; it has also made it difficult to determine the full blast radius of this vulnerability.”
According to a security report from Google, researchers had identified 17,000 affected Java artifacts, which are programs bundled together to serve a common purpose, amounting to 4 percent of the Log4j-core ecosystem, as of last December.
But it’s important to emphasize that these are only the compromised artifacts that have been identified by security researchers. The devil, as stated by the Google report, is in the dependencies and transitive dependencies. “The deeper a vulnerability is within a dependency chain, the more steps are required for it to be fixed,” according to Google.
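The Google report’s point about depth in the dependency chain can be made concrete with a small script. The following is an added example, not code from the article, Google or the Apache project: it walks a constructed dependency graph (every artifact name except log4j-core is made up) and, for each top-level artifact, reports the shortest chain of dependencies leading to log4j-core. The number of hops is the number of intermediate libraries that each have to publish a fixed release before the application at the top can pick up the fix by upgrading alone.

```python
"""Trace transitive dependency chains to a vulnerable artifact.

Added example; not from the article or the Google report. The graph below
is constructed for illustration: only org.apache.logging.log4j:log4j-core
is a real artifact, every other coordinate is made up.
"""
from collections import deque

# Constructed graph: each key depends directly on the artifacts in its list.
# Names follow the Maven group:artifact convention.
DEPENDENCIES = {
    "com.example:fund-portal": ["com.example:reporting-lib", "com.example:auth-lib"],
    "com.example:reporting-lib": ["org.example:pdf-kit"],
    "org.example:pdf-kit": ["org.example:logging-facade"],
    "org.example:logging-facade": ["org.apache.logging.log4j:log4j-core"],
    "com.example:auth-lib": ["org.example:http-kit"],
    "org.example:http-kit": [],
    "com.example:batch-jobs": ["org.apache.logging.log4j:log4j-core"],
    "com.example:static-site": ["org.example:http-kit"],
    "org.apache.logging.log4j:log4j-core": [],
}

VULNERABLE = "org.apache.logging.log4j:log4j-core"


def shortest_path_to(graph, root, target):
    """Breadth-first search from root. Returns the shortest chain
    root -> ... -> target as a list, or None if root never reaches target."""
    if root == target:
        return [root]
    parent = {root: None}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep in parent:
                continue  # already visited via a shorter or equal path
            parent[dep] = node
            if dep == target:
                # Rebuild the chain by following parent links back to root.
                path = [dep]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return list(reversed(path))
            queue.append(dep)
    return None


def blast_radius(graph, target):
    """Map every artifact that transitively depends on target to its
    shortest dependency chain. Artifacts that never reach target are omitted."""
    result = {}
    for root in graph:
        if root == target:
            continue
        path = shortest_path_to(graph, root, target)
        if path is not None:
            result[root] = path
    return result


def depth(path):
    """Number of dependency hops from the root artifact to the vulnerable one;
    every intermediate artifact on the chain must ship a fix before the root
    can be remediated by upgrading alone."""
    return len(path) - 1


if __name__ == "__main__":
    radius = blast_radius(DEPENDENCIES, VULNERABLE)
    for root, path in sorted(radius.items(), key=lambda kv: depth(kv[1])):
        print(f"{root}: depth {depth(path)} via {' -> '.join(path)}")
```

In the constructed graph, `batch-jobs` sits one hop from log4j-core and can be fixed directly, while `fund-portal` is four hops away and depends on three upstream projects releasing first. Replacing the `DEPENDENCIES` dict with the output of a real build tool’s dependency listing turns this into the visibility check the report describes.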
‘The most severe security issue in recent history’
Grigoriy Milis, the chief technology officer of Richard Fleishman and Associates, an IT consulting firm that serves some of the largest private fund managers in the world, said the Log4J vulnerability is “considered the most severe security issue in recent history due to how easily it can be exploited and how widely this software is present in IT systems.”
“This vulnerability has underscored the following areas where companies need to focus their attention: code security and open-source vulnerability management, as well as breach detection mechanisms. In addition, every company should review all of their systems to see if the vulnerability is present, including any third-party vendor appliances,” said Milis.
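The system-wide review Milis describes usually starts with an inventory of where log4j-core actually sits on disk, including copies bundled inside other archives, where a scan of file names alone misses them. The script below is an added example, not code from the article, Trustwave, Richard Fleishman and Associates or the Apache project. It assumes the standard `META-INF/maven/<group>/<artifact>/pom.properties` file that Maven writes into JARs it builds, walks a directory tree, opens every JAR, WAR, EAR or ZIP, recurses into archives nested inside them (fat JARs, `WEB-INF/lib`), and reports each log4j-core hit with its version. The sample archives it scans are constructed in `make_sample_tree()`, and the version string they carry is a placeholder.

```python
"""Inventory log4j-core artifacts on a host, including JARs nested inside
other archives. Added example; not the article's or Apache's code. The
fixture built by make_sample_tree() is constructed for illustration."""
import io
import os
import tempfile
import zipfile

# Maven writes this file into every JAR it builds; its 'version=' line
# carries the artifact version. Path is the standard Maven layout.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def _version_from_properties(data):
    """Extract the 'version=' value from a pom.properties body."""
    for line in data.decode("utf-8", errors="replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(blob, label, findings, depth=0, max_depth=5):
    """Inspect one archive held in memory; record a log4j-core hit if its
    pom.properties is present, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return  # not a zip container (corrupt file or misnamed extension)
    with zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            findings.append((label, _version_from_properties(zf.read(POM_PROPERTIES))))
        if depth >= max_depth:
            return  # guard against pathological nesting
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(name), f"{label}!{name}", findings, depth + 1, max_depth)


def scan_tree(root):
    """Walk a directory tree and return [(location, version), ...] for each
    log4j-core found. Nested hits are labelled 'outer.jar!inner/path.jar'."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        scan_archive(fh.read(), path, findings)
                except OSError:
                    continue  # unreadable file: skip, do not abort the sweep
    return findings


def _jar_bytes(entries):
    """Build a zip archive in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_sample_tree(root):
    """Constructed fixture: a plain log4j-core JAR, a fat JAR that embeds the
    same JAR, and an unrelated JAR. The version string is a placeholder."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    props = b"version=0.0.0-constructed\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
    log4j = _jar_bytes({POM_PROPERTIES: props, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    fat = _jar_bytes({"BOOT-INF/lib/log4j-core-constructed.jar": log4j,
                      "com/example/App.class": b""})
    other = _jar_bytes({"com/example/Util.class": b""})
    for name, data in (("log4j-core-constructed.jar", log4j),
                       ("app-fat.jar", fat),
                       ("unrelated.jar", other)):
        with open(os.path.join(lib, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the fixture in a temporary directory, scan it, and return the
    findings with paths made relative to the fixture root."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        results = []
        for loc, ver in scan_tree(tmp):
            outer, sep, inner = loc.partition("!")
            rel = os.path.relpath(outer, tmp).replace(os.sep, "/")
            results.append((rel + sep + inner, ver))
        return sorted(results)


if __name__ == "__main__":
    for location, version in demo():
        print(f"{location}: log4j-core {version}")
```

Point `scan_tree()` at an application directory or a mounted appliance image to get a list of every log4j-core copy and its version; whether each version is fixed is then checked against the Apache project’s own advisories. The nested-archive recursion is what catches the copies that a plain file-name search misses.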
Van Booven noted that “Log4j is an equal opportunity threat in that it places a red X on any company – in any industry – that contains the vulnerability.”
“Portfolio companies in more of a start-up phase of growth may have less mature security controls implemented, and could therefore be at greater risk of having the vulnerability,” he added.
In a December blog post, cybersecurity firm Tenable wrote that “10 percent of all assessed assets are vulnerable” to Log4Shell, one of the zero-day vulnerabilities found in Log4j. They included a wide array of servers, web applications, containers and Internet of Things devices. The exploit is “pervasive across all industries and geographies,” said Tenable, with the vulnerability impacting one out of 10 corporate servers.
But alarmingly, Tenable found that “30 percent of organizations haven’t even begun looking for this bug, a startlingly negligent delay given the aggressiveness of threat actors hunting for it.”
Van Booven advised that “the remediation of Log4j can be significantly more costly in terms of the time needed by IT staff to patch, update, and test systems across the enterprise. We’ve supported clients for several weeks triaging their environment for the presence of Log4j and implementing remediation actions.”
To learn more about the Log4j vulnerabilities and how to patch them, cyber-practitioners should seek guidance from the Apache Logging Services Project, which creates and maintains Log4j and other open-source logging software.
But fund managers should be advised of the inherent difficulty of assessing their full risk exposure to the exploit. In a hearing before the U.S. Senate Committee on Homeland Security & Governmental Affairs earlier in March, Apache Software Foundation president David Nalley testified that completely fixing the Log4j vulnerability could take months or years to complete.
On a positive note, both cybersecurity firm Sophos and the industry non-profit SANS Internet of Technology issued reports saying that threat actors appear to have lost interest in exploiting Log4Shell. It’s not clear how the West’s rapidly evolving conflict with Russia will impact this.