Millions of devices are vulnerable to cyberthreats due to a bug in the software tool known as Log4j. The flaw was made public two weeks ago on Dec. 9, and allows hackers to remotely execute code on an organization’s systems, giving them an open door to steal data, mine cryptocurrency or launch ransomware attacks.

Log4j is a free, open-source logging library used by companies around the world and across many industries for recording activity on their websites and applications. It is operated by the nonprofit Apache Software Foundation.

Security firm Check Point wrote on its blog that in the three days after the Log4j flaw was publicly disclosed, attempted breaches rose quickly, numbering more than 800,000. By Dec. 17, Check Point recorded more than 3.8 million attempts to exploit the bug.

One of the first known successful cyberattacks was on the servers of the computer game Minecraft, which is owned by Microsoft. Other large technology companies like Amazon, Apple, Oracle and IBM run the software, and several acted within days of the disclosure to notify customers of the threat of the Log4j flaw, also known as Log4Shell.

It puts popular apps and websites operated by enterprise technology companies at risk, and an attack on them could have a widespread effect. But every organization with the software installed is potentially in danger.

Megan Soat, director of security services at Pratum, an Ankeny-based information security services company, said its clients haven’t experienced any actual breaches since Log4Shell became public, but there has been an increase in activity and breach attempts on clients’ networks. Pratum serves organizations in 28 states, including Iowa.

Soat said Pratum’s clients have avoided issues partly because they quickly “patched” the flaw, which means they installed a new version of the Log4j software without the vulnerable code. Apache has released three new versions of Log4j since the initial outbreak because the first two were both discovered to have other vulnerabilities that hackers could exploit.

The bigger issue is that many vulnerable organizations have not installed any of the patches. She said many vendors haven’t patched yet, putting the businesses they serve at risk.

“It becomes a business decision, whether whatever [service] you’re getting provided from that vendor — does that need to be running? Is that a risk that the organization wants to take at this time?” Soat said.

Vendors and other organizations could be waiting to install the patches because downloading the new versions will cause more issues than they solve, which is common particularly in older systems.

Organizations could also not be aware that Log4j is even installed because they don’t know about all of their company’s vendors and what assets those vendors use. Pratum President Jordan Engbers said that is “one of the big challenges” organizations face and it happens internally as well, where departments don’t know what programs or software others are running.

He said it’s a “you don’t know what you don’t know” situation, and in the case of Log4j or any other vulnerability, having an inventory of the assets the company is affiliated with provides a road map for organizations to determine next steps.

Protecting your business

Much of the alarm around this outbreak is centered on predictions from security professionals that even after the Log4Shell vulnerability is shut down, cybersecurity risks will linger for months or years.

Soat said with the estimated number of servers and applications using the software in the millions, the magnitude of the Log4j vulnerability is what’s catching the security community’s attention.

“A lot of organizations or security companies right now are saying this probably is going to be a breach like no other, just the amount of impact that it’s going to have and the amount of organizations that it’s going to touch,” she said.

Engbers (pictured) said the effects are likely to be long-term because cyber criminals could access organizations’ systems now while they’re vulnerable and “stay dormant until the opportune time comes.”

“[Apache] keeps adding new patches, so every time they add a new one, that means that they didn’t quite get it the first time,” he said. “As this keeps going, how much more [disruption] is going to be discovered over time? We wholeheartedly believe that this is a really big deal for organizations, and we will see the impact of it for months or years to come.”

Vulnerabilities like Log4j’s are often not known about before they start causing problems, which Engbers said is why organizations need to be both proactive and reactive to security threats.

“What we try to help businesses understand is that they need to prepare to defend against cyberthreats, but they also need to prepare to be ready to react, because you can’t always defend against what you don’t know is out there,” he said.

Below, Soat shares some guidance on how organizations can identify whether they are vulnerable and how to respond in case of a breach.

What can my organization do to protect itself right now?

  • Create or check your company’s asset inventory

“First and foremost is understanding what you have, your asset inventory, device inventory, understanding that first and then determining what, if anything, is vulnerable.

“There are some different scanning tools available out there. CISA (Cybersecurity and Infrastructure Security Agency) has a lot of good resources out there, some free scanning tools that you can use to identify it. First, look at all your external-facing assets, determine what you have, run those scans, determine if they’re vulnerable. If they have the Log4j, then begin remediation actions, such as patching, if you can.”

  • Seek guidance from CISA:

“The CISA website has up-to-date information too. There have been several patches out there to get deployed, and I can only imagine there’s going to be more. So staying up to date, checking on that to see what the latest news is, the latest patches out there, will be extremely important for organizations as well.”

What if my organization has the Log4j software and thinks our systems have been breached?
“Talk to the IT team and see if they’ve taken any actions. If they haven’t gotten to this point, it’s been 12 days, and at this point, we’re going to move forward with the assumption that a compromise has probably happened if you are still vulnerable and you haven’t patched. [The next step] would be reaching out to a security forensics company to start looking at your systems to see if any compromises did happen [or] if anyone was able to exploit that vulnerability.

“If they haven’t patched at this point, it’s good to move forward with the patching. Of course, it’s never too late to patch, but knowing that there’s been at least probably two weeks of time that your systems were vulnerable and to kind of assume that a compromise may have taken place.”

What if my organization patched but didn’t act immediately?
“Even if they have patched, it’s still good to have a security company come in and do some investigation and analysis on their systems to make sure that there wasn’t a compromise that happened before the patch.”