Sophos: Log4Shell would have been a catastrophe without the Y2K-esque mobilisation of engineers

Anti-malware biz weighs in on one of the worst security flaws of recent times

Anti-malware outfit Sophos has weighed in on Log4Shell, saying that the galvanization of the IT world to avert disaster would be familiar to those who lived through the Y2K era.

The Log4Shell vulnerability turned up in the common-as-muck Apache Log4j logging library late last year. As a remote code execution (RCE) flaw, miscreants wasted no time in exploiting it following its disclosure.

However, the IT community promptly responded by patching it. "As soon as details of the Log4Shell bug became clear," explained Sophos, "the world's biggest and most important cloud services, software packages and enterprises took action to steer away from the iceberg."

The company noted that Log4Shell attacks blocked by its firewalls peaked between 20 and 23 December, then tailed off during January. Sophos put the high numbers down to people trying to gauge how bad things were by looking for exposed systems and redundant scans trying different ways to exploit different applications.

The infosec firm noted:

In the first few days, the volume of scans was moderate, reflecting the early development of Proof-of-Concept exploits and preliminary online scanning for exploitable systems.

Within a week, there was a significant increase in scan detections, with numbers peaking between December 20 and December 23, 2021.

As January wore on, Sophos noted that only a "handful" of its customers were subject to attempted Log4j intrusions. "The majority of these were cryptominers."

There are a few parallels that can be drawn with the Y2K panic. The action of engineers to deal with the problem undoubtedly saved the day for many organisations in both cases. The absence of a total IT meltdown left the rest of the world wondering, "well, was it as bad as all that?"

However, as Sophos observed, "just because we've steered round the immediate iceberg, that doesn't mean we're clear of the risk" with attempted exploits rumbling along "for years."

Where the Y2K incident shone a light on coding practices of decades previous, the Log4Shell vulnerability has made it clear just how dependent some companies are on open-source components they don't even know about, don't contribute to or don't have a support contract for.

The issue was summarised neatly by curl creator Daniel Stenberg with both a tweet and a later blog post detailing an email he'd received from a large company with a number of questions aimed at gauging how vulnerable his components might be. The company had no support contract with Stenberg and he correctly suggested that one would be a good idea before he slogged through the questionnaire.

"The level of ignorance and incompetence shown in this single email is mind-boggling," he said of the request.

"I think maybe this serves as a good example of the open source pyramid and users in the upper layers not at all thinking of how the lower layers are maintained. Building a house without a care about the ground the house stands on."

Stenberg also said: "No code I've ever been involved with or have my copyright use log4j and any rookie or better engineer could easily verify that."

Sophos concluded that the threat was not yet over and "the urgency of identifying where it is used in applications and updating the software with the patch remains as critical as ever."

While the danger from the Log4j vulnerability may have ebbed in the weeks since its disclosure, thanks in large part to an almost Y2K-esque mobilisation of engineers, some good might come of the RCE.

Companies are waking up to the open-source components they are using in their estate and hopefully understanding that just because something can be downloaded for free, ensuring it is supported and maintained means somebody must get paid. ®

Other stories you might like

  • US won’t prosecute ‘good faith’ security researchers under CFAA
    Well, that clears things up? Maybe not.

    The US Justice Department has directed prosecutors not to charge "good-faith security researchers" with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical — things like bug hunting, responsible vulnerability disclosure, or above-board penetration testing.

    Good-faith, according to the policy [PDF], means using a computer "solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability."

    Additionally, this activity must be "carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."

    Continue reading
  • Intel plans immersion lab to chill its power-hungry chips
    AI chips are sucking down 600W+ and the solution could be to drown them.

    Intel this week unveiled a $700 million sustainability initiative to try innovative liquid and immersion cooling technologies to the datacenter.

    The project will see Intel construct a 200,000-square-foot "mega lab" approximately 20 miles west of Portland at its Hillsboro campus, where the chipmaker will qualify, test, and demo its expansive — and power hungry — datacenter portfolio using a variety of cooling tech.

    Alongside the lab, the x86 giant unveiled an open reference design for immersion cooling systems for its chips that is being developed by Intel Taiwan. The chip giant is hoping to bring other Taiwanese manufacturers into the fold and it'll then be rolled out globally.

    Continue reading
  • US recovers a record $15m from the 3ve ad-fraud crew
    Swiss banks cough up around half of the proceeds of crime

    The US government has recovered over $15 million in proceeds from the 3ve digital advertising fraud operation that cost businesses more than $29 million for ads that were never viewed.

    "This forfeiture is the largest international cybercrime recovery in the history of the Eastern District of New York," US Attorney Breon Peace said in a statement

    The action, Peace added, "sends a powerful message to those involved in cyber fraud that there are no boundaries to prosecuting these bad actors and locating their ill-gotten assets wherever they are in the world."

    Continue reading

Biting the hand that feeds IT © 1998–2022