Log4Shell: Cybersecurity experts concerned about the impact of the breach

As the consequences of the Log4j vulnerability continue to be felt, cybersecurity experts question the future of this problem.

Tom Kellermann, head of cybersecurity strategy at VMware, says it is one of the worst vulnerabilities he has seen in his career and one of the largest in history.

Take advantage of the flaw to create a worm

Log4j is an Apache project. For Tom Kellermann, Apache is “one of the pillars between the applications and computing environments of the world”, and he adds that the exploitation of Log4j “will destabilize this medium and can, in turn, destabilize the digital infrastructure that has been built up above.”

But what worries him the most is that someone will take the exploitation of the vulnerability further by creating a worm. He describes this type of malware as polymorphic malware that can spread on its own.

“Think of an autonomous drone. A worm can travel between systems and infect them by targeting a specific vulnerability,” he explains. “One of the most important in the early 2000s was ‘Code Red.’ We haven’t seen such a global impact since then, and if this vulnerability were used as a weapon by a malicious actor, be it an intelligence service, one of cyberspace’s great malicious powers, or one of the major cybercrime groups, things would become more interesting.”

The threat of a worm is up for debate

The possibility of a worm has sparked a major debate among cybersecurity experts. In several Twitter threads, cybersecurity expert Marcus Hutchins calls the fears about the appearance of a worm “exaggerated”.

“First, there is already a massive exploitation (you can access the entire Internet from a server). Second, worms take time and skill to develop, but most attackers work against the clock (patches and other attackers). Finally, due to the nature of the exploit, there is no standard way to exploit it. People just put the payload on HTTP requests, which doesn’t require a worm to do it. A worm would need a new exploit technique to get real value from the analysis,” he wrote on Twitter.

“I think of some players who have the means and the motivation to develop a worm, but personally I would be much more concerned with protecting external systems (the ones that are being exploited en masse in the here and now). Attackers don’t need a worm to destroy your network if they break into it.”

Marcus Hutchins adds in another thread that WannaCry “has given people an exaggerated idea of the threat posed by worms,” noting that worms “are not the worst-case scenario for most exploits.”

“It is not just a case where every defect has to give birth to a worm (we have never seen a worm for any of the RCE defects, and even if one did appear, it would be no worse than normal operation). WannaCry was created by North Korea, using an NSA exploit, stolen by Russia. This is not the norm,” he recalls.

The Ghost of WannaCry

Steve Povolny, head of threat research at McAfee Enterprise and FireEye, says his biggest concern is the appearance of a worm, adding that he cannot “imagine a worse scenario for log4j vulnerabilities than” malicious code capable of replicating and spreading at incredible speed while delivering ransomware payloads.

Worms like 2017’s WannaCry demonstrated the kind of impact cybersecurity experts might expect, he says, noting that even this example was cut short by a “kill switch.”

“We can’t expect to be so lucky this time; it’s not a question of if, but when. Organizations of all sizes need to implement an aggressive patch deployment and recognition strategy while there is still time,” he says.

Others, like BreachQuest CTO Jake Williams, argue that while someone will indeed create a worm that exploits the Log4Shell vulnerability, it is unlikely to be comparable to WannaCry, NotPetya, or other similar incidents.

The vast majority of servers vulnerable to Log4Shell run the vulnerable process with very limited permissions, explains Jake Williams. He adds that, in most cases, a worm that exploits Log4Shell will probably not be able to achieve persistence on the machine after a reboot.

Since the process probably has no rights to the file system, he considers the ransomware risk to be limited. “A malicious process cannot encrypt what it cannot write in the first place. While we absolutely must expect a Log4Shell worm to be created, we must not confuse the expected damage from a worm with what has been observed in previous large-scale incidents.”

The vulnerability is already used in common cybercrime operations

Salt Security Vice President Yaniv Balmas says his team is already seeing instances where “common” cybercrime operations use the Log4Shell vulnerability to spread ransomware and other common malware.

He points out that, even today, the cybersecurity world continues to find traces of infection by computer worms launched years ago. If someone decides to turn this vulnerability into a worm, he believes it will be “nearly impossible to stop once it reaches critical mass.”

“However, without neglecting the impact of such a worm, this may not be the worst case scenario due to the incredible ease with which this attack can be applied. Anyone with a basic computer and Internet access could launch an attack on millions of online services in minutes,” he says. “The impact is quite similar to that of a worm and the extent of the damage could be even greater than that of a worm, since it operates ‘blind’ in an automated way. In this alternative scenario, there are real humans behind the attacks who can target specific entities or institutions and allow attackers to refine their attacks as they go.”

Ahead of cybercriminals

Fortunately, some cybersecurity experts believe that getting ahead in detection, mitigation, and remediation will help them prepare for the worst.

John Bambenek, a senior analyst at Netenrich, says a worm would have been much worse last week, but work across the industry has improved the situation for many of the most vulnerable machines.

Others believe that while the vulnerability can be exploited by a worm, there is no indication that it is a priority for threat actors at this time.

Source: .com
