Cybersecurity experts debate concern over potential Log4j worm

Written by

Jonathan Greig, Staff Writer

Jonathan Greig

Jonathan Greig
Staff Writer

Jonathan Greig is a journalist based in New York City.

Full Bio

December 15, 2021 | Topic: Cyber Threats

As the fallout from the Log4j vulnerability continues, cybersecurity experts are debating what the future might hold. 

Tom Kellermann, VMware’s head of cybersecurity strategy, said the Log4j vulnerability is one of the worst he has seen in his career, and one of the most significant vulnerabilities ever to have been exposed.

Log4j, a Java logging library developed by the Apache Software Foundation, is embedded in a vast number of applications. Kellermann called Apache “one of the giant supports of the bridge between the world’s applications and compute environments,” adding that the exploitation of Log4j will “destabilize that support and… destabilize the digital infrastructure that’s been built on top of it.” 

But his greatest concern is that someone further weaponizes the vulnerability by creating a worm, which Kellermann described as a polymorphic type of malware that can essentially spread on its own. 

“One of the most significant [worms] from back in the early 2000s was Code Red,” Kellermann told ZDNet. “We haven’t seen a widespread global impact like that since then. If this vulnerability were to be weaponized by one of the cyber communities — whether it be intelligence services, one of the four major rogue powers in cyber, or one of the major cybercrime cartels — that’s when things will get more interesting.” 

The possibility of a worm has generated significant conversation in the cybersecurity community. Cybersecurity expert Marcus Hutchins called fears of a worm “overblown” in multiple Twitter threads.  

“Firstly, there’s already mass exploitation (you can spray the entire internet from one server). Secondly, worms take time and skill to develop, but most attackers are racing against the clock (patching and other attackers),” Hutchins wrote on Twitter. 

He added that “a worm would need a novel exploitation technique to gain any real value over scanning.”

In another thread, Hutchins wrote that 2017’s WannaCry ransomware attack “gave people a way overinflated sense of the threat posed by worms,” adding that worms “aren’t a worst case scenario (or even a worse case scenario) for most exploits.” 

“It’s not a case of there’s an exploit so there will be a worm (we never saw worms for any of the recent wormable RCEs and even if we had it’d be no worse than regular exploitation). WannaCry was written by North Korea, using an NSA exploit, stolen by Russia. Not the norm,” Hutchins explained. 

Steve Povolny, head of advanced threat research for McAfee Enterprise and FireEye, told ZDNet that his biggest concern is around “wormability,” adding that he couldn’t “think of a worse scenario for Log4j exploits than malicious code that can replicate and spread itself with incredible speed, delivering ransomware payloads.”

Povolny said worms like WannaCry demonstrated the type of impact that cybersecurity experts could expect, noting that even the WannaCry example was cut short from its true potential for spread and disruption due to a “kill switch.”

“We can’t hope to get as lucky this time — it’s not a matter of if, it’s a matter of when this will happen. Organizations of all sizes must be undergoing an aggressive reconnaissance and patching strategy while there is still time,” Povolny said. 

“If you ever watched the TV show ‘The Amazing Race’, it now seems to pale in comparison to the global race taking place as a result of Log4Shell [the vulnerability’s nickname]. Even as thousands of organizations worldwide continue to search for and patch this exceptional vulnerability, threat actors are working at a furious pace to weaponize and further refine exploits for the flaw.” 
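One concrete piece of the reconnaissance Povolny describes is finding every copy of log4j-core on a host, including copies bundled inside WAR and EAR files where package managers do not see them. The script below is an added example written for this page, not code from ZDNet or from any of the people quoted. It walks a directory tree, reads the version from each log4j-core JAR's manifest (falling back to the version in the file name), recurses into nested archives, and flags anything below an assumed fixed version. The threshold FIXED_VERSION, the helper names, and the sample JARs it builds in a temporary directory are all this example's own assumptions; confirm the version to require against the current Apache Log4j advisory before acting on its output.

```python
"""Inventory log4j-core JARs under a directory tree, including copies nested in
WAR/EAR files. Added example for this page, not code from the article."""
import io
import os
import re
import tempfile
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
# Assumption for this example only: anything older than this is flagged.
# Confirm the version to require against the current Apache Log4j advisory.
FIXED_VERSION = (2, 16, 0)
NAME_RE = re.compile(r"log4j-core-([0-9][0-9.]*)\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pads to three parts so '2.16' == (2, 16, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def manifest_version(zf):
    """Implementation-Version from the archive's manifest, or None if absent."""
    if MANIFEST not in zf.namelist():
        return None
    for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "implementation-version":
            return value.strip()
    return None


def inspect_archive(zf, path):
    """Yield (path, version, vulnerable) if this archive is log4j-core, then
    recurse into archives nested inside it (WEB-INF/lib, EAR modules)."""
    match = NAME_RE.search(path)
    if match:
        version = manifest_version(zf) or match.group(1)
        yield path, version, parse_version(version) < FIXED_VERSION
    for name in zf.namelist():
        if not name.lower().endswith(ARCHIVES):
            continue
        try:
            inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
        except zipfile.BadZipFile:
            continue  # not a real archive despite the extension
        with inner:
            yield from inspect_archive(inner, f"{path}!{name}")


def scan(root):
    """Walk root and return [(path, version, vulnerable)] for every
    log4j-core JAR found on disk or inside another archive."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if not fn.lower().endswith(ARCHIVES) or not zipfile.is_zipfile(full):
                continue
            with zipfile.ZipFile(full) as zf:
                findings.extend(inspect_archive(zf, full))
    return findings


def build_sample_tree(root):
    """Constructed sample input: an old log4j-core on disk, a fixed copy
    bundled inside a WAR, and an unrelated JAR that must not be reported."""
    def jar_bytes(version, title):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(MANIFEST, f"Manifest-Version: 1.0\n"
                                  f"Implementation-Title: {title}\n"
                                  f"Implementation-Version: {version}\n")
        return buf.getvalue()

    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(jar_bytes("2.14.1", "Apache Log4j Core"))
    with open(os.path.join(root, "lib", "other-1.0.jar"), "wb") as f:
        f.write(jar_bytes("1.0", "Other Library"))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar",
                     jar_bytes("2.16.0", "Apache Log4j Core"))


def demo():
    """Build the sample tree in a temp dir, scan it, and return findings with
    paths made relative to the tree (forward slashes), sorted."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(
            (os.path.relpath(p, root).replace(os.sep, "/"), v, bad)
            for p, v, bad in scan(root)
        )


if __name__ == "__main__":
    for path, version, vulnerable in demo():
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{status:10} {path} ({version})")
```

Run against a real tree with `scan("/opt")` or similar; the nested-archive recursion is the part that matters in practice, since an application's log4j-core usually lives inside its WAR rather than on the classpath directly. The manifest is preferred over the file name because repackaged JARs are often renamed.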

Others, like BreachQuest CTO Jake Williams, said that while it is a certainty someone will create a worm that abuses Log4Shell, it is unlikely to resemble WannaCry, NotPetya, or previous worms that abused system-level processes. 
