A critical vulnerability called Log4Shell, detected last week in the widely used open-source logging library Apache Log4j, is now being exploited by attackers to target organizations all over the world, including India. According to an analysis by cybersecurity firm Check Point Research, 41% of corporate networks in India have already faced an attempted exploit.
The Australia-New Zealand (ANZ) area was the most impacted region with 46% of corporate networks facing an attempt, while North America was the least impacted with 36.4% of organizations facing an attempt, the security firm said.
“If you are using any Java product that needs logging, it is quite possible you are using Log4j,” said Karan Saini, a Bengaluru-based security researcher. “There are a lot of Java-based products that are used in India,” he added. Java is one of the most commonly used programming languages in the world.
However, Saini also said that the fact that Indian companies use Java-based applications does not mean they are more vulnerable than their Western counterparts. “Indian companies are at high risk because of their weak security posture, especially the smaller companies that may not have the know-how or resources to detect and fix the issue quickly,” he added.
Check Point Research said it had detected over 846,000 attacks exploiting the Log4Shell vulnerability across the world in the 72 hours following the discovery. It added that 46% of those attempted exploits were the handiwork of known malicious groups. Lotem Finkelstein, Director, Threat Intelligence and Research for Check Point, called the involvement of known malicious groups “most worrying” and suggested that this requires an immediate reaction from security teams or it can cause "incalculable damage".
Log4Shell has been assigned a severity rating of 10 by security experts, the highest level possible. It falls into a class of security loopholes called 'zero-day vulnerabilities', which are flaws in software code that were not known about before and hence have no ready fix available.
The vulnerability can be exploited with a single line of code and allows attackers to execute commands remotely on a victim's systems. It can be used to take control of any Java-based web server and carry out remote code execution (RCE) attacks. In an RCE attack, attackers take control of the targeted system and can perform any function they want.
According to researchers at Check Point, the Log4j library is embedded in every Java-based web service or application and is used by a wide number of companies to provide logging in their applications. Almost all major names, including Amazon, Microsoft and Twitter, use it. The vulnerability was first detected on websites hosting servers for the Microsoft-owned game Minecraft.
“On the face of it, this is aimed at crypto miners but we believe this creates just the sort of background noise that serious threat actors will try to exploit to attack a whole range of high-value targets such as banks, state security and critical infrastructure,” added Finkelstein.
In a blog post, security researchers at Microsoft pointed out that the majority of attack attempts related to Log4Shell so far have been mass scanning by attackers to identify vulnerable websites and applications. However, they have also detected some instances of exploitation and post-exploitation activity, including installing crypto-mining software and installing Cobalt Strike malware for credential theft. Microsoft also found that attackers are using obfuscation techniques to evade detection.