For cybersecurity companies, last week has been hectic. They have been fielding calls from clients on ways to protect their systems from what the experts have described as the “single biggest most critical vulnerability of the last decade”— Log4j, a logging utility.
While major businesses have secured their systems from the vulnerability, experts say firms should brace for serious business impact from hackers, given the time lag between when the vulnerability was first exposed and addressed.
What is Log4j?
Think of it like this. Any software application will need to log information. This could be errors, information about software, or even a warning. If an enterprise is using Java as its programming language, the library it is likely to use is Log4j, the most commonly used Java-based logging utility on Apache servers.
Companies that were using this include Apple, Twitter, LinkedIn, Amazon and even Google.
What is making news is the vulnerability in this utility, which gives easy access to hackers to enter the system, take control, and exploit it.
It came to light on December 9, 2021, when the Alibaba security team first published the information and gave it the name ‘Log4Shell’.
The vulnerability in this software has serious implications for businesses and their users, as it gives bad actors easy access to information, and also the ability to carry out ransomware or malware attacks with ease.
Companies’ response
Since it came to light, cybersecurity companies went into overdrive to help customers.
Anand Prakash, founder, PingSafe, which offers security solutions for cloud, said, “Everyone was on fire to address the issue.”
Prakash has been on calls constantly to secure their clients’ infrastructure by patching the security updates on time. The company works with 40-50 clients in India and overseas and is seeing new interest for its product from businesses in light of this vulnerability.
Koushik Sivaraman, VP–Cyber threat intelligence, CloudSEK, said the weekend following the exposure has been one of the busiest, with clients trying to understand the situation and secure the systems at the earliest.
The situation was dire enough that Anirudh Batra, threat analyst from CloudSEK, was on call constantly. “As a threat analyst I take two-three calls per day but with Log4j, I was on call constantly,” he said.
CloudSEK works with more than 100 clients globally, out of which 40 percent are overseas customers.
Pankit Desai, co-founder & CEO, Sequretek, a cybersecurity firm, shared their clients witnessed a four to five-time increase in attacks on their platforms, even as the patches were applied on time.
While the situation is under control, with companies offering security patches for the security flaw, the situation needs to be continuously monitored for several reasons, he said.
Business impact
While the companies were quick to offer patches, the time lag between when the vulnerability was made known, the duration of its existence and the time it took to act have raised concerns.
While the vulnerability came to light only on December 9, it was first notified to the non-profit Apache foundation on November 24. Desai said “bad actors” could have known about it much earlier and used it to their advantage. “But we will never know,” he said.
The other issue is when the patches were made available. Between December 9 and 13, when the patch was made available by Apache, there was a gap of four days. Hackers could have used the window to enter into business networks.
Hackers can create a backdoor to enter into systems even after the patches, and a company might not be able to detect them, Batra said.
They could observe what is happening in a company for a few months. It would enable them to collect enough information, use it against the company during a critical period such as an initial public offering or business mergers through ransomware, Sivaraman said.
The hackers can also steal data and sell it to rivals which has happened over the last year as the frequency of cyberattacks increases.
“So companies will have to brace for aftershocks,” Batra said.
There are other concerns as well. While large enterprises have applied the security patch, the same cannot be said for the small vendors, who use this utility as a plugin and offer it as a service to thousands of services. This could be a contact page plugin that applications use.
“Unless these small vendors patch their systems, the user data is not safe,” Batra said.
Impact on consumers
It affects consumers as well. As we have seen over the last year, multiple attacks have been launched against companies such as Domino’s, payment service provider Mobikwik, Upstox and Unacademy, where user data was stolen and put on sale on the darknet.
This could happen with this security flaw as well, only at a much bigger scale and there is nothing end-users can do.
“The only thing users can do is trust the large organisations since they would always be quick to react in cases of breach instead of small vendors but apart from that, users cannot do anything about it,” CloudSEK’s Batra added.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
