2021-12-17

The date of December 9, 2021 could be remembered as the day when humanity experienced one of the most serious vulnerabilities in cyber history. The Log4Shell flaw in Apache Log4j, a tool widely used for logging software events, represents a threat whose consequences are likely to have repercussions for a considerable time to come.

As we have already pointed out above, the severity of this flaw is determined by the intersection of two factors: the spread of Log4j (an open source tool that has been used in many Java applications since 2014) and the ease of exploiting the flaw itself, which requires no sophisticated operation and is potentially within the reach of almost anyone.

Its diffusion, in particular, cuts both ways: on the one hand it gives criminals and attackers a very large pool of potential victims; on the other hand it makes it hard for security officers to understand whether, and where, Log4j is actually present within the applications they manage.
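The inventory problem described above (knowing whether and where Log4j sits inside the applications you operate) is the first thing a defender has to solve. The script below is an added example, not code from the article: it walks a directory tree, opens every JAR/WAR/EAR, descends into nested archives (a WAR's WEB-INF/lib, a vendor library that shades log4j-core internally), reads the version from log4j-core's own Maven descriptor rather than trusting the file name, and reports each copy against a minimum safe version passed in by the caller. The sample WAR is constructed inline for the demonstration; the threshold 2.17.0 used in the usage call is an assumption you should verify against Apache's current advisory, and the "lookup class removed" status reflects the documented mitigation of deleting `JndiLookup.class` from the JAR.

```python
"""Inventory scanner: find every copy of log4j-core inside Java archives.

Added example, not code from the article. The minimum safe version is a
caller-supplied assumption; check the vendor advisory for the current value.
"""
import io
import os
import re
import sys
import zipfile
from typing import Iterable, Iterator, List, Optional, Tuple

# Maven descriptor that log4j-core ships inside its JAR. Its "version=" line is
# more trustworthy than the JAR's file name, which is often renamed or shaded.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class implementing the JNDI lookup; deleting it was a documented mitigation,
# so a JAR missing it is reported separately from an untouched old one.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties: str) -> Optional[str]:
    """Return the value of the 'version=' line of a pom.properties file."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sortable key: numeric components, then 0 for pre-releases and 1 for
    final releases, so '2.0-beta9' < '2.0' < '2.14.1' < '2.17.0'."""
    parts = re.split(r"[.\-]", version)
    numbers = [int(p) for p in parts if p.isdigit()][:3]
    numbers += [0] * (3 - len(numbers))
    prerelease = any(not p.isdigit() for p in parts)
    return (tuple(numbers), 0 if prerelease else 1)


def iter_log4j_core(archive: zipfile.ZipFile, path: str) -> Iterator[Tuple[str, str, bool]]:
    """Yield (location, version, jndi_lookup_present) for each log4j-core,
    recursing into nested archives. Locations use 'outer!/inner' notation."""
    names = set(archive.namelist())
    if POM_PROPERTIES in names:
        props = archive.read(POM_PROPERTIES).decode("utf-8", "replace")
        yield path, parse_version(props) or "unknown", JNDI_LOOKUP_CLASS in names
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(archive.read(name))) as inner:
                    yield from iter_log4j_core(inner, f"{path}!/{name}")
            except zipfile.BadZipFile:
                continue  # entry only looks like an archive; skip it


def classify(findings: Iterable[Tuple[str, str, bool]], min_safe: str) -> List[dict]:
    """Turn raw findings into a report with one status per copy found."""
    safe = version_key(min_safe)
    report = []
    for location, version, has_jndi in findings:
        if version == "unknown":
            status = "unknown-version"
        elif version_key(version) >= safe:
            status = "patched"
        elif not has_jndi:
            status = "mitigated-class-removed"
        else:
            status = "vulnerable"
        report.append({"location": location, "version": version, "status": status})
    return report


def scan_archive_bytes(data: bytes, location: str, min_safe: str) -> List[dict]:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return classify(iter_log4j_core(zf, location), min_safe)


def scan_tree(root: str, min_safe: str) -> List[dict]:
    """Scan every archive under a directory tree."""
    report = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                try:
                    with open(full, "rb") as fh:
                        report.extend(scan_archive_bytes(fh.read(), full, min_safe))
                except zipfile.BadZipFile:
                    continue
    return report


def _make_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed sample WAR (not a real artifact): an old log4j-core, a newer
    one, an old one with the lookup class deleted, and a vendor library whose
    name says nothing about log4j but shades an ancient log4j-core inside."""
    klass = b"\xca\xfe\xba\xbe"  # class-file magic stands in for real bytecode
    return _make_jar({
        "WEB-INF/lib/log4j-core-2.14.1.jar": _make_jar({POM_PROPERTIES: "version=2.14.1\n", JNDI_LOOKUP_CLASS: klass}),
        "WEB-INF/lib/log4j-core-2.17.0.jar": _make_jar({POM_PROPERTIES: "version=2.17.0\n", JNDI_LOOKUP_CLASS: klass}),
        "WEB-INF/lib/log4j-core-2.14.1-noJndi.jar": _make_jar({POM_PROPERTIES: "version=2.14.1\n"}),
        "WEB-INF/lib/acme-utils.jar": _make_jar({
            "lib/vendor-logging.jar": _make_jar({POM_PROPERTIES: "version=2.0-beta9\n", JNDI_LOOKUP_CLASS: klass}),
        }),
    })


if __name__ == "__main__":
    # Usage: python scan.py <directory> [min_safe_version]; with no arguments the
    # constructed sample is scanned against the assumed threshold 2.17.0.
    threshold = sys.argv[2] if len(sys.argv) > 2 else "2.17.0"
    rows = scan_tree(sys.argv[1], threshold) if len(sys.argv) > 1 else \
        scan_archive_bytes(build_sample_war(), "app.war", threshold)
    for row in rows:
        print(f"{row['status']:24} {row['version']:10} {row['location']}")
```

The nested-archive walk is the part that matters in practice: a file listing of WEB-INF/lib will show `log4j-core-2.14.1.jar`, but it will not show the copy bundled three levels deep inside a vendor's fat JAR, which is exactly the case the article's "if and where" warning is about.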

Widespread and easy to exploit: Log4Shell, a godsend for hackers

What happened once Log4Shell became public follows a familiar script: the diverse population of hackers and criminals wasted no time trying to exploit the flaw before security patches and appropriate countermeasures could be applied. While the first findings were cryptominer installations and the foreseeable (but no less serious) compromises by ransomware, the real concerns are about the long-term consequences of the situation.

The cyber security companies monitoring the situation have indeed already identified the most dangerous threats in the field: the more sophisticated hacker groups (including those in the pay of oppressive governments and regimes), which are currently at work trying to exploit Log4Shell in order to secure access to computer networks for use at a later time. The goal in these cases is not to quickly take advantage of the vulnerability to collect monetary loot (as is the case, for example, with cryptominers and ransomware), but to insert and hide an access point within a target network, to be exploited later for other purposes.

To this is added the prospect that many systems, by virtue of a mission-critical use for which continuity of service must be guaranteed, may never be updated at all, while many others could simply escape any check for the presence of the vulnerability. This would not be new: even today, the lists of the most exploited vulnerabilities include some that came to light several years ago. In this case, given the diffusion of Log4j, the risks can only be significantly amplified.

For example, a prospect as unfortunate as it is likely is the so-called "supply-chain attack", in which an attacker goes after a target by trying to exploit the weakest links in its supply chain as entry points. In this case, even a large company with adequate capacity to respond to cyber threats and vulnerabilities could fall victim to hackers and criminals who manage to compromise the network of one of its less scrupulous suppliers. This too would not be a novelty: it is enough to cite the case of the Stuxnet worm.

The story of Log4Shell, and before it that of Heartbleed, represents one of the most paradoxical peculiarities of today's Internet: a network that has become a fundamental part of the daily functioning of the whole world, yet rests on open source projects that are in some cases managed on a completely voluntary basis. Projects that very often were born as simple personal tools but which then, as in the current case, have been widely used by large commercial entities without those entities contributing, either financially or in development and maintenance effort.

Jen Easterly, director of the US CISA, described Log4Shell as one of the most serious vulnerabilities ever seen in her career, if not the most serious. One suspects that Homer Simpson may be right: "so far!".