Last week, the White House’s National Cyber Director, Chris Inglis, and Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, wrote a letterto all corporate executives and business leaders warning about “Protecting Against Malicious Cyber Activity before the Holidays.”
The urgent warning comes immediately following disclosure of what many experts consider the single largest cyber vulnerability in world history, known as “The Apache Log4j Vulnerability.” Apache Log4j is a logging software that captures “events” on electronic devices and servers and is considered the most popular java logging library in the world. Nearly every internet-connected service or application has the Log4j library embedded within it – ranging from Amazon to Twitter and from Microsoft to Minecraft – creating immense opportunities for hackers.
The vulnerability is now officially known as CVE-2021-44228. A “CVE” is a “Common Vulnerability and Exposure” a name given within the reference system established by the U.S. Department of Homeland Security’s National Cyber Security Division and operated by the MITRECorporation to “identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.”
DHS’s Cybersecurity and Infrastructure Security Agency (CISA) explained in detail how it can be exploited by hackers:
“An adversary can exploit this CVE-2021-44228 by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity.”
A leading private cybersecurity research company, Check Point Software Technologies, considers the vulnerability “a true cyber pandemic.” “It is clearly one of the most serious vulnerabilities on the internet in recent years, and the potential for damage is incalculable,” said Lotem Finkelstein, Check Point’s director of threat intelligence. As of December 20th, the organization had witnessed more than 4,300,000 attempts to exploitthe vulnerability in 48% of corporate networks worldwide with nearly half of those attempts being made by known malicious actors such as criminal gangs and state-sponsored hackers.
Another reason this vulnerability is considered a “pandemic” by experts is not only the size and scope of the vulnerability but also because of the likely duration of its effects. “This is not going to be something that’s going to be patched and finished. This is something we’re going to be working on, likely, for months, if not years,” said Jen Easterly, head of DHS’s CISA.
Last year hackers were busy during the holiday season exploiting the “SolarWinds” hack and many government agencies and private companies spent much of this year mitigating the effects of that hack. The present Java vulnerability is much worse. Mark Ostrowski, head of engineering with Checkpoint Research, explained the difference to CBS News. “From a magnitude perspective, the [Log4j vulnerability] is astronomical compared to SolarWinds. It’s not just a software package that corporations are using. It is a software code that us as consumers – you and I – use every day. It’s an open-source piece of code that everybody has access to.”
Sergio Caltagirone, vice president of threat intelligence of the cybersecurity firm Dragos, added:
“This could mean entire e-commerce sites go down during the Christmas holiday. It could mean that entire manufacturers could not be able to ship or receive goods. It could mean water utilities with automated and remote management systems are now vulnerable to attacks.”
Also at risk are control system devices used in critical infrastructures upon which millions of people rely daily for their basic survival. The remote code execution attacks made possible by the Apache Log4j vulnerability can be waged against these control system devices used in infrastructures ranging from gas pipelines to the electric grid – with devastating results. Unfortunately, those devices are not getting the attention they deserve at the onset of this “cyber pandemic.”
Control systems cybersecurity expert Joe Weiss recently warned that “control system device cyber security is missing in government and engineering societies.” In his blog he described how he used open source Apache software in 2004to conduct a cyberattack demonstration that sent exploited code between two Department of Energy National Laboratories 700 miles apart and executed four specific actions that have, in other real world scenarios, caused major damage (actions much like those that inflicted damage with the “Stuxnet” attack on Iranian centrifuges and the 2015 cyberattack that took down the Ukrainian electric grid.) Weiss warns that since his demonstration in 2004 almost nothing has been done within government and industry to promote the monitoring and security of the control system devices he attacked back then, and which are still targeted today.
As these control system device vulnerabilities persist and as government and industry cyber experts scramble to mitigate the effects of the Apache Log4j vulnerability, Americans would be wise to consider preparing themselves to deal with the potential consequences. Corporate and government leaders should ensure their IT professionals and engineers are immediately and intently focused on mitigating the vulnerabilities and individual device users should be on the lookout for software update alerts.
Moreover, since the potential for harm to critical infrastructures is profound and growing, it would be prudent for organizations and individual Americans to review and inspect their own emergency readiness plans – or create them where they don’t exist. While the Federal Government’s “Ready.Gov” website encourages people to plan for emergencies with three days’ worth of supplies, prudence would suggest a higher level of preparedness since the scarcity surrounding current supply chain issues would only worsen after the interruption or collapse of any of our critical infrastructures.
Unfortunately, an enhanced focus on security and emergency preparedness is often quite unwelcome in the minds of most Americans during the holiday season, which is exactly why we should be concerned about our enemies exploiting this growing “cyber pandemic.”