Cyber experts express growing alarm over Apache vulnerability

A vulnerability in a widely used logging platform uncovered late last week has left security professionals and officials scrambling to respond and patch systems before other nations and cybercriminals can exploit the flaw.

The vulnerability in Apache logging package log4j has affected potentially thousands of companies worldwide, and is a particularly serious problem.

“This is one of the worst vulnerabilities in the history of vulnerabilities,” Tom Kellermann, a former member of an Obama administration cybersecurity commission and the head of Cybersecurity Strategy at technology company VMware, told The Hill on Monday. 

The vulnerability, first discovered late last week, is severe because it is in a system that underlies most company systems around the world, and has been in use for decades.

Cybersecurity professionals around the world worked all weekend trying to respond to it, but it will likely take months, if not the rest of the year, to fully address the issue.

“Think of Apache as being one of the legs, one of the giant supports of a bridge that facilitates the connective tissue between the worlds of applications and computer environments,” Kellermann said. “If you could poison that support, which is essentially what is going on right now by our adversaries, because you have active scanning and exploitation of this vulnerability occurring, you could essentially destabilize these bridges.”

John Cofrancesco, vice president of Business Development at Fortress Information Security, described log4j as being as “ubiquitous” as salt in a cooking recipe. It underlies systems used by companies including Amazon, Tesla, Microsoft and Oracle, among many others. 

He also warned that many still aren’t seeing how big an impact it could have.

“If I asked you, ‘hey show me the salt you have in your house,’ you would probably walk up to the salt you have sitting on the table, maybe some you have hidden in the cabinet,” Cofrancesco said. “What you probably wouldn’t do is show me ‘hey, here’s my Panera sandwich, or here’s the soup I have, or here’s the juice I have, my powerade.’ All those other things have salt in it, it’s just obscured by the fact that there are a bunch of other ingredients. That is precisely what is going on here.”

Attackers are actively exploiting the issue, with Check Point Software reporting Monday afternoon that it was seeing a “pandemic-like spread” of attacks since last week, with more than 800,000 attempted attacks in 72 hours, and about 100 hacks a minute. Check Point said more than 40 percent of corporate networks worldwide were coming under attack.

“This vulnerability, because of the complexity in patching it and easiness to exploit, will stay with us for years to come, unless companies and services take immediate action to prevent the attacks on their products by implementing a protection,” Lotem Finkelstein, the head of threat intelligence at Check Point, said Monday in a statement provided to The Hill. “Now is the time to act.”

Cofrancesco said some parts of the federal government have yet to take action.

“Federal agencies, some have more maturity and are doing the right thing, many took the weekend off, didn’t respond to this actively, and they are coming in on Monday and having to educate themselves to the fact that this particular library is embedded in everything,” Cofrancesco said.

The discovery comes after one of the most challenging years for the cybersecurity sector, and almost a year after the SolarWinds hack was discovered. The incident involved Russian government-backed hackers exploiting a vulnerability in IT group SolarWinds’s software to breach at least nine federal agencies and 100 private sector groups.

The incident served as a wake-up call for government officials and led to an unprecedented amount of action in the federal space on cybersecurity, and a major increase in public-private partnerships to respond to attacks.  

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly on Saturday announced that the log4j vulnerability had been added to the agency’s catalog of vulnerabilities, requiring federal agencies to immediately address it, and that CISA’s Joint Cyber Defense Collaborative had established a senior leadership group to focus on the issue. The team includes partners at the FBI and the National Security Agency (NSA). 

“To be clear, this vulnerability poses a severe risk,” Easterly said in a statement Saturday. “We urge all organizations to join us in this essential effort and take action.” 

CISA hosted a call with owners and operators of critical infrastructure to brief them on the threat posed by the log4j vulnerability on Monday afternoon. Following the call, CyberScoop reported that Easterly, a former NSA official, told participants that the vulnerability “is one of the most serious I’ve seen in my entire career, if not the most serious.” 

Despite the work to address the vulnerability, it is likely to get worse.

Experts are expecting to see adversaries including Russia and China move to exploit the vulnerability in a way that could involve launching a “worm,” which hunts through a network to find one specific vulnerability, making it easier for attackers to quickly take down systems. 

“There could be a worm released in the next 24 hours by our adversaries to exploit this,” Kellermann warned. “If the worm does manifest, this is going to be a national security issue for critical infrastructure across the U.S.”

Cofrancesco was equally concerned about the potential for exploitation, particularly as tensions between the U.S. and Russia are reaching a critical level due to Russian troop movement to the Ukrainian border, and as President Biden has pressured Russian President Vladimir Putin to curb Russia-linked cyberattacks.

“It is a certainty, it is as certain as the sun is going to come up tomorrow that that has already happened,” Cofrancesco said of a potential worm. “The Chinese don’t take weekends off and the Russians don’t take weekends off when it comes to attacking America … this is going on right now, we have indications that this is going on right now all over the spectrum.”

Despite the ongoing concerns, both praised the work done by CISA and other top cybersecurity officials to prioritize the issue, noting that the ability for the public and private sector to work together has advanced since the SolarWinds incident.

“Jen Easterly deserves credit here, because this is a level 10, should scare the pants off everybody moment,” Cofrancesco said. “Half the market’s not responding that way, she is getting them to move appropriately, the smart half of the market is responding that way already, and that has kept us quite busy.”