Example blog

Log4j: Log Jam’s latest zero-day cybersecurity exploit

Outside of cyber and tech circles, the term “zero-day exploit” may not be very familiar or meaningful. It sounds more like a character from the upcoming Matrix movie than something those of us who use software on a daily basis need to pay attention to. But the reality is that zero-day exploits and the attacks that use them are the basis of how hackers break into computer systems to steal information, install ransomware, or carry out whatever other attack is currently in use.

What is Log4j?

The Washington Post explains that log4j is “a piece of code that helps software applications keep track of their past activities. Instead of reinventing the ‘logging’ – or record-keeping – component every time developers create new software, they often use reusable code like log4j instead. It is free on the Internet and very widely used, appearing in ‘a large part’ of Internet services.”

Whenever software that uses log4j is asked to log something new, it examines the new entry and adds it to the record. The Washington Post article goes on to explain that the cybersecurity community recently realized that by simply asking the program to log a line of malicious code formatted in a particular way, an attacker could get it to execute that code in the process, effectively allowing bad actors to easily take control of servers running log4j.

Log4j is a library written in the Java programming language, a fundamental language used for writing software for 30 years. Many products, software packages and technologies run on Java and contain log4j, such as AWS, Google and Twitter, and are affected by this.

This vulnerability allows hackers to gain access to the core of the system they are trying to enter, bypassing all of the typical defenses used by software companies to block attacks. Overall, it’s a cybersecurity expert’s nightmare – and it’s mutating quickly. As of December 17, new variations of the original exploit have been generated quickly – over 60 in less than 24 hours – and this week Google’s open source team reported that a whopping 35,863 Java packages in Maven Central are still using faulty versions of the Log4j library.

What is a zero-day attack?

The National Institute of Standards and Technology (NIST) defines a zero-day attack as an attack that “exploits a previously unknown hardware, firmware, or software vulnerability.”

As we have seen in this article, the term “zero day” or “never seen before” refers to the fact that by the time security analysts find out about these exploits, they have had no time to fix the problem. Cybercriminals and hackers try to keep this information to themselves for as long as possible so that the flaws are not corrected, but once an exploit is discovered and shared with the world, it is referred to as a “zero-day” exploit because it has been “zero days” since the world learned the details.

Here are some terms related to zero-day attacks:

  • Zero-day vulnerabilities are software flaws that are often discovered by bad actors
  • Zero-day exploits are the steps or tools hackers use to take advantage of these vulnerabilities
  • Zero-day attacks actively use these exploits to breach networks in order to sabotage an organization or steal data

Log4j is the latest example of a zero-day exploit to be uncovered and plunge much of the industry into chaos. Considering its wide adoption by developers, the impact of the log4j exploit is quite large and will take a very long time to resolve. Even the NSA is taking action related to its GHIDRA toolset due to the inclusion of log4j. Rob Joyce, Director of Cyber Security at the NSA, explained in Dark Reading why it is essential to know which software uses libraries like this: “This is a case study of why the concepts of software nomenclature (SBOM) are so important to understand the exhibition.”
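To make the SBOM point concrete, here is an added example (not from the original article) that walks a CycloneDX-style SBOM and reports every copy of log4j-core, including copies nested inside other components. The SBOM contents are constructed sample data, and `MIN_SAFE` is a placeholder threshold to be replaced with the fixed version named in the vendor advisory.

```python
import json
import re

LOG4J = ("org.apache.logging.log4j", "log4j-core")
MIN_SAFE = "2.99.0"  # placeholder, not a real release: take the fixed version from the vendor advisory

# Constructed CycloneDX-style SBOM; every component and version here is sample data.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "components": [
  {"group": "com.example", "name": "billing-service", "version": "4.2.0", "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.9.1"},
    {"group": "com.example", "name": "report-lib", "version": "1.0.3", "components": [
      {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.99.5"}]}]},
  {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta9"},
  {"group": "com.example", "name": "legacy-batch", "version": "0.9", "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core"}]}
]}
""")

def parse_version(text):
    """Leading numeric part as a tuple ('2.0-beta9' -> (2, 0)); None when there is none."""
    match = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(n) for n in match.group().split(".")) if match else None

def older(a, b):
    """True if version tuple a sorts before b, padding the shorter one with zeros."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def find_log4j(components, min_safe=MIN_SAFE, path=()):
    """Yield (dependency path, version, status) for each log4j-core, however deeply nested."""
    floor = parse_version(min_safe)
    for comp in components:
        here = path + (comp.get("name", "?"),)
        if (comp.get("group"), comp.get("name")) == LOG4J:
            found = parse_version(comp.get("version"))
            if found is None:
                status = "unknown"  # no usable version recorded: needs manual review
            else:
                status = "vulnerable" if older(found, floor) else "ok"
            yield " > ".join(here), comp.get("version"), status
        # A copy pulled in transitively sits inside another component, so always descend.
        yield from find_log4j(comp.get("components", []), min_safe, here)

if __name__ == "__main__":
    for dep_path, version, status in find_log4j(SAMPLE_SBOM["components"]):
        print(f"{status:10} {version or '-':10} {dep_path}")
```

The dependency path in each result shows which product pulled the library in, which is what an operator needs in order to know whose update to wait for.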

Why self-learning AI is best equipped to handle zero-day attacks

The cybersecurity problem here is manifold. First, the vulnerability that makes this possible has been present in log4j for many years. This means the problem had long enough to propagate that thousands of pieces of software on millions of machines were impacted. Since the exploit using this vulnerability was not publicly known, there was no way for legacy cybersecurity tools to identify what was installed and highlight it. Second, since the exploit allows an attacker to execute their own code, there is no known “signature” of what a person using the exploit would look like. Many cybersecurity systems need these signatures to try and uncover attacks, but they would miss this exploit because it is a new attack with no signature, and every hacker might do something different. Finally, while the industry waits for updated software to become available to remove the vulnerability, the poor IT staff are still blind to what is happening through this exploit, and this is made worse by the fact that hackers will accelerate their use of it now that the clock is ticking.

So what do you do? How do you deal with zero-day threats and new attacks like this?

What we need is a self-learning AI capable of automatically and precisely building an ever-changing understanding of the environment of every business or person. Instead of looking only for attacks that are already known and being blind to new ones, as many legacy cybersecurity systems are, this approach surfaces what is observed but not expected so that it can be assessed as a threat.

Improve Your Zero-Day Security Approach with Self-Learning AI

With zero-day exploits like Log4j reaching new levels every year, organizations with legacy security tools will be the ones to suffer. The Ponemon Institute notes that next year, 42% of all attacks will result from the use of zero-day exploits and new attacks, and organizations will remain vulnerable to these major attacks because the existing security tools they use are only equipped with detection technologies that use signatures from past attacks. By their very nature, these tools will never be able to detect zero-day threats or threats that have no signature.

A security tool capable of accurately detecting behavioral anomalies in an environment without relying on signature-based detection is the best approach to defend businesses. This surfaces the unexpected behavior related to zero-day attacks, since it will not match the allowed and expected behavior. To take an anomaly detection approach, the security tool you choose must take advantage of AI that can learn on its own and become smarter and more responsive to the environment it monitors over time. Otherwise, the bad actors will find ways around detection and wreak havoc. A platform like MixMode that leverages “third wave” self-learning AI is perfectly positioned for this.
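The contrast between the two approaches can be shown with a very small behavioural baseline. This is an added example, not MixMode's method or code from the original article: it learns which destinations each process on each host normally contacts, then compares today's traffic against both that profile and a signature list. All hosts, addresses, ports and the signature list are constructed sample data.

```python
from collections import defaultdict

# Constructed flow records (host, process, destination, port); all values are sample data.
BASELINE_WEEK = [
    ("app01", "java", "db.internal", 5432),
    ("app01", "java", "cache.internal", 6379),
    ("web01", "nginx", "app01.internal", 8080),
]
TODAY = [
    ("app01", "java", "db.internal", 5432),      # routine
    ("app01", "java", "203.0.113.50", 8443),     # destination this process never used
    ("app01", "sh", "203.0.113.50", 8443),       # process never seen on this host
    ("web01", "nginx", "app01.internal", 8080),  # routine
]
KNOWN_BAD = {"198.51.100.7"}  # constructed signature list, built from past attacks

def signature_hits(events, known_bad=KNOWN_BAD):
    """Signature approach: alert only when the destination is already on the list."""
    return [e for e in events if e[2] in known_bad]

def learn(events, profile=None):
    """Build or extend the per-(host, process) set of destinations seen so far."""
    profile = defaultdict(set) if profile is None else profile
    for host, proc, dest, port in events:
        profile[(host, proc)].add((dest, port))
    return profile

def anomalies(events, profile):
    """Behaviour approach: alert on anything the learned profile has not seen."""
    alerts = []
    for host, proc, dest, port in events:
        seen = profile.get((host, proc))
        if seen is None:
            alerts.append((host, proc, dest, port, "new process on host"))
        elif (dest, port) not in seen:
            alerts.append((host, proc, dest, port, "new destination for process"))
    return alerts

if __name__ == "__main__":
    profile = learn(BASELINE_WEEK)
    print("signature hits:", signature_hits(TODAY))
    for alert in anomalies(TODAY, profile):
        print("anomaly:", alert)
```

The signature list returns nothing for today's traffic because the destination has never been reported, while the baseline flags both unexpected connections. Calling `learn` again with events an analyst has confirmed as benign extends the profile so they stop alerting.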

MixMode’s AI does not require any rules, signatures or information flows and can detect zero-day attacks, such as those using the Log4j exploit, by understanding an organization’s environment, predicting the expected behavior and identifying abnormal activities related to attacks using this vulnerability in real time.

Signature-based threat detection tools will never be able to detect zero-day threats like this, as signatures are created based on past threats that have been identified. It’s like playing “whack a mole”, with new variations discovered frequently, many of which are extremely dangerous exploits.

Somewhere out there right now is the next catastrophic zero-day exploit, lurking in the operating environment of a large corporation or government. As frightening as that may be, the reality that a bad actor can deploy it and launch a major attack at any time is far scarier. It can take days, weeks, months, or even years before a hacker is caught using this exploit. If this exploit goes undetected by the security researchers who create the signatures that cybersecurity platforms rely on, organizations using these legacy platforms remain vulnerable to catastrophic outcomes.
