Log4j: the Latest Zero-Day Exploit to Log Jam Cybersecurity

Christian Wiens Director of Marketing

Christian Wiens is Director of Marketing at MixMode. He has 10+ years of experience as a cybersecurity professional. He has his BA from The University of California, Berkeley and resides in Austin, TX.

Outside of cyber and tech circles, the term “zero-day” exploits may not be very familiar or make sense. It sounds more like a character in the upcoming Matrix movie rather than something those of us that use software everyday need to pay attention to. But the reality is that zero-day exploits and the attacks that use them are the foundation of how hackers break into computer systems to steal information, install ransomware or any of the other techniques currently being used.

What is Log4j?

The Washington Post explains log4j is “a chunk of code that helps software applications keep track of their past activities. Instead of reinventing the ‘logging’ — or record-keeping — component each time developers build new software, they often use reusable code like log4j instead. It’s free on the Internet and very widely used, appearing in a ‘big chunk’ of Internet services.”

Every time software that uses log4j to log something new, it examines the new entry and adds it to the record. The Washington Post article continues to explain that recently, the Cybersecurity community realized that by simply asking the program to log a line of malicious code formatted a particular way, it would execute that code in the process, effectively letting bad actors to easily grab control of servers that are running log4j.

Log4j is a library written in the Java programming language – a foundational language that has been used to write software for 30 years. A large number of products, software, and technology run on Java and contain log4j like AWS, Google, and Twitter and are affected by this.

This vulnerability gives hackers access to the heart of whatever system they’re trying to get into, avoiding all typical defenses software companies use to block attacks. Overall, it’s a Cybersecurity expert’s nightmare – and it’s mutating quickly. Since December 17th there have been new variations of the original exploit being generated rapidly – over 60 in less than 24 hours and just this week Google’s open-source team reported that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.

What is a Zero-Day Attack?

NIST (National Institute of Standards and Technology) defines a zero-day attack as one that, “exploits a previously unknown hardware, firmware, or software vulnerability.”

As we discussed in this article, the term “zero-day” or “never before seen” refers to the fact that by the time security analysts discover these exploits, the timer for them to fix the problem. Cyber criminals and hackers try to keep this information to themselves as long as possible, such that the exploits aren’t fixed, but once it is discovered and shared with the world is called a “zero-day” exploit since it has been “zero days” since the world knew the details about it.

Here are a few terms related to zero-day attacks:

Zero-day vulnerabilities are flaws in software uncovered, many times by bad actors
Zero-day exploits are the steps or tools for hackers to use these vulnerabilities
Zero-day attacks actively use these exploits to breach networks in order to sabotage an organization or to steal data

Log4j is the latest example of a zero-day exploit to be discovered and put a big part of the industry into chaos. Given its wide adoption by developers, the impact of the log4j exploit is quite broad and will take a tremendous amount of time to resolve. Even the NSA is taking steps related to their toolset GHIDRA due to log4j’s inclusion. Rob Joyce, NSA’s Director of Cybersecurity noted on Dark Reading why it is critical to know what software uses libraries like this: “This is a case study in why the software bill of material (SBOM) concepts are so important to understand exposure”

Why Self-Learning AI is Best Equipped to Handle Zero-Day Attacks

The Cybersecurity problem here is many fold. First, the vulnerability to do this has been present in log4j for many years. That means that the time for this issue to spread has been long enough that there are thousands of pieces of software impacted on millions of machines. Since the exploit using this vulnerability wasn’t publicly known, there was no way for legacy Cybersecurity tools to identify what was installed and highlight it. Secondly, since the exploit allows a hacker to run their own code, there isn’t a known “signature” of what someone using this exploit would look like. Many Cybersecurity systems need these signatures to try to discover attacks, but this exploit would be missed by them, since it is a novel attack with no signature as each hacker could do something different. Lastly, while the industry waits for updated software to become available to remove the vulnerability, poor IT personnel are still blind on what is going on via this exploit and that is compounded by the fact that a ramp up in its usage will occur by hackers now that the timer is ticking.

So, what do you do? How do you handle zero-day threats and novel attacks like this?

What is needed is a self-learning AI that can automatically and accurately build a constantly evolving understanding of each company or person’s environment. Instead of trying to just see what attacks are already known and being blind to the new novel attacks, as many legacy Cybersecurity systems are, this approach will elevate what is observed but not expected for threat assessment.

Enhance Your Zero-Day Security Approach with Self-Learning AI

With zero-day exploits like Log4j ramping to new levels every year, organizations with legacy security tools will be the ones who suffer. Ponemon Institute notes that next year 42% of all attacks will result from using zero-days exploits and novel attacks, and organizations will be left vulnerable to these major attacks because the legacy security tools they use are only equipped with detection technologies that use signatures of past attacks. By their very nature, these tools will never be able to detect these zero-day or no signature threats.

A security tool that can accurately detect behavioral anomalies in an environment without relying on signature based detection is the best approach to defend enterprises. This will show the unexpected behavior related to zero-day attacks as they won’t match the expected, authorized behavior. To be able to have an anomaly detection approach, your chosen security tool must leverage AI that can learn on its own and get more intelligent and attuned to the environment it’s monitoring over time. Otherwise, bad actors will find ways around detection and wreak havoc. A platform like MixMode which leverages “third-wave” self-learning AI is perfectly positioned for just this.

MixMode’s AI requires no rules, signatures, or intel feeds and can detect zero-days like attacks using the Log4j exploit by understanding an organization’s environment, forecasting expected behavior, and pinpointing anomalous activity related to attacks using this vulnerability in real-time.

Signature-based threat detection tools will never be able to detect zero-day threats like this because signatures are created based on past threats that have been identified. This is like playing “whack a mole” with new variants discovered frequently, many of them extremely dangerous exploits.

Somewhere out there right now there is the next catastrophic zero-day exploit lying in wait on a major enterprise’s or Government’s operating environment. As frightening as that is, the reality that a bad actor could deploy that and levy a major attack at any time is far scarier. It could be days, weeks, months, or even years before a hacker is caught using that exploit. If that exploit remains undetected by security researchers that create signatures which Cybersecurity platforms rely on, organizations using those legacy platforms are left vulnerable to catastrophic outcomes.