A Vancouver Island tech company is claiming a world first in the battle against Log4jShell cyberattacks.
On Dec. 9, a previously unforeseen avenue for online troublemakers to create digital havoc was discovered in the Log4j software used in devices ranging from network servers to cell phones.
Lantzville-based cybersecurity firm aDolus Technology Inc. has already started scanning its clients’ systems for vulnerabilities.
Log4j is software, which essentially records and builds libraries of interactions to and from computers within networks, has been in use for 20 years. The Log4j vulnerability is called Log4jShell.
“Log4j is a really commonly used piece of open source software,” said Eric Byres, chief technical officer of aDolus Technology Inc., which specializes in industrial systems software security.
“It’s a logging system that you can use for whatever you want and so, people use it for everything from soup to nuts … Your computer’s doing it all the time. It’s just filling itself up with logs and this is a way to exchange those logs, which is critical for big companies.”
In larger companies, the software is used to share events, such as notifications of a user logging into a network or an attempt to inject spam or malicious software into a computer within a network.
“If your computer wants to send logs to head office about the fact it’s under attack, head office would use something like Log4j in order to receive those incoming messages,” Byres said.
Researchers discovered that by sending deliberately malformed logs to a log collector, they could take over the log collector, which is what Log4jShell does. It allows hackers to take over networks by sending malicious code through a infected application.
“Log4j is so widely used … it’s easy for the bad guys to take advantage of it,” Byres said. “If they can get a message to that server, possibly through a poorly secured laptop … from there they can go straight to command headquarters and take over.”
The vulnerability could impact industrial control systems, air carrier booking systems, medical systems, hospitals and beyond. Byres said some attacks may have already happened and malicious software may have been injected and will sit inactive until conditions arise where it can cause the most damage.
“This is where the nastiness is going to come in. Nobody is going to know that they should be doing anything because they don’t know it’s buried deep into their packages,” Byres said.
Hidden vulnerabilities through Log4jShell can be uncovered by scanning lists of components that make up software applications. ADolus is currently scanning its industrial clients’ ‘software bills of materials’ to find Log4j in their systems and informing them of the level of vulnerability to hacker exploitation.
“We’re the very first company in the world to release what are called [vulnerability exploitability exchange] documents … in the whole world, period…” Byres said. “If you’re a big oil company you can look through the VEX document and you can search it for the versions of the software you’re using and you can see it’s exploitable … or it’s not exploitable and say, forget it. Let’s go work on something else more important.”
To learn more about the Log4Shell vulnerability, visit the aDolus website at http://adolus.com/vulnerabilities/log4j/.