
A third Log4J vulnerability, and usage in the wild

With the weekend came more Log4J news.

First, there is a new attack vector and a new patch. Blumira’s security team said it discovered the potential for an alternative attack vector in the Log4j vulnerability. The latest upgrade target is 2.17.0, which addresses the denial-of-service condition.

On Friday, CISA issued an emergency directive ordering federal civilian entities to take immediate action on the issue. The directive gives federal agencies until December 23 to detail all of the internet-facing installations of the software on their networks and turn the information over to CISA. Agencies must also check whether their networks employ publicly available software that utilizes Log4j.
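The two items above reduce to one practical job for a defender: find every JAR on a host that bundles log4j-core, determine its version, and flag anything below the post’s upgrade target of 2.17.0 so it can go on the inventory list. The script below is an added example, not code from the post or from any of the vendors it mentions. It assumes the official log4j-core jars either carry the version in the filename (`log4j-core-2.14.1.jar`) or in `META-INF/MANIFEST.MF` as `Implementation-Version` with an `Implementation-Title` that names Log4j; it also reports whether `JndiLookup.class` is present, since removing that class was a widely published interim mitigation. The sample tree it scans is constructed in a temporary directory so the example runs offline.

```python
"""Inventory JARs that bundle log4j-core and flag those below the upgrade target.

Added example (not from the post). Nested archives (a jar inside a war) are not
unpacked; a fat jar whose manifest does not name Log4j is reported with an
unknown version and flagged for manual review.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Upgrade target named in the post; any lower log4j-core version is flagged.
TARGET_VERSION = "2.17.0"
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"
FILENAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    version: Optional[str]       # None when it could not be determined
    needs_upgrade: bool          # True when below target or version unknown
    jndi_lookup_present: bool


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.17.0' (or '2.17.0-SNAPSHOT') into a comparable tuple of ints."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_below(version: str, target: str = TARGET_VERSION) -> bool:
    """Compare versions component-wise, padding with zeros so 2.17 == 2.17.0."""
    a, b = parse_version(version), parse_version(target)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def manifest_fields(zf: zipfile.ZipFile) -> Dict[str, str]:
    """Read the main section of META-INF/MANIFEST.MF as a dict (empty if absent)."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return {}
    fields: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith(" "):   # skip continuation lines
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def inspect_jar(path: str) -> Optional[Finding]:
    """Return a Finding if the jar contains log4j-core classes, else None."""
    try:
        zf = zipfile.ZipFile(path)
    except zipfile.BadZipFile:
        return None
    with zf:
        names = set(zf.namelist())
        if not any(n.startswith(CORE_PREFIX) for n in names):
            return None
        version: Optional[str] = None
        m = FILENAME_RE.match(os.path.basename(path))
        if m:
            version = m.group(1)
        else:
            fields = manifest_fields(zf)
            # Assumption: trust the manifest only when its title names Log4j, so a
            # fat application jar's own Implementation-Version is not mistaken for it.
            if "log4j" in fields.get("Implementation-Title", "").lower():
                version = fields.get("Implementation-Version")
        needs_upgrade = version is None or is_below(version)
        return Finding(path, version, needs_upgrade, JNDI_LOOKUP in names)


def scan(root: str) -> List[Finding]:
    """Walk a directory tree and inspect every .jar file found."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding is not None:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree(root: str) -> None:
    """Constructed sample jars (empty class entries, not real artifacts) for an offline run."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    core_class = CORE_PREFIX + "Core.class"

    def make_jar(name: str, entries: Dict[str, bytes]) -> None:
        with zipfile.ZipFile(os.path.join(lib, name), "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)

    make_jar("log4j-core-2.14.1.jar", {core_class: b"", JNDI_LOOKUP: b""})
    make_jar("log4j-core-2.17.0.jar", {core_class: b"", JNDI_LOOKUP: b""})
    # Fat application jar: bundles log4j-core but its manifest describes the app.
    make_jar("app-all.jar", {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nImplementation-Title: app\nImplementation-Version: 1.0\n",
        core_class: b"", JNDI_LOOKUP: b""})
    # Renamed log4j-core jar with JndiLookup.class removed; version only in the manifest.
    make_jar("renamed.jar", {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nImplementation-Title: Apache Log4j Core\nImplementation-Version: 2.16.0\n",
        core_class: b""})
    make_jar("commons-io-2.11.0.jar", {"org/apache/commons/io/IOUtils.class": b""})


def demo() -> Dict[str, Finding]:
    """Build the constructed tree, scan it, and key the findings by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.basename(f.path): f for f in scan(tmp)}


if __name__ == "__main__":
    for name, f in demo().items():
        print(f"{name}: version={f.version or 'unknown'} "
              f"needs_upgrade={f.needs_upgrade} jndi_lookup={f.jndi_lookup_present}")
```

Run it against a real host by replacing `demo()` with `scan("/")` or the application root; an unknown version is deliberately treated as needing attention rather than silently passed, because a bundled copy inside a fat jar is exactly the kind of installation an inventory tends to miss.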

The concern may lie in reports that the Conti gang is now the first professional ransomware operation to pull Log4Shell into its daily operations. They are focused explicitly on VMware vCenter servers, which are known to be vulnerable.

Beyond that, the Dridex banking trojan is now being deployed via the Log4J vulnerability. Verified by the cybersecurity research group Cryptolaemus, this activity has been linked to the Evil Corp hacking group.

Why do we care?

Tactically, Log4J is proving to be the gift that keeps on giving for the holidays. Multiple patch iterations make resolving the issue highly problematic and make a difficult situation worse. With the holidays coming, the work isn’t over.

Strategically, none of this should be a surprise. If you’re interested in a long read, let me tease with this quote from an opinion piece by Matt Asay:

“Just don’t blare headlines like “Open source can be [an] open door for hackers,” as the Financial Times did. And don’t use the problem to start banging the drum of “open source sustainability” crises. Open source isn’t a security problem, and open source sustainability is a complicated issue. Instead, it’s time to recognize, as Matt Klein, founder and maintainer of the Envoy open source project, has done, that “All we can do is accept the reality of bugs/outages, do the best that we can to mitigate, learn, and improve, and wait for the next one.””

I’m watching my own hot-take-o-meter here too – although I do think there’s more to dig into with open source sustainability. Just because it’s complicated doesn’t mean it’s a black box never to be touched. I don’t want a hot take – but I do want the industry to have a conversation.