In December 2021, a security flaw was found in the software programme called Log4J, a Java program for information storage. Log4J is used to record details of people's passwords and login information for various company accounts and websites, both private and public. Data logs for every web entry or online account for a business create a huge amount of information, which is then stored and managed by Log4J. Given the unfathomable volume of logs on each website, this software flaw has the ability to compromise millions of people’s personal data, private information and even credit card details. The director of the U.S. cybersecurity agency stated that the flaw, called Log4Shell, was the worst "security vulnerability" she had seen throughout her career. Of course, as soon as the ‘gap’ in programming was discovered, cybercriminals quickly began to take advantage of the security failure.
How can Log4J be exploited?
The extent to which this security issue could be exploited is limited only by a hacker's imagination. A hacker could, for example, inject instructions into a set of logs, making them do anything they desire. Having remote access to a server or log could disrupt companies' supply chains or allow cash withdrawals or deposits from banks, and it would all go entirely undetected. As hackers are equipped with login information and account details, it is incredibly difficult to identify this activity as fraud, as it looks completely normal. Log4J has been exploited to install the ability to mine cryptocurrency on machines whose owners don’t even know it’s happening.
How has it been exploited already?
Most notably, cybercriminals decided to target a cream cheese factory on the cusp of Christmas, entirely disrupting its festive production schedule. Bloomberg reported the attack targeted the company Schreiber Foods’ distribution and plant centres. Consequently, the company’s production ground to a halt for several days, just prior to Thanksgiving, Hanukkah and Christmas. Another company, SolarWind, which specialises in solar-powered technology, was targeted by cybercriminals exploiting the Log4J malfunction. Russian hackers were able to extract sensitive information about multiple government agencies and cyber security companies that SolarWind works with.
What happens next?
Companies have had to trawl through their systems and processes to hunt for Log4J and see whether their systems are at risk. Most companies do not keep a closely detailed record of their logging systems, so this small piece of code could theoretically be hiding anywhere. Companies must learn that any tiny kink within a coding system could lead to the total disruption of a company, costing extreme amounts of money. The main point of action for the UK's National Cyber Security Centre (NCSC) is to identify internet-facing companies using Log4J, upgrade them to newer versions of the code and urge them to set up alerts for attacks on Log4J. It is clear no company is safe, with even the NHS having to issue warnings that hackers have attempted to gain access to the system via Log4J, recommending that different parts of the health service protect themselves and apply necessary updates. The Log4J debacle is another example of why the UK must enact stricter, comprehensive data security, before a more serious breach occurs.
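The hunt described above is hard because the library is often bundled inside other archives rather than installed on its own. The following inventory scanner is an added example, not code from this article or from the Log4J project: it looks for the library's JNDI lookup class inside JAR, WAR, EAR and ZIP files, including archives nested within archives, and reports the version recorded in the Maven metadata. The function names and the sample archive are assumptions made for illustration.

```python
import io, os, sys, zipfile
JNDI_SUFFIX = "/JndiLookup.class"   # lookup class shipped inside log4j-core 2.x
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, depth=0, max_depth=5):
    """Return [(location, version)] for each log4j-core copy, following nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []                   # not an archive, or corrupt: nothing to report
    findings = []
    with zf:
        names = zf.namelist()
        if any(n.endswith(JNDI_SUFFIX) for n in names):  # also matches relocated (shaded) copies
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            version = next((l[8:].strip() for l in props.splitlines() if l.startswith("version=")), "unknown")
            findings.append((label, version))
        if depth < max_depth:       # bound recursion into nested archives
            for n in names:
                if n.lower().endswith(ARCHIVES):
                    findings += scan_archive(zf.read(n), f"{label}!/{n}", depth + 1, max_depth)
    return findings

def scan_tree(root):
    """Walk a directory tree and scan every archive file found under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings += scan_archive(fh.read(), path)
    return findings

def build_sample():
    """Constructed sample: an application JAR bundling a stand-in log4j-core."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"")
        z.writestr(POM_PROPS, "version=0.0.0-SAMPLE\n")   # placeholder version
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("com/example/App.class", b"")
        z.writestr("BOOT-INF/lib/log4j-core-sample.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_archive(build_sample(), "sample-app.jar")
    for location, version in hits:
        print(f"log4j-core {version}: {location}")
```

Run with a directory path to scan it, or with no argument to scan the constructed sample; each reported version should then be compared against the vendor's current advisory.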