Hackers Return to the Field with a Proven Playbook

Hackers Return to the Field with a Proven Playbook

What’s worked

Back in April 2021, when the SolarWinds hack was publicly disclosed, much of the world discovered just how vulnerable it is to a major cyberattack against common systems and applications. Instead of targeting individual organizations, hackers came to realize that they could do a lot of damage in a relative short amount of time by simply targeting the software used by a lot of companies. Reports filed with the SEC indicate that SolarWinds had over 33,000 customer organizations who were using its Orion software. Hackers managed to break into SolarWinds systems and maliciously alter the Orion code. When SolarWinds subsequently pushed out a software update to its customers, it didn’t realize that the update included the malicious code added by the hackers. SolarWinds, a major cybersecurity vendor, was unknowingly used as a conduit for the hackers to introduce malware onto company systems all over the world.

The playbook

Much like an NFL football team that keeps running the same play route if it keeps working, hackers are re-using their playbook because it worked so well before. This time, the software being targeted is a piece of code used by software development teams all over the world in their applications. The software is called log4j and is made available as an open source tool by the Apache Software Foundation. Just as its name implies, log4j is Java software (i.e. “log for Java”) that logs actions within an application, typically for debugging and troubleshooting purposes.  The log4j code is so useful, in fact, that it has been downloaded millions of times from Apache and has become one of the most widely used pieces of code in business applications all over the word. And just like with the SolarWinds hack, the widespread use by corporate networks of the log4j software code makes it a particularly attractive target for hackers. Exploiting a zero-day vulnerability in log4j (computer-speak for a brand new, never before published vulnerability for which no fix was available yet), hackers demonstrated an ability to remotely execute code on target machines that were running the software. The ability to remotely execute code means that hackers could do almost anything they want on computers with log4j, including installing malicious programs to steal data, encrypting files with ransomware, and installing software to mine for cryptocurrency.

Companies are racing to inspect their software and systems to determine the extent of any impacts. Others are reaching out to their critical vendors as part of ongoing due diligence to inquire about any potential impacts.

Hackers are clearly finding creative new ways to identify and target the least common denominator – tools and software used by  large portion of the world – to move swiftly and exploit a large number of computers in a short amount of time.

In the age of zero day vulnerabilities, even regular patching practices likely can’t do much to help us prevent these types of cyberattacks initiated by nation-state actors. By its very definition, a zero day issue has no patch available when the vulnerability is first being exploited.

What can we do?

What we can do is improve reaction times. We can promptly patch systems as soon as word gets out about a new threat such as a log4j vulnerability. We can continue to exercise reasonable due diligence over our third party vendors, and continue to invest in strong cybersecurity controls, testing, and security awareness training to maintain an otherwise strong set of defenses against the known threats that are out there.

For more information or to speak with a regulatory expert, please email info@cssregtech.com.