Researchers have just identified a security flaw in Log4J, an open-source Java logging library widely used by a host of private, commercial and government entities to record details ranging from usernames and passwords to credit card transactions. Since the vulnerability was disclosed last weekend, the cybersecurity community has been scrambling to protect applications, services, infrastructure and even Internet of Things devices from criminals, who are already taking advantage of it.
“For cybercriminals this is Christmas come early, because the sky’s the limit,” says Theresa Payton, a former White House chief information officer and the CEO of Fortalice Solutions, a cybersecurity consulting company. “They’re really only limited by their imagination, their technical know-how and their own ability to exploit this flaw.” Payton spoke with Scientific American about what Log4J does, how criminals can use its newly discovered weakness, and what it will take to repair the problem.
[An edited transcript of the interview follows.]
What is Log4J, and how is it used?
In both technology and cybersecurity teams, everybody needs really good logs. You need logging for audit trails, in the event of a ransomware event, to do forensics, sometimes for regulatory considerations. And so [Log4J] is a Java feature and function where you log things. You could log the fact that somebody used this particular type of credit card, you could log the fact that somebody just logged in today, any number of different types of events could be captured.
But Log4J has a major security flaw.
This type of vulnerability means somebody can inject instructions into the logs and make the logs do anything they want them to do. Researchers discovered this vulnerability—and I always say thank goodness for the researchers—in early December. Basically, it allows an attacker to have unauthenticated remote code access to the servers. So they can send instructions, they can execute things, and potentially do it completely undetected. There have already been examples where attackers have leveraged the Log4J vulnerability. They’ve installed cryptocurrency mining malware on unknowing machines. If we recall the…