Apache Log4j2 is an unfamiliar name to most Internet users. To many programmers, however, it is a trusted companion that they use every day to write logs. Yet it is precisely this component, used by countless programmers daily, that turned out to carry a vulnerability whose damage may even exceed that of “EternalBlue”.
Ji Jing, senior emergency response director of Dbappsecurity Co.Ltd(688023), commented: “Apache Log4j2 has reduced the cost of hacker attacks and can be called an epic vulnerability in the field of network security in the past 20 years.” Some insiders also believe that this is “the biggest vulnerability in the history of modern computers”.
On December 17, 2021, the Ministry of Industry and Information Technology issued a risk notice: “There is a serious security vulnerability in the Apache Log4j2 component… This vulnerability may lead to remote control of the equipment, which may lead to serious hazards such as sensitive information theft and equipment service interruption. It is a high-risk vulnerability.”
Even national government departments have been hit. In late December 2021, the Belgian Ministry of Defence admitted that it had suffered a serious network attack based on Apache Log4j2 related vulnerabilities. The attack paralyzed some of the ministry’s operations, including its mail system.
The “power” of this vulnerability is so great that even national information security has been affected. So how should ordinary enterprises, especially those using cloud services, deal with it? Since the pandemic began, a large number of enterprises and institutions have accelerated their digitization and become “enterprises on the cloud”. In a traditional environment, an enterprise has more control over the construction of its own security system. After cloud migration, is the cloud security protection of these enterprises actually in place?
A security vulnerability seen once in 20 years: it will become a “network pandemic”
Late at night on December 9, 2021, attacks exploiting the Apache Log4j2 remote code execution vulnerability broke out. For a time, major Internet companies were “alarmed”, and many network security engineers woke up in the middle of the night and were busy repairing the vulnerability. “It’s said that programmers at the major tech companies were called in to make changes in the middle of the night. If they don’t finish the change, they won’t be allowed to get off work.” Relevant forums also discussed the matter one after another.
Why is a single security vulnerability so influential? Gao Yifeng, managing partner of Ernst & Young Greater China network security and privacy protection consulting service, said: “The Apache Log4j2 vulnerability crisis has attracted much attention due to its wide impact, high threat and low attack difficulty, resulting in a global impact.”
“Log4j2 is an open source logging component under Apache, an open source community. It is widely used by enterprises and organizations all over the world in the development of various business systems,” Ji Jing said. “According to incomplete statistics, within 72 hours after the outbreak of the vulnerability, more than 70 mainstream development frameworks were affected. These frameworks are widely used in the construction of digital information systems in various industries, such as finance, medical treatment, the Internet, etc. Because many familiar Internet companies are using the framework, the impact of the Apache Log4j2 vulnerability is very large.”
In addition to the component being widely used, the cost of exploiting the Apache Log4j2 vulnerability is relatively low. An attacker can construct malicious data and attack a vulnerable system remotely, without any strong interaction such as authentication or login. Moreover, the attacker can obtain the highest privileges on the server, which ultimately leads to remote control of the equipment and further causes data leakage, service interruption and other hazards.
Not only is the attack cost low, the technical threshold is also low. Unlike the “EternalBlue” outbreak in 2017, where the attack tools were relatively complex to use, an attacker targeting the Apache Log4j2 vulnerability can use many ready-made tools to construct and update malicious code with only a little technical knowledge.
The low exploitation difficulty and low attack cost mean that the current wave of attacks against the Apache Log4j2 vulnerability will continue for some time, becoming a “network security pandemic”.
The Internet also needs “epidemic prevention”: enterprises that ignore it will face serious consequences
Similar to the “influenza virus”, the Apache Log4j2 vulnerability has produced “variants”. In addition to the previously announced vulnerability CVE-2021-44228, a new vulnerability, CVE-2021-44832, was found on December 29. Since the vulnerability was exposed and initially repaired, a large number of targeted attack variants have been derived, which are very hard to guard against.
On the one hand, there are different “variants” of the vulnerability; on the other hand, attackers are also looking for new exploitation patterns. Therefore, people in the industry generally expect that the impact of the Apache Log4j2 vulnerability will persist for a long time, and some experts even expect it to last more than ten years.
Attack methods are also diverse. For example, after an attacker obtains the highest privileges on a server, he may leave a “back door” in the system code and turn the server into a zombie machine used for cybercrime activities such as cryptocurrency mining or DDoS attacks.
Can enterprises “ignore” this vulnerability? The answer is clearly no. Gao Yifeng warned: “Enterprises that fail to deal with this Log4j2 vulnerability crisis in a timely and serious manner may face risks such as website tampering, service interruption and data leakage. In particular, the harm of data leakage events may be ‘devastating’ to enterprises, which must involve direct sales losses, compliance fines, impact on employee productivity and long-term goodwill damage. Once a data leakage event occurs, the regulatory authorities will inevitably impose fines and put forward rectification requirements, which in serious cases will lead to the loss of business qualification and criminal charges.”
How to protect “enterprises on the cloud”? Building a security system is the key
In the traditional model, security personnel can detect, patch and repair vulnerabilities locally. By contrast, an “enterprise on the cloud” uses cloud computing, cloud storage and similar services and has no computer room or servers of its own. In the cloud environment, the “boundary” of security protection no longer exists, and the enterprise’s control over the underlying host is much less than over a local host. At the same time, the virtualization layer adds another surface that can be attacked.
Especially under the influence of the pandemic, a large number of enterprises and institutions have started digital transformation and migrated from local servers to cloud servers. If the cloud migration is completed in a short time, the enterprise is likely to lack mature cloud security management capabilities; at the same time, it often faces insufficient security capacity and a shortage of professional staff.
How should “cloud enterprises” deal with this epic vulnerability crisis?
According to Gai Wenxuan, senior product expert at Dbappsecurity Co.Ltd(688023): “After enterprises go to the cloud, traditional network security risks still exist. In addition, they will face new security risks, such as the division of the security responsibility boundary between users and cloud platforms. In addition, traditional hardware devices may not be suitable for the cloud environment, so relevant security services need to be deployed for special situations.”
According to Zhao Jianshu, partner of Ernst & Young Greater China technology risk consulting service: “In the face of rapid cloud adoption, enterprises urgently need to build a security system to meet their own business development and management requirements.”
So, for these “cloud enterprises”, should they choose the native security services provided by cloud service providers, or turn to a third-party professional security service provider?
Gai Wenxuan said: “The timeliness of network security services is very critical. If a security incident occurs, there is a big gap between a rapid response within an hour and a response after a few hours or even a day or two, and the risks and losses borne by customers accumulate the whole time. A third-party security organization is more professional, while cloud service providers are more compatible.”
In fact, even highly automated cloud native security solutions cannot yet operate fully autonomously, and qualified cloud security professional teams are still required. Gao Yifeng stressed that for small and medium-sized enterprises, selecting qualified third-party professional security institutions can ensure the independence of services and guarantee both the smooth progress of the work and the quality of service.
Cloud service providers’ native security services and third-party security services are not mutually exclusive choices. Zhao Jianshu said: “In the construction of an enterprise security protection system, enterprises should combine their own security management experience, consider security practices at the computing layer, network layer, data layer and security management layer, and select security services suitable for the enterprise to build a layered security stack.”
Network security experts on security practice: “prepare before the rain”
Website risk discovery and website security protection are highly specialized work. Many organizations lack professional security equipment and technicians, and their business systems cannot respond in time after being attacked, resulting in content tampering, hidden-link injection, defaced pages, business downtime and paralysis, causing negative publicity and even serious economic losses to the organizations that run the websites. Therefore, it is particularly necessary to carry out routine security protection and monitoring for business systems exposed to the Internet.
Zhao Jianshu concluded: “Excellent security practice ‘should prepare before the rain, rather than dig a well when already thirsty’.”
For “enterprises on the cloud”, the Anheng Xuanwu Shield SaaS service is a typical integrated solution combining cloud protection and cloud monitoring. It helps users realize vulnerability security monitoring, attack protection and 7×24 hour on-site security expert support in emergency response scenarios for zero-day vulnerabilities, helps users understand the security posture of important information systems and key websites, and provides anti-tampering, anti-intrusion and anti-data-leakage protection for websites and related business systems to avoid website security incidents.
Industry data overview
In both November and December, the number of computer malicious programs spread in China exceeded 190 million, which was significantly lower than the 21 million recorded in October. The weekly number of malicious programs spread peaked at 53.672 million in the second week of November and at 63.741 million in the third week of December. The total was 192.949 million in November and 195.416 million in December.
The number of hosts in China infected with malicious programs rose every week in November, totaling 3.976 million for the month; it was brought under control in December, falling every week, with a total of 4.237 million.
The total number of tampered websites in China was 4767 in November and 6708 in December, both significantly lower than in October. Among government websites, 36 were tampered with in December, not much different from 34 in November. The attacks faced by government websites still cannot be ignored and call for vigilance.
In December, the total number of websites in China implanted with back doors was 2062, down 41.9% from 3551 in November. The number of counterfeit web pages imitating domestic websites was 1365 in December, up 104.3% from 668 in November. It can be seen that, towards the end of the year, more attention should be paid to network security in China.
The number of information security vulnerabilities in December was 2419, up 8.04% from 2239 in November, and the number of high-risk vulnerabilities increased by 31.2% compared with November. Vulnerabilities occur every month. To guard against them, applications must be downloaded through official channels and updated in a timely manner.
After going to the cloud, what threats does enterprise cloud security face?
Data source: CSA
The number of network security incidents on cloud platforms in China still accounts for a high proportion of the total. Among them, incidents in which cloud platforms were subjected to large-traffic DDoS attacks account for 71.2% of all domestic targets of large-traffic DDoS attacks; websites implanted with back doors on cloud platforms account for 87.1% of all implanted back-door websites in China; and tampered websites on cloud platforms account for 89.1% of all tampered websites in China.
At the same time, attackers often use Chinese cloud platforms to launch network attacks. Incidents in which a cloud platform served as the control end launching DDoS attacks account for 51.7% of all DDoS attacks launched by domestic control ends, and back-door links implanted using cloud platforms as the attack springboard account for 79.3% of all back-door links implanted via domestic attack springboards. The number of IP addresses controlled by Trojan horse and botnet command-and-control ends on cloud platforms accounts for 65.1% of the national total, and the number of malicious program types they host accounts for 89.5% of the malicious program types hosted on the Internet in China.
Data source for the above pie chart: CNCERT / CC
Image source: screenshot of iResearch Consulting Report
Development trend of cloud security technology in the next five years
In Gartner’s “Hype Cycle for ICT in China, 2021”, the horizontal axis is divided into five stages from emerging to mature according to technology maturity, and the vertical axis represents the expected value of the technology. The ICT hype cycle analyzes more than 20 new technologies with significant development value, such as AIOps platforms, data middle platforms, 5G, low code, container as a service, multi-cloud, cloud security and edge computing.
Image source: screenshot of Gartner Report
China’s cloud security market has broad room for growth. According to data from the China Academy of Information and Communications Technology, the overall scale of China’s cloud computing market reached 133.45 billion yuan in 2019, a growth rate of 38.6%. It is estimated that the market will remain in a stage of rapid growth from 2020 to 2022, and that its scale will exceed 375.42 billion yuan by 2023. Under a neutral assumption that security investment accounts for 3% ~ 5% of the cloud computing market, the scale of China’s cloud security market is expected to reach 11.26 billion yuan ~ 18.77 billion yuan in 2023.