2021 is characterized by a dramatic few cyber events. In the US, the Colonial Pipeline Oil Company paid $ 5 million to attackers shutting down computers operating on its main pipeline.

In Israel, Black Shadow, the Iran-affiliated insurance company Shirbit, unveiled the database of the dating site of Proud Community Atrif and car financing company KLS Capital. Hillel Yaf Hospital also suffered a serious cyber attack that shut down its computers.

Despite the busy year, 2022 and beyond marks a vulnerability that security experts revealed three weeks ago as one of the most important events in the cyber world. On November 24, Chen Jogun, a Chinese researcher in Alibaba’s cloud, reported a vulnerability in the popular open source Java directory Log4j. The damage was officially released on September 9th, and it was supposed to be fixed with a fix, but it turned out to be a problem in itself. Since then the event has made headlines but it is still not over.

“In my opinion, this is a bigger event than the SolarWinds attack. A system for controlling and repairing damage “has affected many companies, and these cases have not yet been published. “It’s still a strong storm. The weakness was revealed just before Christmas, so organizations left the network and celebrated the holidays,” explains Lotem Finkelstein, director of research and intelligence at Checkpoint. .

“Software update is just the tip of the iceberg”

The vulnerability of the so-called log4 shell is the large distribution of the log4j code library in which it is located. Log4j is a directory that records activity within various applications. As it became available in the open source, the library became popular among organizations, both large and small, eliminating the need for self-development of such an element. According to Cynic, an Israeli-British cyber company, 39% of Java applications use the library directly, and about 61% indirectly expose it. At the checkpoint it was found that half of the organizations they sampled were weak.

“Organizations across all regions are exposed to the fact that everyone uses Java applications. It could be a pulse measurement product used by Log4j to collect measurement results or a security system that records who logs in, and the organization that updates its code depends on it, and the external systems that are embedded in it. Finkelstein explains.

Another problem is that weakness is relatively easy to take advantage of. All you have to do is send the correct malicious code to the app, wait for it to register on Log4j, and then gain system access. At checkpoint, more than 60 variants of vulnerability have been reported, with different types of inputs that can be sent to the app to remotely control it.

As of this week, Checkpoint has already identified 5.4 million attempts to exploit vulnerabilities blocked in its systems. Some of the exploiters were crypto miners who tried to hijack the resources of hacked computers in favor of mining. In addition, the company identified groups from Iran that were using the library to attack Israeli sites. Other security companies have found attempts to breach trust through open loopholes.

A sample by Startup Wise, founded by Ernest and Young, found that only 45% of attacked organizations published the required vulnerabilities and installed the required updates in their cloud environment within ten days. So it would probably be naive to assume that all attempts at aggression through weakness have so far failed. Many attackers, such as pilgrims or money launderers, have already infiltrated organizations’ computer systems and are now more likely to try to dig deeper into those systems.

“There is a real race between good and evil. Security officials want to find vulnerable areas and fix them as soon as possible. The problem is so big. Organizations have tens of thousands or millions of cloud systems,” Rapaport said.

“The code replacement process is so complicated that having a software update is just the tip of the iceberg. When I worked at Microsoft, I remember it sometimes took months for everyone responsible for fixing the various parts of it to code.” Schwartz says. “Eventually, if you lose a place, you’re going to become a company that makes headlines for not solving the problem and losing someone’s job.”

Tomar Schwartz, co-founder and VP of technology at the startup of the day / Photo: Nathaniel Tobias

To illustrate, the EternalBlue vulnerability in Microsoft protocol was leaked in April 2017. Although there was already a high-risk patch at the time of the leak, this vulnerability was used for widespread mistrust attacks in the US and Europe in May and June. That year, an attack by TSMC in Taiwan cost him millions of dollars in production losses.

Is Weakness a Sales Promotion?

Dangerous security breaches are certainly a potential business opportunity for cyber companies to expand their customer base. Indeed, after the publication of Vulnerability, several companies, from cloud giant Snowflake to Israeli Vice, announced that they would provide free tools to organizations to identify new risks, in the hope that they would later become paid customers.

Rappaport says Log4j has definitely boosted Wise’s performance. “The environment we protect is tripled in a week, with existing customers installing us on 100% of their cloud systems at the same time, which is usually time consuming, while those who were in the sales process became customers,” he says.

Dazez released its product around the same time as it discovered the weakness of Log4Shell, not a bad time. “Such an event that gets the focus gives us a whiff. We see that processes with customers are accelerated because of their desire to resolve the issue quickly and celebrate the holidays with a calm mind,” Schwartz says.

However, Finkelstein, from the checkpoint, is more skeptical about the impact of such an event on sales. “Of course it raises awareness about cyber, and we see organizations’ spending on information security increasing over time, but the event itself is not really a sales promotion, and its impact on the results is negligible.”