Belgian Defence Ministry become the first organisation to suffer from the Log4j vulnerability

The Belgian Defence Ministry become the first actual organisation to suffer a cyber-attack because of the Log4j vulnerability. 

The log4j security loophole has been described by US Cybersecurity director, Jen Easterly, as “the most serious vulnerability I have seen in my decades' long career”. Tech companies are currently in a state of panic over the vulnerability, which could let hackers take control of almost anything on the internet. 

A spokesperson for the Belgian ministry has announced that an attack on a computer network with internet access took place and the ministry immediately took quarantine measures to isolate the impacted network areas. 

A statement from the Belgian Ministry of Defence said “This attack follows the exploitation of the Log4j vulnerability, which was made public last week and for which IT specialists around the world are jumping into the breach. The Ministry of Defence will not provide any further information at this stage”. 

Centre for Cybersecurity Belgium spokesperson Katrien Eggers has said “Because this software is so widely distributed, it is difficult to estimate how the discovered vulnerability will be exploited and on what scale. It goes without saying that this is a dangerous situation”. Eggers also added that any organisations that had not already taken action should “expect major problems in the coming days and weeks” and that any affected organisations should contact the Centre for Cybersecurity Belgium immediately. 

What is the log4j vulnerability? 

Log4j is a popular Java library for logging error messages and contains the Log4shell software vulnerability. The vulnerability enables a remote attacker to take control of a device on the internet if the device is running specific versions of Log4j. The original vulnerability, published as CV3-2021-44228, was on version Log4j.214, however, updated versions have also suffered from related vulnerabilities. 

The Log4j vulnerability has been given a CVSS (Common Vulnerability Scoring System) a score of 10 out of 10, by the publishers of the Log4j library – Apache Software Foundation. A score of 10 is the highest-level severity score because of the ease with which malicious attackers can exploit it and its potential for widespread exploitation. 

Log4j vulnerability timeline 

Cloudflare CEO Matthew Prince said, “Earliest evidence we’ve found so far of Log4J exploit is 2021-12-01 at 04.36.50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure”. 

On December 10th details emerged of the new Log4J vulnerability and exploits spread quickly. Within 12 hours of the news being publicised, the vulnerability had been used in over 40,000 attempted cyber-attacks. After 72 hours there had been over 830,000 attempted cyber-attacks.  

On the day the news was publicised, Apache released its first patch for the vulnerability, named Log4j 2.15. However, on December 14th it was found that this new version also had a security vulnerability and so Apache released version 2.16. 

Due to another Log4j vulnerability found in version 2.16, another fix has been released on December 20th – Lof4j 2.17. 

Whilst Apache Software Foundation is working hard to fix the current patches, malicious third parties are working just as hard to exploit the vulnerability. The full extent of the Log4j vulnerability is yet to be seen.