As the fallout from the Log4j vulnerability continues, cybersecurity experts are debating what the future might hold.
Tom Kellermann, VMware's head of cybersecurity strategy, said the Log4j vulnerability is one of the worst vulnerabilities he has seen in his career -- and one of the most significant vulnerabilities ever exposed.
Log4j, a Java library for logging error messages in applications, was developed by the Apache Software Foundation. Kellermann called Apache "one of the giant supports of the bridge between the world's applications and compute environments," adding that the exploitation of Log4j will "destabilize that support and... destabilize the digital infrastructure that's been built on top of it."
But his greatest concern is that someone further weaponizes the vulnerability by creating a worm, which Kellermann described as a polymorphic type of malware that can essentially spread on its own.
"One of the most significant [worms] from back in the early 2000s was Code Red," Kellermann told ZDNet. "We haven't seen a widespread global impact like that since then. If this vulnerability were to be weaponized by one of the cyber communities -- whether it be intelligence services, one of the four major rogue powers in cyber, or one of the major cybercrime cartels -- that's when things will get more interesting."
The possibility of a worm has generated significant conversation in the cybersecurity community. Cybersecurity expert Marcus Hutchins called fears of a worm "overblown" in multiple Twitter threads.
"Firstly, there's already mass exploitation (you can spray the entire internet from one server). Secondly, worms take time and skill to develop, but most attackers are racing against the clock (patching and other attackers)," Hutchins wrote on Twitter.
He added that "a worm would need a novel exploitation technique to gain any real value over scanning,"
In another thread, Hutchins wrote that 2017's WannaCry ransomware attack "gave people a way overinflated sense of the threat posed by worms," adding that worms "aren't a worst-case scenario (or even a worst-case scenario) for most exploits."
"It's not a case of there's an exploit so there will be a worm (we never saw worms for any of the recent wormable RCEs and even if we had it'd be no worse than regular exploitation). WannaCry was written by North Korea, using an NSA exploit, stolen by Russia. Not the norm," Hutchins explained.
Steve Povolny, head of advanced threat research for McAfee Enterprise and FireEye, told ZDNet that his biggest concern is around "wormability," adding that he couldn't "think of a worse scenario for Log4j exploits than malicious code that can replicate and spread itself with incredible speed, delivering ransomware payloads."
Povolny said worms like WannaCry demonstrated the type of impact that cybersecurity experts could expect, noting that even the WannaCry example was cut short from its true potential for spread and disruption due to a "kill switch."
"We can't hope to get as lucky this time -- it's not a matter of if, it's a matter of when this will happen. Organizations of all sizes must be undergoing an aggressive reconnaissance and patching strategy while there is still time," Povolny said.
"If you ever watched the TV show 'The Amazing Race', it now seems to pale in comparison to the global race taking place as a result of Log4Shell [the vulnerability's nickname]. Even as thousands of organizations worldwide continue to search for and patch this exceptional vulnerability, threat actors are working at a furious pace to weaponize and further refine exploits for the flaw."
Others, like BreachQuest CTO Jake Williams, said that while it is a certainty someone will create a worm that abuses the Log4Shell, it is unlikely to be like WannaCry, NotPetya, or previous worms that abuse system level processes.
The vast majority of servers vulnerable to Log4Shell will be running the vulnerable process with very limited permissions, Williams explained, adding that in most cases, a worm exploiting Log4Shell would probably not be able to achieve persistence across process restarts.
Because the process probably doesn't have filesystem permissions, Williams said people should be less worried about ransomware payloads.
"A malicious process can't encrypt what it can't write in the first place. While we should absolutely expect a Log4Shell worm to be created, we shouldn't conflate the expected damage of a worm with what has been seen in previous high profile worms," Williams said.
Salt Security vice president Yaniv Balmas said his team is already seeing cases where the Log4Shell vulnerability is used by "common" cybercrime-related operations in order to spread ransomware, calling a wormable exploit a "valid scenario."
Balmas noted that even today, the world is still seeing artefacts from similar worms that were launched years ago. If someone decides to embed this vulnerability into a worm, Balmas said it would be "almost impossible to stop once it reaches a critical mass."
"However, while not neglecting the impact of such a worm, that might not be the worst scenario because of the unbelievable easiness that this attack can be applied. Everyone with a basic computer and internet access could launch an attack against millions of online services within minutes," Balmas said.
Thankfully, some cybersecurity experts said the head start in dealing with detection, mitigation, and patching will help as they prepare for the worst.
John Bambenek, principal threat hunter at Netenrich, said a worm would have been far worse last week. But the industry-wide work being done made sure many of the most vulnerable machines are in a better place.
Others said that while the vulnerability is wormable, there has been no evidence to suggest this is a priority for threat actors at this time. Worms also require a significant amount of time and effort to develop, according to Digital Shadows senior analyst Chris Morgan.
"This activity differs from the WannaCry incident, which saw a perfect storm of a highly exploitable vulnerability coinciding with an NSA-level exploit breach in EternalBlue. It's still very much early days with regards to Log4j," Morgan said.
"While many threat actors will likely be at different stages of the kill chain, most actors will likely still be scanning for susceptible systems, attempting to establish a foothold, and identifying further opportunities, depending on their motivations. Efforts among actors at this stage are rushing to exploit before companies have a chance to patch, rather than spending time developing a worm."
Vectra CTO Tim Wade echoed that sentiment, noting that the Log4j vulnerability is still mostly at risk from attack by creative and adaptive human adversaries that may leave fewer fingerprints behind them as they undertake less overt attacks -- such as extracting cryptographic secrets or API keys for present or future campaigns.
While a worm enabling further mass exploitation is problematic, Wade said less direct attacks "may introduce more lasting damage when they go undetected for great lengths of time."