2021 saw notable increases in cyber attacks on critical infrastructure and public safety. The Colonial Pipeline, the Oldsmar, Florida water treatment plant attack, and the Microsoft Exchange Sever vulnerability, (and other Microsoft security issues) are all among the most notable and severe cybersecurity issues of the past year.
The impact of the latest cyber security issue, the Log4Shell critical vulnerability, is going to be felt for years and is going to take a great deal of collaborative effort to mitigate and fix. The full extent of the vulnerability is going to take a long time to fully assess. Wired.com wrote that this vulnerability will “haunt the internet for years.”
(Learn more about the Log4j vulnerability, the risks, lessons learned and remediation techniques by signing up for our blog on January 12, 2022: Log4j Vulnerability: Crisis and Mitigation)
What is the Log4j Vulnerability?
The Log4j vulnerability, also known as Log4Shell (CVE-2021-44228), is a critical remote code execution (RCE) zero-day vulnerability in Apache Log4J software. The vulnerability affects Log4j version 2.0-beta9 and 2.14.1, and later 2.15.0 in 2.16.0. All Java 8 users should patch to version 2.17.1. as of January 5, 2022.
The first discovery of the vulnerability is credited to the staff of the popular video game, Minecraft, discovering a digital flaw that hackers could exploit, that would allow them to take over players’ computers. That happened in late November 2021.
Log4j is a library of open-source software that is used by millions of software applications, servers and services worldwide.
Due to the free, publicly accessible software, wide usage, and the ease it takes to exploit the vulnerability due to thisf2. design failure, the Apache Software Foundation placed a CVSS (Common Vulnerability Scoring System) rating of 10 on this vulnerability, the highest severity rating for a security vulnerability. CISA (Cybersecurity & Infrastructure Security Agency) ordered all federal civilian agencies to patch the Log4j vulnerability, along with four others, by December 24, 2021.
Log4j is an open-source library that is used by software developers as a building block that builds a record of log activity that includes, but is not limited to: performance monitoring, examine security implication, troubleshooting, auditing, and data tracking. It records commands and writes them to store for records and analytical purposes.
Why is the Log4j vulnerability so severe and who does it affect?
In short, there are a lot of industries and sectors that are at risk for an attack based on his flaw, including critical infrastructures such as power, communications, water, energy and more.
The Log4Shell zero-day vulnerability is dangerous because of the number of programs impacted by it. Almost all programs written in Java, or relief on software written with it, used by products from Apple to Amazon use are at risk. It is a relatively easy flaw for actors to exploit. Actors have attempted attacks on Log4j for years and now that the vulnerability is widely known, everyone will be able to use it.
Attackers can take the newly discovered vulnerability and introduce a string of data that enables remote execution of code on the server, thus allowing them to introduce compromised information into system logs and give them full access to take over a device.
The critical remote code execution in the Log4j library could allow a cyber threat to completely take control of an affected server and target applications within the library. Log4j is used in a variety of software and on traditional web servers potentially leading to other vectors of exploitation.
That means even developers who do not use the software directly may be impacted because several areas of the internet may be running code from a library that depends on Log4j itself. It is one of the most popular logging libraries used.
Another attack vector that was discovered after the vulnerability included anyone with a compromised version of the code could have their network exploited locally on their machine browsing a website and triggering the vulnerability. It was previously thought that attacks were limited to only exposed vulnerable web servers, but that is not the case now.
Jen Easterly, the Director of CISA, issued this statement during a briefing on the Log4j vulnerability on December 13, 2021: “This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious. We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damaging incidents.”
In CISA’s released statement on the zero-day vulnerability on December 11, 2021, Easterly also said “To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”
Companies including Apple, IBM, Oracle Cisco, Google, Amazon run Log4j software. There are hundreds of millions of devices, apps and websites that access these services that could be exposed.
The vulnerability not only affects Java-based applications and services that use the Log4j library, but potentially many other popular Java components and development frameworks that rely on it such as: Apache Struts2, Apache Solr, Apache Druid, Apache Flink, ElasticSearch, Apache Kafka, and many others.
Microsoft has stated that they observed state-actors from China, Iran, North Korea, and Turkey all utilizing the vulnerability for payload deployment, ransomware and making modifications to exploit the vulnerability wider.
According to a Threatpost article on December 21, 2021, Conti, a Russian ransomware group, has already developed a full sequence of attack vectors to infiltrate.
Upgrading to Log4j version 2.17.0 is immediately critical.
Why the Log4J Vulnerability should increase focus on Cybersecurity Posture
Company’s, organizations, leaders and C-Suites should take heed to the warning in the words of the director of CISA’s statement that this may be the most serious vulnerability she has seen in her long career. That comes after a particularly brutal year of cyber security attacks and issues. As the impact of cyber security and ransomware attacks on critical infrastructures, public safety, supply chains, healthcare, education and several other sectors have proved, the need for good Cyber Hygiene and Cybersecurity Posture is incredibly important
It is also notable that CISA’s Director stated that initial efforts are only going to minimize potential impacts through a collaborative effort of the government and the private security. Due to this vulnerability already being easily, and widely exploited, with more expected, along with the length of time it is going to take to understand and assess the impact of this vulnerability, there should be an increased focus on cyber hygiene and cybersecurity posture.
Your cybersecurity posture is the power of controls and protocols that give your organization the ability to predict and prevent potential cyber threats, and your response plan during and after a cyber attack. The best way to determine cybersecurity posture is through continuous third-party monitoring, analyzing data, threats, and vulnerabilities.
Leaders, now more than ever, cannot afford to be complacent in the face of cyber threats. CIO’s and CISO’s should become more vigilant than ever and urge their organizations to follow suit. The adoption of policy and training is critical for good cyber hygiene.
The ability to scan networks and understand its known vulnerabilities is critically important for good cybersecurity posture. Understanding your network’s vulnerabilities isn’t enough. Once they are discovered, an actionable remediation plan is needed along with putting cybersecurity policies into place. Part of your cybersecurity policy should also include a cyber incident response plan if you are impacted by the Log4j vulnerability, or any others that will inevitably arise in other areas.
There will likely be an increased call for action to for the government to prioritize cybersecurity, hearings and enhanced cybersecurity policy based on the Log4j vulnerability. In the meantime, as CISA Director Easterly stated, it is up the private sector to work with the government to take action to mitigate issues.
How SecuLore can help with Log4j vulnerability monitoring?
SecuLore provides continuous layer two monitoring of all network traffic through our patented SecuLore™ Paladin product technology to passively capture all traffic traversing the monitored network. The raw packets are captured for full forensic captures of all segments and sends the meta-data back to the 24x7x365 SOC (Security Operations Center). The data is processed via a unique behavioral analysis that is constantly reviewed by our team of CEH (Certified Ethical Hackers).
SecuLore developed a scanner, though CISA’s tool, that remotely scans networks using on-site Paladin’s™ that can detect Log4j vulnerabilities.
SecuLore’s™ OverWatch allows us to determine when the compromises occur and alert on behaviors that would allow the compromises to succeed. This service provides continuous layer-2 cybersecurity monitoring of all network traffic. Data is processed and sent to our 24x7x365 Security Operations Center (SOC) team who look for anomalies in the observed behavior. The data is processed via a unique behavioral analysis that is constantly reviewed by our team of Certified Ethical Hackers (CEH).