Thinking about cyber insurance? We can help with a fast approval, up to 30% off your premium and provide amazing security to boot! Find out how!

What you need to know about the log4j vulnerability

December 24, 2021
 - Created by 
David Emerson

There’s a new vulnerability making waves across the cybersecurity industry and the business media at large. It’s called log4j, it’s a zero-day exploit, remote code execution vulnerability, and is found within a number of various third-party vendors, infrastructure providers, and SaaS companies. Because these companies are major third-party providers, the number of companies, sites, and services impacted are wide.

A zero-day exploit or vulnerability refers to the fact that the vulnerability is unpatched and is often discovered by hackers first, not security experts (or original manufacturers of the affected app or software). This is critically troubling for a number of reasons.

It means hackers had knowledge of a vulnerability weeks or months before any company or security researcher even knew about it, giving malicious actors ample time to exploit it. Even once it was discovered, manufacturers need to develop fixes, and deploy them in the form of updates, again, taking time that can be used by a hacker to carry out an attack.

This is a stark contrast to normal vulnerabilities, which are often discovered by security experts, communicated to the affected organizations, and fixed before the public knows about the vulnerability. This drastically minimizes the window of opportunity any bad actors have to take advantage of the exploit.

2021 set a record for zero-day exploits, with 66 (and counting) as of September 2021, which has already increased with the discovery of Log4j.The fact that log4j is a zero-day exploit is part of the reason why it’s regarded as so dangerous.

Log4j is a critical vulnerability so it’s important to know what the vulnerability is, who’s most at risk, how it can affect you, and what you can do to minimize the risk of anyone using the exploit against your organization.

What is the log4j vulnerability?

Log4j is a vulnerability found within Apache’s Log4j software, which is used by thousands of different companies, as an open-source javascript-based logging utility. This utility is embedded in various apps and services, particularly those used by SaaS companies and other digital supply-chain providers like Cisco, IBM, VMware, Microsoft, and Amazon.

Because of the nature of Log4j being a utility found within a widely used Java-based framework, that makes it much more difficult to know whether your organization depends on anything running Log4j. It’s embedded within apps or apps in apps so identifying it and understanding the associated dependencies and involvement in your environment is a challenge.

How can log4j affect you?

Malicious actors and hackers can take advantage of the vulnerability and drop malicious code within any affected app running log4j. Depending on the compromised app’s connection to your organization and environment, the attack can easily make its way into your organization.

The fact that it’s a remote code execution (RCE) vulnerability makes it particularly dangerous as hackers can deploy attacks remotely. Hackers can drop malware, ransomware, and in the wild researchers have seen cryptomining as the most common compromises using the log4j exploit. This refers to a more hidden compromise where a device’s computing power is used to mine cryptocurrency without the device owner’s knowledge, affecting its performance.

However, Microsoft has recently divulged that its seen log4j exploits lead to credential theft, data exfiltration and state sponsored attacks.

Who does log4j affect?

While the news surrounding this vulnerability sounds dire, it’s important to be reasonable and not add to the hysteria and fear-mongering. The log4J doesn’t directly affect all organizations, but it does affect digital supply chain providers, cloud-based infrastructures, and SaaS companies.

For example, none of our clients are directly impacted, largely because they don’t own their own servers. However, they are leveraging cloud-based infrastructure providers who are directly impacted by Log4j.

This is a nuanced point but important enough because it changes how we see the vulnerability and what all companies can do to prevent their exposure to it. Get a holistic picture of the impact to your business by identifying if you have log4j deployed internally on systems and which 3rd party providers are vulnerable.

How can organizations fight against log4j?

Fortunately, since the discovery, many of the directly impacted companies have released critical updates for customers who are using services or apps that are exposed to log4j. You can find a list of running updates (and impacted companies) via CISA’s Github page, or from Bleeping Computer for a more digestible list.

Deployment of an endpoint protection (EPP) and endpoint detection and response (EDR) can provide a lot of value against something like log4j. Most EPP technologies can detect exploits against the vulnerability and block the attack. The EDR acts as an additional control by identifying vulnerable systems and looking for signs of compromise in the event the prevention components fail. Also, because this is a logging-based vulnerability, any log-based monitoring can help alert you to any suspicious actions or behaviors.

Asset and vendor visibility is absolutely crucial against these kinds of exposures. If you’re not aware of all the services and third-parties that are part of your vendor ecosystem, you won’t be able to ensure all necessary apps are updated. With a vulnerability that’s known to be exploited, one point of risk may be enough to lead to a compromise.

Lastly, this type of vulnerability is a lesson in why third-party, cloud-based vendors, and supply chain security is so important. The attack surface of the average organization has changed drastically and it’s not enough to consider yourself secured just by focusing on your own organization.

How a modern MSSP like Solcyber can help

For resource-strapped organizations, an MSSP can provide technology, guidance, and speed when dealing with these kinds of critical vulnerabilities.

  • Technology: An MSSP can bring their own technology partners and vendors like an EDR, an EPP, and logging tools among others that can help detect and prevent unauthorized users as well as help with asset and vendor inventory tools to help you maintain visibility of your environment.
  • Guidance: An MSSP should provide guidance that will also help you identify any gaps in your security posture so these kinds of vulnerabilities won’t put you at a major risk. They should be able to help you prioritize what controls are needed to reduce the risk of the most common and critical attacks.
  • Speed: The right MSSP should be a partner that will alert you to any zero-day vulnerability or critical vulnerabilities you’re exposed to. By relying on an MSSP who is looking out for potential problems 24/7, you can make sure you have an eye out for security even when your organization is done for the day or the week.

SolCyber provides all of the above through our Foundational Coverage, and for a limited time we will be providing 3 months of additional monitoring for all existing Foundational customers and new customers*. Contact us to discuss how this can benefit your organization and get cyber resilient within days.

*Note: New customers for this promotion are limited to use of our cloud connector or are required to have central logging in place.

Share this post

Subscribe to our blog!

To receive the latest articles from our team, provide us with your email address.
Cycling and cybersecurity

The importance of a curated stack, as told […]

Dustin Deckard
Find out more
Latest cyber insurance stats and what's trending

If there’s one thing we can definitely say […]

Hwei Oh
Find out more
Identity-First Cloud Security with Ermetic and SolCyber

As public clouds supersede the datacenter for our […]

Hwei Oh
Find out more
We've simplified managed security, to help you combat modern threats.
Follow Us
© 2022 SolCyber. All right reserved | Made with   by Jason Pittock
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram