What you need to know about the log4j vulnerability

There’s a new vulnerability making waves across the cybersecurity industry and the business media at large. It’s called log4j, it’s a zero-day exploit, remote code execution vulnerability, and is found within a number of various third-party vendors, infrastructure providers, and SaaS companies. Because these companies are major third-party providers, the number of companies, sites, and services impacted are wide.

A zero-day exploit or vulnerability refers to the fact that the vulnerability is unpatched and is often discovered by hackers first, not security experts (or original manufacturers of the affected app or software). This is critically troubling for a number of reasons.

It means hackers had knowledge of a vulnerability weeks or months before any company or security researcher even knew about it, giving malicious actors ample time to exploit it. Even once it was discovered, manufacturers need to develop fixes, and deploy them in the form of updates, again, taking time that can be used by a hacker to carry out an attack.

This is a stark contrast to normal vulnerabilities, which are often discovered by security experts, communicated to the affected organizations, and fixed before the public knows about the vulnerability. This drastically minimizes the window of opportunity any bad actors have to take advantage of the exploit.

2021 set a record for zero-day exploits, with 66 (and counting) as of September 2021, which has already increased with the discovery of Log4j.The fact that log4j is a zero-day exploit is part of the reason why it’s regarded as so dangerous.

Log4j is a critical vulnerability so it’s important to know what the vulnerability is, who’s most at risk, how it can affect you, and what you can do to minimize the risk of anyone using the exploit against your organization.

What is the log4j vulnerability?

Log4j is a vulnerability found within Apache’s Log4j software, which is used by thousands of different companies, as an open-source javascript-based logging utility. This utility is embedded in various apps and services, particularly those used by SaaS companies and other digital supply-chain providers like Cisco, IBM, VMware, Microsoft, and Amazon.

Because of the nature of Log4j being a utility found within a widely used Java-based framework, that makes it much more difficult to know whether your organization depends on anything running Log4j. It’s embedded within apps or apps in apps so identifying it and understanding the associated dependencies and involvement in your environment is a challenge.

How can log4j affect you?

Malicious actors and hackers can take advantage of the vulnerability and drop malicious code within any affected app running log4j. Depending on the compromised app’s connection to your organization and environment, the attack can easily make its way into your organization.

The fact that it’s a remote code execution (RCE) vulnerability makes it particularly dangerous as hackers can deploy attacks remotely. Hackers can drop malware, ransomware, and in the wild researchers have seen cryptomining as the most common compromises using the log4j exploit. This refers to a more hidden compromise where a device’s computing power is used to mine cryptocurrency without the device owner’s knowledge, affecting its performance.

However, Microsoft has recently divulged that its seen log4j exploits lead to credential theft, data exfiltration and state sponsored attacks.

Who does log4j affect?

While the news surrounding this vulnerability sounds dire, it’s important to be reasonable and not add to the hysteria and fear-mongering. The log4J doesn’t directly affect all organizations, but it does affect digital supply chain providers, cloud-based infrastructures, and SaaS companies.

For example, none of our clients are directly impacted, largely because they don’t own their own servers. However, they are leveraging cloud-based infrastructure providers who are directly impacted by Log4j.

This is a nuanced point but important enough because it changes how we see the vulnerability and what all companies can do to prevent their exposure to it. Get a holistic picture of the impact to your business by identifying if you have log4j deployed internally on systems and which 3rd party providers are vulnerable.

How can organizations fight against log4j?

Fortunately, since the discovery, many of the directly impacted companies have released critical updates for customers who are using services or apps that are exposed to log4j. You can find a list of running updates (and impacted companies) via CISA’s Github page, or from Bleeping Computer for a more digestible list.

Deployment of an endpoint protection (EPP) and endpoint detection and response (EDR) can provide a lot of value against something like log4j. Most EPP technologies can detect exploits against the vulnerability and block the attack. The EDR acts as an additional control by identifying vulnerable systems and looking for signs of compromise in the event the prevention components fail. Also, because this is a logging-based vulnerability, any log-based monitoring can help alert you to any suspicious actions or behaviors.

Asset and vendor visibility is absolutely crucial against these kinds of exposures. If you’re not aware of all the services and third-parties that are part of your vendor ecosystem, you won’t be able to ensure all necessary apps are updated. With a vulnerability that’s known to be exploited, one point of risk may be enough to lead to a compromise.

Lastly, this type of vulnerability is a lesson in why third-party, cloud-based vendors, and supply chain security is so important. The attack surface of the average organization has changed drastically and it’s not enough to consider yourself secured just by focusing on your own organization.

How a modern MSSP like SolCyber can help

For resource-strapped organizations, an MSSP can provide technology, guidance, and speed when dealing with these kinds of critical vulnerabilities.

• Technology: An MSSP can bring their own technology partners and vendors like an EDR, an EPP, and logging tools among others that can help detect and prevent unauthorized users as well as help with asset and vendor inventory tools to help you maintain visibility of your environment.
• Guidance: An MSSP should provide guidance that will also help you identify any gaps in your security posture so these kinds of vulnerabilities won’t put you at a major risk. They should be able to help you prioritize what controls are needed to reduce the risk of the most common and critical attacks.
• Speed: The right MSSP should be a partner that will alert you to any zero-day vulnerability or critical vulnerabilities you’re exposed to. By relying on an MSSP who is looking out for potential problems 24/7, you can make sure you have an eye out for security even when your organization is done for the day or the week.

SolCyber provides all of the above through our Foundational Coverage. Contact us to discuss how this can benefit your organization and get cyber resilient within days.

FAQS

• What is the log4j vulnerability? The log4j vulnerability (also known as Log4Shell) is a zero-day exploit, a remote code execution flaw in the Apache Log4j library that could allow attackers to remotely execute code on systems that use vulnerable versions of the library.

• How many devices are affected by the log4j vulnerability? Experts estimate that when the vulnerability was discovered, over 3B devices were at risk.

• Is there a fix for log4j? Many application and software companies have released patches and fixes for the log4j vulnerability in the form of security updates. Security specialists have found that the deployment of an endpoint protection (EPP) and endpoint detection and response (EDR) can help organizations protect themselves from the log4j vulnerability. Furthermore, updating your log4j version, implementing multi-factor authentication, changing system properties, and removing the Java Naming and Directory Interface (JNDI) can also help. 

• Who’s at risk for log4j? Essentially, anyone using web servers, web applications, network devices, and other software and hardware is at risk of being affected by the log4j vulnerability. This security concern can affect individuals too, as many devices use log4j. 

• Who’s responsible for log4j? It is believed that a Chinese hacking group connected to the government is behind the log4j zero-day exploit and evidence shows that they were actively exploiting the vulnerability.

• How many companies have been affected by log4j? It is unclear how many companies have been affected by the log4j flaw. However, because this is a supply-chain vulnerability affecting some of the biggest companies (such as Adobe, CISCO, and IBM), it’s possible that hundreds of thousands of companies have been affected by this vulnerability. 

• Are hackers using log4j to attack companies? Yes, hackers are using log4j to attack companies. In fact, this zero-day exploit has been used in targeted attacks against high-profile organizations. 

• How can I fix my devices and applications at risk for log4j? There is no precise answer to this question as the solution will largely depend on which devices and applications you are using that are vulnerable to log4j. However, it is recommended that you update your Log4j version, remove the JNDI, and implement multi-factor authentication. Most applications, however, have a fix in the form of an update so it’s extremely important that you’re aware of all the devices in your network and so you can update them accordingly.

• How can I prevent being at risk for log4j in the future? The best way to prevent being at risk of becoming a log4j vulnerability target is to keep your devices and applications up-to-date. Furthermore, it is important to be aware of the latest cyber threats and trends so that you can quickly adapt your security measures accordingly.