There’s a new vulnerability making waves across the cybersecurity industry and the business media at large. It’s called log4j, it’s a zero-day exploit, remote code execution vulnerability, and is found within a number of various third-party vendors, infrastructure providers, and SaaS companies. Because these companies are major third-party providers, the number of companies, sites, and services impacted are wide.
A zero-day exploit or vulnerability refers to the fact that the vulnerability is unpatched and is often discovered by hackers first, not security experts (or original manufacturers of the affected app or software). This is critically troubling for a number of reasons.
It means hackers had knowledge of a vulnerability weeks or months before any company or security researcher even knew about it, giving malicious actors ample time to exploit it. Even once it was discovered, manufacturers need to develop fixes, and deploy them in the form of updates, again, taking time that can be used by a hacker to carry out an attack.
This is a stark contrast to normal vulnerabilities, which are often discovered by security experts, communicated to the affected organizations, and fixed before the public knows about the vulnerability. This drastically minimizes the window of opportunity any bad actors have to take advantage of the exploit.
2021 set a record for zero-day exploits, with 66 (and counting) as of September 2021, which has already increased with the discovery of Log4j.The fact that log4j is a zero-day exploit is part of the reason why it’s regarded as so dangerous.
Log4j is a critical vulnerability so it’s important to know what the vulnerability is, who’s most at risk, how it can affect you, and what you can do to minimize the risk of anyone using the exploit against your organization.
Log4j is a vulnerability found within Apache’s Log4j software, which is used by thousands of different companies, as an open-source javascript-based logging utility. This utility is embedded in various apps and services, particularly those used by SaaS companies and other digital supply-chain providers like Cisco, IBM, VMware, Microsoft, and Amazon.
Because of the nature of Log4j being a utility found within a widely used Java-based framework, that makes it much more difficult to know whether your organization depends on anything running Log4j. It’s embedded within apps or apps in apps so identifying it and understanding the associated dependencies and involvement in your environment is a challenge.
Malicious actors and hackers can take advantage of the vulnerability and drop malicious code within any affected app running log4j. Depending on the compromised app’s connection to your organization and environment, the attack can easily make its way into your organization.
The fact that it’s a remote code execution (RCE) vulnerability makes it particularly dangerous as hackers can deploy attacks remotely. Hackers can drop malware, ransomware, and in the wild researchers have seen cryptomining as the most common compromises using the log4j exploit. This refers to a more hidden compromise where a device’s computing power is used to mine cryptocurrency without the device owner’s knowledge, affecting its performance.
However, Microsoft has recently divulged that its seen log4j exploits lead to credential theft, data exfiltration and state sponsored attacks.
While the news surrounding this vulnerability sounds dire, it’s important to be reasonable and not add to the hysteria and fear-mongering. The log4J doesn’t directly affect all organizations, but it does affect digital supply chain providers, cloud-based infrastructures, and SaaS companies.
For example, none of our clients are directly impacted, largely because they don’t own their own servers. However, they are leveraging cloud-based infrastructure providers who are directly impacted by Log4j.
This is a nuanced point but important enough because it changes how we see the vulnerability and what all companies can do to prevent their exposure to it. Get a holistic picture of the impact to your business by identifying if you have log4j deployed internally on systems and which 3rd party providers are vulnerable.
Fortunately, since the discovery, many of the directly impacted companies have released critical updates for customers who are using services or apps that are exposed to log4j. You can find a list of running updates (and impacted companies) via CISA’s Github page, or from Bleeping Computer for a more digestible list.
Deployment of an endpoint protection (EPP) and endpoint detection and response (EDR) can provide a lot of value against something like log4j. Most EPP technologies can detect exploits against the vulnerability and block the attack. The EDR acts as an additional control by identifying vulnerable systems and looking for signs of compromise in the event the prevention components fail. Also, because this is a logging-based vulnerability, any log-based monitoring can help alert you to any suspicious actions or behaviors.
Asset and vendor visibility is absolutely crucial against these kinds of exposures. If you’re not aware of all the services and third-parties that are part of your vendor ecosystem, you won’t be able to ensure all necessary apps are updated. With a vulnerability that’s known to be exploited, one point of risk may be enough to lead to a compromise.
Lastly, this type of vulnerability is a lesson in why third-party, cloud-based vendors, and supply chain security is so important. The attack surface of the average organization has changed drastically and it’s not enough to consider yourself secured just by focusing on your own organization.
For resource-strapped organizations, an MSSP can provide technology, guidance, and speed when dealing with these kinds of critical vulnerabilities.
SolCyber provides all of the above through our Foundational Coverage. Contact us to discuss how this can benefit your organization and get cyber resilient within days.