Don’t Get Complacent about Log4j

The Log4j vulnerability burst onto the scene in December of 2021. One cybersecurity firm reported that the flaw was utilized in attacks on more than 40% of global networks, and that more than 100 breach attempts utilized it every minute when it first came out. At the time, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said it posed a severe risk and was perhaps the most serious threat she had seen in her lengthy career. No wonder government agencies panicked. All civilian federal agencies were ordered to immediately fix this vulnerability. Vendors, too, were concerned, rushing out a series of patches. There were dozens of patches to deploy related to Log4j.

A year on from the initial turmoil occasioned by this zero-day threat, where do we stand? Log4j continues to be exploited. After so many patches were made public by so many vendors, there are still plenty of organizations that have failed to install them. No wonder cybercriminals continue to enjoy success with this potent vulnerability.

Log4j Fundamentals

The Log4j vulnerability allows attackers to achieve remote code execution and gain access to servers. Through the Java logging library they can deliver crypto-mining malware, steal usernames and passwords, reach other systems, or cause a local denial of service condition.

Part of the reason Log4j remains a menace is that it is embedded in almost all Java-based products and web services. In fact, it is so deeply embedded in Java-based systems that IT is finding it difficult to locate every version of it running within its infrastructure, applications, or cloud environments. It is therefore quite common for IT departments to believe they have taken care of it completely, when in reality they have only dealt with the obvious places where it resides.

Beyond IT systems, Log4j is also heavily used in Supervisory Control and Data Acquisition (SCADA) systems and historian systems within many industrial and infrastructure systems. As these systems often have dependencies on other systems, cybercriminals can potentially use them to infiltrate the enterprise.

Another factor in the scary nature of Log4j is that many systems use the library to log information an application received from external sources, so a vulnerable system could be compromised by the very data it logs. Hackers could take advantage of this simply by typing malicious text into a web application field, for example. The more creative among cyber-attackers have even been able to leak runtime and environment variables such as API keys or other credentials. And because Java can be used to send code over a network, code execution became possible remotely.

For those wanting more information, the open-source Log4j Java logging component problem was eventually broken into four vulnerabilities known as CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. These CVEs offer plenty of data on the bug, where to find it, and its various remedies.

Good News and Bad News

The good news is that Log4j attacks have been trending downward throughout 2022. But organizations cannot relax. The bad news is that there has been evidence of surges in its use by cybercriminals of late. One happened in June and another in August. The latter saw Log4j playing a part in several high-priority security incidents.

Enterprises are advised, therefore, to check, check, and check again to ensure they have eradicated this problem completely from any and all systems.

CISA has issued a series of recommendations for organizations to fix Log4j. Among these are points such as:

1. Enumerate any external-facing devices that have Log4j installed.
2. Download all relevant vendor patches for the applications and operating systems in use throughout the enterprise. Patches are available from Microsoft, IBM, Adobe, Cisco, VMware, and many other vendors to remedy Log4j.
3. Patch them all using an automated patch management system.
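The enumeration step is where most teams fall short, because log4j-core is often buried inside a WAR or EAR rather than sitting in a visible lib directory. As an added example (not code from the original post or from Syxsense), the Python script below walks a directory tree, opens every JAR/WAR/EAR/ZIP, recurses into nested archives, and reports each log4j-core it finds with the version read from its manifest and whether the JndiLookup class is still shipped. It assumes 2.17.1 as the minimum patched version, the release that addressed the last of the four CVEs listed above, and the sample tree it scans is constructed in a temporary directory purely for demonstration.

```python
import io
import os
import re
import tempfile
import zipfile

# Assumption for this example: 2.17.1 is the minimum patched release, since
# that is the version that closed the last of the four CVEs (CVE-2021-44832).
MIN_PATCHED = (2, 17, 1)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
CORE_PACKAGE = "org/apache/logging/log4j/core/"
JNDI_LOOKUP_CLASS = CORE_PACKAGE + "lookup/JndiLookup.class"


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'log4j-core-2.14.1.jar'.
    Two-part releases such as 2.14 are padded to (2, 14, 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(p or 0) for p in m.groups()) if m else None


def manifest_version(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF if the JAR has one."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def scan_archive(data, location, findings):
    """Inspect one archive held in memory, recursing into nested JARs/WARs/EARs."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        names = zf.namelist()
        # Only log4j-core carries the vulnerable code; log4j-api alone is not reported.
        if any(n.startswith(CORE_PACKAGE) for n in names):
            version = manifest_version(zf) or parse_version(os.path.basename(location))
            findings.append({
                "location": location,
                "version": version,
                # Removing JndiLookup.class was a documented mitigation for 2.10-2.14.
                "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
                # Unknown versions are treated conservatively as needing attention.
                "vulnerable": version is None or version < MIN_PATCHED,
            })
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{location}!{name}", findings)


def scan_tree(root):
    """Walk a directory tree and report every log4j-core found, nested or not."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return sorted(findings, key=lambda f: f["location"])


def make_jar(version, core=True, jndi=True):
    """Constructed minimal JAR for the demo; not a real Log4j artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if core:
            zf.writestr(CORE_PACKAGE + "Logger.class", b"")
            if jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"")
        else:
            zf.writestr("org/apache/logging/log4j/Logger.class", b"")
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed fixture: an unpatched core JAR in lib/, a patched core JAR
    nested inside a WAR, and an API-only JAR that must not be reported."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(make_jar("2.14.1"))
    with open(os.path.join(lib, "log4j-api-2.14.1.jar"), "wb") as fh:
        fh.write(make_jar("2.14.1", core=False))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", make_jar("2.17.1"))
    with open(os.path.join(root, "app", "webapp.war"), "wb") as fh:
        fh.write(war.getvalue())


def demo():
    """Build the fixture in a temporary directory, scan it, and return findings
    with the temporary prefix stripped so the locations are stable."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
    for f in findings:
        f["location"] = f["location"][len(root):].lstrip(os.sep)
    return findings


if __name__ == "__main__":
    for f in demo():
        state = "VULNERABLE" if f["vulnerable"] else "patched"
        print(f"{state:10} {f['version']} jndi={f['jndi_lookup_present']} {f['location']}")
```

Point scan_tree at a real application root to use it for inventory. The nested-archive recursion is the part that matters: a plain file-name search misses log4j-core bundled inside a WAR, which is exactly the "obvious places only" gap the post warns about, and the JndiLookup flag distinguishes a JAR that had the class stripped as a stopgap from one that was never touched.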

Those kinds of actions may require extensive inventorying and patching of enterprise systems. Syxsense can help businesses discover all impacted endpoints, devices, and systems and deploy fully tested patches to wherever they are needed rapidly. Its automation features will save IT departments a great many hours, if not days, when it comes to once and for all dealing with the Log4j scourge.

For more information visit www.Syxsense.com