Why Log4j Keeps Getting Exploited

Log4j Still Being Targeted

It is a couple of months now since the Log4j vulnerability became public knowledge. Yet cybercriminals are still using it to rampage through enterprise after enterprise. Known as CVE-2021-44228, it is a flaw in the Log4j logging library that lets attackers exploit the Java servers that are ubiquitous in the enterprise. It has been spreading in the wild as fast as the Omicron variant of COVID-19. The sad part of the story is that the hacking world has jumped on it while many IT departments remain oblivious to it.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) keeps issuing warnings about it, attempting to raise awareness of the problem. Federal agencies have been ordered to search carefully through their systems for all Java servers and related dependencies, and patch them all.

To make matters worse, nobody knows how long Log4j was being exploited by cybercriminals. Its discovery in early December 2021 does not mean that was the first time it was ever used by hackers. It could have been harnessed for months. Either way, they are having a field day due to the number of potential systems at their disposal.

Consider the ubiquitous nature of Java:

  • About 9 million people are considered to be Java developers worldwide.
  • As many as 3 billion devices exist that are running Java in some form or another.
  • That includes nine out of ten desktops, laptops, and tablets.
  • Almost all enterprise desktops use Java.

That adds up to a lot of trouble for security personnel. As an analogy, imagine a relatively flat country like Poland trying to defend its borders while being attacked simultaneously by all the nations around it: Russia, Germany, Denmark, Sweden, Latvia, Belarus, Ukraine, the Czech Republic, and Slovakia – and having to deal with internal insurgency at the same time. Java is so pervasive that it offers hackers innumerable channels for exploitation. What worries security experts is that even a relatively thorough search for vulnerable Java servers might still miss one or two buried systems.

No wonder government agencies, open-source communities, and vendors have been issuing patches and remedies at a frantic pace. Here are a few highlights:

  • The Apache Software Foundation released a detailed series of fixes for Log4j. This is the most recent of a series of Apache patches and fixes: the foundation made an early release of remedies and followed that up with another couple of releases after finding more ways the flaw could be exploited.
  • Blumira announced the discovery of a nasty Log4j-related Javascript WebSocket attack vector that is very hard to detect.
  • Google announced that nearly 20,000 vulnerable Java packages were found inside the Maven Central repository.
  • JFrog found even more that are undetectable via dependency scanning.
  • Microsoft released a series of scanning tools and a dashboard to detect Log4j vulnerabilities on Windows and Linux.
  • CISA released a Log4J scanner.
  • CrowdStrike released its own scanner to find hidden vulnerabilities.

But as fast as fixes, scanners, and patches are issued, ransomware groups are harnessing Log4j in sophisticated ransomware scams. One Chinese gang, for example, is using Log4Shell to breach VMware server products. Another gang from Iran has found a way to use it to distribute a PowerShell toolkit to exploit Java applications.

Fixing the Log4j Mess

It isn’t easy to fix the mess left behind by vulnerable Java code. The advice from CISA is to draw up a detailed list of external-facing devices that have Log4j installed. Take action on every alert on those devices. Install a web application firewall (WAF) that can automate alert consolidation and centralization. And patch, patch, and patch again.
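As an added example of the first step in that advice, the inventory pass, here is a small Python scanner (not CISA's or Syxsense's code) that opens every jar/war/ear under a directory, including archives nested inside other archives, and reports each log4j-core copy, its declared version and whether it still ships the JndiLookup class that CVE-2021-44228 abuses. The sample archives, their paths and the version string "2.0-constructed" are constructed for the demonstration and are not real deployment data.

```python
# Added inventory helper (not Syxsense or CISA code). Nested archives are
# searched because a log4j-core jar buried inside a .war is exactly the kind
# of copy that a plain file-name scan misses.
import io, os, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class the exploit needs
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def _inspect(data, path, findings):
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a real archive; skip it rather than abort the inventory
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:  # this archive is log4j-core itself
        version = "unknown"
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            version = next((l.split("=", 1)[1] for l in props if l.startswith("version=")), "unknown")
        findings.append({"path": path, "version": version, "jndi_lookup_present": JNDI_CLASS in names})
    for name in sorted(names):  # recurse into bundled/shaded archives
        if name.lower().endswith(ARCHIVES):
            _inspect(zf.read(name), path + "!/" + name, findings)

def scan_tree(root):
    """Return one finding per log4j-core artifact found under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as f:
                    _inspect(f.read(), full, findings)
    return findings

def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_tree():
    """Constructed sample, not a real deployment: one exposed jar, one mitigated (JndiLookup removed) jar inside a .war."""
    root = tempfile.mkdtemp(prefix="log4j_scan_")
    exposed = _zip_bytes({POM_PROPS: "version=2.0-constructed\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    war = _zip_bytes({"WEB-INF/lib/log4j-core-sample.jar": _zip_bytes({POM_PROPS: "version=2.0-constructed\n"})})
    for fn, data in (("log4j-core-sample.jar", exposed), ("app.war", war)):
        with open(os.path.join(root, fn), "wb") as f:
            f.write(data)
    return root
```

A finding with `jndi_lookup_present` set is the one to act on first; a finding without it still belongs on the inventory so the version can be checked against the vendor advisory.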

There are scanners available such as those noted above, as well as quite a number of patches to install. The advice of the UK’s National Cyber Security Centre (NCSC) is to update all systems with the latest security patches.

“In the case of this vulnerability CVE-2021-44228, the most important aspect is to install the latest updates as soon as practicable.”

How to Protect Yourself from Log4j

Although a number of popular IT management and security tools are vulnerable, Syxsense is pleased to confirm that it does NOT use Log4j. Syxsense Secure and Enterprise customers can use the Syxsense security scanner to identify endpoints that are exposed to this new vulnerability.

The Syxsense vulnerability scanner is not only a complete security management package; it is automated, repeatable, and generates quick results, delivering security and safety in a timely manner. With security scanning and patch management in one console, Syxsense Secure is the only product that not only shows you what’s wrong, but also deploys the solution.

It offers visibility into OS and third-party vulnerabilities like defects, errors, or misconfigurations of components, while increasing cyber resilience. And it is fully integrated with automated patch management software that lets you easily manage unpatched vulnerabilities with the click of a button.

Syxsense includes patch supersedence, patch roll back, and a wealth of automation features. In addition, it provides a three-hour turnaround for the testing and delivery of new patches as well as technology to send software and patches across the wire once, using peer-to-peer within the network for local distribution.