Are You Taking the Right Precautions Against the Log4j Flaw?
Some breaches are more serious than others. And the Log4j Java logging library attack is a doozy! Publicly disclosed in early December, this zero-day flaw is being exploited in a number of attacks that continues to grow.
Known formally as CVE-2021-44228, the flaw allows remote code execution on, and access to, servers that use the Java logging library. Unfortunately, many are unaware that their enterprise systems utilize this Java component. They might hear the news and yet not realize it applies to them. Hence, the number of incursions has increased markedly in recent weeks despite heavy publicity.
While IT departments may be asleep at the wheel, hackers have been quick to jump on the Log4j bandwagon. In fact, some were already milking it for all it is worth only hours after it was publicly disclosed. Government sources said more than 100 attempts were made every minute utilizing the vulnerability. Cybersecurity firm Check Point believes that the flaw has been used in attempts to breach more than 40% of global networks.
What makes it so attractive is the ubiquitous nature of Java. Log4j, it turns out, is embedded in just about every Java-based product or web service out there – and that’s a lot! Thus, it is far from easy to remediate manually.
Meanwhile, hackers are unleashing hell on vulnerable systems. Some deliver cryptomining malware. Others use it to steal usernames and passwords to enable them to access networks and systems.
To make matters worse, the public disclosure of the exploit a couple of weeks ago is no guarantee that exploitation of Log4j is a new phenomenon. How long have attackers been quietly using it to burrow into enterprise systems? No one knows as yet.
Government agencies are in panic mode about Log4j. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), for example, ordered all civilian federal agencies to immediately patch this vulnerability as well as others such as Zoho’s Desktop Central Authentication Bypass vulnerability, Fortinet’s FortiOS Arbitrary File Download vulnerability and Realtek’s Jungle SDK Remote Code Execution vulnerability. CISA is working with multiple cybersecurity companies to shore up breached systems and protect other potential targets.
CISA Director Jen Easterly said this vulnerability poses a severe risk and noted it as being perhaps the most serious she has seen in her career. She urged enterprises to:
1. Enumerate any external facing devices that have Log4j installed.
2. Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
3. Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.
However, Log4j is deeply embedded in many Java-based systems and may be difficult to find. It is even used in Supervisory Control and Data Acquisition (SCADA) systems and historian systems used in many industrial and infrastructure systems.
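The first of CISA’s steps, enumerating what actually has Log4j installed, is the hard one precisely because the library is usually buried inside application archives rather than installed as a package. The following scanner is an added example written for this article (it is not code from CISA, Apache or Syxsense) that walks a directory, opens every JAR/WAR/EAR/ZIP, recurses into archives nested inside them, reads the Maven `pom.properties` that log4j-core ships with to get its version, and checks for the `JndiLookup` class that the JNDI lookup feature lives in. An archive is reported as affected by CVE-2021-44228 when that class is present and the version is below 2.15.0 (the first release to address the flaw) or cannot be determined; which version you should actually upgrade to is whatever your vendor’s current advisory says. The sample WAR built at the bottom is a constructed fixture, not a real product artifact.

```python
"""Enumerate log4j-core copies inside JAR/WAR/EAR files (nested archives included)
and report whether each looks affected by CVE-2021-44228."""
import io
import re
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List, Optional

# Paths inside a real log4j-core jar; the class is where the JNDI lookup lives.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # first log4j-core release addressing CVE-2021-44228
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    location: str            # outer path, nested archives joined with "!"
    version: Optional[str]   # from pom.properties, None if it was not found
    jndi_lookup_present: bool

    @property
    def affected(self) -> bool:
        if not self.jndi_lookup_present:
            return False     # no JNDI lookup plugin in this archive
        if self.version is None:
            return True      # unknown version: treat as affected until verified
        return parse_version(self.version) < FIXED_VERSION


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '-beta9' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return (0, 0, 0)
    return tuple(int(g or 0) for g in m.groups())


def inspect_archive(data: bytes, location: str) -> Iterator[Finding]:
    """Yield a Finding for this archive if it looks like log4j-core, then recurse
    into any archive it bundles (e.g. WEB-INF/lib/*.jar inside a WAR)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        has_class = JNDI_LOOKUP_CLASS in names
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if has_class or version is not None:
            yield Finding(location, version, has_class)
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from inspect_archive(zf.read(name), f"{location}!{name}")


def scan_path(root: Path) -> List[Finding]:
    """Scan every archive below `root` (a deployment directory, for example)."""
    findings: List[Finding] = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_archive(p.read_bytes(), str(p)))
    return findings


def build_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed fixture: a minimal archive laid out like log4j-core."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"version={version}\ngroupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed fixture: an application archive bundling two log4j-core jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_sample_jar("2.14.1", True))
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", build_sample_jar("2.17.1", True))
    return buf.getvalue()


if __name__ == "__main__":
    # Run against the constructed WAR; swap in scan_path(Path("/opt/apps")) for a real tree.
    for f in inspect_archive(build_sample_war(), "app.war"):
        print(f"{f.location}: version={f.version} "
              f"jndi_lookup={f.jndi_lookup_present} affected={f.affected}")
```

Two design points matter in practice. Relying on the file name alone misses renamed or shaded copies, which is why the scanner reads the Maven metadata and looks for the class itself; and an archive with a version string but no `JndiLookup` class is reported but not flagged, since removing that class was the documented mitigation for systems that could not be patched immediately.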
Yes, Log4j may be difficult to patch. Yet patching remains the best defense against it. The UK’s National Cyber Security Centre (NCSC) made that fact quite clear. In an alert, it said:
“In the case of this vulnerability CVE-2021-44228, the most important aspect is to install the latest updates as soon as practicable.”
The good news is that the vendor community is responding rapidly to the threat. Vendors such as IBM, Cisco, and VMware have already released patches as many of their systems have been impacted by this bug. More vendors are releasing Log4j patches every day.
Start 2022 with the Best IT Security Strategy
This means that IT departments are likely to spend the early weeks of 2022 on extensive patching of enterprise systems as they get back to work.
To avoid becoming completely overwhelmed, they need the help of Syxsense. It will help them discover all impacted endpoints, test the released patches within three hours of receipt, and deploy them rapidly. Our automation features will save IT departments a great many hours, if not days.