Are You Taking the Right Precautions Against the Log4j Flaw?

By News


The number of attacks taking advantage of the Log4j zero-day flaw continues to grow. See the steps you should take to protect your business.

Some breaches are more serious than others, and the attack on the Log4j Java logging library is a doozy! Publicly disclosed in early December, this zero-day flaw is being exploited in a growing number of attacks.

The flaw, formally tracked as CVE-2021-44228, allows remote code execution on, and access to, servers that use the Java logging library. Unfortunately, many organizations are unaware that their enterprise systems use this library. They may hear the news and yet not realize it applies to them. Hence, the number of incursions has increased markedly in recent weeks despite heavy publicity.

While IT departments may be asleep at the wheel, hackers have been quick to jump on the Log4j bandwagon. In fact, some were already milking it for all it is worth only hours after it was publicly disclosed. Government sources said more than 100 attempts were made every minute utilizing the vulnerability. Cybersecurity firm Check Point believes that the flaw has been used in attempts to breach more than 40% of global networks.

Ubiquitous Java

What makes it so attractive is the ubiquitous nature of Java. Log4j, it turns out, is embedded in just about every Java-based product or web service out there, and that is a lot of software! Thus, it is far from easy to remediate manually.

Meanwhile, hackers are unleashing hell on vulnerable systems. Some deliver cryptomining malware. Others use it to steal usernames and passwords to enable them to access networks and systems.

To make matters worse, the public disclosure of the exploit a couple of weeks ago is no guarantee that exploitation of Log4j is a new phenomenon. How long have attacks been quietly using it to burrow into enterprise systems? No one knows as yet.

Government Panic

Government agencies are in a panic about Log4j. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), for example, ordered all civilian federal agencies to immediately patch this vulnerability as well as others, such as Zoho’s Desktop Central Authentication Bypass vulnerability, Fortinet’s FortiOS Arbitrary File Download vulnerability, and Realtek’s Jungle SDK Remote Code Execution vulnerability. CISA is working with multiple cybersecurity companies to shore up breached systems and protect other potential targets.

CISA Director Jen Easterly said this vulnerability poses a severe risk and noted it as being perhaps the most serious she has seen in her career. She urged enterprises to:

1. Enumerate any external facing devices that have Log4j installed.
2. Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
3. Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.

However, Log4j is deeply embedded in many Java-based systems and may be difficult to find. It is even used in Supervisory Control and Data Acquisition (SCADA) systems and historian systems used in many industrial and infrastructure systems. 
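The first of Easterly’s steps, enumerating what actually has Log4j installed, is the hard one precisely because the library is so deeply embedded. As an added example (this is not Syxsense’s code and not from the article), the following Python script inventories every copy of log4j-core under a directory tree on one host, recursing into WAR, EAR and fat-JAR archives so a copy buried in `WEB-INF/lib` is not missed. It reads the version from the `pom.properties` that log4j-core ships inside its JAR, treats Log4j 2.15.0 as the CVE-2021-44228 fix baseline (an assumption; use the version your vendor advisory names), and flags copies that carry `JndiLookup.class` but no Maven metadata for manual review. The sample archives it scans are constructed fixtures, built in a temporary directory so the script runs offline.

```python
"""Added example (not Syxsense code, not from the article): inventory every copy of
log4j-core under a directory tree, including copies nested inside WAR, EAR and
fat-JAR archives, and classify each against the CVE-2021-44228 fix baseline."""
import io
import os
import tempfile
import zipfile

# Maven metadata that log4j-core ships inside its own JAR; its version= line is authoritative.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class whose JNDI lookup CVE-2021-44228 abuses; present without pom metadata in shaded copies.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: Log4j 2.15.0 as the fix baseline. Use the version your vendor advisory names.
FIXED_VERSION = (2, 15, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-rc1' are dropped."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify(version, has_jndi_lookup):
    """Return 'vulnerable', 'patched', 'unknown-version', or None if log4j-core is absent."""
    if version is not None:
        return "vulnerable" if parse_version(version) < FIXED_VERSION else "patched"
    return "unknown-version" if has_jndi_lookup else None


def inspect_archive(zf, label):
    """Yield one finding per log4j-core copy in an open ZipFile, recursing into nested archives."""
    version, has_jndi = None, False
    for name in zf.namelist():
        if name == POM_PROPERTIES:
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        elif name == JNDI_LOOKUP_CLASS:
            has_jndi = True
        elif name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from inspect_archive(inner, f"{label}!{name}")
            except zipfile.BadZipFile:
                continue
    status = classify(version, has_jndi)
    if status is not None:
        yield {"path": label, "version": version, "status": status}


def scan_tree(root):
    """Walk a directory tree and return findings sorted by path (paths use '/' separators)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    label = os.path.relpath(path, root).replace(os.sep, "/")
                    findings.extend(inspect_archive(zf, label))
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda f: f["path"])


# Constructed fixtures so the scanner can be run offline (placeholder bytes, not real classes).
def _write_jar(target, version, include_jndi_lookup=True):
    with zipfile.ZipFile(target, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def build_demo_tree(root):
    """Toy deployment: loose JARs plus a WAR with log4j-core buried in WEB-INF/lib."""
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "webapps"))
    _write_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    _write_jar(os.path.join(root, "lib", "log4j-core-2.15.0.jar"), "2.15.0")
    _write_jar(os.path.join(root, "lib", "shaded-app.jar"), None)  # relocated copy, no metadata
    _write_jar(os.path.join(root, "lib", "unrelated.jar"), None, include_jndi_lookup=False)
    nested = io.BytesIO()
    _write_jar(nested, "2.13.3")
    with zipfile.ZipFile(os.path.join(root, "webapps", "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", nested.getvalue())


def demo_scan():
    """Build the toy tree in a temp directory and return what the scanner reports."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo_scan():
        print(f"{finding['status']:16} {finding['version'] or '?':8} {finding['path']}")
```

To use it on a real host, call `scan_tree()` on the application server or `/opt` directories instead of the fixture tree. It inspects archives only, so exploded classpath directories and Log4j 1.x are out of scope, and an `unknown-version` result means a human has to confirm which build is actually loaded.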

Patching Log4J

Yes, Log4J may be difficult to patch. Yet patching remains the best defense against it. The UK’s National Cyber Security Centre (NCSC) made that fact quite clear. In an alert, it said:

“In the case of this vulnerability CVE-2021-44228, the most important aspect is to install the latest updates as soon as practicable.”

The good news is that the vendor community is responding rapidly to the threat. Vendors such as IBM, Cisco, and VMware have already released patches as many of their systems have been impacted by this bug. More vendors are releasing Log4j patches every day.

Start 2022 with the Best IT Security Strategy

This means that IT departments are likely to be doing extensive patching of enterprise systems as they get back to work in 2022.

To avoid them becoming completely overwhelmed, they need the help of Syxsense. It will help them discover all impacted endpoints, test the released patches within three hours of receipt, and deploy them rapidly. Our automation features will save IT departments a great many hours, if not days.

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo

Ransomware Predictions for 2022

By News


In the IT world, a new year is the time to make predictions for the coming 12 months. How is ransomware looking to evolve in 2022?

The new year is traditionally a time to consider the future and set down new goals and directions for life. In the IT world, it is also a time to make predictions for the coming 12 months.

Let’s take a look at ransomware and how it is likely to evolve. What are the ransomware predictions for 2022?

1. More Ransomware

The European Union Agency for Cybersecurity’s latest ENISA Threat Landscape report saw a distinct rise in ransomware over the past year, and expects that trend to continue, and even accelerate in 2022. With a 150% rise in 2021, that doesn’t bode well for enterprises in the coming year.

2. More High-Profile Victims

2021 saw a series of high-profile victims of ransomware. These included Colonial Pipeline, Kronos, JBS, and Kaseya. SolarWinds could perhaps be added, but it began at the tail end of 2020.

This year expect an even longer list. Ransomware has become the primary security threat for businesses. Groups like DarkSide, REvil, and BlackMatter are not only terrorizing organizations, they are getting smarter and more organized.

According to an analysis by Kela, hacking groups have formulated the ideal U.S. victim:

  • Annual revenue of at least $100 million
  • Not from verticals such as education, government, healthcare or non-profits
  • Preferred access types are VPN, remote desktop protocol (RDP), and tools from Citrix, Palo Alto Networks, VMware, Fortinet, and Cisco.

Someone on the dark web can sell access to such companies for up to $100,000. That shows you just how lucrative this criminal enterprise can be. Expect an even longer ransomware “hall of shame” in 2022.

3. Ransomware Inc.

Ransomware has morphed from a few scruffy petty thieves operating from basement or attic apartments into a series of organized crime syndicates. Not only is there strength in numbers, there are economies of scale, as well as business advantages in developing a food chain and supply chain among cybercriminals.

These days, we have the lower levels pounding away via phishing emails and other scams, hoping to burrow into some juicy target. They, in turn, sell these leads and points of access to bigger fish and so it goes. There are even hacking development communities that create new viruses, trojans, and ransomware code. It’s getting sophisticated.

4. Multi-Vector Attacks

Yes, the bad guys want a ransom. But they have moved beyond being one-trick ponies. As well as demanding money, they threaten reputations by publicizing attacks, blackmail companies by threatening to expose corporate or personal dirty laundry, or sell stolen intellectual property (IP) to a competitor.

The smaller hackers and hacking groups will go after the small fish. But the more organized entities will target big fish and go after them in multiple ways.

5. Protection Money

Protection money used to be a simple thing. A couple of hoods would show up, and explain that your store could get robbed, or burned to the ground – that you needed protection. If you paid them, they could ensure those things didn’t happen to you. If you refused, they would beat you up, break some windows, or torch the premises – and then widely publicize the fact in the neighborhood to instill fear.

Those same tactics are now being expanded to the virtual world. Expect to hear more about organizations paying hacking groups to be left alone. If you don’t pay Luigi, the hacker, expect phishing to ramp up, ransomware demands to come thick and fast, and havoc to reign against the enterprise.

The Best Insurance

As these trends continue and accelerate, cyber-insurance is gaining momentum. But rates continue to climb. The best insurance against ransomware is to ensure that all systems and endpoints are adequately patched by Syxsense Secure.

Syxsense lets you easily manage unpatched vulnerabilities with the click of a button. It includes patch supersedence, patch roll back, and a wealth of automation features. In addition, it provides a three-hour turnaround for the testing and delivery of new patches as well as technology to send software and patches across the wire once, using peer-to-peer within the network for local distribution. It also incorporates vulnerability scanning to detect weaknesses that could lead to a ransomware attack if unmitigated.


Recent Attacks, Threats, and Breaches

By News


There are so many breaches and attacks these days, that it is hard to keep up. Here are a few of the recent highlights:

1. Panasonic Breach

Panasonic is the latest high-profile victim of cybercriminals. It released a statement that it had suffered a breach of its network and that some data had been accessed during an intrusion.

The company claims it contained the breach and enacted countermeasures successfully. But investigation of the leak is ongoing, and until completed, the full extent of the damage has yet to be known. Some outlets reported that the breach began in early Summer. If that is the case, we could soon be hearing more about how deeply hackers infiltrated Panasonic systems.

2. New Phishing Report

No matter how much phishing is reported and how much security awareness training is done, it seems there is always someone willing to click on a dubious link or attachment. Terranova Security’s 2021 Phishing Benchmark Global Report found:

  • 8% of those surveyed fail to spot nefarious emails.
  • Education, Finance and Insurance, and IT exhibited the highest click rates, all scoring over 25%.
  • Healthcare, Transport, and Consumer Products all kept their click rates under 10%.
  • Overall, more than 50% of initial clickers on phishing emails downloaded a malicious file.
  • IT had the highest click-to-download ratio across all industries, with 84% of those who clicked on the initial phishing link eventually downloading the malware file.
  • The United States fared better overall, with an 8.7% click rate and a 40.9% click-to-download rate.
  • Canada had a 14.1% click rate and a 59.8% click-to-download rate.
  • 8% of North American employees would fall victim to a phishing email if they were to receive one today.

3. Vulnerabilities Increase for Fifth Straight Year

The US-CERT Vulnerability Database announced that the USA set a new record of security vulnerabilities for 2021. This marks the fifth year in a row setting a new annual total. As of December 8, 2021, a total of 18,376 vulnerabilities were detected in production code.

The good news is that fewer high-severity vulnerabilities were found compared to 2020.

Conclusions Drawn

With high-profile companies continually being the subject of security breach headlines, phishing and ransomware on a definite increase, and the number of vulnerabilities rising, these are not happy times for the security space.

While there are many remedial actions that can and must be taken, the best defense is to prevent a breach from happening in the first place. The single most effective action that IT can take is to be diligent in installing patches. And that’s where Syxsense comes in.

Syxsense takes care of:

  • Patch distribution: sending the right patches to the right devices rapidly.
  • Patch supersedence: automatically ignoring older patches that are included as part of a newer release.
  • Eliminating network overload: if you push Microsoft Office patches out to 300 machines simultaneously, it can stall the network due to the quantity of data involved. Intelligent management platforms send the patch across the wire once to be shared peer-to-peer within the network.
  • Mobile devices returning to the office: the system detects their presence, quarantines the devices, checks for compliance, and remediates any issues before allowing them back onto the network.
  • Patch approval: some organizations require various points of approval before patches are released. Good management tools make it easy to set this up once and have it applied automatically as part of the patching process thereafter.
  • Audits: integrated management of vulnerability scanning and patch remediation simplifies the task of gathering information for audits via drag-and-drop capabilities.
  • Patch roll back: if a patch caused an issue, it should be a simple matter to roll it back without IT jumping through hoops.
  • Threat alerts: intelligent management sifts through enormous volumes of log entries and narrows threats down to the handful requiring urgent attention.