Private and public officials continue to scramble around the clock to address the Apache Log4j vulnerability since initial reports of the exposed code sent the cybersecurity world into turmoil last Friday.
This article provides an update on the government initiatives aimed at the Apache Log4j vulnerability, recent statistics showing the severity of attack attempts and the possibility of threat actors exploiting the vulnerability for future ransomware attacks.
As cyber and IT professionals continue to work endlessly to combat the Apache Log4j vulnerability, government officials are joining the fight by developing resources and partnering with industry experts and officials to address what is considered one of the worst security flaws of all time.
Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly held a phone briefing regarding the vulnerability, stressing its severity and scale.
“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” said Easterly. “The issue is an unauthenticated remote execution vulnerability that could allow an intruder to take over an affected device.”
CISA Information Security Specialist Jay Gazlay of the Vulnerability Management Office also commented that he estimates hundreds of millions of devices are now vulnerable to unauthenticated remote execution, which allows intruders to take them over.
CISA has joined several other agencies across the world, including Canada, New Zealand and the United Kingdom (UK), to develop dedicated webpages providing trusted resources for organizations to leverage. The CISA page is at www.cisa.gov/uscert/apache-log4j-vulnerability-guidance and provides real-time updates on the the Log4j vulnerability, including the alert below:
Apache released Log4j version 2.15.0 in a security update to address this vulnerability. However, in order for the vulnerability to be remediated in products and services that use affected versions of Log4j, the maintainers of those products and services must implement this security update. Users should refer to vendors for security updates.
Given the severity of the vulnerability and the likelihood of increased exploitation by sophisticated cyber threat actors, CISA urges vendors and users to take the following actions outlined.
Vendors
Affected Organizations
Actions for Organizations Running Products with Log4j
CISA recommends affected entities:
log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m.JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=True to the Java Virtual Machine command for starting your application. Note: this may impact the behavior of a system’s logging if it relies on Lookups for message formatting. Additionally, this mitigation will only work for versions 2.10 and above. Additionally, the UK National Cyber Security Centre (NCSC) created a sourced A-Z list on GitHub of all known affected software products marked with one of the defined statuses outlined below.
The list is available at https://github.com/NCSC-NL/log4shell/tree/main/software.
A recent report states that Log4j-related attacks accelerated throughout the past few days and, at points, researchers were witnessing more than 100 attacks per minute. The same report identified Chinese state-backed threat actors as some of the largest perpetrators, launching an estimated 840,000 attacks on companies since last Friday.
So what are attackers after? A large-scale vulnerability such as this provides endless motives for threat actors, including scanning systems to install malware, stealing user credentials and cryptojacking. Reports also confirm several botnets, including Mirai, Tsunami and Kinsing, are attempting to take advantage of the vulnerability.
Additionally, Microsoft has stated they are witnessing activity including credential theft, lateral movement and data exfiltration in a post to their Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation blog.
One positive note coming out of the updates is that there is no evidence of an active supply-chain attack (for now at least).
Unfortunately, the omnipresent nature of the vulnerability means the window for threat actors to gain access remains open. A number of organizations are still unsure if the vulnerability impacted them, and vendors are still scrambling for patches.
While data breaches are nothing new, the scale and scope of this flaw has many cybersecurity professionals extremely concerned. Director of Threat Intelligence and Research for Checkpoint Lotem Finkelstein commented on the potential long-term impact of the situation.
"I cannot overstate the seriousness of this threat. On the face of it, this is aimed at cryptominers, but we believe this creates just the sort of background noise that serious threat actors will try to exploit in order to attack a whole range of high-value targets such as banks, state security and critical infrastructure."
Shortly after the Log4j vulnerability took over the headlines, two major ransomware attacks hit global HR software provider Kronos and the Virginia State Legislature. As of the time this article was written, the timing is simply coincidental, with neither incident reporting connections with the Log4j vulnerability. However, that does not mean threat actors are not strategizing about how to exploit the vulnerability for ransomware attacks.
A large cybersecurity firm stated that they are seeing indicators of attackers exploiting Log4Shell to lay the groundwork for ransomware attacks. Microsoft’s threat intelligence teams also reported they are seeing Log4Shell exploited to install the popular cybercriminal tool Cobalt Strike, which is a regarded as a precursor to deploying ransomware.
Despite the speculation and recorded activity, no ransomware groups have pulled the trigger as of the time this article was written – however, our team will continue to monitor the potential ransomware threat as it develops.
Apache Log4j Government Resources
This article is a continuation of our Apache Log4j Vulnerability series, available at https://www.schneiderdowns.com/our-thoughts-on/category/cybersecurity. We encourage you to share our article with your network and reach out with any questions at [email protected].
Apache Log4j CISA Resources
Apache Log4j Web Resources
Related Articles
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].
In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe.
Learn about effective risk management practices Financial Services institutions can take for consumer protection. ...
Uncover the frequently asked questions surrounding managing your credit cards more effectively and harnessing their potential benefits. ...
We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.
Ask us
[email protected]
p:412.261.3644
f:412.261.4876
[email protected]
p:614.621.4060
f:614.621.4062
[email protected]
p:571.380.9003
