Log4j, Here To Stay
The Log4j vulnerability was publicly disclosed on 12/9/21. Although it’s been a few weeks, we continue to discover new things about this vulnerability every day. Even if you don’t use Java in your tech stack, you more than likely work with SaaS providers who have been impacted.
In our latest video blog, Professional Services Manager Michael Mallen gives his expert take on the vulnerability and how it will continue to cause more severe issues in the months to come.
Log4j 2 is an open-source Java logging library developed by the Apache Foundation. It is widely used in many applications and integrated as a dependency in many services. On December 9, 2021, a critical-severity, unauthenticated remote code execution vulnerability (CVE-2021-44228, aka “Log4Shell”) impacting multiple versions of the Apache Log4j utility was publicly disclosed.
In the wake of the vulnerability disclosure, financially motivated actors involved in cryptocurrency mining were among the first to exploit targets en masse. Data theft, ransomware deployment, and different types of extortion are sure to follow, as these actors are known to incorporate zero-day and one-day exploits into their operations rapidly.
As of the publish date of this blog post, we have uncovered evidence of exploitation by Chinese and Iranian state actors. Microsoft has observed exploitation by threat actors based in other countries. We expect threat actors from additional countries will exploit it shortly, if they haven’t already. In some cases, state-sponsored threat actors will work from a list of prioritized targets that existed long before this vulnerability was known. In other cases, they may conduct broad exploitation and then carry out further post-exploitation activities against targets as they are tasked to do so.
Due to the urgency of identifying and patching vulnerable applications and systems related to this vulnerability, on December 17, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) instituted Emergency Directive 22-02. This requires civilian federal agencies to identify and mitigate impacted assets by December 23, 2021, or remove them from agency networks.
To sum up, these types of vulnerabilities happen every couple of years and will continue to happen. Abacode’s managed services customers are protected from the Log4j flaw as follows: our Security Information and Event Management (SIEM) solutions, which are maintained with continuously updated threat feeds, are actively creating correlation rules to look for indicators of compromise (IOCs) related to the Log4j vulnerability. Any of these IOCs seen within the SIEM events will trigger alarms. As a result, our analysts will escalate as required in accordance with established client protocols.