You may have been made aware of a recently-uncovered vulnerability impacting a piece of open source software that is widely used by corporate networks, known as Log4J.
What is the Log4J Vulnerability? Why should I care?
The Log4J vulnerability requires immediate action for three reasons.
First, the vulnerability is a remote code execution flaw, rated with a severity score of 10 out of 10 (CVE-2021-44228). The exploit can be used to take full control of the vulnerable system, meaning that any system running Log4J version 2.0 to 2.14.1 as a dependency is basically presenting an unlocked front door to the network.
Second, the vulnerability is what’s called a Zero-Day vulnerability. Zero-Day flaws are those that defenders only become aware of after they have been exploited and observed “in the wild.”
Microsoft finds and patches vulnerabilities with severity ratings of 10 regularly, but these are discovered by Microsoft, patched and rolled out to most systems BEFORE hackers can take advantage of them.
Zero-Day attacks are normally more serious, but many of them are fairly obscure exploits of software that only a few networks rely on.
In this case, Apache Log4J is an open source software package used by some of the world’s most popular frameworks, including Apache Struts2, Solr, Druid and Swift. These frameworks power entire communities of software and networks.
How many exactly? IT firm Check Point estimates that in North America, roughly 45% of corporate networks run Log4J. One out of every two organizations is vulnerable (or was, if they have upgraded past Log4J 2.14.1 since December 9).
Cybersecurity firms the world over have reported hundreds of thousands of attempts to exploit the Log4j vulnerability in the week following the announcement.
CISA Director Jen Easterly put it this way: “To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”
How should small businesses protect themselves against Log4J exploits?
Responding to a Zero-Day exploit requires two main actions. The first is to audit all systems under your control for potential vulnerabilities.
If you do find any systems that use Log4J, then these systems need to be further scrutinized. Every instance between version 2.0 and 2.14.1 needs to be upgraded as soon as possible, quarantined, and tested for malware.
As of the writing of this blog on December 19, 2021, it appears that the majority of nefarious activity on this vulnerability is tied to crypto mining malware. While this is a place to start your search, a thorough scan for all malware kits and TTPs should be conducted.
The second action answers the primary question: now that we know the door was wide open, did anyone exploit the vulnerable system?
Patching Log4J does not impact any malware that an attacker has already set up. Once an exploit is used, hackers typically set up permanent backdoors into the system. They then use these backdoors to send sensitive information, passwords, etc. back to the hacker.
These must be sought out rigorously, a process that your security software/partner should make relatively straightforward.
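As an added example (not part of the original post or of any Platte River Networks tooling), here is a Python script for the audit step described above: it walks a directory tree, reads the version from each log4j-core jar's Maven metadata and flags those in the 2.0 to 2.14.1 range, and separately flags jars of unknown version that still carry the JndiLookup class so they can be reviewed by hand. The directory layout, jar names and the sample jars it builds are constructed for illustration.

```python
import tempfile
import zipfile
from pathlib import Path
# Range the post names as vulnerable (CVE-2021-44228): Log4j 2.0 through 2.14.1.
VULN_MIN, VULN_MAX = (2, 0), (2, 14, 1)
# Maven metadata inside log4j-core jars (carries the version) and the class behind
# the JNDI lookup; the class alone means "look closer", not "vulnerable".
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def is_vulnerable_version(version):
    """'2.14.1' or '2.0-beta9' -> int tuple (qualifier dropped), checked against the range."""
    v = tuple(int(p) for p in version.split("-")[0].split(".") if p.isdigit())
    return VULN_MIN <= v <= VULN_MAX

def inspect_jar(path):
    """Return (version or None, jndi_class_present) for one jar on disk."""
    with zipfile.ZipFile(path) as zf:
        names, version = set(zf.namelist()), None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_CLASS in names

def scan_tree(root):
    """Walk root; list jars needing attention as (path, version, reason)."""
    findings = []
    for jar in Path(root).rglob("*.jar"):
        try:
            version, jndi = inspect_jar(jar)
        except zipfile.BadZipFile:
            continue  # not really a jar; skip it
        if version and is_vulnerable_version(version):
            findings.append((str(jar), version, "log4j-core 2.0..2.14.1: upgrade"))
        elif version is None and jndi:
            findings.append((str(jar), None, "JndiLookup present, version unknown: review"))
    return findings

def make_sample_jar(path, version, with_jndi=True):  # constructed test jar, not real Log4j
    with zipfile.ZipFile(path, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes

def demo():
    """Scan a temp tree holding one vulnerable, one patched and one unlabelled jar."""
    root = Path(tempfile.mkdtemp())
    make_sample_jar(root / "log4j-core-2.14.1.jar", "2.14.1")
    make_sample_jar(root / "log4j-core-2.17.1.jar", "2.17.1")
    make_sample_jar(root / "shaded-app.jar", None)
    return sorted(f[2] for f in scan_tree(root))
```

Point `scan_tree` at an application or server directory to get the list of jars to upgrade or review; a jar with no Maven metadata (for example, a shaded application jar) is reported for manual review rather than judged by the script.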
Platte River Networks customers are protected from the Log4J vulnerability
We at Platte River Networks take great pride in our proactivity regarding potential threats, and this one is no exception.
At the current time, we are protected from this threat and are watching closely for any potential risk. We reviewed all customer servers and found no instances of this current threat.
We have worked closely with internal staff and external partners to ensure none of our systems are vulnerable to this exploit. We have also engaged our security partners, who will be monitoring this situation closely and will alert us should any threats arise.
We highly recommend using a premium security platform, such as our Security+ platform, which includes Sophos 24×7 Managed Threat and Response services.
Threats of this level are becoming increasingly common, and network security should be a priority, now and moving forward. Too many organizations have gone bankrupt already from network compromise.