Everything you need to know about the latest zero-day vulnerability: Log4j.
Preparations for the new year may include a renewed gym membership, plenty of books to read, and a resolution for a little less screen time. But for those in cybersecurity, that checklist grew a little longer with an unexpected internet-wide rush to patch against the widespread critical vulnerabilities in Log4j, to prevent future exploitation during the holiday season and beyond.
You can find last month’s edition of Bird’s Eye here, or get straight into the details of all you need to know about Log4j from our cybersecurity experts below:
Risk + Response Tips
Security tips and service updates from VP of Risk + Response Lauren Winchester
The Log4j zero-day vulnerabilities have taken the Internet by a storm over the last two weeks. Here’s the Bird’s Eye view of what’s happening:
- What is Log4j? Log4j is a software tool, written in Java, used by developers to track activities in their software applications or online services. This is known as logging. Essentially, if a developer wants to know what happened in an application, Log4j will facilitate the record of what happened in the application. This supports troubleshooting or understanding the general usage of the application. On December 9, 2021, a security researcher disclosed a critical vulnerability in Log4j (and two others have since been identified).
- Where is Log4j used? Log4j is open source software which means the code doesn’t require any special licenses for end users and developers to modify, use and distribute the software. In short, it’s free for everyone to use. Developers like this because they can use existing code instead of having to reinvent the wheel. Being that this is readily accessible, you are likely to find Log4j in a lot of software. Apple, Cisco and Minecraft, just to name a few, are vendors that had software that was reported to have been impacted.
- Why am I hearing so much about these vulnerabilities? So why are these particular vulnerabilities everywhere in the media? Unfortunately, these vulnerabilities are easy for attackers to scan for and exploit. When you couple the widespread use of Log4j, and the ease of exploitation of these vulnerabilities, it’s a perfect storm for attackers. When a hacker exploits the first vulnerability, it allows them to execute code on a remote system which can serve as an entry point into your environment. Attackers will also try to leave a backdoor into an organization’s system, allowing for re-entry at a later time to launch other attacks, like ransomware.
For more information on Log4j and how you can protect your organization, please review our article. And if you haven’t already, we strongly recommend deploying an endpoint detection and response (EDR) tool, to help you quickly identify and mitigate against attacks. Corvus offers a free 60 day trial for SentinelOne EDR.
Noteworthy trends in cybersecurity from Chief Information Security Officer Jason Rebholz
What have two zero-day vulnerabilities impacting millions of systems taught us this year? In the first half of 2021, we had the Microsoft Exchange zero-day that wreaked havoc on Microsoft shops. Not to be outdone, the second half of 2021 brought the Log4j zero-day that impacted an untold number of systems. Together, we can pull insights into how a zero-day vulnerability unfolds and how they apply to the trajectory of Log4j:
- Zero-day Scanning: In a “soft opening,” threat actors who’ve picked up on the zero-day before the knowledge is widespread get a jumpstart on scanning for vulnerable targets. This is the true definition of a zero-day vulnerability in that it is a vulnerability that is not publicly known. In the case of Log4j, this was a full week before the zero-day was made public. For some vulnerabilities, it could be hours, days, weeks, months, or even years before it is publicly known.
- Widespread Scanning: Once the zero-day vulnerability is publicly released, threat actors and security researchers dig in and create a working exploit code. That creates an arms race to exploitation, with widespread scanning of the Internet for vulnerable systems. Within 38 minutes of Log4j being publicly released, mass scanners began looking for vulnerable systems. While the widespread scanning continues, the initial sprint is focused without much variation in the scans.
- Evasive Scanning: As defenders catch up, defenses are implemented in the form of different technologies. This begins blocking the wide-spread scanning. Attackers shift to evasive scanning techniques to bypass the core defenses. This is the classic “cat and mouse” game between attackers and defenders. With Log4j, scanners began implementing different techniques to bypass filters in an attempt to reach the target systems.
- Attack Escalation: As defenders attempt to catch their breath, threat actors escalate their attacks to begin weaponing the exploit. Threat actors first shift from just identifying vulnerable systems to weaponizing it to install malware on vulnerable systems. Second, threat actors begin leveraging the payloads that were placed. This can be done by selling access to compromised systems to other cyber criminals or by exploiting the access themselves. For Log4j, we saw this occur with the installation of cryptominers, botnets, backdoors, and in some cases, the execution of ransomware. In the coming months, we expect to see enterprise wide ransomware events occurring as a result of the Log4j vulnerability as an initial point of compromise.
- Continuous Scanning: As with most things technology, after an initial burst of activity, things begin to die down but never go away. Log4j scans will continue, likely in perpetuity with vulnerable companies being impacted over the course of months, or possibly years.
For more on what is being referred to as “one of the greatest internet vulnerabilities in the last seven years,” and the next steps you need to take, read our full blog post here.
What to watch for this month.
Our Corvus Scan is a powerful asset that enables us to identify which policyholders are at risk for new vulnerabilities. You’ve probably already heard from us about the following if your organization is at risk, but we’ve gathered the monthly round-up of alerts and updates below:
SonicWall Secure Mobile Access (December ‘21)
On December 1, 2021, SonicWall issued an advisory addressing high and critical vulnerabilities in their SonicWall Secure Mobile Access (SMA) 100 series appliances. These vulnerabilities could allow an unauthorized user to gain complete control of the SMA 100 series appliances, which includes SMA 200, 210, 400, 410 and 500v products. SonicWall customers are encouraged to patch SMA 100 series products immediately. Read more on actionable steps for SonicWall Secure Mobile Access (SMA) 100 Series Customers here.
Log4j Zero Day Vulnerability (December ‘21)
On December 9, 2021, a security researcher disclosed a critical vulnerability in the popular Java–based logging package Log4j. The Log4j utility is commonly included in Java based third party software and multiple Apache web frameworks such as ApacheStruts2, Apache Solr, Apache Druid and Apache Flink. This vulnerability allows unauthenticated users to execute malicious commands on systems, and impacts a large number of web applications. A working exploit code is publicly available and threat actors are actively scanning and exploiting systems. Click here to learn more about the steps necessary to mitigate against a potential attack.
Confluence Vulnerability Advisory (December ‘21)
In September, Atlassian issued a security advisory for a vulnerability (CVE-2021-26084) affecting on-premise Confluence servers. The vulnerability allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. Although this vulnerability was initially disclosed in November, we are hearing from threat intelligence sources that ransomware groups are currently exploiting the vulnerability to encrypt Confluence servers. Find out more on the active exploit, as well as next steps for Confluence Server and Data Center customers here.