Give Your IT Teams Guidance and Time to Address Log4j Cybersecurity Issues Immediately

Dec/15/2021

Some of our customers take the Log4j situation seriously, and some ignore it. You or your organization might use products and services from Amazon, Apple, Cisco, Google, LinkedIn, VMware, and other affected organizations. Do not ignore the danger. Attackers are abandoning some of their old attack methods to exploit Log4j vulnerabilities because the attack is so easy, and the benefits are enormous.

Organizational leaders, please support your IT teams by providing them with time to address this risky situation. They’re addressing many end-of-the-year tasks, and dealing with this potential crisis might delay their progress.

The Microsoft Threat Intelligence Center (MSTIC) reports that foreign governments are actively exploiting the situation now. Nation-states can attack the government, military, businesses, and individual users throughout the country.

One of a bad actor’s top priorities is establishing remote access into networks, computers, and electronic devices. Once they gain access, attackers can dwell quietly in networks to evade detection.

The US Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal agencies to patch Log4j by Christmas Eve. That could be too late because attackers started exploiting the vulnerability in late November.

And, of course, ransomware attacks exploiting Log4j will be more successful than ever.

Steps your IT Professionals and software developers can consider taking:

See guidance from the US Cybersecurity and Infrastructure Security Agency (CISA) at https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance.

The Agency created and is updating an exhaustive list of affected software and tools at https://github.com/cisagov/log4j-affected-db. Review https://github.com/YfryTchsGD/Log4jAttackSurface too. That page lists well-known organizations including Amazon, Apple, Google, LinkedIn, and VMware. The great news is that highly qualified developers at those organizations started working on a fix immediately. The bad news is that attackers started developing exploits immediately too.

If your organization uses VMware, review their website to find guidance. An example page is https://blogs.vmware.com/cloud/2021/12/11/vmsa-2021-0028-log4j-what-you-need-to-know/.

Go to the Mitre.org page about CVE-2021-44228 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228 and look through the references to identify links to guidance from your firewall manufacturer or VPN provider, including Cisco and SonicWALL.

Search the web using the keywords Log4j or CVE-2021-44228 with the names of products and applications you use.

Know that your organization is NOT safe just because you don’t intentionally use open-source tools. Many commercial tools and services integrate Log4j. If your network connects to services or other organizations that use Log4j, then Log4j might be running on your clients too.

Block LDAP access if possible. Last week, we discovered LDAP open on the public side of a network, available to the whole world, at one of the organizations we’re auditing right now. We notified their highly qualified and experienced IT team leader, and they closed the port immediately. They explained, “We had used that some time ago for connecting LDAP to service now before using (an updated) service. I never went back to clean it up until (now).” Had we not discovered the problem, the port would still be open today. There is no shame in this for the IT Pro. Most executives have no idea of the deluge of information that falls on IT departments daily, and the team’s goal is to focus on fixing what is broken first. That kind of exposure can exist at any organization.

Move vulnerable servers into filtered subnets or VLANs to help wall them off from the rest of your network. Filter all traffic to allow only essential ports, protocols, sources, and destinations.

If you must expose LDAP, limit LDAP traffic to trusted endpoints only to help mitigate the risks.

If you have internally developed software or a website with active code, ask your developers to upgrade your Log4j library to the newest version ASAP. Apache released Log4j 2.15.0 on December 6, 2021.

Apache provides technical details to help protect against the Log4j exploits at https://logging.apache.org/log4j/2.x/security.html.

Search your providers’ sites for any references to Log4j or CVE-2021-44228.
Many providers are still in the process of evaluating their products.
Examples include:
Amazon: in the process of updating products
Cisco products: Search the web for keywords: Vulnerability in Apache Log4j Library Affecting Cisco Products
FortiGuard: Search the web for keywords: FortiGuard Apache log4j2 log messages substitution
Juniper Networks: Search the web for keywords: Juniper 2021-12 Out of Cycle Security Advisory
McAfee: Search the web for keywords: McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution
Okta: Search the web for keywords: Okta’s response to CVE-2021-44228 Log4Shell
Oracle: Search the web for keywords: Oracle Security Alert CVE-2021-44228
SolarWinds: Search the web for keywords: SolarWinds Apache Log4j Critical Vulnerability (CVE-2021-44228)
SonicWall: Email Security is affected, and perhaps other products. Search the web for keywords: SonicWall Apache Log4j Remote Code Execution Vulnerability Log4Shell CVE-2021-44228
Symantec: including Endpoint Protection Manager
VMware: heavily impacted, see https://www.vmware.com/security/advisories/VMSA-2021-0028.html
Ubiquiti: Search the web for keywords: Ubiquiti UniFi Network Application 6.5.54
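The steps above tell you to check your own software for Log4j and upgrade it, and warn that many tools bundle it without you knowing. The following scanner is an added example (not code from the original post or from any vendor named in it): it walks a directory tree, opens every JAR/WAR/EAR, recurses into nested archives such as Spring Boot fat JARs, reads the log4j-core version from the Maven pom.properties the library ships, and flags anything below the version the post names (the threshold is a constant you should raise to match current guidance). The make_sample_jar helper builds constructed test archives so the scanner can be exercised offline.

```python
import io, os, zipfile
from itertools import takewhile
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")
MIN_VERSION = (2, 15, 0)  # version named in the post; raise it to match current Apache/vendor guidance

def parse_version(text):
    parts = tuple(int("".join(takewhile(str.isdigit, p)) or 0) for p in text.split("."))  # '2.0-beta9' -> (2, 0)
    return (parts + (0, 0, 0))[:3]  # pad short forms so tuple comparison is safe

def inspect_jar(data, name="<bytes>"):
    """Inspect one archive given as bytes; recurses into nested JARs (fat and shaded builds)."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # not a valid archive (or a corrupt one): nothing to inspect
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:  # Maven metadata gives the exact log4j-core version
            lines = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            version = next((l.split("=", 1)[1].strip() for l in lines if l.startswith("version=")), "unknown")
            findings.append({"jar": name, "version": version, "jndi_lookup_present": JNDI_CLASS in names,
                             "needs_upgrade": parse_version(version) < MIN_VERSION})
        elif JNDI_CLASS in names:  # log4j-core classes shaded in without metadata: treat as needing review
            findings.append({"jar": name, "version": "unknown", "jndi_lookup_present": True, "needs_upgrade": True})
        for inner in sorted(n for n in names if n.endswith(ARCHIVES)):
            findings.extend(inspect_jar(zf.read(inner), f"{name}!{inner}"))
    return findings

def scan_tree(root):
    """Walk a directory tree and return findings for every JAR/WAR/EAR under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.endswith(ARCHIVES)):
            with open(os.path.join(dirpath, fn), "rb") as fh:
                findings.extend(inspect_jar(fh.read(), os.path.join(dirpath, fn)))
    return findings

def make_sample_jar(version, nested_in=None):
    """Constructed test data: a minimal log4j-core-like JAR, optionally wrapped inside an outer JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"#Generated by Maven\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    if nested_in is None:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(nested_in, buf.getvalue())  # e.g. "BOOT-INF/lib/log4j-core-2.14.1.jar"
    return outer.getvalue()
```

Run scan_tree against application, container and appliance filesystems; a hit with an unknown version means the classes were repackaged and the owning vendor's advisory is the authority on whether it is fixed.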

Kudos to these organizations and others addressing the issues related to Log4j.

Thank you for helping make the world a safer place to live and work!

More information for executives about Log4j:

Log4j could affect your firewalls, VPN, websites you access, your cloud providers, apps, and ultimately you. The safest stance is to assume attackers compromised your systems and behave accordingly. Don’t panic. There’s no way to predict how severe, or hopefully mild, the fallout will be at your organization.

Ask your IT team to watch for abnormal behavior on your websites, networks, and computers. IT teams can refer to the steps for IT professionals earlier in this message for technical suggestions to protect your organization.

Over the next several days, software and hardware vendors will release patches and updates to block the attack. But some attacks will succeed.

The Log4j vulnerability is so easy to exploit that it creates a massive problem, one that could plague e-commerce sites, cloud services, SaaS offerings, apps, and devices that use Apache’s Log4j for logging for a long time, until the affected servers, applications, and hardware are patched or replaced.

The potential impact increases exponentially because, if a consumer or business user uses a program to access a cloud service, there’s a good chance that Log4j is running in the client program or app on the customer’s computer, phone, or tablet. Until they install the patch from Microsoft, Minecraft gamers are vulnerable to attackers using the locally installed Minecraft program to compromise the user’s computer through something as simple as receiving a text message. The stakes get higher if a user’s or company’s banking software accesses a bank server running a vulnerable version of Log4j. The SolarWinds attack only affected some companies that ran the SolarWinds software on their networks. In this case, any company that uses any software or service that uses the Log4j logging tool from Apache is potentially susceptible to attackers running programs on its network.

Then there is the question of what attackers will do. Will they plant ransomware in businesses and governments worldwide and keep it dormant, dwelling inside networks, to launch future attacks? Will attackers take over computers and devices to create a botnet army, sometimes without the owner’s knowledge? Will attackers use their army of machines to launch Distributed Denial of Service (DDoS) attacks that flood other services with so much traffic that the targets shut down? In August, attackers launched a DDoS attack against Microsoft’s Azure cloud, blasting it with more than 2.4 Terabits per second of disruptive traffic intended to overload Microsoft’s cloud. Amazon’s AWS and Google experienced similar attacks.

Interestingly, a security company released a “vaccine” program for the Log4j vulnerability. The script uses the remote code execution attack to fix the problem. Some gray hat hackers launch unapproved “attacks” across the Internet designed to mitigate the security problem and block other attacks. The hackers provide a “public service” delivered by random individuals to unknowing organizations without permission. And there’s a valid concern that bad actors could modify the tool to launch malicious attacks.

Exploits against Log4j are still emerging. Attacks against Minecraft game users are in the news, but this potential crisis affects far more than video games. Hopefully, there is no significant fallout, but the potential is enormous.

Keep your network safe.