The Log4Shell Exploit Has Over 60 Mutations—Learn What to Do Next
It’s been a week since the Log4Shell exploit (tracked as CVE-2021-44228), was discovered. As expected, this actively exploited vulnerability in the widely used Apache Log4j Java-based logging library is impacting a staggering numbers of organizations, systems and services. Organizations such as SAP, Apple, Tesla, VM Ware, Cisco and many, many others have been scrambling to patch their software and roll-out patches to fix vulnerabilities in their products.
To give you an idea of how deeply your software, SaaS and app providers are impacted, Checkpoint found that there were over 60 mutations of the Log4Shell exploit in less than 24 hours and over 1.8 million attempts to exploit this vulnerability in the first few days following its announcement. SAP alone has already identified and released updates for 20 of their apps impacted by the Log4Shell exploit.
Due to the wide range of affected applications and the ease of exploitation, Log4Shell has already been dubbed “the worst computer vulnerability discovered in years.” It’s classified as a high severity threat with a wide range of applications that may be exploited and the large number of potential delivery mechanisms. To make matters even worse, Log4Shell requires very minimal skills to exploit this vulnerability. Let’s take a deeper look at the Log4Shell exploit, discuss patch and mitigation tips, and share how to reduce your risk of an attack through one of your suppliers or partners.
What is the Log4Shell Exploit?
Log4Shell is a very easily exploited Remote Code Execution (RCE) vulnerability which can allow an attacker to execute commands remotely on a targeted system to gain privileged access, deploy malware, move laterally to additional systems, and more. This vulnerability is in the Apache Log4j 2 Java-based logging library, which is widely used in on-premises software, cloud services, and web applications. There is publicly available exploit code and criminals are actively scanning for vulnerable systems. You should expect that this exploit and its impacts will likely continue to impact your software and suppliers well into the new year.
How Can an Attacker Use the Log4Shell Exploit?
Microsoft stated that they have observed multiple nation state actors from China, Iran, North Korea and Turkey using the Log4Shell exploit. Microsoft further reports that these groups are targeting a wide range of attacks from a “DNS service typically associated with texting activity to fingerprint systems.” Multiple sources are also seeing ransomware initial access brokers using this exploit to gather and sell initial access to environments. Criminals can use the Log4Shell exploit to:
- Gain full remote access to Internet-facing software and servers
- Steal data and other sensitive information
- Move laterally and gain access to systems throughout your network
- Install additional malware, add accounts or place backdoors in your network
- Detonate ransomware and hold your organization hostage.
What You Need to Do Next
Here is a checklist of next steps to protect your organization from the Log4Shell exploit:
- Immediately check and determine whether you are running software affected by the Log4Shell vulnerability. This includes Log4j versions 2.0-beta9 to 2.14.1, according to the CISA announcement which can be found here: https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
- Upgrade affected devices to the latest version of Log4j, if possible. See: https://logging.apache.org/log4j/2.x/download.html
- If you cannot update to the latest release, reduce exploitation attempts by following Apache’s instructions for “mitigation,” which can be found here: https://logging.apache.org/log4j/2.x/security.html
- Be alert for vendor updates and immediately install the patches. Log4j code is used in many commercial applications. Quickly update all impacted applications as soon as the vendor provides a patch.
- Carefully monitor and respond to all alerts relating to affected software and systems.
- Use a web application firewall such as Cloudflare that is configured to automatically update and block attacks related to this vulnerability.
- Configure your endpoint detection and IDS/IPS systems to detect suspicious activity
- Ensure that your backups are working properly and can’t be overwritten in case ransomware hits. Make sure to backup server configuration files in addition to data repositories.
- Search affected systems for indicators of unauthorized access or data exfiltration. If indicators of compromise are found, initiate your incident response procedures.
Check Your Suppliers
One of the difficult aspects of this type of breach is that hackers can use the Log4Shell exploit to access software providers and worm their way into hundreds of thousands of customer environments. How can you limit this exposure? Start by proactively reaching out to key suppliers such as software vendors and cloud providers to assess your risk and take action if needed. Here is a checklist of next steps to limit your supply chain risks:
- Prioritize your suppliers based on their access to your sensitive data and/or network resources. Identify suppliers that store or process sensitive data on your behalf, or which have a high degree of access to your IT resources and focus on following up with these organizations first.
- Ask your suppliers to confirm whether their software uses an affected version of Log4j. If so:
- Determine whether the supplier has updated to the latest version of Log4j, or if not, what their timeline is for updating.
- Evaluate the risk that your sensitive data and/or IT resources could have been impacted due to the vulnerability.
- Ask your suppliers if they are actively assessing risk due to their supply chain, and if so, whether any evidence of compromise has been identified (fourth- and even fifth- party risks are real and have led to many data breaches and cybersecurity incidents).
- Make sure to give your suppliers a deadline for responding, so that you can coordinate your own response and public relations efforts.
If you don’t already have supply chain security policies, download our supply chain security checklist for tips, or contact our team for help with vendor vetting or supply chain security advice and assessments. We can also provide software patch management audits and updates to help your team quickly close known Log4j and other security gaps.
LMG will continue to monitor the developing situation and provide updates as they become available. If you have any questions or suspect that your network may have been compromised, please contact us immediately for assistance.