The Log4j exploit is the latest major cybersecurity breach taking over the headlines. However, there is a lot of confusion surrounding this issue, and this exploit is far different and much more complex than most others. In this blog, our goal is to inform about the Apache log4j vulnerability and what everyone really needs to know.
What is log4j?
Apache Log4j, also called Log4shell is a free, open-source, Java-based logging library used in various consumer and enterprise applications, software, and websites to track their server activities. Log4j is also used within multiple operational technology (OT) and IT platforms and products. It was developed by the Apache Foundation and is written in Java coding language. Exploitation of Log4shell (CVE-2021-44228) is reported to have begun on or around December 1st, 2021. It’s important to understand that this vulnerability is not a data breach, it is a code breach. The Log4j library is full of existing code used in servers across the world to log server activities and performance information. The vulnerability is a remote code execution (RCE) that malicious actors use to write a line of code that the server itself logs as activities and triggers the exploit, often to install botnet malware, ransomware, and for cryptomining. It should be noted that this vulnerability is specific to log4j-core, and does not effect log4net, log4cxx, or other Apache Logging Services packages.
How does the exploit work?
The exploit is a remote code execution (RCE). Log4shell (CVE-2021-44228) was discovered on December 10th. Attackers write a line of malicious code that gets logged by CVE-2021-44228 (Log4j versions 2.0-beta9 to 2.14.1). This code can tell the server to do practically anything, like ordering it to upload botnet malware, allow remote access to the server, crytptomining, etc. After this, the affected server itself does the rest. Through this line of code, the exploit is triggered and the attacker can take full remote control of the server and its connected systems. CVE-2021-45046 is a vulnerability discovered on December 13th that allows malicious actors to cause RCE or a Denial-of-service (DOS). CVE-2021- 45105 is a vulnerability discovered on December 16th that allows malicious actors to cause a DOS or other effects in certain conditions. According to CISA (The Cybersecurity & Information Security Agency) Log4Shell and CVE-2021-45046 are being actively exploited. Apache has released upgrades for each affected package and Java in response. The upgrades have turned off a setting in the system that controls whether the logging systems sees data as code automatically.
Why is it dangerous?
This vulnerability is especially dangerous because of Log4j’s extensive use across OT and IT products, how easy Java script can be exploited, and because of how resource and time-intensive mitigating this issue is. Log4j is a free open-source logging package that has been downloaded by millions of users. The code is written in Java, a broadly used coding language. Meaning anyone with the ability to code with this language can potentially use the exploit. Java is used across countless OT and IT platforms. Log4j is a library of existing code used to log activities on any given server. When an operating system has a security breach, it targets the users of the browser. In log4j’s case, the target is the server, specifically any server using log4j. With Apache, the company behind log4j, being the most widely used web server, the attack surface is incredibly vast. The danger of the log4j exploit also comes from how simple it is to trigger. Players in the video game Minecraft were seen triggering the exploit within in-game chat. Even some Twitter users were able to trigger the exploit by changing their names to malicious lines of code. This presents a dangerous situation where malicious agents can take remote control of vulnerable systems and networks, including OT systems, websites, applications, and entire servers.
What can my organization do to mitigate the vulnerability?
This situation is still ongoing and will certainly continue in the coming months. The Cybersecurity & Information Security Agency (CISA) has released a vulnerability guide with information on affected products and vendor information and mitigation details. The guide is updated with new information as it is discovered. CISA and the FBI urge you to immediately upgrade to Log4j 2.17.0 (for Java 8), 2.12.3 (for Java 7), and 2.3.1 (for Java 6) and monitor the vulnerability guide for new updates. It will take quite some time for this exploit to be fully mitigated. While there is ultimately nothing you can do if a server is taken down due to the exploit, you can take the necessary steps to protect your devices and systems from any fallout. Enforcing cybersecurity etiquette and best practices within your organization will be key to protecting your network from exploit fallout.
It is vital that you review your organization’s incident response plan and be sure your employees are made aware of and educated on the exploit. Ensure that everyone is doing their part to stay alert and avoid phishing scams. If not done already, invest in a trusted antivirus platform and strong firewalls. Any sort of malware may be planted through the exploit. If your organization becomes a victim of ransomware due to the exploit, it is recommended that you do not pay the ransom right away. Follow your incident response plan, alert the appropriate personnel, and immediately contact your local FBI office.
The use of log4j in OT and IT assets is incredibly pervasive and widespread. Many of your OT and IT assets may use Log4j. CISA and other national cybersecurity agencies in various countries have released a joint cybersecurity advisory that provides guidance for organizations with OT and Industrial Control Systems (ICS) assets. The advisory recommends prioritzing the patching of IT devices, especially those with internet connectivity, as these devices such as laptops and mobile devices are especially vulnerable. If OT/ICS devices are not fully segmented from the IT environment, exploitation of the IT devices may put the OT/ICS devices at risk. OT/ICS assets that are segmented from the IT environment and aren’t connected to the internet are less susceptible to the exploit. The main step the advisory recommends for OT users and owners is to review their operational architecture and identify the vulnerability status against current products alerts and advisories. Implement the steps listed in the guide and use a risk-informed decision making process to apply the latest upgrades and patches to affected systems. If not already done, locate remote devices and control systems networks and isolate them from other business systems while ensuring they do not have internet connectivity. Reach out to your cybersecurity team or vendor for more information and for more assistance, and be sure to consult the cybersecurity advisory and follow the vulnerability guide closely as the situation evolves. United States-based organizations should report any compromises to CISA and the FBI.
*Julie Security engineering and security teams continue to actively work on the analysis and any actions to assist our customers as long as the Log4j exploit persists. We are helping our customers with systems health checks and identifying exploitation of the vulnerability on their servers. Please contact us if you require any further information or guidance on this issue.*