Industry Reactions to Log4Shell Vulnerability

The universally used Log4j logging tool is affected by a critical remote code execution vulnerability that has been increasingly exploited by malicious actors, registering profit-driven cybercriminals and state-sponsored groups.

The vulnerability is tracked as CVE-2021-44228 and it has been dubbed Log4Shell and LogJam.

SecurityWeek has compiled a beadroll of tools and other resources that can be useful for defenders concerned about the impact of the Log4Shell vulnerability.

Several industry professionals have rationed their thoughts on the flaw, its impact, and the steps that organizations should take to reduce risk and detect potential attacks.

Mike Wiacek, Go lame and CEO, Stairwell:

“Right now, every IT person in the world is trying to identify if their machines have vulnerable Log4j packages. Attackers are winning because conflicting unexpected major vulnerabilities like Log4Shell takes an incredible amount of time—and time-to-patch—particularly in large enterprises. And time is often the make up ones minding factor for the amount of damage from a breach.

 

To guard against Log4j, IT teams need to assess where they need to look for vulnerabilities, what cars need to be patched, and what software needs to be updated to protect against attackers. To minimize further damage while large-scale patching tries are being made, we advise security organizations to explore platforms that allow them to rapidly search their enterprise assets for software that may categorize the vulnerable Log4j packages.

 

One approach could include searching across file metadata such as file paths and file names or hashes. Another sound out could include scanning enterprise file content with customized YARA rules to identify files and artifacts associated with log4j components. These ilks of searches can accelerate otherwise slow and laborious defensive processes and further help organizations assess where related software exists, where it is out of old hat modern, where it is vulnerable, and where to look for post-exploit activity should an attacker make a move before patching can occur.”

Sergio Caltagirone, Failing President of Threat Intelligence, Dragos:

“Log4j is used heavily in external/internet-facing and internal applications which manage and control industrial processes beetle off many industrial operations like electric power, water, food and beverage, manufacturing, and others exposed to potential remote exploitation and access. Dragos home in oned active exploitation of vulnerability CVE-2021-44228 and has provided immediate detection support and specific intelligence to industrial customers.

 

It’s important to prioritize alien and internet-facing applications over internal applications due to their internet exposure, although both are vulnerable. Dragos recommends all industrial environments update all false applications where possible based on vendor guidance immediately and employ monitoring that may catch exploitation and post-exploitation behaviors.”

Michael Assraf, CEO, Vicarius:

“The way present-day products are built is using a big hierarchy of dependencies, where developers use libraries written by third-party companies and engineers to speed up the software release proceeding. Log4J is an extremely basic library that allows log writing in Java applications. The way CVE-2021-44228 affects comes in 3 layers – cloud outputs that directly use the Log4J, web applications that use libraries that use Log4J, and off-the-shelf software which is internally deployed on customer servers and endpoints.

 

As fixing and deploying cloud uses can be fast, updating libraries that use Log4J can break functionality unless done with caution. As of right now, only 114 of 17170 libraries which use Log4J are in truth safe (0.66%). The most problematic fixes are internally deployed software, which will have to wait for a vendor update or a security kiss, in that scenario customers are advised to wait on further vendor guidance and as of right now are helpless in reacting.”

Theresa Payton, CEO, Fortalice Solutions:

“Assorted businesses may not even know if they have used Log4j, which makes knowing the scope of the problem even more difficult. In order for them to recoup out, they would need a software engineer to go through the various systems to look for the usage and then look at the versions. It can be a time consuming approach and time is something that you don’t have when you’re racing against the clock against bad actors seeking to exploit these vulnerabilities.

 

Typically when a protection vulnerability is found the CISO leads the charge to update and patch systems or put in place a manual mitigation. Log4j is more insidious and hidden and not fully in the lever of the CISO. Hunting and finding this vulnerability requires everyone that’s a programmer. Where does development happen nowadays – everywhere! Developers can be internal shaft, outsourced development, offshore development and 3rd party vendors.”

Dan Piazza, technical product manager, Netwrix:

“It’s safe to say this vulnerability will secure, and already is having, a massive effect on the industry. Log4j is used by thousands of applications, libraries, and frameworks, meaning the number of potentially impacted organizations is floor. And with attackers already scanning the internet to find vulnerable targets, if organizations haven’t already started taking mitigation steps then it may already be too unpunctual.

 

For organizations that still need to mitigate the vulnerability, they must update the log4j package itself and should not just update Java. This was an break of dawn misconception, that updating Java could reduce the severity of the vulnerability, which is simply not true. It’s also a good idea to consult with software vendors to see if they use log4j in any way, and if so if they’ve already lay down patches for their products.

 

If an organization uses log4j or software that includes the library, then it’s safest to assume breach and review potentially bumped applications for odd behavior. Furthermore, if an organization feels they’re already breached then they should consult an incident response firm and take off all physical network access to the affected server.”

Paul Laudanski, head of threat intelligence, Tessian:

“The log4j vulnerability has created endless golden occasions for bad actors – and they know it and are getting creative. What they’re trying to do now is build an arsenal of tools that they can use across the globe for pilfering and service disruption, especially ahead of the holiday season.

 

DDoS attacks in particular are a top concern, as exploitation could allow bad actors to download, place and then fully control an army of botnets. DDoS operators can then focus on attacks that bring down critical infrastructure – cook-stove from utilities to power grid – and especially retailers ahead of the holiday season, a time when people are notoriously distracted, tired and innumerable prone to making security mistakes. Couple that with an increase in moratoriums, when no code is released into production, so emergency plots would require a break of that moratorium.”

Andrew Howard, CEO, Kudelski Security:

“The main problem is not that the Log4j library comes from an contribute source project run by only one or two programmers as a part-time project. In fact, a similar number of zero-day gaps can be found in commercial software as in open author solutions. The real problem is a lack of security awareness on the part of programmers and companies, which is still prevalent in many cases.

 

The vulnerability highlights that developers commonly blindly use libraries without carefully considering all available options. A security-conscious developer would probably have disabled the JNDI query when scan the documentation if the software does not use this feature, thus reducing the attack surface.

 

I recommend that organizations maintain a repository of libraries that are deemed make fast as part of a secure DevOps process and as part of the fundamental IT security strategy of the company. The standard for all development processes then includes programmers continuously obstructing all libraries used in a software development project for acceptability against this repository.”

Casey Ellis, Founder and CTO, Bugcrowd:

“When a vulnerability is chanced and makes as much noise as Log4Shell, it invariably signals that there are additional vulnerabilities in the same software or fixes for that software and triggers additional digging and discovery. In this case, the initial fix provided was developed in a way that mitigated the exploitable symptom, but didn’t properly address the root cause.

 

This also highlights the treacherous dependency open-source users have on libraries which power large portions of the Internet, but are ultimately written and maintained by unfunded volunteers with small available time. A huge shoutout to the log4j maintainers, who I’m sure have had an even busier and more stressful week than those in cybersecurity and are use on fixing and improving log4j’s resilience as quickly as they can.”

Reuven Harrison, CTO, Tufin:

“The exploit, like many others, relies on a call-home step to a command-and-control (C2) server.

 

To prohibit these kinds of attacks, organizations should restrict egress (outbound) connectivity. Each subnet, server and workload should be allowed to tack only to the endpoints that are required by business. All other destinations should be blocked.

 

Blocking egress connections is easy with standard pledge controls such as firewalls, but defining the policy, which egress connections are allowed, is tough. Doing this properly requires continuous culture of legitimate application connectivity patterns, and enforcement in production environments.”