The latest threat to vulnerable systems is providing hackers with new opportunities for ransomware attacks.
UNIFY Solutions urges anyone who uses the Log4j/log4shell Java open-source logging library to update their systems to the latest version or apply mitigation immediately.
The log4j/log4shell vulnerability will be staying with us for a long time to come. Discovering systems that might be vulnerable using the java opensource logging library will be a challenge by itself, as will patching the systems.
Don’t use Java? Don’t be complacent and think you’re not exposed. It is still highly likely that at least one of your SaaS vendors/cloud hosting providers/webserver providers do.
Hackers are already actively searching the internet for vulnerable systems and quickly exploiting this vulnerability, and authorities are warning that ransomware attacks using this method are likely.
The popular gaming platform Minecraft was the first to be breached through the vulnerability; cybercriminals entered malicious text into a game chat window which allowed malicious players to take control of another player’s PC while playing on a Minecraft server.
We’ve seen the type of damage that can be wrought through flaws in open-source software like Apache before: the devastating 2017 breach of credit bureau Equifax – which saw the personal data of 148 million Americans and 15 million Britons compromised. This attack was perpetrated through a flaw in Apache Struts.
The following organisations have posted mitigation approaches to limit the exposure against this vulnerability on any system that uses Log4J:
Businesses are urged to update to the latest version of Log4Shell as soon as possible and use threat vulnerability management solutions to identify services/servers that might be vulnerable.
What is CVE-2021-44228, aka Log4j/Log4shell?
Apache Log4j2 beta9 through .12.1 and 2.13.0, are vulnerable to a remote code execution vulnerability. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
What systems are affected?
Systems and services that use the Java logging library, Apache log4j between versions 2.0-beta9 and 2.14.1 are affected.
How can I update or mitigate against the vulnerability?
The Apache Foundation has issued log4j version 2.16.0, which is not vulnerable to Log4Shell by default, according to the Australian Centre for Cyber Security.
Focus on patching these systems. The only solid mitigation would be to remove the device/server from the internet, but additional information can be found here.
UNIFY Solutions recommends the following steps in addressing the log4j/log4shell vulnerability:
- Invest or extend your management tools to help discover EVERY app, website, and system you own/use that talks to the internet. Including self-hosted installs of vendor products and cloud-based services.
Microsoft Defender for Cloud & Defender for Cloud Apps, combined with Defender For Endpoint and Microsoft Sentinel, are tools that will help you discover all these apps, websites and systems.
Focus on internet-facing systems that contain sensitive data and secrets and focus on older “legacy” vendors.
Once you finish assessing your hosted apps and vendor systems, move on to endpoint applications. Java-based apps like WebEx, Minecraft, JetBrains IDEs, Citrix, Filezilla FTP are all vulnerable. You need to patch, patch, patch. If no patch is available, uninstall.
Once you’re done with endpoint apps, make sure all your work-from-home staff update their personal devices and home routers.
Has UNIFY Solutions been impacted by CVE-2021-44228, aka log4j/log4Shell?
Like most companies globally, UNIFY has reviewed its systems since we became aware of the vulnerability. None of our products use Log4j, so they are not impacted by this vulnerability. We are working closely with the Government, our suppliers and industry partners to ensure co-ordination and management of any mitigation, should it be required.
I’m running Azure Sentinel. Can it detect log4j/log4shell?
Yes, for all UNIFYSecure clients, we have already enabled the detection. Microsoft has published an article on this.
For more, read Microsoft’s Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation.
I’m running Defender for the cloud. Can it find machines affected by log4J?
Yes, Microsoft has released an article detailing the steps, which can be found here; for all UNIFYSecure clients, we’ll be assisting in enabling the discovery.