Within a matter of days, the vulnerability in Log4j (versions 2.0 to 2.14.1), the widely used Java logging library, sent shockwaves through the corridors of businesses from the boardroom to the data center. The zero-day vulnerability known as “Log4Shell” (CVE-2021-44228) is concerning on a number of fronts that differ from previous high-profile attacks.
The sheer scope is incredibly disconcerting, as it impacts the majority of Java-based enterprise apps and servers. “Log4Shell” is, in essence, a shortcut along the cyber kill chain, providing a fast track to the exploitation phase. It accelerates an attacker’s journey, providing unfettered access to roam freely while allowing them to unload a variety of malicious payloads.
In short, this is a nasty incident, more so because of its far-reaching scope than its sophistication, and its effectiveness is being realized more and more as each minute and hour passes. There have already been debilitating ransomware attacks against large enterprises, subversive crypto mining, and password compromises that enabled lateral movement and damaging data exfiltration.
While “Log4Shell” will undoubtedly continue to reverberate, it reveals two fundamental truths. Firstly, it highlights the importance of diligence in maintaining proper system updates and rigorous patching. Secondly, it reinforces the importance of securing the IT supply chain and emphasizes the significance of fully grasping how various systems are intertwined, potentially leaving networks susceptible.
Since the revelation of the zero-day, Armor’s vulnerability scanners have been actively detecting “Log4Shell” and rules have been deployed through our intrusion detection system to alert our SOC and customers of malicious activities. This enables our threat team to automatically notify customers of attempts against specific applications and respond accordingly.
This is no doubt a tumultuous time but is also an opportunity for introspection to better understand how security posture can be improved to thwart future occurrences. We will continue to remain on high alert as “Log4Shell” continues to proliferate and will provide any necessary updates to ensure that Armor’s customers are both informed and protected.
Armor’s “Log4Shell” Snapshot:
- Details: “Log4Shell” is a zero-day vulnerability identified in Log4j (versions 2.0 to 2.14.1) that allows remote threat actors to execute code on host servers.
- Response: Armor’s platform is not vulnerable to “Log4Shell”, and we are continuing to take action to detect and respond to the threat in our customers’ environments. Our platform is automatically alerting customers if attack attempts have been made.
- Recommendation: Customers should upgrade affected Log4j installations to version 2.16.0 or later, monitor the Armor Management Portal (AMP) for active “Log4Shell” security incident notifications, and apply patches when applicable.
- Going Forward: Customers should closely monitor for new “Log4Shell” patches and remain vigilant in applying them as soon as possible. In addition, they should upgrade to log4j-2.1.50.rc2+ if the log4j library is used internally.
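As an added example that is not part of the original post or of Armor’s tooling, the following Python script inventories log4j-core JARs and classifies each one against the version ranges named above (2.0 to 2.14.1 affected, 2.16.0 or later recommended). It assumes standard Maven-built JARs whose file names start with `log4j-core` and whose `META-INF/MANIFEST.MF` carries an `Implementation-Version` entry; the sample JARs it builds are constructed in memory for illustration.

```python
"""Inventory log4j-core JARs and flag the Log4Shell-affected version range."""
import io
import re
import zipfile
from pathlib import Path

AFFECTED_MIN = (2, 0, 0)       # first affected release named in the advisory
AFFECTED_MAX = (2, 14, 1)      # last affected release named in the advisory
RECOMMENDED_MIN = (2, 16, 0)   # upgrade target recommended in the advisory

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Turn '2.14.1', '2.16.0' or '2.0-beta9' into a comparable tuple (None if unparseable)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def version_from_jar(data):
    """Read Implementation-Version from META-INF/MANIFEST.MF of a JAR held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return None
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None

def classify(version):
    """Map a version tuple to a remediation status using the advisory's ranges."""
    if version is None:
        return "unknown"            # no manifest version: inspect by hand
    if version < AFFECTED_MIN:
        return "pre-2.0"            # outside the CVE-2021-44228 range
    if version <= AFFECTED_MAX:
        return "vulnerable"         # 2.0 .. 2.14.1: patch immediately
    if version < RECOMMENDED_MIN:
        return "below-recommended"  # e.g. 2.15.0: upgrade to 2.16.0+
    return "ok"

def build_sample_jar(version):
    """Constructed sample: a minimal JAR whose manifest carries the given version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return buf.getvalue()

def scan_jars(jars):
    """Classify a mapping of {name: jar bytes}; returns {name: status}."""
    return {name: classify(version_from_jar(data)) for name, data in jars.items()}

def scan_tree(root):
    """Walk a directory and classify every log4j-core*.jar found under it."""
    return scan_jars({str(p): p.read_bytes() for p in Path(root).rglob("log4j-core*.jar")})
```

Run `scan_tree("/opt")` (or any deployment root) to get a per-JAR status map; anything reported as `vulnerable` or `below-recommended` needs the upgrade described above, and `unknown` entries should be checked manually.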
If you have any questions or concerns, feel free to reach out to customer support.