Log4j Is Still Causing Havoc: What We Learned From Log4Shell
If you knew you were at risk for diabetes or cancer, you’d take all the necessary precautions to avoid or delay onset. You’d go for routine checkups and tests to ensure that if signs of the disease appear, you could catch it early, treat it, and hopefully avoid a deadly outcome.
A company’s cybersecurity health is much the same. If you’re at risk of an attack – which should be the default mentality for every security professional every day – you’d proactively take steps to secure your environment. At the very least, that would include proactive measures such as constant monitoring, patching, and raising cyber awareness.
A set-it-and-forget-it mentality could have devastating or deadly consequences in both situations. One clean scan or test doesn’t mean you’re in the clear forever; Simply because a business hasn’t been an early target of a major attack doesn’t mean it won’t fall victim to that attack in the future.
It ain’t over till it’s over
The CYREBRO team has often seen SMBs lulled into a false sense of security when a new threat is publicized, and only massive enterprise companies are named as the victims. A frenzy ensues, and experts rush to develop and release a patch. Large security teams can address those vulnerabilities quickly by reallocating resources and deploying those patches almost immediately. SMBs, however, often mistakenly believe they aren’t a valuable enough target, so patching gets pushed to the back burner even though teams know unpatched systems are an ideal and common entry point for threat actors.
At some point, the news cycle moves on, the fanfare dies down, and teams focus on other activities, forgetting the attacks that just occurred. That’s the exact moment hackers wait for and the time they will strike.
We only have to look back at the past 12 months and the Log4j disaster to see this pattern in action. Although patches were available within days of the vulnerability’s discovery, the fact that Log4j is embedded, sometimes very deeply, into thousands of systems made it nearly impossible to find and patch every existence. That means that even a year ago, security experts should have understood that this pervasive vulnerability would be a long-term problem with consequences extending years into the future.
The Log4j trail of destruction
During the last week of November 2021, Alibaba’s cloud security team discovered a vulnerability in the widely used Apache Log4j Java-based logging library that allowed unauthenticated remote code execution (RCE) and a complete system takeover.
Here’s a closer look at the attack timeline:
December 10: A proof-of-concept was published on GitHub, and hackers sprang into action, scanning the Internet for vulnerable systems. The bug became known as Log4Shell and was tracked as CVE-2021-44228, earning a 10 out of 10 on the CVSS vulnerability scale and making it one of the most dangerous known threats. The UK’s National Cyber Security Centre (NCSC) published an alert about the vulnerability.
December 11-13: Apache quickly released Log4j 2.15.0, which contained a fix for the issue. The US Cybersecurity and Infrastructure Security Agency (CISA) publicly urged companies to take immediate steps to mitigate the issue.
December 14-17: Two more Log4j vulnerabilities were detected, and subsequent patches were released. By December 17th, the situation was looking grave; the TellYouThePass ransomware had been revived and distributed using the exploit, the Khonsari ransomware was used to target Minecraft servers, and the Conti gang gained access to VMware vCenter servers.
December 20: Threat actors were already exploiting Log4j to install Dridex and Meterpreter. That same day, Wiz and EY released a report stating that of the 200 enterprise cloud environments, 93% were at risk, and companies had only patched 45% of vulnerable resources.
January 10: Microsoft announced that attackers had begun exploiting the Log4j vulnerability in internet-facing systems running VMware Horizon a week earlier and that a China-based group had deployed the NightSky ransomware.
Over the next few months, headlines continued to pepper the Internet, pointing to new and ongoing attacks from state-sponsored threat actors. By the summer, news of the Log4j exploit had quieted down even though the threat persisted and was dubbed an endemic vulnerability by DHS’s Cyber Safety Review Board (CSRB). That was the calm before the (second) storm.
Iranian threat actors attack US federal agency
Log4Shell was thrust back into the spotlight in mid-November when the FBI and CISA announced that Iranian-backed threat actors exploited the vulnerability and hacked into the Federal Civilian Executive Branch (FCEB) via an unpatched VMware Horizon server. The group deployed the crypto-mining software XMRig and “moved laterally to domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on serval hosts to maintain persistence.”
This news came as quite a shock since federal agencies were ordered to patch any Log4j vulnerabilities in December 2021, and government agencies continued to issue warnings throughout 2022. The FTC even threatened to take legal action against companies that didn’t properly patch systems.
This recent incident shows that no entity is safe from an attack; even organizations with extensive cybersecurity teams and protocols can become victims if they take their eyes off the ball for just a minute. It also underscores the earlier point that a ‘one and done’ mindset for security is a recipe for disaster.
Every company is a target
In today’s hyper-connected, technology-dependent world, no company should ever believe they are 100% secure. That is a dangerous and unrealistic fantasy that will breed negligence. Taking a foot off the security gas pedal for even a second is equivalent to handing hackers an invitation to an IT environment.
Hackers are like lions. They are predators that patiently stalk their prey, waiting for it to lose focus and let down its guard, creating the perfect opportunity to pounce. Threat actors, like predators, know what tactics work and rely on proven attack methods.
Since most attacks exploit known vulnerabilities, hackers do not need to reinvent the wheel, particularly when so many companies knowingly leave themselves vulnerable. If teams lack the necessary bandwidth to handle the constant work in-house, it’s imperative for them to partner with a security company. That’s why CYREBRO scans and evaluates every investigation’s attributes by leveraging countless external and internal knowledge sources and analyzers, an automated task that SMBs cannot achieve otherwise. Identifying malicious attributes from known threats is invaluable knowledge that amounts to additional and powerful layers of offense and defense.
Avoid being named in the next news story
The Log4j attacks stunned the security community. It was all anyone could talk about for months, but memories are short-lived, and that’s exactly what hackers hope for. Hackers launched a fresh round of attacks as soon as the chatter died down and threats became less frequent, as we all knew it would but so did they.
Security teams need to be vigilant and stringent with their security practices. They must work methodically to close organizational visibility gaps, patch systems, and take other steps to strengthen security postures. Businesses that aren’t laser-focused on security at all times are bound to be the subject of the next news cycle.