What is Log4j?
Log4j is an open-source logging framework developers use to record activity within an application by logging security and performance information. The software, written in Java programming language, runs across many platforms including macOS, Windows, and Linux and touches a vast array of organizations, services and products.
The Log4J code is seemingly woven into the very fabric of the digital world, from consumer and enterprise services to websites and applications, and on to the operational technology products that monitor critical infrastructure (like power generation and food production) and which controls robots in industrial processes and manufacturing. Managed by volunteers in the Apache Software Foundation, Log4J powers everything from web cams to car navigation systems to medical devices, and it really is virtually everywhere: Twitter, Amazon, Microsoft, Minecraft, to name but a tiny few.
What is the Log4j / Log4shell vulnerability and how does it work?
The vulnerability offers something like a skeleton key to controlling the myriad systems operating on Log4J. The vulnerability allows a malicious actor to perform a remote code execution (CVE-2021-44228) attack on an affected platform, which ultimately lets users write code to execute whatever command they like and take control of those systems. It’s an easy exploit to execute; hackers just write in a malicious piece of code through the vulnerability, wait for it to get logged, and then enjoy control over that system.
Infosec teams at federal, state, and corporate levels are scurrying to patch the vulnerability and shut all the open doors through which hackers have entered. The first Apache patch, version 2.15, was followed by 2.16 and then 2.17, which protects against a denial of service attack, in which hackers block authorized users’ access to their network. Make sure you're always updated to the latest version to gain the latest protections!
The cybersecurity and infrastructure security agency, CISA, has ordered federal civilian agencies to apply patches before Christmas. Meanwhile, juggernaut tech companies like IBM, Cisco and VMware are burning the midnight oil to fix Log4j vulnerabilities in their products. The security flaw is rare for the outsized threat it poses compared to the rudimentary skills required to exploit it.
Is Hoxhunt affected?
The Hoxhunt platform is not impacted by the vulnerability. Hoxhunt services do not include any technology vulnerable to the Log4j (CVE-2021-44228) vulnerability. Some of Hoxhunt’s subcontractors do use Log4j, but based on our analysis and their response so far, they don’t use it in a way that would affect Hoxhunt
Are we safe? No, not yet.
We are in the detection and response phase of this massive attack. Cybersecurity teams are racing to detect what systems have been compromised and for how long, in order to calibrate their response. The vulnerability was reported to Apache by Chinese retail platform, Alibaba on Nov. 24, and the first patch was released two weeks later. But it’s unknown which organizations and which systems have been affected (here’s an ongoing list), how long attackers were able to creep around unseen, and what their ultimate intentions are. As of the winter holidays season, 2021-2022, we are bracing for the worst that’s sure to come.
It is expected that the Log4j hacking will come in waves. The initial hacks have involved cryptominers deploying malware into compromised systems to use them for the resource-intensive enterprise of mining cryptocurrency. But it’s known that state-sponsored hackers are involved in this attack, and extortion and ransomware attacks are anticipated in the next wave of attacks.
Forrester provides a freaky insight into the fact that Alibaba, as a Chinese company, was legally required to first disclose the vulnerability to the Chinese government, a hostile cyber adversary to the United States, before reporting the vulnerability to Apache in November. Basically, China at the state level had an unknown amount of time to figure out ways to exploit Log4J before it was even reported to Apache and the world. Yikes.
7 tips to protect your organization from the Log4j vulnerability
There is very little that end users can do to help defend against the Log4j threat. But infosec teams are likely to have their hands full in the coming weeks protecting themselves and their customers. Here are a few guidelines to protecting your systems from attack.
Apache Log4j immediately to the most recent version, which as of this writing is 2.17. As with all software updates, this version patches the known vulnerabilities hackers are using for their attacks.
Web application firewall (WAF) rules immediately to block malicious traffic attempting to exploit the vulnerability.
There are multiple detection tools you can use to find out if you’ve been compromised, such as Microsoft 365 Defender and a new Microsoft Sentinel solution added to Content Hub that provides a central place to install Sentinel specific content to monitor, detect, and investigate signals related to exploitation of the CVE-2021-44228 vulnerability.
Microsoft Azure Firewall Premium offers enhanced projection from Log4j RCE CVE-2021-44228 vulnerability and exploit. Likewise, Amazon AWS customers can use AWS Web Application Firewall to help protect themselves and limit exposure.
Your crown jewels with vendor relationship management. Identify critical, high-risk software for, e.g. customer and financial data and IP. Figure out which vendors associated with the protection and management of your critical assets. Together, prioritize a patching and testing schedule that will protect that data.
Must alert all end users of affected Log4J products and persuade them to update to the latest version ASAP.
Forrester provides a nice list of resources for detection and response:
- Methods to test your applications for the vulnerability from Thinkst Canary and Huntress Labs
- List of IPs to block by the Crowdsec community
- A very comprehensive list of YARA rules, SIGMA, hashes, Suricata, Snort, payload lists, etc. in this thread
- Remediations and mitigations scaled by difficulty in this reference guide
And finally: Laugh
The one upside to Log4j has been the epic rush of memes. With all the uncertainty and chaos surrounding the Log4j fiasco, seek out some good ol gallows humor where you can to relieve the stress and cope with the emergency. Here are a couple Hoxhunt memes courtesy of Hoxhunt's own Art Director, Rosanna Salminen keep up your holiday spirit.
How the Log4j vulnerability stole Christmas... from the infosec community