Advisory January 22, 2022

Dealing With the Fallout of the Log4j Vulnerability

Apache’s Log4j has been the target of one of the most significant cyber incidents in recent memory. If businesses are still unaware of the vulnerability, then the chances are that it is already too late. Simply put, Log4j is a piece of software, specific versions of which contain the vulnerability. Apache’s software is primarily used as a logging framework, which means developers can monitor or log digital events on a server. Internal teams can subsequently review those logs for typical operation or abnormal behavior.

Software should safeguard against data coming from untrusted users online. Still, the flaw allowed unauthorized users to gain an initial foothold in an organization. This gives unauthorized access to sensitive data and even lets attackers manipulate the server’s settings. If left unpatched, attackers could use this vulnerability to take over server applications and connected devices and to infiltrate enterprise networks. There are already reports that malware, ransomware, and other automated threats are actively exploiting this vulnerability. Practically every facet of the enterprise is affected, from datasets to AI.

Who Could Have Been Behind the Log4j Attack?

Opportunistic cybercriminals scanned businesses for the shell vulnerability. Researchers initially disclosed the flaw to the Apache foundation as early as the 24th of November, although it seems that it was already being exploited before the exposure became widely known. Indeed, many threat actors have taken advantage of this simple exploit. Researchers have linked high-profile actors from Iran, North Korea, and Turkey to the initial vulnerability exploitation. More recently, we have seen various groups of cybercriminals working together, collaborating to leverage this vulnerability. Because of the ubiquity of Apache’s software and the relative ease of the vulnerability’s exploitation, practically every bad actor, from script kiddies to nation-state-funded cybergangs, has taken advantage of it. This gives them an initial foothold within an organization, which they then exploit for monetary gain.

Was the Log4j Vulnerability the Victim of Irresponsible Disclosure?

While responsible disclosure is a key concept of cybersecurity, the amount of press coverage that this vulnerability received was detrimental. One could argue that the news coverage surrounding the Log4j incident led to more cybercriminals taking advantage of it. Despite it being a relatively simple vulnerability, the constant reporting brought it to the forefront of media attention. Where businesses weren’t quick enough to patch the vulnerability, the coverage alerted cybercriminals and gave them an advantage.

Even responsible disclosure has risks. Apache released a patch after a proof of concept for exploiting this vulnerability appeared; however, that proof of concept was already in the public domain. Actors around the globe started scanning networks for vulnerable systems to exploit. As soon as the press covered the technical detail, malicious actors started exploiting it even more.

How Can Obrela Security Industries Help?

Obrela’s SOC-as-a-service helps customers detect potential exploitation in time. Currently, almost all organizations struggle to identify and secure their vulnerable assets, and many cannot identify which systems within their environment are vulnerable at all, because they don’t have proper software or asset management lists in place. This means that many are unaware of potential vulnerabilities or viruses. If you do not have suitable mechanisms in place, Obrela can help. We implement the proper detection mechanisms to identify a possible exploitation attempt. If a vulnerability is exploited, we advise our customers to promptly restrict access to contain the incident. If an attacker tries to exploit this vulnerability, Obrela will escalate it to the customer within 15 minutes. This gives the customer enough time to perform containment actions and prevent the intruder from accessing their network.
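Identifying vulnerable assets starts with knowing which Log4j versions are actually deployed, including copies bundled inside application archives. The following is an added example (not Obrela’s code or tooling) that inventories log4j-core versions inside Java archives, descending into jars nested in WARs and fat jars; it assumes the standard Maven pom.properties entry and only reports the versions it finds, leaving the comparison against Apache’s affected-version list to the reader.

```python
import io
import zipfile

# Maven-built jars record the artifact version in pom.properties under this
# path (standard Maven layout; assumed here, verify against your own jars).
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def version_from_pom(data):
    """Extract the 'version=' value from a pom.properties body."""
    for line in data.decode("utf-8", errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None

def scan_archive(blob, label):
    """Return (location, version) pairs for every log4j-core inside the
    archive, descending into nested archives (fat jars, WARs, EARs)."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return found  # not a zip container; nothing to inventory
    with zf:
        for name in zf.namelist():
            if name == POM_PATH:
                version = version_from_pom(zf.read(name))
                if version:
                    found.append((label, version))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                found.extend(scan_archive(zf.read(name), f"{label}!{name}"))
    return found

def zip_with(entries):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    # Constructed sample: an application WAR bundling log4j-core under
    # WEB-INF/lib, a layout that a plain filename search on disk misses.
    # The version string is a placeholder, not a real Log4j release.
    inner = zip_with({POM_PATH: b"version=0.0.0-sample\n"})
    war = zip_with({"WEB-INF/lib/log4j-core.jar": inner, "index.html": b"<html>"})
    return scan_archive(war, "app.war")
```

Feed `scan_archive` each archive found by walking your deployment directories (for example with `pathlib.Path.rglob`), and compare the reported versions against Apache’s published list of affected releases.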

If you are unsure whether you have the proper mechanisms in place to prevent and protect against a cyberattack, contact Obrela.