Chris Swagler | December 15th, 2021

Log4j

If security teams don’t quickly update their network’s security, threat actors can exploit the Apache Log4j logging library vulnerability to launch attacks that will persist years from now. Log4j is an open-source Java logging framework maintained by the nonprofit Apache Software Foundation and part of the Apache Logging Services. It has amassed around 475,000 downloads from its Github project and is widely adopted for application event logging. Additionally, the Log4j is part of other frameworks, including Elasticsearch, Kafka, and Flink, which are used at enterprise levels in various applications and in many popular websites and services. A Forrester analyst explains that the sheer scale of this vulnerability and the threat’s potential persistence are extremely concerning and urges security teams to act swiftly while awareness of the issue is high.

Researchers discovered the first public case of the Log4j, or Log4Shell, vulnerability being used to download and install ransomware. The Java class from “hxxp://3.145.115[.]94/Main.class” is downloaded and executed by the Log4j application. Once the Java class is loaded, threat operators leverage the remote code execution (RCE) flaw to download an additional payload, a .NET binary, from a remote server to install the “Khonsari” ransomware and encrypt all the files with a “.khonsari” extension.

Apache released Log4j 2.15.0 addressing the maximum severity vulnerability and is tracking the vulnerability as CVE-2021-44228, Log4Shell, or LogJam. Because of its ubiquity, the Log4Shell will be exploited for years as over three billion devices run on Java, many of which use Log4j. Patching every single system isn’t going to be an easy task. Additionally, patching requires a huge awareness campaign guiding developers on how to address the vulnerability.

With most vulnerabilities, including Heartbleed and Shellshock, some systems and applications fail to get updated, leaving a hole for threat operators to exploit, even after public frenzy has died down. Even though the Apache logging product patch was released and the vulnerability has a Common Vulnerability Scoring System (CVSS) score of 10, most companies could struggle to locate instances running in their environment. This is due to multiple layers of dependencies existing in enterprise Java environments in the Java archive (JAR) file form. Any of these files can be hiding Log4j helping them log data.

A consulting firm confirms that the vulnerability will be with us for a long time and warns companies to prepare for a challenging process of identifying vulnerable products, waiting for the patches, applying the patches, and implementing mitigations. The problem for most vendors is they might not know how much Log4j they are using, what version they are using, or whether it’s included with the product. In some instances, the library may have been included in the overall addition and the vendor may not feature it. Additionally, developers might have altered the code in the Log4j to meet an application’s specific requirements. All of these issues make it difficult to determine if a product is vulnerable because each vendor has to review their code to see how exposed they may be, then develop and issue a patch customers can apply. However, current tooling might not be up to the task.

One mistake companies make when attempting to fix the issue is leaning too heavily on traditional vulnerability management tools. Traditional tools scan installed applications for any problems; however, if the Log4j framework was renamed or installed in a non-default path, there is a chance that the vulnerability management tools will miss it. That’s why it’s preferable to have a solution that analyzes configuration strings within files. The United States Cybersecurity and Infrastructure Agency (CISA) published a new web page containing vulnerability guidance, a community-sourced GitHub repository of public information, and vendor-supplied advisories about the incident.

The Log4Shell vulnerability is a severe security risk for many companies and presents an urgent challenge to network defenders. It’s important for companies to remain vigilant regarding the current threat landscape and for vendors to communicate with their clients so they can immediately patch and remediate any vulnerability. At SpearTip, our advisory services focus on real and imminent threats. We use our technical knowledge and experience to identify vulnerabilities, including the Log4j (Log4Shell), and offer pragmatic remediation steps to improve a company’s security posture. Our team examines a company’s entire security posture from top-down during our cybersecurity risk assessment process and assesses the gap between the company’s current cyber state and a mature security posture in order to provide a customized plan to best protect against persistent cyber threats.

f your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.