Log4j vulnerability advisory


The Log4j vulnerability has taken the world by storm and internal IT security teams have been caught off guard by the sheer magnitude of this threat to company systems. This “zero-day” remote code execution vulnerability allows attackers to run brute force attacks on vulnerable applications and remotely run malicious code without authentication. This could include malware such as cryptominers and ransomware. 

Log4j Zero-Day Vulnerability advisory

The  Log4j  vulnerability  has  taken  the world  by  storm  and  internal  IT  security  teams  have been  caught  off  guard  by  the  sheer  magnitude  of  this  threat  to  company  systems.  This “zero-day”  remote  code  execution  vulnerability  allows  attackers  to run brute force attacks on vulnerable applications  and  remotely  run  malicious  code  without  authentication. This  could  include malware  such  as  cryptominers and  ransomware. 

Cyber security  intelligence  providers,  Check  Point,  have  observed  800,000  exploitation attempts  in  the  first  72  hours  since  the  detection  of  this  issue.  This  means  that  the  time  to take  action  is  now,  as  threat  actors  continue  to  make  strides  in  understanding  this vulnerability  and  how  they  might  be  able  to  leverage  it  for  their  goals. 

In  Asia,  the  situation  is  no  different.  Over  the  past  two  weeks,  Blackpanda has  seen  a spike  in  inbound  cases,  many  of  which  cite  Log4j  as  the  principal  cause  of  concern. While  incident  response  services  can  and  should  be  sought  out  following  a  breach, taking  pre-emptive  steps  to  ensure  your  systems  safety  is  a  more  cost-effective  and defensive  measure  to  avoid  falling  victim  to  a  reactive  scenario. 

As a first  plan  of  attack  for  addressing  the  Log4j  vulnerability,  our  security  experts recommend the  following  three  steps: 

1.  Apply  the  latest  security  patches § § § § Follow  the  guidance  from  Apache  to  apply  their  latest  security  update  (2.15.0  at  the time  of  writing). Once patched, it  is  recommended  that  all  users  change  their  passwords. This  is  also  a  good  time  to  enable  multi-factor  authentication  if  you  have  not  already done  so. In  the  event  that  you  are  unable  to  apply  the  latest  patch,  please  follow  the  following recommended  mitigation  measures  located at https://logging.apache.org/log4j/2.x/security.html

2.  Scan  for  signs  of  compromise Have  a  suitably  qualified  member  of  your  IT  team  or  external  IT  vendor  search  for  any unauthorised  code  running  or  potential  unauthorised  access  to  systems. 

3.  Backup  data  and  store  offline It  is  sensible  practice  to  regularly  backup  data  and  store  offline.  Now  is  a  sensible  time  to validate  your  own  backup  process  and  ensure  that  you  have  done  so  recently  and  will continue  to  do  so  regularly.

Should  your  team  not  have  the  capabilities  to  perform  an  internal  audit  or  are  seeking the  support  of  seasoned  incident  response  experts,  Blackpanda also  offers  holistic compromise  assessment  services.

 Compromise Assessments 

Compromise  assessments  seek  to  find  attackers  who  are  currently  taking  a  foothold  in  an environment  or  that  have  been  active  in  the  recent  past.  In  a  similar  way  to  the  actions Blackpanda IR  specialists  take  in  the  event  of  a  breach,  compromise  assessments  are  an inside–out  investigation  and  security  audit  of  an  organization’s  internal  environment, applications,  infrastructures,  and  endpoints. In  aid  of  the  growing  concern  regarding  the  Log4j  vulnerability,  Blackpanda compromise assessments  offer  companies  peace  of  mind  by  checking  every  possible  point  of  entry while  specifically  targeting  Java  related  applications  and  use  cases  to  certify  the  safety  of an  internal  network.  With  threat  actors  leveraging  the  Log4j  exploit  at  an  alarming  pace, the  question  companies need  to  be  asking  themselves  should  no  longer  be  “Can  I  be hacked?”,  but  instead  “Have  I  been  hacked?”. 

This  is  an  extremely  urgent  matter  and  Blackpanda strongly  advises  organizations to  take appropriate  steps  to  protect  their  network  immediately.  If  you  have  any  questions  or concerns  related  to  this  advisory,  or  are  seeking  immediate  assistance  responding  to  a cyber  incident,  please  reach  out  directly  to  hello@blackpanda.com.

Sign Up to Our Newsletter

Our weekly Asia Cyber Summary is a snappy, non-technical overview of regional cyber security news that helps you stay informed. Test it today, you can always unsubscribe.