Log4j Zero-Day Vulnerability advisory
The Log4j vulnerability has taken the world by storm and internal IT security teams have been caught off guard by the sheer magnitude of this threat to company systems. This “zero-day” remote code execution vulnerability allows attackers to run brute force attacks on vulnerable applications and remotely run malicious code without authentication. This could include malware such as cryptominers and ransomware.
Cyber security intelligence providers, Check Point, have observed 800,000 exploitation attempts in the first 72 hours since the detection of this issue. This means that the time to take action is now, as threat actors continue to make strides in understanding this vulnerability and how they might be able to leverage it for their goals.
In Asia, the situation is no different. Over the past two weeks, Blackpanda has seen a spike in inbound cases, many of which cite Log4j as the principal cause of concern. While incident response services can and should be sought out following a breach, taking pre-emptive steps to ensure your systems safety is a more cost-effective and defensive measure to avoid falling victim to a reactive scenario.
As a first plan of attack for addressing the Log4j vulnerability, our security experts recommend the following three steps:
1. Apply the latest security patches § § § § Follow the guidance from Apache to apply their latest security update (2.15.0 at the time of writing). Once patched, it is recommended that all users change their passwords. This is also a good time to enable multi-factor authentication if you have not already done so. In the event that you are unable to apply the latest patch, please follow the following recommended mitigation measures located at https://logging.apache.org/log4j/2.x/security.html
2. Scan for signs of compromise Have a suitably qualified member of your IT team or external IT vendor search for any unauthorised code running or potential unauthorised access to systems.
3. Backup data and store offline It is sensible practice to regularly backup data and store offline. Now is a sensible time to validate your own backup process and ensure that you have done so recently and will continue to do so regularly.
Should your team not have the capabilities to perform an internal audit or are seeking the support of seasoned incident response experts, Blackpanda also offers holistic compromise assessment services.
Compromise assessments seek to find attackers who are currently taking a foothold in an environment or that have been active in the recent past. In a similar way to the actions Blackpanda IR specialists take in the event of a breach, compromise assessments are an inside–out investigation and security audit of an organization’s internal environment, applications, infrastructures, and endpoints. In aid of the growing concern regarding the Log4j vulnerability, Blackpanda compromise assessments offer companies peace of mind by checking every possible point of entry while specifically targeting Java related applications and use cases to certify the safety of an internal network. With threat actors leveraging the Log4j exploit at an alarming pace, the question companies need to be asking themselves should no longer be “Can I be hacked?”, but instead “Have I been hacked?”.
This is an extremely urgent matter and Blackpanda strongly advises organizations to take appropriate steps to protect their network immediately. If you have any questions or concerns related to this advisory, or are seeking immediate assistance responding to a cyber incident, please reach out directly to firstname.lastname@example.org.