The Log4j vulnerability has taken the world by storm and internal IT security teams have been caught off guard by the sheer magnitude of this threat to company systems. This “zero-day” remote code execution vulnerability allows attackers to run brute force attacks on vulnerable applications and remotely run malicious code without authentication. This could include malware such as cryptominers and ransomware.
Cyber security intelligence providers, including Check Point, have observed 800,000 exploitation attempts in the first 72 hours since the detection of this issue. This means that the time to take action is now, as threat actors continue to make strides in understanding this vulnerability and how they might be able to leverage it for their objectives.
In Asia, the situation is no different. Over the past two weeks, Blackpanda has seen a spike in inbound cases, and we have noticed that many of these are due to Log4j vulnerability exploitations. While incident response services can and should be sought out following a breach, taking pre-emptive steps to ensure your system’s safety is a more cost-effective and defensive measure to avoid falling victim to a reactive scenario.
As a first plan of attack for addressing the Log4j vulnerability, our security experts recommend the following three steps:
1. Apply the latest security patches
- Follow the guidance from Apache to apply their latest security update (2.15.0 at the time of writing).
- Once patched, it is recommended that all users change their passwords and ensure that these are complex and include at least one English uppercase character (A-Z),one English lowercase character (a-z), one number (0-9) and symbol (such as !, # or %) and are ten or more characters in total length.
- Enable multi-factor authentication if you have not already done so.
- In the event that you are unable to apply the latest patch, please follow the following recommended mitigation measures located at https://logging.apache.org/log4j/2.x/security.html.
2. Scan for signs of compromise
- Have a suitably qualified internal cyber security expert or external cyber security digital forensics firm conduct an active threat hunt for any signs of log4j vulnerability exploitation.
3. Backup data and store offline
- It is sensible practice to regularly backup data and store offline. You should have a regular backup process in place and, given the circumstances, you should ensure that you have done so recently.
- If your team does not have the capabilities to perform an internal audit or are seeking the support of seasoned incident response experts, Blackpanda also offers holistic Compromise Assessment services.
Compromise Assessments seek to find attackers who are currently taking a foothold in an environment or that have been active in the recent past. In a similar way to the actions Blackpanda IR specialists take in the event of a breach, Compromise Assessments are an inside–out investigation and security audit of an organization’s internal environment, applications, infrastructures, and endpoints.
In aid of the growing concern regarding the Log4j vulnerability, Blackpanda Compromise Assessments offer companies peace of mind by checking every possible point of entry while specifically targeting Java related applications and use cases to certify the safety of an internal network. With threat actors leveraging the Log4j exploit at an alarming pace, the question companies need to be asking themselves should no longer be “Can I be hacked?”, but instead “Have I been hacked?”.
This is an extremely urgent matter and Blackpanda strongly advises organizations to take appropriate steps to protect their network immediately. If you have any questions or concerns related to this advisory, or are seeking immediate assistance responding to a cyber incident, please reach out directly to email@example.com.