by Simon Walsh
Over the weekend, security teams across the globe have been racing against the clock to mitigate a newly discovered vulnerability. The bug is found in popular Apache logging system Log4j, and has been dubbed “Log4Shell”. It’s already being exploited in the wild.
Here we explain how attacks work and what your organisation should do.
As bad as it gets
The bug itself has been give a 10 out of 10 on the industry standard CVSS scoring system. That’s as bad as it gets. Why? For several reasons:
- Log4j is used by millions of Java applications—from little known corporate apps to software and organisations including iCloud, Cloudflare, Minecraft, Red Hat, Twitter, IBM, Steam, Tesla and Cisco
- It is relatively easy to exploit the underlying “improper input validation” flaw. It requires an attacker to force a vulnerable application to log a particular string of characters. As apps log many types of events, there are various ways to do this. It could be as simple as typing a message into a chat box
- Exploitation can lead to remote code execution on an impacted server, enabling attackers to download malware and advance attacks
- Attackers are actively scanning for vulnerable systems to exploit
Already attackers have been spotted exploiting the flaw to install coin miners, expose AWS keys, deploy Cobalt Strike for ransomware, and more. The UK’s National Cyber Security Centre (NCSC) and US Cybersecurity and Infrastructure Security Agency (CISA) have both released alerts.
What to do now
According to CISA, organisations should:
- Find where Log4j is running in their environment
- Patch immediately by upgrading to Log4j version 2.15.0, or apply vendor mitigations
- Enumerate any externally facing devices with Log4j installed
- Ensure security operations (SecOps) teams action every alert related to Log4j
- Install a web app firewall with rules that automatically update, to reduce the alert load on SecOps
Trend Micro is scanning all of its platforms to determine vulnerable versions of Log4j that need remediating or mitigating. More information is available here.