Log4Shell: a new critical security vulnerability

Log4Shell: a new critical security vulnerability

2021 has not been an easy year for IT and Cybersecurity teams. After the PrintNightmare and Proxysell vulnerabilities, the Log4Shell vulnerability was confirmed on December 10, 2021. This major security vulnerability forced organizations and governments to take drastic measures quickly. Some governments, such as the Quebec government, have even chosen to shut down all potentially impacted servers while they check for signs of compromise and apply all the recommended patches before putting them back in production.

What is Log4Shell?

Log4Shell is a security vulnerability related to Log4, a widely used logging utility on all Java systems. It’s a project of the Apache Foundation and is distributed as free software. Several Java-based software development projects are affected.

Detected on November 24, 2021, by a cybersecurity expert at Alibaba, Log4Shell has a severity level of 10 (the highest severity level) for a security vulnerability.

The vulnerability number assigned to Log4Shell is CVE-2021-44228.

The vulnerability concerns JAVA and not Apache web servers

There is some confusion in the market regarding the scope of the Log4Shell vulnerability. Note that the Log4Shell vulnerability affects JAVA and not Apache web servers for clarification purposes. You cannot be vulnerable to Log4Shell if you are not using JAVA.

Ability to execute arbitrary code remotely without needing valid network access

Log4Shell exploitation allows malicious code execution on the victim server. Usually, executing code on a machine requires the user to have a valid account log in with a password before executing code. With Log4Shell, the user doesn’t need to have an account on the victim machine.

Since it’s possible to execute arbitrary code remotely without authentication, there’s no limit to what an attacker can do. According to Microsoft, attempts to distribute ransomware via Log4Shell have already been observed.

Massive exploitation facilitated by the sharing of attack code (attack exploits)

Following the Log4Shell disclosure, several test programs, whose purpose is to show how the vulnerability can be exploited, have started to appear on the Internet. These programs are called Proof of Concept (POC) or attack exploits. Once attack exploits are available on the Internet, their use is within reach of everyone, including those with fundamental knowledge of cybersecurity or computer programming. Simply download them, adapt them and use them to launch attacks. An example of a Log4Shell POC can be found here.

Therefore, it’s important to react as soon as vulnerability POCs start to flourish on the Internet, as this is a sign that massive attacks are likely to be launched soon.

The age of automation is here - For better or worse

Today, the vast majority of cyberattacks aren’t launched by humans. They’re launched by automated bots/malware that scan the Internet 24/7 for vulnerable systems. They’re often zombie computers (on legitimate networks) that hackers control remotely to launch attacks. Hackers around the world exploit millions of zombie computers.

The exploitation of the Log4Shell vulnerability follows this paradigm. It is bots/botnets that are on the front line of exploiting this vulnerability. The bots are fast and don’t sleep, so it’s essential to act quickly to identify and fix vulnerable servers to avoid any exploitation attempt.

Continuously managing security vulnerabilities in your network

Managing security vulnerabilities is one of the most critical elements in cybersecurity. Here are our recommendations for managing your security vulnerabilities more effectively:

• Implement a formal security vulnerability management process.
• Perform a vulnerability scan regularly (once a month ideally) and fix the principal vulnerabilities identified
• Prioritize the patching of vulnerabilities that can be exploited across the network without authentication.
• If POC attacks start to appear, it’s urgent to fix the vulnerability.

Here are our recommendations to protect against Log4Shell

• Conduct a vulnerability scan of your IT assets to identify if you have any vulnerable systems. Focus primarily on your servers accessible on the Internet. Then, scan your internal servers. You can do this via tools such as NESSUS or our Streamscan CDS
• Migrate to version 2.17.1 of Log4J for java 8 or version 2.12.4 for java 7
• Deploy an intrusion detection system (IDS/IPS/NDR) in your network. Make sure your IDS/IPS/NDR has signatures to detect Log4Shell. This is the case with Streamscan's CDS technology. Our tool protects your network from attempts to exploit this vulnerability while you identify and fix the servers that have this vulnerability in your network.
• If you have found vulnerable systems in your network, extract and analyze their logs since November 1, 2021, to ensure that the vulnerability has not been exploited.

How can Streamscan help protect you?

The good news is that our CDS cyber threat detection technology has signatures and detection models that can detect and block attempts to exploit the Log4Shell vulnerability. Our CDS technology can also scan your network to identify if you have the Log4Shell vulnerability. Therefore, all organizations that use our CDS technology or our MDR security monitoring service are protected.

Our CDS technology continuously monitors your network for cyber attacks and abnormal or suspicious behavior. It protects your network 24/7 against cyber attacks.

While the vulnerability is being patched, our MDR analysts stay alert and proactively manage your network security, allowing us to alert you 24/7 in the event of a cyber attack. We analyze suspicious movements and attacks that target you and address them upstream to prevent them from becoming a problem. We act as an extension of your IT team and take care of your security.

Need help? StreamScan is here.

Whether you need help enhancing your cyber security, contact us at securitepme@streamscan.ai or call us at +1 877 208-9040.