3 Key Takeaways on Log4j and Zero-day Vulnerabilities
- Log4j is an open-source error-logging library used in many consumer-facing products, but it has several vulnerabilities that leave internet-connected devices open to remote attacks.
- Many companies still haven’t realized they’re at risk from Log4j, because they don’t know it’s part of their software package.
- Gaining a thorough understanding of their internal environment and making sure their software is up-to-date are the best ways for companies to protect against Log4j exploits and other web application vulnerabilities.
NetDiligence® President Mark Greisiger and CrowdStrike Director of Incident Response Yinan Yang discuss these takeaways and other aspects of Log4j, Log4Shell, and incident response plans in this continuing industry expert series. Read the synopsis below and watch the video above to hear the entire conversation.
Log4j Exploits: What You Don’t Know About Your Software Puts You At Risk
MG: Our insurance partners get nervous about the impact of cyber vulnerabilities on their policyholders when a major event occurs because they worry whether it will cause a loss across their book of business. Recently, Log4j and Log4Shell have been in the news. Could you explain what the issue is with Log4j?
YY: In December 2021, a series of vulnerabilities affected a specific Apache application called Log4j, version 2 of that particular application. What we call proof of concept code was made public on Twitter, as these things happen nowadays. But over a period of time, a number of vulnerabilities associated with the same package software were released. These events were collectively referred to as Log4Shell, and allowed a remote attacker to take control of a device on the internet if the device is running certain versions of Log4j.
MG: What do you think are the common challenges around Log4j and zero-days, as an example?
YY: One of the most common challenges is not only is it a zero-day situation in which there isn’t a patch available for that particular vulnerability, but also organizations can’t effectively mitigate the risk because they aren’t aware the Log4j package is in software they use.
If you’re using something like Microsoft Outlook, OneNote, or another application, you may not know that, under the hood, a component of that software is Log4j. It’s a back-end logging function. That’s why it’s challenging for organizations to understand if they have this risk in their environment. And even if they did, they weren’t sure if they would be able to tell if something was wrong before it was too late.
MG: What have we learned so far, and where do things stand today?
YY: Immediately after this information became public, we saw the typical exploitation was generally with the intent of creating crypto miners. [Cyber criminals are] scanning the internet, and if anything comes up, they’re going to exploit it and put a crypto miner on it because they want to consume that resource and generate some revenue.
Unfortunately, it was pretty quickly adapted into the toolkits of various bad actor groups, including targeted intrusion groups, who are leveraging this to get into organizations.
Ransomware groups are on top of most folks’ minds now. They’re leveraging this risk as a method to gain access to the environment. They also use this particular vulnerability as a post-exploit action, meaning once they’re in, they use it to pivot into something else, like other traditional phishing user click methods. An example is what we call Hypervisor Jackpotting.
MG: Let’s talk about preparing for the next inevitable zero-day event—the incident response planning that may be factored in, proactively working with your cyber insurance partners, and maybe even implementing retainers.
YY: This is not the first situation and, unfortunately, it’s not going to be the last in which an organization can be doing all the right things, and it’s not enough.
They’re patching and taking the proper mitigation steps, but ultimately, [the problem is] the result of a third-party risk in some situation within their own organization they then need to respond to.
What we have found across the board is that successful organizations that responded to this [threat] really excelled in the basics. Certainly, having tooling, visibility, and coverage in terms of prevention and detection helps. But the things that make a big difference are:
- Knowing if you have a thorough understanding of the internal environment and where your assets are.
- Doing things like [implementing] implicit deny network rules for internet-bound traffic.
- Having a coherent cross-functional communication strategy within your organization—not just the IT team talking to the IT team.
- Making sure the security team understands the right points of contact within an application development, or the DevOps team understands what they have in motion and what might be in the systems they’re leveraging.
- Understanding if you are exposed or not, and how [experts like those at CrowdStrike] can assist in responding to that exposure.
Additionally, something like a detection and response focus strategy for mitigation is absolutely more effective in situations where a high degree of uncertainty is expected. I would definitely include zero-day vulnerabilities or even supply chain compromises in that category.
Again, you can be doing all the things right within your organization. But ultimately, you cannot put all your eggs in the prevention basket because something like [the Log4j situation], that you don’t control, is going to lead to a compromise of your organization.
MG: Thank you for the great summary. Just talking about zero-day attacks, or in the cyber insurance industry, they talk about black swan events—it’s the unknown. How do you plan for the unknown?
For us and the cyber insurance underwriting community, incident response planning is crucial, as we mention in Breach Plan Connect. We recommend clients list experts like CrowdStrike because something inevitable is going to happen. They need to be able to get to a person like you right away, even if it’s 10:00 on a Saturday night.
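The recurring point of the conversation above is that organizations could not mitigate Log4j because they did not know it was a back-end component inside software they already ran, and that "a thorough understanding of the internal environment and where your assets are" is the first item on the list of basics. The following Python script is an added example, not code from the interview, from CrowdStrike or from NetDiligence: it walks a file tree, opens every JAR/WAR/EAR/ZIP archive (recursing into archives nested inside archives, which is where embedded copies usually hide), reads the log4j-core version from the Maven pom.properties that the artifact ships with, and notes whether the JndiLookup class is present. The sample archives it builds in build_sample_tree are constructed for the demo; the minimum version you compare findings against is not hard-coded and should be taken from your vendor's advisory.

```python
import io
import os
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Maven writes this file into every log4j-core artifact; it carries the version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The lookup class whose presence is the usual quick check for an unmodified jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass
class Finding:
    location: str          # outer path, "!" separates nested archive levels
    version: str           # from pom.properties, or "unknown"
    has_jndi_lookup: bool  # JndiLookup.class still present in this jar


def _read_version(zf):
    """Return the version from pom.properties, 'unknown' if unparsable, None if absent."""
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else "unknown"


def _scan_archive(data, location, findings, depth=0):
    """Inspect one archive held in memory and recurse into any archives inside it."""
    if depth > 5:  # guard against pathological nesting
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inventory
    with zf:
        names = set(zf.namelist())
        version = _read_version(zf)
        if version is not None or JNDI_CLASS in names:
            findings.append(Finding(location, version or "unknown", JNDI_CLASS in names))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                _scan_archive(zf.read(name), f"{location}!{name}", findings, depth + 1)


def find_log4j_core(root):
    """Inventory every embedded log4j-core copy under root, nested archives included."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as f:
                    _scan_archive(f.read(), path, findings)
    return findings


def version_tuple(v):
    """Numeric prefix of a version string, e.g. '2.14.1' -> (2, 14, 1).
    Pre-release tags such as '-beta' are not ordered by this helper."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def below(version, minimum):
    """True when a found version is older than the minimum your vendor advisory names."""
    return version_tuple(version) < version_tuple(minimum)


def build_sample_tree(root):
    """Constructed sample: a WAR with a nested log4j-core jar, plus an unrelated jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                              "artifactId=log4j-core\nversion=2.14.1\n")
        z.writestr(JNDI_CLASS, b"")  # stand-in for the real class bytes
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as z:
        z.writestr("com/example/Main.class", b"")


def demo():
    """Build the constructed sample in a temp dir and return the inventory."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return find_log4j_core(root)


if __name__ == "__main__":
    # Usage: python inventory.py [ROOT] [MINIMUM_VERSION]; with no ROOT the constructed sample runs.
    root = sys.argv[1] if len(sys.argv) > 1 else None
    minimum = sys.argv[2] if len(sys.argv) > 2 else None
    results = find_log4j_core(root) if root else demo()
    for f in results:
        flag = ""
        if minimum and f.version != "unknown" and below(f.version, minimum):
            flag = f"  [older than {minimum}]"
        print(f"{f.location}: log4j-core {f.version}, JndiLookup present={f.has_jndi_lookup}{flag}")
```

Run it against an application install directory or a mounted container image layer to get the inventory the interview says most organizations lacked; the script reports what is there and leaves the "is this version acceptable" decision to the threshold you pass in, because that threshold changed several times over the weeks the vulnerabilities were being released.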
For more information, watch Mark and Yinan’s full discussion.
If you have further questions for Yinan, you can reach him at CrowdStrike, explore additional articles and insights in CrowdStrike’s Log4j Resource Center, or read the CrowdStrike 2022 Global Threat Report.
If you have any questions for Mark, you can reach him at NetDiligence.
Lastly, if you’re looking for a turnkey solution to help guide and coordinate your organization’s response to a cyber incident, click here to learn more about Breach Plan Connect® from NetDiligence.