Zero-day Exploit Affecting Java Applications

UPDATE

As the collective understanding and impact of the Log4Shell Vulnerability continues to build, Drawbridge is releasing updated information. Please read carefully to understand the impact this vulnerability may have on your systems, and recommended mitigating actions.

The first reports of attacks are appearing, with researchers confirming vulnerable systems on the Internet having crypto-mining malware and command and control beacons being installed. Vendors are being proactive with news of their implementation of fixes and updates; one such list of Vendor information is publicly available here:
https://github.com/NCSC-NL/log4shell/tree/main/software

Drawbridge has confirmed protection of the Connect Platform as of Friday December 10, 2021 and completed internal patching and updates on Sunday December 12, 2021.

We are currently pushing out updates to the Connect-R Vulnerability scanner to all clients to begin scanning of the vulnerability. These updates are likely to continue for several days as more information is discovered. We highly recommend clients review their Vulnerability scan results in Connect over the coming days as well as confirm they are configured to receive Alerts for newly discovered High-Risk Vulnerabilities.

Since log4j2 installations may be hidden from network services or processed away from client networks, Drawbridge strongly recommends Vendors be contacted for updates on their position with “Log4Shell.” Internal Development teams utilising Java must confirm their applications have been mitigated either with updates or configuration changes, too.

Defensive measures comprising an in-depth approach of all three security controls is especially important:

  • Request your Vendors update you on their efforts against Log4Shell.
  • Scan your networks for Vulnerable systems.
  • Confirm your IDS/IPS, Firewalls, and MDR systems can identify Log4Shell and monitor for alerts.

The Log4Shell Exploit

Log4j is a commonly used library that provides logging features to Java based applications. It’s use is widespread across websites, web-based applications, client and server side java applications and management portals of devices including network equipment. The exploit, nicknamed Log4Shell, is considered a critical risk because of the simplicity to execute and it is a “Remote Code Execution” (or RCE) vulnerability which can be triggered across a network, including across the Internet.

Threat intelligence indicates that scanning for vulnerable systems is already occurring across the Internet.

How to Protect Yourself

Given the breadth of the potential attack surface, we recommend firms review their asset inventory and contact their software Vendors to request if they use an affected version of the “log4j library” and whether they will be issuing a patch or configuration recommendations to mitigate “Log4Shell.”

Hardware Assets may also have java-based web management portals and should equally be reviewed. Some example Hardware devices under review include NetApp, SonicWALL, and Cisco:

“Intrusion Detection and Prevention Systems” and “Managed Detect and Respond systems” may offer overarching protections of systems while further investigations take place. We recommend discussing with your IDS/IPS/MDR providers as a priority.

  • Review asset inventory lists and contact software and hardware vendors to confirm their use of “log4j library”
  • Verify with Firewall, IDS/IPS, and MDR Vendors that they are actively able to capture and prevent/block any network activity related to the “Log4Shell” exploit.
  • Ensure your anti-virus and malware protection is up to date over Servers and PC

Find out more about Drawbridge’s ransomware and vulnerability management capabilities with Connect-R and PC Reporter.