On Dec. 9, 2021, a remote code execution (RCE) vulnerability in the popular Java-based logging package Log4j was disclosed. Submitting a specially crafted request to a vulnerable system allows an attacker to download and execute a malicious payload to perform additional functions such as data exfiltration, diverting funds, performing surveillance, or disrupting service. What many experts fear now is that the bug could be used to encrypt data and due to the discovery of this exploit being so recent, there are still many servers, both on-premises and within cloud environments, that have yet to be patched. Scanning activity for CVE-2021-44228 has actively begun on the internet with the intent of seeking out and exploiting unpatched systems. Apache Log4j versions <= 2.15.0 rc1 are vulnerable.
Given the seriousness of this vulnerability Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly released the following statement: “This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software. Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates. We continue to urge all organizations to review the latest CISA current activity alert and upgrade to log4j version 2.15.0, or apply their appropriate vendor recommended mitigations immediately.”
“To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”
The Apache Log4j RCE vulnerability will be one of the largest and most critical vulnerabilities in recent memory. In order to assist customers with identifying and remediating possible exposure, Presidio’s Managed Detection and Response (MDR) team has been working diligently to insert controls for customers and begin active investigations.
Some of the lessons we learned from shellshock are going to apply. While in some instances, simply employing the proper patch will mitigate our risk. In others, we will have to rely on mitigating controls such as segmentation, detection and response technologies, and more modern approaches to application development. When we are faced with a vulnerability this widespread, it will take the actions of the entire security community to mitigate the risk. Presidio is part of that community and is here to help.
Presidio’s MDR is taking the following actions for our managed security customers and suggests a similar approach for customers who manage their own security operations:
- Develop additional use cases within your Threat Framework to ensure exploitation attempts against your environment are detected. Detect the exploitation of the threat at both the host and network layer depending on the security control sending logs to the platform.
- Perform active threat hunts in your environments based on the latest Indicator of Compromise (IOCs)
- Perform both credentialed and un-credentialed scans, leveraging the latest Log4j plugins available to detect the existence of this vulnerability and notify appropriate parties.
- Update Endpoint (EDR) agents based on vendor recommendations to get active protection at the endpoint
- Reference a trusted source for ongoing updates such as CISA: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance.
To learn more about how Presidio helps customers through vulnerabilities, visit our cybersecurity page.