Log4j requires cyber defense staying power

Bitdefender_News


Log4j is and remains a dangerous vulnerability almost three months after its disclosure. And even if no attacks are running yet, IT security officers should assume that the cybercriminals have gained access to IT systems. By Cristian Avram, Senior Solution Architect at Bitdefender.

In order to effectively defend against imminent attacks, it will therefore be necessary in the coming months to immediately localize and close weak points and to monitor one's own IT and network traffic.

Log4j: a long-term load

Hackers can remotely execute code through the widely used Log4j logging library. The vulnerability CVE-2021-44228, disclosed on December 9, 2021, is particularly dangerous because Log4j is the de facto standard logging framework in a wide variety of web applications. Many companies do not know whether and where Log4j is present in their systems. As early as December 2021, Bitdefender Labs observed concrete attacker activity, for example botnets installing cryptominers and new ransomware attacks being launched.

Even if the large wave of attacks has apparently not materialized yet, the risk situation must be assumed to be highly dynamic. Because it is so easy to achieve remote code execution via Log4j, the danger is immediate. Attackers also use Log4j as a gateway into the corporate network. It can be assumed that the actual attacks will follow, because hackers first get a foot in the door of the company network as inconspicuously as possible. Many of the attacks now being prepared, which will start in the near future, may no longer be recognizable as the result of an intrusion via Log4j.

Uncertainty among manufacturers and companies

The Log4j library itself offers a very useful and simple way to log and process requests to systems, which is why it has become the de facto standard. As a versatile, cross-platform framework it runs on operating systems such as Windows, Linux, macOS and FreeBSD. Java – and thus Log4j – is used, for example, in webcams, car navigation systems, terminals, DVD players, set-top boxes, medical devices and even parking meters. This creates a problem: many IT administrators will not know which applications connect their company network to the Internet via Log4j. It is no coincidence that Bitdefender telemetry data, i.e. information from installed Bitdefender systems, shows many security teams probing their own systems for the vulnerability to see whether they are affected.

And you are not alone with this lack of overview. Software vendors and open source projects also do not know whether their products or projects contain the vulnerability. Like all companies, they have to establish their security status and are now informing their customers – or will do so in the near future.

Five tips for the "Log4J marathon" of the coming months

In this unclear, constantly changing risk situation, IT security managers in companies and managed security providers must be very vigilant in the coming months in the service of their customers. The following advice will help to identify risks and block attacks in the short and long term:

1. Patch and update immediately where the vulnerability is already known: Companies should immediately apply all patches available for their applications, following the instructions from the software vendor. This principle applies now more than ever.
2. Inventory IT infrastructure and software BOM: Administrators should audit their entire infrastructure and all software. This identifies every system that uses an Apache Log4j2 logging framework. The update to Log4j version 2.17.1 then follows.
3. Check the software supply chain for updates: Once IT administrators know which systems are affected, they should keep themselves informed whether the respective open source projects and the vendors of commercial software products provide patches, and what measures they recommend to close the gap.
4. Don't forget systems without direct access to the Internet: Of course, applications and systems that are directly connected to the Internet have top priority in the security inventory. But many hackers only use this entry point as a starting point for lateral movement to attack other systems. Therefore, those responsible for IT should be just as vigilant in monitoring and protecting systems without a direct connection to the Internet.
5. Time for defense in depth: Exploiting Log4j is the first step – launching an attack is the next. This may give IT administrators time to prepare and prevent a vulnerability from becoming an actual security incident. Telemetry data shows which cyber security modules prevent attackers from exploiting the vulnerability. It starts with protection at the network level: threat intelligence provides information on the reputation of URLs and IP addresses. Static malware detection also does its part by catching installed cryptominers and known malicious payloads. That is not all, though: administrators and managed security providers should also assume that these attacks will continue to spread. Extended Detection and Response (XDR) detects lateral movement from one system to the next. Advanced threat detection techniques identify suspicious behavior in processes. External experts from a managed detection and response (MDR) service help to identify risks and attacks.
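As an added example that is not part of the article or of Bitdefender's tooling, the script below implements the inventory step from tip 2: it walks a directory tree, opens JAR/WAR/EAR archives (including archives nested inside them, as in a WAR's `WEB-INF/lib`), reads the version Maven records for `log4j-core`, and flags anything below the 2.17.1 threshold the article names. The directory to scan and the version strings are assumptions supplied at run time.

```python
import os
import sys
import zipfile
from io import BytesIO

# Maven metadata carried by log4j-core JARs; it records the exact artifact version
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
FIXED_VERSION = (2, 17, 1)  # threshold named in the article


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-rc1' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        num = ""
        for ch in piece:           # keep only the leading digits of each part
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    return tuple(parts)


def scan_archive(data, label, findings):
    """Record log4j-core versions found in one archive and in archives nested in it."""
    try:
        zf = zipfile.ZipFile(BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a real ZIP container, nothing to inspect
    with zf:
        names = zf.namelist()
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
                    findings.append((label, version, parse_version(version) < FIXED_VERSION))
        for name in names:  # recurse into e.g. WAR -> WEB-INF/lib/log4j-core-*.jar
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(name), label + "!" + name, findings)


def scan_tree(root):
    """Walk a directory tree; return [(path, version, vulnerable), ...]."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings


if __name__ == "__main__":
    for path, version, vulnerable in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(("VULNERABLE" if vulnerable else "ok        "), version.ljust(10), path)
```

Shaded or repackaged copies of Log4j that drop the Maven metadata are not found this way, so treat a clean result as a starting point rather than proof of absence.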

Defending against attacks via Log4j will be a long-term task. Administrators should monitor access to their network and what is happening on it very carefully in the coming months. Every anomaly needs to be checked. In particular, IT administrators and managed service providers should take any sign of a reverse TCP shell seriously.

More at Bitdefender.com

About Bitdefender

Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de
