Why Is a Log4Shell Exploit Considered a Serious Risk to Enterprises?
Apache Log4j is used in thousands of enterprise applications across the stack and appliances with a web interface. Log4j is also an embedded component of many Java-based OT/ICS hardware and software components. Billions of IoT devices built on Java may also be susceptible to the Log4Shell vulnerability, as are many networking appliances. Multiple Apache Log4j versions are affected by Log4Shell. Log4Shell also affects many systems that are internal to enterprise networks. APTs/attackers that are already inside the network may leverage the Log4Shell vulnerability of the internal systems.
The vulnerability is severe enough for CISA, FBI, and NSA to release a joint Advisory stating “Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world; we implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks.”
Successful exploitation of Log4Shell on a system can enable the threat actor to take full control of the system.
Mass scanning attempts by threat actors to identify vulnerable systems are ongoing. In addition, botnets like Mirai, remote access toolkits, and reverse shells such as Meterpreter have expanded to leverage the Log4Shell vulnerability. Threat actors are also finding new ways to exploit this vulnerability by, for example, exploiting internal systems in the enterprise and leveraging these systems to conduct post exploitation activity.
Patching Log4Shell vulnerable versions of various systems and applications will take a long time. Patching may not even be possible for certain embedded systems. Existing detection methods rely on signatures and threat actors have started circumventing such simple detection methods by using payload obfuscation.
What Can IT Security Teams Do to Protect Against Log4Shell Exploits?
To protect against Log4Shell attack attempts, IT Security teams should apply the patches released by the Apache Software Foundation and by the vendors of software and hardware that are affected by the Log4Shell vulnerability. For systems that cannot be patched and for systems for which patches will take a while to be released, IT Security teams should follow the IMMA approach:
(I)solate: This step involves segregating the vulnerable systems to reduce pathways from those systems to other parts of the network.
(M)inimize: This step refers to minimizing the attack surface that an attacker can use to reach vulnerable systems. This can be done by, for example, disabling unnecessary services or reducing privileges.
(M)onitor: This step involves closely watching system logs and network traffic for signs of a Log4Shell exploit attempt.
(A)ctive Defense: This step involves implementing measures like using deception technology to detect attackers and deflect them away from vulnerable systems.
What Capabilities Does Acalvio ShadowPlex Provide to Counter the Log4Shell Vulnerability?
Acalvio ShadowPlex provides the following Active Defense capabilities to effectively counter the Log4Shell vulnerability:
1. Gain visibility into Log4Shell vulnerable assets
2. Actively protect Log4Shell vulnerable assets
3. Generate Threat Intelligence
The first step in combating the Log4Shell vulnerability is to gain visibility into affected systems. Acalvio ShadowPlex provides a reliable, safe, and easy-to-deploy capability to automatically discover Log4Shell vulnerable assets across IT, Cloud, IoT, and OT environments. A single click from the ShadowPlex Admin Console will discover the Log4Shell vulnerable assets. There are no scripts to run manually, and no cloud services are required for the setup.
Unlike traditional vulnerability scanners, Acalvio ShadowPlex does not require access to the asset’s filesystem. The Acalvio approach works for any kind of remote service, device, or application without requiring any special asset access, firewall changes, or sensitive login credentials.
Most vendors need time to create and test Log4Shell vulnerability patches. Also, application of patches can be very challenging in many mission-critical environments such as OT/ICS networks. Acalvio ShadowPlex provides the ability to leverage deception deployment on and around vulnerable assets to quickly detect Log4Shell exploit attempts.
A malicious actor needs to attempt an exploit to determine whether a system is vulnerable. This provides an excellent opportunity to leverage Acalvio’s active defense and just-in-time deception platform to detect and respond to exploit attempts from inside the organization’s IT, OT, IoT, and Cloud environments.
Generate Threat Intelligence
The Acalvio ShadowPlex platform can be leveraged to generate Threat Intelligence (TI) using deception technology. This TI is specific to Log4Shell exploits and covers new obfuscation techniques and attacker-controlled IPs that can be blocked. This TI can be very useful for MDR solutions, and large enterprises to get ahead of Log4Shell exploit attempts.
Frequently Asked Questions
Is Log4Shell still a threat?
Yes, IT Security teams still consider Log4Shell a threat. Researchers have noticed a steady stream of attacks attempting to exploit the Log4j vulnerability. At the same time, several attacks that leverage Log4Shell may be going unnoticed.
What is vulnerable to Log4Shell?
The Log4Shell vulnerability primarily affects systems that use the Apache Log4j library. Here are some types of systems that could be vulnerable:
- Servers and Web-based Applications: These are the most vulnerable systems as they often use the Log4j library for logging purposes.
- IT Systems: IT systems that use software applications and online services incorporating the Log4j library are at risk.
- OT Systems: Operational Technology (OT) systems such as SCADA (Supervisory Control and Data Acquisition) systems and IoT (Internet-of-Things) devices are also at risk.
Does Log4Shell affect personal computers?
Personal computers, laptops, and mobile devices may be using software that includes the Log4j library, but they are not generally at risk unless they are running server-like processes. However, certain PC users who are running a Java environment or playing games like Minecraft Java Edition could potentially be affected.
What are the steps for Log4Shell detection on my system?
To determine if your system is affected by the Log4Shell vulnerability, you can follow these general steps:
- Identify Usage of Log4j: Check if your applications or services are using the Apache Log4j library. This can be done by reviewing the application’s dependencies or by performing a software composition analysis.
- Check the Version: The vulnerability affects Apache Log4j versions from 2.0-beta9 to 2.14.12. If your application is using these versions of Log4j, it may be vulnerable.
- Scan for Vulnerabilities: Acalvio ShadowPlex provides capabilities that enable a Security team to gain visibility into applications and services that carry the Log4Shell vulnerability. For more information, see Visibility.
Are there any examples of Log4Shell exploits?
The following are some Log4Shell exploit examples:
- Malware Exploitation: Certain malware families like Bazarloader and Mirai, as well as various Cryptocurrency Mining Software, have been observed exploiting Log4Shell.
- Spring Boot Web Application: A sample vulnerable Spring Boot web application was created to demonstrate how Log4Shell can be exploited. The exploitation process involves using a malicious LDAP server and triggering the exploit using a specific curl command.
- Minecraft PoC: A proof of concept (PoC) was demonstrated using Minecraft, which is known to use the Log4j library.
How can I detect Log4Shell attacks?
Deception technology powered by Acalvio ShadowPlex is an effective way of detecting Log4Shell attacks. For more information, see Asset Protection.