Call
Ask an Expert
Tel: +1-281-673-2800
Find an Office
Email
Email Us
Insight

ABS Group Global Cybersecurity Alert: The Log4j Vulnerability

Log4J

The Log4j Vulnerability: What it is, What Organizations are at Risk and How You Can Protect Yourself

A serious cyber risk has been identified in a widely used software by Apache called Java Log4j. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has rated the cyber vulnerability with a score of 10 out of 10.  This vulnerability is now the most high-profile risk on the internet, with CISA ordering civilian federal agencies to implement security updates by December 24.

Executive Takeaways

  • A serious vulnerability was discovered in Log4j, a widely used Java library
  • Log4j runs across many platforms — Windows, Linux, Apple’s macOS — and is present in hundreds of millions of devices.
  • The flaw lets internet-based attackers easily seize control of everything from industrial control systems to web servers
  • Security pros say it’s one of the worst computer vulnerabilities they’ve ever seen
  • The Solution: Device discovery and patching; CISA has released recommendations leading a global response
  • Weeks of active monitoring are to follow as organizations must ensure their critical IT and OT networks and devices have not been compromised

Background: About Apache’s Log4j Software Library

Log4j is used by software developers to record user activity and the behavior of applications. Since its original distribution by the Apache Software Foundation, Log4j has been downloaded millions of times and is one of the most widely used tools to collect information across corporate computer networks.  

Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system. –CISA.

The Log4j vulnerability allows attackers to easily take full control over vulnerable systems without having to go through any security measures and remain undetected by users. Cyber threat actors have already begun to use malware and other penetration tools to gain access to usernames and passwords.

What Specific Devices are at Risk?

According to ZDNet, “Any device that's exposed to the internet is at risk if it's running Apache Log4J, versions 2.0 to 2.14.1." This affects both IT and Operational Technology (OT) networks. Since the released security risk, many OT vendors have published notifications stating that they use Log4j and are uncertain if the critical vulnerabilities impact their OT systems.

What Action Can Your Cybersecurity Teams Take Now?

Addressing the Log4j vulnerability will likely be a challenge for most organizations. While original reports stated that there were only a few hundred detection attempts at exploiting Log4j, the tide has shifted, with new data now revealing thousands of attempts every single second. Hundreds of millions of devices have likely been affected. The process of securing all of these devices could realistically take months, if not years.

“[This vulnerability] is one of the most serious I’ve seen in my entire career, if not the most serious. We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage.” –Jane Easterly, CISA Agency Director

Top cybersecurity experts are urging organizations to apply security updates for the latest version of Log4j to minimize the chance of being comprised. Log4j is deeply embedded, making it difficult to know if the application is even running within systems. It should also be noted that even if you have applied the patch, it’s possible you may already be comprised.

Vulnerabilities like the log4j zero-day require both mitigations to remediate the software and mitigations to modify the application and network environments. A zero-day is a computer-software vulnerability either unknown to those who should be interested in its mitigation, or known and a patch has not been developed.

For an IT network, the system administrators will enact an emergency patching process that involves: (1) research for notifications from software vendors on their websites, (2) locating all the vulnerable applications via an automated script or scan tool, and (3) scheduling an immediate maintenance period to patch or mitigate the vulnerability.

In an OT environment, this is not as simple because the vendors don’t always release their vulnerabilities; vulnerability scanning tools can compromise the integrity of OT systems communications, and unsupported patching of vulnerabilities can temporarily cripple essential services.

Guidance to Limit Impacts on Most OT Systems

  1. Identify and secure your critical OT systems. In the example of Log4j, you will follow a procedure similar to the one described above to mitigate the vulnerability. In order to protect them, it is critical to ensure they cannot be exploited from the internet and business networks first.
  2. Develop isolation and manual control workarounds that limit the number of operational impacts that could occur if a vulnerability like the Log4j is discovered. Many OT systems have outgoing communications for monitoring, metering, diagnostics, etc. Log4shell can directly compromise those outgoing communications if the system is vulnerable and allow malicious threat actors to remotely execute code. This means if there is any possibility that a shell can be established, your OT systems can be taken over.
  3. Ensure backups and backup procedures exist. Having stable backups and images for OT systems is a good way to ensure systems can be brought online as quickly as possible after an incident. However, they have to be current and functional. Additionally, restoring from a backup image to a lab environment can also be a good way to perform a controlled scan for Log4j.
  4. Require the OEM vendors to be more pragmatic when it comes to vulnerabilities in general. Some major OEMs are already doing this but there are many that still fall short leaving vulnerabilities unresolved.

The Log4j JNDI Attack

Figure 1: Steps of a Log4j JNDI attack and suggested mitigations (Source: Swiss CERT)

eBook - A Beginner's Guide to Cybersecurity

If you don't have a strong industrial cybersecurity program protecting your OT networks, you are at risk. Download our eBook to learn the top three (3) concerns your organization should consider for protection against cyber threats.

Request Access

Understanding Key Recommendations from CISA

If your organization is running products with Log4j, CISA recommends the following actions:

  1. Review Apache’s Log4j Security Vulnerabilities page
  2. Apply available patches immediately
  3. Conduct a security review
  4. Consider reporting compromises immediately

CISAwill continue to provide ongoing guidance for Log4j security vulnerabilities, with recommendations and resources available by the hour. In addition, Carnegie Mellon has posted information, including an up-to-date software list.

Recommendations for Immediate Action and Future Prevention

The Log4j vulnerability will likely continue for several months, or potentially years, as companies work to identify the extent of exposure, develop solutions and implement resolutions. Implementing a comprehensive vulnerability management and network monitoring program will help mitigate the risk of this vulnerability and detect if an exploit has occurred. It will also help address the potential for future exploits and attacks. This is particularly important for the industrial networks (OT), as those tend to be less cyber mature. 

Specific recommended capabilities include:

  • Asset Inventory and Management
  • Vulnerability Management
  • Configuration Management and Monitoring
  • Network Monitoring
  • Incident Response

Resources:


Why ABS Group? 

We're the Experts 

Our team is highly skilled in understanding how to manage cyber risk – and address it as an operational safety issue – across diverse industries and market sectors. From assessing and planning, to developing network protections, to managing your detection and incident response, ABS Group will work with you to understand and reduce your cyber risk.

Dr. Dennis Hackney - Head of Industrial Cybersecurity Services Development

Dr. Dennis Hackney

Senior Technical Advisor of Industrial Cybersecurity

With over 20 years of experience in cybersecurity, Dennis specializes in the development and deployment of IT and OT cybersecurity products and services. Dennis designs new services and deliverables for a diverse range of industries, executing programs that address cybersecurity needs in specialized and industrial environments and supporting the advancement of compliance and technology solutions. Dennis holds a PhD in Information Security, as well as degrees in Electronic Systems Applied Sciences and Business Administration.

 

Kyle Tobias - Principal Sales Engineer - Industrial Cybersecurity

Kyle Tobias

Senior Cybersecurity Assessor 

With over 18 years of OT cybersecurity experience in planning, operations, training and audits in the maritime, energy, banking, finance and telecommunications industries, Kyle has successfully achieved client goals across the globe, including in the Americas, EMEA and Australia. His strategy includes having a clear plan of action and maintaining open communication between all parties. Kyle holds a BA from Olgethorpe University and a MS in Cybersecurity from the Georgia Institute of Technology.

Back to top