Over the past few days, organizations have been dealing with the fallout from the recently disclosed zero-day Log4j vulnerability, tracked as CVE-2021-44228. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency expressed concerns that threat actors would exploit vulnerable systems, including those powering critical infrastructure. Those fears have proven accurate, as several organizations have experienced intrusions connected to the Log4j vulnerability, with outcomes ranging from malicious cryptocurrency mining to the attempted installation of malware and the red-teaming framework Cobalt Strike.
The Log4j library is a popular Java logging library used in many web applications and hundreds of significant enterprise products, both on-premises and cloud-based.
The Log4j vulnerability allows any remote attacker to take control of an Internet-connected device if it is running Java software that uses one of the affected Log4j versions. Over the years, we’ve seen a wide array of similar vulnerabilities, from Heartbleed to BlueKeep and many others. The Log4j vulnerability isn’t the first and won’t be the last. However, it is quickly proving to be one of the worst. Given how many devices and systems use the Log4j library in their code, this vulnerability can potentially impact a previously unheard-of variety of devices, tools, and security infrastructure systems across cloud and hybrid networks in organizations across the globe.
Unknown vulnerabilities magnify impact
Although much of the focus is on the newest vulnerability, the impact is magnified when an organization also carries unknown vulnerabilities. In July of 2021, CISA published a list of Top Routinely Exploited Vulnerabilities. The list demonstrates how often threat actors weaponize publicly disclosed flaws to exploit any business whose network is exposed to them. It also shows that they routinely leverage older vulnerabilities that remain exploitable. For example, a threat actor who gains access to a system through a newly disclosed exploit like the Log4j vulnerability may then achieve lateral movement and further exploitation using any number of previously disclosed flaws.
Steps to strengthen security posture
While the risk of exploits can never be eliminated, organizations can take some critical steps to strengthen their security posture before the inevitable happens. They also need to be prepared to respond quickly when vulnerabilities are discovered: to evaluate quickly where they are exposed, and to protect their businesses from potential exploits. Many teams had their plans tested this week because of the Log4j news and may need to adjust their processes.
When vulnerabilities are discovered, enterprises need to equip their IT and security organizations to accomplish the following objectives, quickly and decisively:
- Evaluate whether the organization has products (including hardware and software) within their networks potentially impacted by a vulnerability.
- Analyze where those products are located and whether these products are exposed and accessible.
- Identify the specific products that are exposed, exploitable, and deployed in areas of the network where the business may be at risk.
- Develop a rapid and targeted remediation plan that addresses the business risk, including applying mitigating controls, compensating controls, configuration changes, patches, and upgrades.
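The first step, finding out whether anything in the environment ships an affected Log4j, is the part that tripped up many teams, because log4j-core is often buried inside wars, ears and shaded application jars. The scanner below is an added example, not code from the original article or from any vendor tool: it walks an archive recursively, flags any archive that still contains JndiLookup.class (the class Log4j 2.16.0 removed), reads the version from the jar manifest, and treats 2.x releases below 2.15.0 as affected by CVE-2021-44228 and an unreadable version as needing manual review. The sample archives in demo() are constructed in-memory stand-ins, not real Log4j releases.

```python
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # removed in Log4j 2.16.0
NESTED = (".jar", ".war", ".ear", ".zip")

def log4j_version(zf):
    """Version tuple from a Log4j core manifest (Implementation-Title/-Version), else None."""
    mf = "META-INF/MANIFEST.MF"
    text = zf.read(mf).decode("utf-8", "replace") if mf in zf.namelist() else ""
    title = re.search(r"^Implementation-Title:\s*(.*)$", text, re.M)
    ver = re.search(r"^Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", text, re.M)
    if title and "log4j" in title.group(1).lower() and ver:
        return tuple(int(x) for x in ver.groups())
    return None

def scan_archive(label, data, findings):
    """Record every archive, nested jars included, that still ships JndiLookup.class."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = zf.namelist()
    if JNDI_LOOKUP in names:
        ver = log4j_version(zf)
        # True: 2.x below 2.15.0 (first fix for CVE-2021-44228); None: version unknown, review by hand
        affected = None if ver is None else (ver[0] == 2 and ver[1] < 15)
        findings.append({"archive": label, "version": ver, "affected": affected})
    for name in names:
        if name.lower().endswith(NESTED):
            scan_archive(label + "!" + name, zf.read(name), findings)
    return findings

def make_jar(entries):  # constructed sample archive for the demo, not a real Log4j release
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def demo():
    """Constructed cases: vulnerable core jar nested in a war, patched jar, shaded app jar."""
    mf = "Implementation-Title: Apache Log4j Core\nImplementation-Version: %s\n"
    war = make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": make_jar({"META-INF/MANIFEST.MF": mf % "2.14.1", JNDI_LOOKUP: b""}),
                    "WEB-INF/lib/log4j-core-2.16.0.jar": make_jar({"META-INF/MANIFEST.MF": mf % "2.16.0"})})
    shaded = make_jar({"META-INF/MANIFEST.MF": "Implementation-Title: Billing\n", JNDI_LOOKUP: b""})
    return scan_archive("billing-all.jar", shaded, scan_archive("app.war", war, []))
```

On a real host, feed scan_archive the bytes of every .jar, .war and .ear under the application server's deployment tree; treat a None version as a finding to verify by hand rather than a pass.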
No organization can prevent all cyberattacks from happening, but they can reduce the potential fallout from the inevitable by taking a proactive approach to security posture management. By focusing on and prioritizing the reduction of exposure to vulnerabilities throughout their infrastructure, organizations can build more robust defenses against further privilege escalation, lateral movement, and exploitation by threat actors using the latest and greatest zero-days.