What is Log4Shell, and why are we panicking about it?

Scanning under way, more to follow

As with any newly disclosed zero-day, the vast majority of activity around Log4Shell to date has been scanning for vulnerable systems, according to Microsoft’s Threat Intelligence Center (MSTIC) team, which was among those putting in overtime at the weekend.

However, the team added, it is also now observing full exploitation and post-exploitation activity. Given the nature of the vulnerability, this activity can take a multitude of forms, from the deployment of simple illicit cryptominers to the use of everyone’s favourite, Cobalt Strike, to enable credential theft, lateral movement and data exfiltration. It goes without saying that ransomware attacks will follow.

As a matter of course, security teams must immediately apply the software update that Apache has already released for Log4j2. But beyond that, Log4Shell presents a substantially different kind of challenge for security teams, according to Sophos senior threat researcher Sean Gallagher. “Many software vulnerabilities are limited to a specific product or platform, such as the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange,” he said. “Once defenders know what software is vulnerable, they can check for and patch it.

“However, Log4Shell is a library that is used by many products. It can therefore be present in the darkest corners of an organisation’s infrastructure, for example, any software developed in-house. Finding all systems that are vulnerable because of Log4Shell should be a priority for IT security.

“Sophos expects the speed with which attackers are harnessing and using the vulnerability will only intensify and diversify over the coming days and weeks,” he said.

“Once an attacker has secured access to a network, any infection can follow. IT security teams need to do a thorough review of activity on the network to spot and remove any traces of intruders, even if it just looks like nuisance commodity malware.”

Defenders with systems that cannot be updated immediately can also apply a newly released fix developed by Cybereason, which can be downloaded from GitHub and requires only basic Java skills to implement.

Ellis at Bugcrowd said the Cybereason vaccine was a great option of last resort. “Many organisations are currently struggling to inventory where Log4j2 exists in their environment and updating a component like this necessitates a dependency analysis in order to avoid breaking a system in the pursuit of fixing a vulnerability.

“All of this adds up to a lot of work, and having a ‘fire and forget’ tool to clean up anything that may have been missed at the end of it all seems like a scenario that many organisations will find themselves in in the coming weeks.

“Another scenario in which it could be useful is rapid emergency prevention, such as if a self-propagating piece of malware like WannaCry appears before patching is completed,” he added.
