WootCloud Blog

How WootCloud Customers Avert Log4j Exploits

What Happened

Hackers, including state-backed groups, have launched more than 840,000 attacks on companies globally since Friday, December 10th, according to researchers, exploiting a previously unnoticed vulnerability in a widely used piece of open-source software called Log4J.

The flaw in Log4J allows attackers to easily gain remote control over computers running apps in Java, a popular programming language.

Any device that is exposed to the internet is at risk if it is running Apache Log4J versions 2.0 to 2.14.1. NCSC notes that Log4j version 2 (Log4j2), the affected version, is included in the Apache Struts2, Solr, Druid, Flink, and Swift frameworks.

Additionally, Mirai, a botnet that targets all manner of internet-connected (IoT) devices, has adopted an exploit for the flaw. Cisco and VMware have each released patches for their affected products.

If left unpatched, the bug in the Java logging library Apache Log4j could be used by cyberattackers to take over servers, potentially putting favorite online services, as well as popular consumer devices, at risk of failure.

Log4j is widely used in devices such as smart TVs, DVR systems and security cameras. Many of these have not received security updates, and millions more are still in boxes at retailers and in transit. All of them are vulnerable to attack the moment they are connected.

How WootCloud Is Mitigating Risk for Its Customers’ Compromised Infrastructure

Shortly after a signature for the Log4J vulnerability was published for Suricata, the leading open-source intrusion detection system (IDS) and intrusion prevention system (IPS), WootCloud started to see dozens of servers being exploited via our Security Operations dashboards.

WootCloud is purpose-built to identify anomalous behavior and is valuable for spotting infiltration and attacks at the moment of compromise, persistence during an attack, and exfiltration attempts by devices, both managed and unmanaged.

WootCloud was able to automatically alert on the threat and recommend that customers upgrade their Log4j versions early in the attack.

Multiple alerts fired by WootCloud for a customer with exposure to Log4j exploits.

Alert detail on Log4J exposure.

Additional Resources

CISA’s main advice is to identify internet-facing devices running Log4j and upgrade them to version 2.15.0, or to apply the mitigations provided by vendors “immediately”. It also recommends setting up alerts for probes or attacks on devices running Log4j.

“To be clear, this vulnerability poses a severe risk,” CISA director Jen Easterly said Sunday. “We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”

Additional steps recommended by CISA include:

  • enumerating any external-facing devices with Log4j installed
  • ensuring the security operations center actions every alert from devices with Log4j installed
  • installing a web application firewall (WAF) with rules that focus on Log4j.
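One way to carry out the first of those steps on a host you administer, as an added example that is not WootCloud's or CISA's tooling: walk a directory tree for log4j-core jars, read each version from the jar manifest (falling back to the file name), and flag anything in the 2.0 to 2.14.1 range named above, with 2.15.0 as the fixed release the advisory points to. The three jars it scans are constructed fixtures built on the fly, not real Log4j builds, and the paths app1/lib, app2/lib and cams/firmware are invented.

```python
import os
import re
import shutil
import tempfile
import zipfile
JAR_NAME = re.compile(r"^log4j-core-(\d+\.\d+(?:\.\d+)?)[^/]*\.jar$")  # e.g. log4j-core-2.14.1.jar
FIXED = (2, 15, 0)  # the release the advisory above tells you to upgrade to

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None when no version is present."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def is_vulnerable(version):
    """True for any Log4j 2.x release below 2.15.0, i.e. the 2.0 to 2.14.1 range."""
    return version is not None and version[0] == 2 and version < FIXED

def jar_version(path):
    """Prefer Implementation-Version from the jar manifest; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1].strip())
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: the file name is the only evidence left
    m = JAR_NAME.match(os.path.basename(path))
    return parse_version(m.group(1)) if m else None

def scan(root):
    """Return sorted (path, version, vulnerable) triples for every log4j-core jar under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if JAR_NAME.match(name):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                findings.append((path, version, is_vulnerable(version)))
    return sorted(findings)

def demo():
    """Scan a constructed tree (not real Log4j builds): two affected jars and one patched jar."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    for sub, ver in (("app1/lib", "2.14.1"), ("app2/lib", "2.15.0"), ("cams/firmware", "2.3")):
        os.makedirs(os.path.join(root, sub))
        with zipfile.ZipFile(os.path.join(root, sub, f"log4j-core-{ver}.jar"), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
    result = {os.path.relpath(p, root).replace(os.sep, "/"): (v, bad) for p, v, bad in scan(root)}
    shutil.rmtree(root)
    return result
```

Point `scan()` at a real root (`/`, an application directory, or a mounted firmware image) to get the inventory; jars bundled inside war or fat-jar archives are not unpacked here and need a second pass.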

Microsoft lists immediate actions for Microsoft Defender and Linux users in the post here.

The perfect cybersecurity storm has arrived. Consider intelligent, automated device and infrastructure security today.

To learn more in a zero touch, no obligation Demo or POC, please contact us.

Contributing Authors:

Andreas Stenzel
