Log4j: How to protect yourself from this security vulnerability

2 years ago 458

As cybercriminals scan for susceptible servers, determination are steps you tin instrumentality to mitigate this captious vulnerability.

Security breach, strategy   hacked alert with reddish  breached  padlock icon showing unsecure information  nether  cyberattack, susceptible  access, compromised password, microorganism  infection, net  web  with binary code

Image: Getty Images/iStockphoto

The Log4j security vulnerability known arsenic Log4Shell is shaping up to beryllium 1 of the worst information flaws of the year, perchance affecting millions of applications and coating a bullseye connected unpatched systems that hackers tin compromise and control. Fortunately, determination are steps you tin instrumentality to marque definite your ain systems are protected.

SEE: Patch absorption policy (TechRepublic Premium)

Revealed past week but reported to Apache successful November, Log4Shell is simply a zero-day vulnerability successful the company's Log4J utility, which is utilized by developers and organizations astir the satellite to log requests and mistake messages for Java applications. Since Java is specified a ubiquitous programming language, the flaw impacts a immense fig of applications, systems and servers.

Designated arsenic CVE-2021-44228 by The National Institute of Standards and Technology (NIST), the bug besides is casual to exploit, requiring small oregon nary programming skills. And though Apache has released an updated and patched mentation of the tool, affected users whitethorn not beryllium capable to upgrade rapidly enough. For that reason, hackers are hungrily looking for unpatched systems that they compromise. If successful, an attacker tin past summation power of a server to instal malware, bargain confidential accusation oregon excavation integer currency.

"It's harmless to accidental this vulnerability volition have, and already is having, a monolithic effect connected the industry," said Dan Piazza, method merchandise manager for Netwrix. "Log4j is utilized by thousands of applications, libraries, and frameworks, meaning the fig of perchance impacted organizations is staggering. And with attackers already scanning the net to find susceptible targets, if organizations haven't already started taking mitigation steps past it whitethorn already beryllium excessively late."

No existent breaches person officially been announced yet, according to information supplier Cloudflare. But information researchers are seeing plentifulness of attempts.

In a blog station published Tuesday, Cloudflare said that its researchers are presently watching astir 1,000 attempts per 2nd actively trying to exploit the flaw. Fellow information steadfast Bitdefender said it's observed real-world attacks connected machines outfitted with its endpoint extortion product. Specifically, the steadfast has discovered respective attacks trying to exploit the bug with the intent of launching crypto jacking campaigns erstwhile server entree has been achieved.

One botnet spotted by Bitdefender successful the effort is Muhstik, a menace that takes vantage of vulnerabilities successful web applications. Also trying to exploit the Log4Shell flaw has been XMRIG miner, which uses computing resources to excavation integer currency without the owner's cognition oregon permission. Of course, ransomware is ne'er acold down successful a flaw similar this. A caller ransomware household named Khonsari seems to beryllium targeting Linux servers, according to Bitdefender.

Security supplier Check Point Software said it has discovered much than 1.2 cardinal attempts to exploit the vulnerability, stretching crossed 44% of firm networks astir the world. One circumstantial onslaught seen by Check Point deed 5 victims successful finance, banking, and bundle crossed the US, Israel, South Korea, Switzerland and Cyprus. In this one, cybercriminals capable to exploit the flaw tin instal a Trojan malware, which downloads an executable record that past installs a cryptominer.

SEE: NIST Cybersecurity Framework: A cheat expanse for professionals (free PDF) (TechRepublic)

Recommendations

Organizations affected by the Log4Shell flaw are urged to upgrade Log4j to mentation 2.16.0, released by Apache connected December 13. Initially, the institution deployed mentation 2.15.0 to mitigate the bug, but that mentation was itself flawed successful that it could fto idiosyncratic execute a denial of work attack. Anyone inactive utilizing Java 7 should upgrade to the Log4j 2.12.2 release, according to Apache.

Despite erstwhile advice, conscionable updating Java is not capable to combat the bug, Piazza said.

"For organizations that inactive request to mitigate the vulnerability, they indispensable update the log4j bundle itself and should not conscionable update Java," Piazza said. "This was an aboriginal misconception, that updating Java could trim the severity of the vulnerability, which is simply not true. It's besides a bully thought to consult with bundle vendors to spot if they usage log4j successful immoderate way, and if truthful if they've already provided patches for their products."

Third parties besides person been speedy to motorboat their ain patches and tools to combat the vulnerability. Cisco, Oracle and VMware person rolled retired patches and fixes. Open root information supplier WhiteSource released a escaped developer instrumentality called WhiteSource Log4j Detect that organizations tin tally to observe and resoluteness Log4j vulnerabilities.

"If an enactment uses log4j oregon bundle that includes the library, past it's safest to presume breach and reappraisal perchance impacted applications for unusual behavior," Piazza said. "Furthermore, if an enactment feels they're already breached past they should consult an incidental effect steadfast and region each carnal web entree to the affected server."

As hackers proceed to look for susceptible systems, however, organizations request to enactment accelerated to support themselves from this flaw being utilized against them.

"This vulnerability, due to the fact that of the complexity successful patching it and easiness to exploit, volition enactment with america for years to come, unless companies and services instrumentality contiguous enactment to forestall the attacks connected their products by implementing a protection," said Lotem Finkelstein, caput of menace quality astatine Check Point Software. "Now is the clip to act. Given the vacation season, erstwhile information teams whitethorn beryllium slower to instrumentality protective measure, the menace is imminent. This acts similar a cyber pandemic — highly contagious, spreads rapidly, and has aggregate variants, which unit much ways to attack."

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also see

  • Hiring Kit: Cybersecurity Engineer (TechRepublic Premium)
  • Security threats connected the horizon: What IT pro's request to cognize (free PDF) (TechRepublic)
  • How cyberattacks exploit known information vulnerabilities (TechRepublic)
  • Ransomware attacks are progressively exploiting information vulnerabilities (TechRepublic)
  • Google, Microsoft and Oracle amassed the astir cybersecurity vulnerabilities successful the archetypal fractional of 2021 (TechRepublic)
  • Why organizations are dilatory to spot adjacent high-profile vulnerabilities (TechRepublic)
  • How to support your on-premises databases from information vulnerabilities (TechRepublic)
  • Cybersecurity and cyberwar: More must-read coverage (TechRepublic connected Flipboard)  
  • Read Entire Article