The Persistence of Log4j
The legacy of the Log4j Vulnerability is Alive (and Not So Well)
On Wednesday, November 16, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI), released a Cybersecurity Advisory (CSA) about an Iranian government-sponsored advanced persistent threat (APT) actor that compromised a federal network by exploiting the Log4j vulnerability in an unpatched VMware Horizon server.
The initial exploitation of the federal network lasted a total of 17.6 seconds back in February 2022.
Once on the compromised server, the threat actors added an exclusion to the antivirus rules to avoid detection, installed cryptomining software, accessed a domain controller where they harvested credentials and created a rogue domain administrator account, and then used that privileged account to move laterally and compromise servers at will.
They installed a reverse proxy tool that gave them continuing access persisting across server reboots, with all external remote sessions looking like innocent outbound HTTPS connections on port 443.
But All Federal Servers Were Patched, Right?
The Log4j vulnerability was initially identified almost a year ago, in November 2021, and because the library is so pervasive, CISA issued an emergency directive requiring all federal agencies to apply patches before December 23, 2021.
This breach happened over a month after that deadline, so clearly these servers weren’t patched in time.
Is My Organization at Risk?
The Apache Log4j library is used extensively throughout the software industry.
The question likely isn’t whether you’re using a product that contains the library, but how many of the products you use contain it.
As the timeline of this breach shows, if your organization didn’t patch its Log4j libraries promptly back in late 2021, you may have been compromised and just don’t know it yet.
Current Advisory Alert: The Hunt for Log4j
The advisory from CISA and the FBI contains a detailed chronology of the breach of the federal systems, along with direct guidance and recommendations for ensuring you’re not (or confirming you are) affected by the Log4j vulnerability.
Take the time to review all systems in use within your enterprise to identify whether Log4j is part of the software stack.
Many recent APT attacks lay the groundwork for a later attack and then go into stealth mode, waiting for the most opportune time to strike.
Given this, a deep investigation is well worth the effort, if only for peace of mind that you’re not a victim in waiting.
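One way to carry out the software-stack review described above is to inventory every copy of log4j-core on a host, including copies buried inside WAR, EAR and fat-JAR archives, and flag the ones that need attention. The script below is an added example for this post, not code from CISA, the FBI or Aragon Research; the review threshold (2.17.1), the archive extensions and the sample tree it builds are assumptions for the demonstration.

```python
import io
import os
import re
import tempfile
import zipfile
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Maven metadata Log4j 2 ships inside log4j-core; its version= line identifies the build.
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MIN_OK_VERSION = (2, 17, 1)  # assumed review threshold; take the real one from current vendor guidance

def parse_version(pom_text):
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_text, re.M)
    return tuple(int(g) for g in m.groups()) if m else None

def scan_archive(data, location, findings):
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # not a zip container (e.g. a renamed file); nothing to inspect
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in (names := set(zf.namelist())):
            if POM_RE.search(name):
                ver = parse_version(zf.read(name).decode("utf-8", "replace"))
                findings.append((location, ver, JNDI_CLASS in names, ver is None or ver < MIN_OK_VERSION))
            elif name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{location}!{name}", findings)  # descend into nested archives

def scan_tree(root):
    """Return [(location, version, jndi_lookup_present, needs_review)] per log4j-core copy found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(f for f in files if f.lower().endswith(ARCHIVE_EXT)):
            with open(os.path.join(dirpath, fn), "rb") as fh:
                scan_archive(fh.read(), os.path.join(dirpath, fn), findings)
    return findings

def demo():
    """Constructed sample tree: an old log4j-core buried in a WAR plus a current one beside it."""
    def jar(version, with_jndi):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties", f"version={version}\n")
            if with_jndi:
                z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
        return buf.getvalue()
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as w:
        w.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar("2.14.1", True))
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(jar("2.17.1", False))
    return scan_tree(root)
```

Point scan_tree at an application or deployment directory; a finding whose location contains "!" is a copy nested inside another archive, which plain file-name searches miss.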
Cloud Computing continues to expand throughout 2022 and is being adopted broadly across the enterprise.
The options available to enterprises on where to run workloads have never been greater, so understanding these options is critical for making the right choices on where to run your unique workloads.
Join Craig Kennedy on December 13, 2022, when he will discuss the current and future state of Cloud Computing and when it makes sense for the digital enterprise.
This webinar will cover:
- Key trends in Cloud Computing in 2022 and Beyond
- Cloud Pitfalls to Avoid
- Cloud Best Practices to Embrace
This blog is a part of the Digital Operations blog series by Aragon Research’s Sr. Director of Research, Craig Kennedy.