Cyber attack threat from Log4j Java software

December 22, 2021

The ubiquitous use of some software, coupled with its vulnerabilities, makes for a massive cyber security headache, as the Australian's article Millions face cyber attack via compromised Log4j Java-based software makes clear. Log4j is installed on more than 100,000 devices, apps and other products. In cybersecurity terms it is a story that has been around for a while: on 11 December Kaspersky reported on the vulnerability, and the Google Security blog put out a post, Understanding the Impact of Apache Log4j Vulnerability, on 17 December.

The Australian article provides:

Millions of Australians face a “cyber security ticking time bomb”, with children, parents and businesses under threat of being “hunted” and attacked by sophisticated cyber actors exploiting new software vulnerabilities across more than 100,000 devices, apps and online games.

The Australian Cyber Security Centre and law enforcement agencies have launched “around the clock” monitoring of cyber attacks linked to the compromised Log4j Java-based software and stepped up high-level co-operation with US cyber security counterparts.

After the software vulnerability was publicly identified by Chinese company Alibaba on December 10, ACSC acting head Jess Hunter confirmed that cyber actors had already successfully breached Australian devices.

“In my experience, this is the most serious cyber risk Australia has faced. We consider the Log4j a cyber security ticking time bomb. The fact that it is so commonly used is what makes this a big deal,” Ms Hunter told The Australian.

“It’s a big deal for mums and dads who are opening presents on Christmas Day, all the way through to large corporations who are running a series of capabilities for their whole customer set. The vulnerability could affect every sector of the economy and it is so easily taken advantage of.

“Examples are in the Minecraft game … it’s as easy as typing one line of code into the public chat box and then your device is owned by malicious cyber actors.”

The ACSC and Assistant Defence Minister Andrew Hastie have ramped up calls for Australians to urgently patch not only their devices but also other software impacted by the cyber threat, including emails, cloud accounts and online games.

After US Cybersecurity and Infrastructure Security Agency chief Jen Easterly described the Log4j vulnerability as one of the “most serious” threats in her career, ACSC officials are in talks with local software developers and the private sector to fast-track unique security patches.

Ms Hunter said the ACSC had already seen a “wide impact including sophisticated cyber actors hunting for vulnerable Australian citizens who have not been patched against this flaw and in some cases have been successful in gaining access to those devices”.

“The vulnerability will be continued to be exploited, this is not the end of it. So after Christmas we will continue to be focused and alert on Log4j and, even after patching, the ACSC anticipates more vulnerabilities will be identified or exploited,” she said.

“This issue is not going away quickly. We are already seeing impacts across all of Australia and we anticipate the impact will be felt for many months to come. We cannot discount that … there will continue to be serious breaches many years down the track.”

Mr Hastie said malicious cyber adversaries were conducting “thousands of scans in search of the Log4j software vulnerability”.

“This is a serious vulnerability in affected systems, akin to leaving every door and window in your home unlocked on Christmas Eve. It is absolutely critical that Australian businesses and households patch their systems and networks urgently before going on holidays,” Mr Hastie said. “Not doing so will give our cyber adversaries an early Christmas present. Cyber criminals don’t take a holiday for the Christmas season. They are ruthless and opportunistic.”

Mr Hastie said if not fixed, cyber attackers could “break into an organisation’s systems, steal user passwords and login details, extract sensitive data and infect its networks with malicious software causing widespread business interruption”.

“This requires immediate action. I am calling on all Australian businesses and households to ensure their applications and products are patched and up to date, and to follow the ACSC advisories. Even after patching, organisations must continue to monitor to see if any attackers are still lurking in their systems,” he said.

Ms Hunter, the ACSC head of cyber threat intelligence and cyber security services, said she had asked companies creating cyber security patches to “reach out to every one of their Australian customers and make sure that their customers are alert to this and are taking action”.

“These are systems used everyday by millions of Australians. The best advice … take this seriously. When your device asks whether it needs to be updated or patched … don’t delay, patch now.”

“Check the vendor list, to see if the products in your family, in your business, in your corporation are on that list and are vulnerable.”

Vulnerabilities will continue to be an endemic and inevitable problem with software. The key is having a viable cybersecurity system and an ability to respond to notices of vulnerabilities as and when they arise. That capability, unlike the vulnerabilities themselves, is far from inevitable.

The Australian Cyber Security Centre yesterday released advice on the remote code execution vulnerability found in the Log4j library. It relevantly provides:

What is Log4j?

Log4j is a key software building block found in a wide variety of Java applications. It provides logging functionality in many products ranging from messaging, productivity and video conference applications, to web servers and video games. Over 100,000 products from hundreds of vendors – and in-house developed software – may contain Log4j.

What is the impact?

The Log4j vulnerability – otherwise known as CVE-2021-44228 or Log4Shell – is trivial to exploit, leading to system and network compromise. If left unfixed malicious cyber actors can gain control of vulnerable systems; steal personal data, passwords and files; and install backdoors for future access, cryptocurrency mining tools and ransomware.

Who is affected by this?

Individuals should update all applications as soon as vendor patches become available. Make sure your devices and applications are secure by updating regularly and setting automatic updates where possible.

Organisations should follow the prioritised mitigations in this Advisory: contact their vendors, implement suggested mitigations, and update their applications as soon as vendor patches become available. Organisations that have developed in-house software should check for use of Log4j and upgrade to the latest version of Log4j, or consider disabling the JndiLookup class. Even applications which do not appear affected, or are not written in Java, may need updating if Log4j is used in a backend system.

Vendors should follow the prioritised mitigations in this Advisory: identify their use of Log4j and update to the latest version, consider disabling the JndiLookup class, and work to develop the required patches or mitigation advice to assist customers to remediate the vulnerability.

Vendors and organisations should continue to monitor their systems and networks for compromise or suspicious activity, even after remediation steps or patching has been completed, and remain alert to future advisories.

Vulnerability Details

The Log4j Java logging library is one of the most widely used Java-based logging utilities globally. Due to its widespread use in popular software and hardware platforms – such as messaging and productivity applications, mobile device managers, teleconference software, web hosting, and even video games – a large number of third-party applications may also be vulnerable to exploitation. Google estimates that more than 35,000 Java packages may be affected, 80 times more than the median Java vulnerability.

    • CVE-2021-44228: Is a vulnerability in versions of Log4j prior to 2.15 which allows a malicious actor to download a payload through an encapsulated Java Naming and Directory Interface (JNDI) request, resulting in remote code execution (RCE). The Common Vulnerability Scoring System (CVSS) rates this vulnerability as Critical, with the highest possible severity score of 10.0.
    • CVE-2021-45046: Similar to CVE-2021-44228, this enables a remote attacker to cause RCE, a denial-of-service (DoS) condition, or other effects in certain non-default configurations. This vulnerability affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. Patches for CVE-2021-44228 may not mitigate against this vulnerability and an additional patch may be required depending on the vendor. The CVSS rates this vulnerability as Critical, with a severity score of 9.0.
    • CVE-2021-45105: Similar to CVE-2021-45046 but affecting Log4j versions 2.8.0 to 2.16.0, in some deployment scenarios. This vulnerability can allow a malicious actor to deliberately or inadvertently trigger a denial of service while attempting to obfuscate exploitation of CVE-2021-44228. The CVSS rates this vulnerability as High, with a severity score of 7.5.

Given the current focus on Log4j by both the security research community and malicious actors, additional vulnerabilities may be discovered within Log4j. Australian organisations are strongly encouraged to remain aware of any emerging vulnerabilities and available patches.

Exploitation and post-exploitation activities

The ACSC is aware of widespread scanning and reconnaissance activity against Australian organisations by malicious actors to identify the Log4j vulnerability. The ACSC has observed successful exploitation of the Log4j vulnerability and the compromise of systems and networks within Australia and globally, across all sectors of the economy.

An observed string substitution obfuscation technique which seeks to obscure exploitation of the remote code execution vulnerability can cause an infinite recursion resulting in a denial of service condition in versions of Log4j between 2.8.0 and 2.16.0.

The ACSC is also aware of reporting that malicious cyber actors have patched Log4j on systems after exploitation and compromise to avoid detection by security teams.

Given the widespread use of Log4j, patterns of post-exploitation activity are still emerging.

Mitigation and detection recommendations

Affected products

Australian organisations should check whether products they use or products developed in-house are affected by the Log4j vulnerability. The following links are helpful resources for identifying affected products:

ACSC recommended prioritised mitigations

Individuals should update all applications as soon as vendor patches become available.

In accordance with the Essential Eight (E8) Patch Applications, organisations should contact their vendors and apply the latest patches immediately where Log4j is known to be used. Upgrade to the current release of Log4j 2.17.0, which disables the vulnerable functionality and mitigates against the known string substitution denial of service condition.

Organisations should also check internally developed or in-house software for use of Log4j and upgrade to the latest version of Log4j (version 2.17.0 as of publication), or consider disabling the JndiLookup class.

Software vendors should work to identify their use of the Log4j logging library in their products, and develop the required patches including the latest available version of Log4j to assist their customers to remediate the vulnerability on their systems.

Where upgrading is not possible, organisations should apply the hardening advice to disable the JndiLookup class.

For software that organisations directly manage, mitigation advice on how to disable the JNDI points has been published in many places. A useful summary is in this post from Cloudflare.
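To make the advisory's version ranges and the "disable JndiLookup" fallback concrete, here is an added Python example (not from the ACSC, the newspaper or the Log4j project) that classifies a Log4j version against the three CVEs listed under Vulnerability Details, reads the version out of a jar's manifest, flags whether an upgrade to 2.17.0 is still needed, and writes a copy of the jar with JndiLookup.class removed for the case where upgrading is not yet possible. It assumes the jar carries an Implementation-Version manifest header; the sample jar, its placeholder class bytes and the function names are constructed for this example.

```python
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    # '2.0-beta9' -> (2, 0, 0, 'beta9'); final releases get '~' so pre-releases sort before them
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0), m[4] or "~")

def applicable_cves(version):
    # The three version ranges quoted in the advisory's Vulnerability Details
    v, cves = parse_version(version), []
    between = lambda lo, hi: parse_version(lo) <= v <= parse_version(hi)
    if v < parse_version("2.15.0"):                                   # "prior to 2.15"
        cves.append("CVE-2021-44228")
    if between("2.0-beta9", "2.12.1") or between("2.13.0", "2.15.0"):
        cves.append("CVE-2021-45046")
    if between("2.8.0", "2.16.0"):                                    # string-substitution DoS
        cves.append("CVE-2021-45105")
    return cves

def assess_jar(jar_bytes):
    # Version is taken from the manifest's Implementation-Version header (assumed present)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        version, present = (m.group(1) if m else None), JNDI_LOOKUP in jar.namelist()
    return {"version": version, "jndi_lookup_present": present,
            "cves": applicable_cves(version) if version else [],
            "upgrade_needed": version is None or parse_version(version) < parse_version("2.17.0")}

def strip_jndi_lookup(jar_bytes):
    # Fallback when upgrading is not possible: copy every entry except JndiLookup.class
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in (n for n in src.namelist() if n != JNDI_LOOKUP):
            dst.writestr(name, src.read(name))
    return out.getvalue()

def make_sample_jar(version):
    # Constructed stand-in for log4j-core-<version>.jar; the class entry is placeholder bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Stripping the class only neutralises the JNDI lookup path; the advisory still treats upgrading to 2.17.0 as the primary fix, and `upgrade_needed` stays true for a stripped jar.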

As a last resort, organisations may implement network segmentation and segregation of affected hosts, noting that this presents only a partial mitigation for potential activity;

    • Specifically for these vulnerabilities, configure network access rules to prevent vulnerable hosts from initiating requests to all JNDI related naming services;
    • If practical, disable outbound connections from the vulnerable hosts to the internet, especially outbound Lightweight Directory Access Protocol (LDAP) and Domain Naming System (DNS) requests to untrusted networks;
    • Isolate hosts running vulnerable applications to prevent lateral movement.

ACSC Detection recommendations

Regardless of how quickly patches are applied, organisations should assume a malicious actor may have compromised their systems or networks, and take steps to continually monitor and investigate for indicators of exploitation and compromise. The ACSC is also aware of reporting that malicious cyber actors have patched Log4j on systems after exploitation and compromise to avoid detection by security teams. As initial investigative activity, the ACSC recommends the following methods for detecting further malicious activity, on any system running Log4j.

Further Information

There are already useful open source information sources on the Log4j vulnerability. For example:

The ACSC encourages organisations to verify if their software is vulnerable by actively monitoring vendor notifications or authoritative lists of known vulnerable software platforms. 

Assistance / Where can I go for help?

The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1 (1300 292 371). 

 
