Log4j Vulnerability Response
Despite CISA’s comments regarding the observed lack of significant intrusions due to the log4j vulnerability thus far, organizations are encouraged to continue assessing and addressing their environments for vulnerable instances of the Java logging library. While there are threat groups (including ransomware groups) attempting to use log4j in recent attacks, threat actors are likely to continue exploiting this flaw for years to come, thus taking advantage of unpatched assets. Whether this lack of significant intrusion is due to face value (truly a lack of significant intrusions), lack of reporting, or lack of organizations’ ability to identify vulnerable instances – this flaw still impacts hundreds of millions of devices - including an estimated several million OT software packages - and over 2800 products. Therefore, is important for water and wastewater sector entities to continue assessing their networks for the presence of the vulnerable log4j library and monitoring for potential exploitation.
Recent updates:
- No Significant Intrusions Related to Log4j Flaw Yet, CISA Says
- Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability (January 11 recap)
- Night Sky ransomware uses Log4j bug to hack VMware Horizon servers
- Ransomware: Hackers are using Log4j flaw as part of their attacks, warns Microsoft
- EoL Systems Stonewalling Log4j Fixes for Fed Agencies
Key guidance resources for assessing and addressing log4j:
- Joint Cybersecurity Advisory (CSA) AA21-356a.
- CISA GitHub log4j-scanner page. Note: The information and code in this repository is provided "as is" and was assembled with the help of the open-source community and updated by CISA through collaboration with the broader cybersecurity community.
- CISA’s webpage on Apache Log4j Vulnerability Guidance.
- GitHub repositories for CISA and NCSC-NL for tracking vendor-supplied product advisories.
January 6, 2022
The log4j vulnerability continues to be a concern for all organizations. From national-level efforts, to ICS/OT impacts, and potential for FTC fines if vulnerabilities are not remediated. Members are encouraged to keep assessing their environments and addressing any vulnerable instances of log4j, including ICS/OT systems.
- According to supply chain cybersecurity provider aDolus, an estimated several million OT software packages use log4j.
- SecurityWeek is tracking available advisories for many ICS/OT products, including those used in the water and wastewater and energy sectors. Current advisories include: ABB, Emerson, Honeywell, Johnson Controls, Moxa, Phoenix Contact, Rockwell Automation, Schneider Electric, Siemens, Sierra Wireless, and WAGO.
- Likewise, several ICS companies report that their products are not impacted, including Inductive Automation, VTScada, and COPA-DATA.
- Members are encouraged to regularly review current vendor statements and directly reach out to system integrators, ICS/OT, and IoT manufacturers whose statements have not been made publicly available.
Notable log4j updates:
- FTC warns companies to remediate Log4j security vulnerability. The FTC is taking a firm stance on response efforts to log4j to reduce the likelihood of harm to consumers. The FTC states that it intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future. The FTC has not been hesitant to use their legal authority in the past when it issued a fine of $700 million to Equifax after exposure of personal information of over 140 million consumers for failing to patch a known vulnerability (in Apache Struts).
- Peters Convenes Committee Briefing with Top Cybersecurity Officials on Log4J Vulnerability. The log4j vulnerability is a national-level concern, as such the Homeland Security & Government Affairs Committee convened a briefing by officials Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency, and National Cyber Director Chris Inglis.
- Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. In a January 3 update, Microsoft reminds us why log4j response requires ongoing and sustainable vigilance. “By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment.”
Key guidance resources for assessing and addressing log4j (Members are encouraged to continue referencing):
- Joint Cybersecurity Advisory (CSA) AA21-356a.
- CISA GitHub log4j-scanner page. Note: The information and code in this repository is provided "as is" and was assembled with the help of the open-source community and updated by CISA through collaboration with the broader cybersecurity community.
- CISA’s webpage on Apache Log4j Vulnerability Guidance.
- GitHub repositories for CISA and NCSC-NL for tracking vendor-supplied product advisories.
Important reminders:
- Log4j usage is ubiquitous among enterprise, cloud services, Internet-of-Things, and SCADA systems. CISA estimates hundreds of millions of devices are impacted by this vulnerability.
- Given widespread usage, it is important for water and wastewater sector entities to assess their networks for the presence of the vulnerable log4j library.
- For use of the vulnerable log4j library within your environment, it may be necessary to reach out to system integrators, and ICS and IoT manufacturers.
December 28, 2021
While it seems threat actors surprisingly took a holiday from poking around the internet for vulnerable log4j libraries, that doesn’t mean the threat has abated. According to Sophos, they detected a 40% decrease in scanning for log4j over the Christmas weekend, hitting its lowest levels in more than two weeks. Sophos also suggests scanning may be low around January 7, 2022 – the date celebrated in Russia for Orthodox Christmas. This seems like a great opportunity for defenders to get a jump on identifying and patching vulnerable instances with less distractions before scanning activity resumes.
Furthermore, identifying vulnerable log4j instances is key, as Tenable reports that one in ten assets are likely vulnerable. That’s “One in 10 of nearly every aspect of our digital infrastructure has the potential for malicious exploitation via Log4Shell.” However, 30% of organizations haven’t even begun looking despite worldwide urging from national governments and the global cybersecurity community. In spite of the reduced staff during this time, members are encouraged to determine impact and respond accordingly to this threat.
Key guidance resources for assessing and addressing log4j (Members are encouraged to continue referencing):
- Joint Cybersecurity Advisory (CSA) AA21-356a.
- CISA GitHub log4j-scanner page. Note: The information and code in this repository is provided "as is" and was assembled with the help of the open-source community and updated by CISA through collaboration with the broader cybersecurity community.
- CISA’s webpage on Apache Log4j Vulnerability Guidance.
- GitHub repositories for CISA and NCSC-NL for tracking vendor-supplied product advisories.
Important reminders:
- Log4j usage is ubiquitous among enterprise, cloud services, Internet-of-Things, and SCADA systems. CISA estimates hundreds of millions of devices are impacted by this vulnerability.
- Given widespread usage, it is important for water and wastewater sector entities to assess their networks for the presence of the vulnerable log4j library.
- For use of the vulnerable log4j library within your environment, it may be necessary to reach out to system integrators, and ICS and IoT manufacturers.
December 22, 2021
As the response continues for assessing and addressing vulnerable Java log4j logging libraries, here are some of the latest developments, tools, and other resources to keep in mind:
- A joint Cybersecurity Advisory (CSA) on Mitigating Log4Shell and Other Log4j-Related Vulnerabilities (AA21-356A) was finally released. CISA, FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, NCSC-UK collaborated to provide mitigation guidance on addressing vulnerabilities in Apache’s Log4j software library.
- CISA posted a log4j-scanner page on GitHub. This repository provides a scanning solution for the log4j Remote Code Execution vulnerabilities (CVE-2021-44228 & CVE-2021-45046). The information and code in this repository is provided "as is" and was assembled with the help of the open-source community and updated by CISA through collaboration with the broader cybersecurity community.
- Members are encouraged to continue referencing:
- CISA’s webpage for updates on its Apache Log4j Vulnerability Guidance.
- GitHub repositories for CISA and NCSC-NL for tracking vendor-supplied product advisories for assessing impact within their environment.
- Special offer - In the interest of discovering vulnerable assets, during a CISA Stakeholder call on Monday, Eric Byres from aDolus offered assistance at no cost to organizations struggling to determine impact of log4j vulnerabilities from vendor products within their environments. Visit the aDolus log4j page for more information and to request assistance.
Other information and updates:
- Log4j: Panic or Lesson? (aDolus)
- Two Weeks into Log4J – What’s the Takeaway for OT Networks? (Otorio)
- Log4j Flaw: 10 Questions you need to be asking (ZDNet)
- Q&A with Flashpoint and Risk Based Security (Flashpoint)
Important reminders:
- Log4j usage is ubiquitous among enterprise, cloud services, Internet-of-Things, and SCADA systems. CISA estimates hundreds of millions of devices are impacted by this vulnerability.
- Given widespread usage, it is important for water and wastewater sector entities to assess their networks for the presence of the vulnerable log4j library.
- For use of the vulnerable log4j library within your environment, it may be necessary to reach out to system integrators, and ICS and IoT manufacturers.
Additional Resources:
(December 21, 2021) Continued Response to Log4j Vulnerabilities
As the response continues for assessing and addressing vulnerable Java log4j logging libraries in your environment, here are some things you should know from the latest developments:
- CISA issues Emergency Directive (ED22-02) to mitigate log4j vulnerability. While ED’s directly apply to federal agencies, as always all organizations are encouraged to follow the guidance.
- CISA continues to update its webpage on Apache Log4j Vulnerability Guidance and community-sourced GitHub repository of vendor-supplied advisories.
- Apache issued a new update (2.17.0, at the time of this post) to fix issues on-going issues with prior updates that have been determined to be incomplete.
- Note: if you’ve already started applying the first patch (2.15.0) to your internet facing devices, it is recommend that you continue addressing those most at risk – internet facing – devices. For example, complete 2.15.0 first before “backtracking” to apply the latest (2.17 as of this writing) patch. According to CISA, thus far active exploitation has only been observed on the issue originally addressed by 2.15.0, not on the issues addressed by subsequent patches.
- Vendor-supplied product advisories can be tracked at GitHub repositories for CISA and NCSC-NL. Members are encouraged to review these resources when assessing impact to their environment. Short of an asset inventory and a software-bill-of-material (SBOM), the repositories are a great starting point to determine impacted products.
Other information and updates:
- Conti ransomware seems to be the most active ransomware exploiting log4j. Conti is reportedly using log4j to compromise VMware vCenter servers. Threatpost has a succinct post on how Conti is using the full attack chain.
- The most exploit attempts are being observed from Russia and China. Sophos has the details.
- aDolus, Tenable, Flashpoint, Verve, and Kaspersky have good “explainers” and other intelligence on the log4j vulnerability for those looking for more information.
Important reminders:
- Log4j usage is ubiquitous among enterprise, cloud services, Internet-of-Things, and SCADA systems. CISA estimates hundreds of millions of devices are impacted by this vulnerability.
- Given widespread usage, it is important for water and wastewater sector entities to assess their networks for the presence of the vulnerable log4j library.
- For use of the vulnerable log4j library within your environment, it may be necessary to reach out to system integrators, and ICS and IoT manufacturers.
(December 17, 2021) Log4j Vulnerabilities – The Initial Panic is Over, but the Response Continues
Members are encouraged to continue assessing and addressing the current log4j vulnerabilities.
What you should know:
- Apache has released another update 2.16.0 to address the original vulnerability (CVE-2021-44228) and another recently discovered vulnerability (CVE-2021-45046) that could result in a denial-of-service condition.
- There continues to be widespread mass scanning using publicly available exploit code and more customized exploits and targeted attacks, including from APT actors. Some groups are also deploying ransomware on compromised systems.
- CISA continues to update its webpage on Apache Log4j Vulnerability Guidance and community-sourced GitHub repository of vendor-supplied advisories – members are encouraged to regularly review CISA’s guidance.
- Log4j usage is ubiquitous among enterprise, cloud services, Internet-of-Things, and SCADA systems, CISA estimates hundreds of millions of devices are impacted by this vulnerability.
- Given widespread usage, it is important for water and wastewater sector entities to assess their networks for the presence of the vulnerable log4j library.
- For use of the vulnerable log4j library within your environment, it may be necessary to reach out to system integrators, and ICS and IoT manufacturers.
For more information, background, and recommendations, visit Mandiant.
Additional Resources:
- Advisory: Water and Wastewater Utilities Urged to Mitigate Log4j Vulnerability Immediately (WaterISAC)
- OT/SCADA Security – Why the Log4j Vulnerability Matters to OT (WaterISAC)
- Apache Log4j Vulnerability Guidance (CISA)
- Log4j Detection and Response Playbook (TrustedSec)
- Critical RCE Vulnerability: log4j - CVE-2021-44228 (Huntress)