
Go Beyond Log4Shell and See the Entire Attack Path

We understand the facts: the most common open-source Java logging library has already been identified with 3 CVEs and counting, and over 3 million attacks have already been confirmed in the wild. The industry anticipates the largest ransom wave ever to hit organizations across the world. The attacker is already inside! What’s next?

What is Log4Shell (the vulnerability in Log4j 2.x)?
  • Apache Log4j 2.x is an open source project that allows developers to log and monitor errors and faults within Java applications
  • It consists of both an implementation and API methods (2.x and above) that can be used by external applications
  • It is a foundational software package used by thousands of applications, often without the application owner explicitly knowing it is part of the app
  • Apps and products range from the helicopter aboard the Mars rover down to simple command and control applications for SCADA

Key Log4j statistics:

  • 46% of corporate networks have incurred intrusion attempts related to Log4j
  • 4 million attempts to exploit the vulnerability have been made so far
  • Over 60 variations of the original Log4j exploit were introduced over a 24 hour period
  • 7,000+ open source projects rely on Log4j as a dependency

Why is this so critical?

Three vulnerabilities have been identified with critical severity (CVSS score of 10), and more are expected to follow:
  • CVE-2021-45105
  • CVE-2021-45046
  • CVE-2021-44228

The exposure allows attackers either to deny service or to run code remotely on the exposed server, gaining control inside the network and a starting point for lateral movement. In some cases the break-in can come from outside the network over a simple web socket. It is a deadly combination of three factors:

  1. Mass distribution of the vulnerable library across thousands of commonly used applications
  2. Easy exploitation with a single crafted request
  3. Difficulty identifying and closing the security gaps in a timely manner

XM Cyber and Log4j – How we have helped

The XM Cyber Exposure Management Platform can help reduce and fix the exposure to Log4j-centric attacks in 4 simple steps:

1. Identify

All instances and assets that have Log4j packages

2. Context

Which instances are part of an attack path towards critical assets

3. Focus

Prioritize which instances to fix first based on risk, and use choke point remediation to quickly disrupt possible attacks

4. Guide

Provide detailed guidance on how to fix and remediate
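One way to carry out step 1 (Identify) on a single host, as an added example that is not XM Cyber's code nor part of its platform: a Python scanner that walks a directory tree, opens every JAR/WAR/EAR it finds, reads the Maven pom.properties that log4j-core ships with to recover the library version, recurses into nested archives (WEB-INF/lib bundles, shaded JARs), and records whether the JndiLookup class is present. The 2.17.0 threshold it compares against and the sample archives it builds for the demo are this example's own assumptions; the check is deliberately conservative and will also flag the Java 6/7 backport releases that carried the fixes, leaving those for a human to confirm.

```python
"""Inventory scanner for Log4j 2.x artifacts (added example, not XM Cyber's code)."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Maven metadata that the log4j-core JAR carries in the standard Maven layout.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class implementing the JNDI lookup; its presence means that code path is shipped.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: any 2.x version below 2.17.0 is reported as needing review for the three
# CVEs named on the page. Deliberately conservative: the Java 6/7 backport releases
# (2.3.x / 2.12.x) that also carried fixes get flagged too, for a human to confirm.
FIXED_VERSION = (2, 17, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

@dataclass
class Finding:
    path: str                # archive path; nested archives are joined with "!/"
    version: Optional[str]   # version from pom.properties, None if not present
    jndi_lookup: bool        # JndiLookup.class present in this archive
    needs_review: bool       # version unknown or below FIXED_VERSION

def parse_version(text: str) -> Optional[tuple]:
    """Turn '2.14.1', '2.17.0-rc1' or '2.0-beta9' into a comparable int tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def read_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Pull 'version=' out of log4j-core's pom.properties, if the JAR has one."""
    if POM_PROPERTIES not in zf.namelist():
        return None
    for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def inspect_archive(zf: zipfile.ZipFile, label: str) -> List[Finding]:
    """Inspect one archive and recurse into archives nested inside it."""
    findings: List[Finding] = []
    names = set(zf.namelist())
    version = read_version(zf)
    jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or jndi:
        parsed = parse_version(version) if version else None
        findings.append(Finding(label, version, jndi, parsed is None or parsed < FIXED_VERSION))
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    findings.extend(inspect_archive(inner, f"{label}!/{name}"))
            except zipfile.BadZipFile:
                continue  # not actually a ZIP; skip it
    return findings

def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree and inspect every archive found; results sorted by path."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(full) as zf:
                        findings.extend(inspect_archive(zf, full))
                except zipfile.BadZipFile:
                    continue
    return sorted(findings, key=lambda f: f.path)

def make_jar(version: Optional[str], include_jndi: bool = True) -> bytes:
    """Build an in-memory JAR mimicking log4j-core's layout (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()

def build_sample_tree(root: str) -> None:
    """Constructed fixtures: an old standalone JAR, a WAR bundling a fixed JAR, a shaded JAR."""
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(make_jar("2.14.1"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.0.jar", make_jar("2.17.0"))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())
    with open(os.path.join(root, "shaded-app.jar"), "wb") as f:
        f.write(make_jar(None))  # shaded copy: no pom.properties, so version unknown

def run_demo() -> List[Finding]:
    """Build the constructed fixtures in a temp dir and scan them."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    build_sample_tree(root)
    return scan_tree(root)

if __name__ == "__main__":
    for f in run_demo():
        status = "REVIEW" if f.needs_review else "ok"
        print(f"{status:6} version={f.version or 'unknown':8} jndi={f.jndi_lookup} {f.path}")
```

Run it against a real application directory with `scan_tree("/opt/myapp")` instead of the fixtures; the output of this first step is the asset list that steps 2 and 3 then place on attack paths and rank. Note that a shaded or relocated copy of log4j-core can lose its pom.properties, which is why the scanner also keys on the JndiLookup class and reports an unknown version as needing review rather than silently passing it.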

Stop focusing on the vulnerability and identify where the risk of exploitation exists

Most likely the attacker is already inside the network, due to the zero-day exposure. The best way to disrupt the attack is during the attacker’s network propagation stage: identify all the attack paths from breach points towards the compromise of critical assets before the attacker attempts to move laterally and do severe damage. When it comes to remediation, what is the most efficient and cost-effective way to mitigate all the risks of the Log4Shell vulnerability? Our security teams must focus on what needs to be fixed first – and that comes from spotting the hidden connections between vulnerabilities, misconfigurations, and user behavior as they relate to an exploitable attack path, and how attackers move laterally along it. This reveals the key intersections where most attack paths converge, where we can quickly go in and apply the remediation immediately – proactively cutting off the threat before the vulnerability is exploited.

XM Cyber offers a free assessment for Log4j – contact us for a 30-day assessment to see whether there are any hidden exposures in your network, or alternatively request a personalized demo.

Fig. 1: Attack path exploit with Log4Shell from breach point to compromise of critical asset