We understand the facts: The most common open-source library (Java) has already been identified with 3 CVEs and counting, with over 3 million attacks already confirmed in the wild. The industry anticipates the largest ransom wave to hit organizations across the world. The attacker is already inside! What’s Next?
What is Log4Shell (aka Log4j 2.x)
- Apache Log4j 2.x is an open source project which allows developers to log and monitor errors and faults within the Java application
- It consists of both implementation and API methods (2.x and above) that can be used by external applications
- This is a foundational software package that is being used by thousands of applications, sometimes without knowing explicitly it is part of the app
- Apps and products can range from a helicopter aboard the Mars rover and up to simple command and control applications for SCADA control
Key Log4j statistics:
46% of corporate networks have incurred intrusion attempts related to Log4j
4 million attempts to exploit the vulnerability have been made so far
Over 60 variations of the original Log4j exploit were introduced over a 24 hour period
7,000+ open source projects rely on Log4j as a dependency
Why is this so critical?
There are 3 Critical Vulnerabilities that have been identified with critical severity (CVSS score of 10) and expecting more to follow.
The exposure allows attackers to either deny the service or run code on the exposed server remotely and get control inside the network to begin moving laterally. In specific cases, it can be outside of the network using a simple web socket to break in. Deadly combination of 3 factors:
- Mass distribution of vulnerable library across thousands of commonly used applications
- Easily exploitable with a simple send command
- Difficult to identify and close security gaps in a timely manner
XM Cyber and Log4j – How we have helped
XM Cyber Exposure Management Platform can help reduce and fix the exposure to Log4j centric attacks in 4 simple steps:
All instances and assets that has log4j packages
Which instances are part of attack path towards critical assets
Prioritize which instances to fix first based on risk, use choke point remediation to quickly disrupt possible attacks
Provide detailed guidance how to fix and remediate
Stop focusing on the vulnerability and identify where the risk of exploitation exists
Most likely the attacker is already inside the network, due to the zero-day exposure. The best way to disrupt the attack is during the attackers’ network propagation stage and identify all the attack paths from breach points towards the compromise of critical assets before they attempt to move laterally and do severe damage. When it comes to remediation, what is the most efficient and cost-effective way to mitigate all the risks of the Log4Shell vulnerability? Our security teams must focus on what needs to be fixed first – and that will come from spotting the hidden connections between vulnerabilities, misconfigurations, and user behavior as it relates to an exploitable attack path, and how attackers move laterally. This will give us our key intersections where most attack paths converge where we can quickly go in and apply the remediation immediately – proactively cutting off the threat before the vulnerability is exploited.