By Tom McVey, Sales Engineer EMEA, Menlo Security
In December 2021 the cybersecurity industry could be found reflecting on another difficult year, defined by further spikes in both the sophistication and volume of threats used by attackers.
Following on from a similar pattern in 2020, attackers continued to capitalize on growing digital footprints and new vulnerabilities – a trend that has only continued to accelerate since the pandemic first induced a rapid increase in digitalization efforts.
Amidst such reflections, Log4Shell emerged as one of the most threatening vulnerabilities facing companies to date.
Log4j is a weak point that was discovered in the Log4j Java logging library (CVE-2021-44228). It is a widespread piece of software typically used to record events such as errors and routine system operations. The 404 error message that is received when clicking on a bad link is one such example of Log4j in action, both telling the user that the webpage doesn’t exist and recording the event in a log.
Log4Shell works by abusing a specific feature in Log4j that allows users to specify custom code for formatting a log message. The challenge lies in the fact that this code can be used for more than just formatting log messages. Indeed, Log4j allows third-party servers to submit software code that can perform all kinds of actions on the targeted computer, opening the door to a range of nefarious activities.
Ease of exploitation and HEAT
A major problem with Log4j is not just the potential to cause immense damage…. Equally, it is relatively simple to exploit using Log4Shell.
Given this combination, the National Institute of Standards and Technology (NIST) gave it a rare 10 out of 10 rating on its Common Vulnerability Scoring System (CVSS). With such a low bar for using the exploit, it can be leveraged by a wide range of attackers with malicious intent.
This is demonstrated by the sheer volume of attacks that occurred once the vulnerability was made public. With the first exploitation attempt recorded within just nine minutes, a further 830,000 were made in the three days thereafter, prior to a patch being released.
What is equally concerning is the fact that a proof-of-concept attack using the Log4j vulnerability had been detected eight days earlier, suggesting that the vulnerability was both known and possibly exploited prior to this time.
Indeed, the evidence points to one outcome – that multiple attackers have successfully infiltrated various enterprise servers through the Log4Shell exploit.
It is likely that they won’t have given away any obvious sign of their successes. Instead, they will be probing networks and identifying where they can obtain the most value – or, in the eyes of their victims, inflict the most damage.
This is a common trend amongst attackers, allowing them to extract the most value possible from their exploits. The infamous and devastating SolarWinds attack affecting US government agencies and various Fortune 500 firms is a prime example, with the attackers having gained access to the company network nine months before an attack had been identified.
Therefore, we expect to see several attacks stemming from the Log4j vulnerability to emerge throughout the entirety of 2022 and even beyond, with Highly Evasive Adaptive Threats (HEAT) being a critical tool in the arsenal of attackers that will enable them to conduct their works under the radar.
HEAT attacks present many challenges of its own to security professionals. Several HEAT attack characteristics actually serve useful purposes, and therefore can’t be blocked altogether. Instead, work arounds are needed to ensure that HEAT attacks are prevented.
Zero trust and isolation
Between Log4j being both highly accessible and potentially hugely costly, a rising tide of attackers driven by a thriving ransomware-as-a-service landscape and the growing prevalence of HEAT attacks; the task facing security teams is difficult.
However, there are some steps that can be taken to remedy such scenarios. This needs to start with a shift in mindset away from post-breach detection and mitigation to prevention with a zero trust approach.
With a zero trust approach, organisations can work to stop threats in their tracks before they reach the endpoint – something that is entirely necessary today given the evasive actions of modern attackers. It recognises trust in a network as a vulnerability and therefore advocates that all traffic, from emails and documents to websites and videos, should always be verified.
At Menlo, we recommend that organisations abandon traditional detect and respond approaches to cybersecurity and implement a zero trust approach powered by isolation – a technology that ensures that no active content from the internet is ever executed on the user’s endpoint.
Critically, this protects IT infrastructure from ransomware and other HEAT attacks regardless of patch status. Shutting off any access to the endpoint is the only way to stop these attacks with 100 percent certainty.
About the Author
Tom is a Solution Architect at Menlo Security for the EMEA region. He works closely with customers to meet their technical requirements and architects web and email isolation deployments for organisations across different industries. Prior to Menlo Security, Tom previously worked for LogRhythm and Varonis.