With Log4j vulnerability, the full impact has yet to come



There is no way to sugarcoat it: the widespread vulnerability in Apache Log4j will be used for worse cyberattacks than those we have seen so far. And the worst of them could be months – or even years – in the future.

Sophisticated attackers often create a back door into the exploited server, enabling them to bypass security controls as they re-enter and leave. So even if an organization has patched the Log4j vulnerability, known as Log4Shell, the server may still be reachable by the attacker.

If it sounds scary – well, it probably should.

“In many cases, the attackers break into the company, gain access to networks and credentials, and take advantage of them to carry out large-scale attacks months and years later,” said Rob Gurzeev, co-founder and CEO of CyCognito.

New players

The vulnerability in the widely used Log4j logging library was made public a week ago, and according to Check Point there have been more than 1 million exploitation attempts. The company’s researchers said they had observed exploitation attempts against more than 44% of corporate networks worldwide.

Casey Ellis, founder and chief technology officer of Bugcrowd, said most of the malicious attacks in the past week have involved amateur or solo operators. But evidence has emerged that more sophisticated attackers are beginning to exploit the Log4j vulnerability – such as initial access brokers affiliated with ransomware-as-a-service groups.

Compared to amateurs, these attackers are like a multinational enterprise, Ellis said.

“Their business model is built on the scale and reliability of infiltration as opposed to the more opportunistic bias of ‘small fish’,” he said. “Sophisticated attackers don’t want to get caught before they’re done, so they tend to develop techniques and management practices that make them quieter and more difficult to see.”

Sophisticated attackers use this time to survey users and security controls so they can execute the full effect of their attack, said Hank Schless, senior manager of security solutions at Lookout.

“Doing so helps them strategize how to most effectively avoid existing security practices and tools while also identifying which parts of the infrastructure will be most effective to encrypt in a ransomware attack,” Schless said.

Other activities may include gradual data exfiltration – so slow that it would not normally be blocked or detected, Gurzeev said.

Evading detection

Attackers can certainly be found in this situation, but they are constantly improving their tactics to make sure they are not detected, said Asaf Karas, chief technology officer for security at JFrog. “We’ve already seen the use of obfuscation to evade detection,” Karas said.

In the case of Sony’s 2014 breach, for example, the New York Times reported that the attackers spent two months mapping the company’s systems and identifying key files. (“They were incredibly cautious and patient,” one person told the Times, referring to the attackers.)

“If the intent is to steal sensitive information, you really have to keep quiet and just listen and steal the data as it is coming,” said Sonali Shah, chief product officer of Invicti.

But once a breach comes to light, it’s not always clear how the attackers actually got in – especially if a lot of time has passed. And that could very well be the case with any major attacks arising from the Log4j vulnerability, Gurzeev said.

“We could learn about attacks months or years from now, so correlation can be difficult,” he said.

‘Sky is the limit’

Researchers say they expect more serious attacks, such as ransomware, to result from the Log4j vulnerability. Many applications and services written in Java are potentially vulnerable to Log4Shell, which can enable remote code execution by unauthenticated users. Vendors including Bitdefender and Microsoft have already reported attempted ransomware attacks using the Log4j vulnerability.

When it comes to remote code execution, “the sky is the limit for what an attacker can achieve as a result as they pivot and execute commands on other apps, systems and networks,” said Michael Isbitski, technical evangelist at Salt Security.

Due to the widespread nature of the flaw, “the long tail on this vulnerability will be very long,” said Andrew Morris, founder and CEO of GreyNoise Intelligence. “It may take some time for this to clear up. And I think it’s going to be a little bit before we start to understand the measure of impact from this.”

Mounting a response

The good news is that in some ways, at least, businesses are now in a better position to avoid disaster than in the past. In 2021, many businesses are better primed to respond quickly – as evidenced by the fast response from security teams last weekend, many of whom worked through the weekend to secure their systems.

Meanwhile, key techniques for defenders to root out attackers sitting in their networks could include web application firewall (WAF) and intrusion prevention system (IPS) technologies, Ellis said.

“A motivated attacker will find a bypass for them, but the noise each one produces in the process will be picked up, making it easier to see their activities,” he said.

For large organizations, “the big thing is to do everything you can to find out where Log4j is or is likely to be in your environment, then log everything and watch it – especially internally – like a hawk, and treat these systems as suspect for attacks like this one, as though they were successful,” said Ellis.

For smaller organizations that may lack the resources to do this, “working on an ‘assume breach’ basis and using honeypots and honeytokens is a low-noise, high-signal way of detecting post-exploitation activity,” he said. Honeypots are fake “sensitive” servers intended to catch attackers in the act, while honeytokens apply the same concept to data: decoy credentials or records that no legitimate process uses, so any use of them is an alert.
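The honeytoken approach Ellis describes, as an added detection example (not code from the article or from Bugcrowd): the planted decoy values, the log formats and the sample log lines are all constructed, and the detector keeps only SHA-256 digests of the tokens so the detector itself does not disclose which values are decoys.

```python
"""Honeytoken hit detection over constructed log lines."""
import hashlib
import re
from collections import defaultdict

# Constructed honeytokens: decoy identities planted in config files or data
# stores that no legitimate process ever uses, so any appearance in a log
# line is a high-signal, low-noise indicator of post-exploitation activity.
HONEYTOKENS = {
    "fake-backup-account": "svc_backup_ro",
    "fake-cloud-key": "AKIAHONEYTOKEN000001",
    "fake-api-token": "ht_3f9a1c7e2b",
}
# Keep only digests, so a copy of the detector does not reveal the decoys.
_DIGESTS = {hashlib.sha256(v.encode()).hexdigest(): n for n, v in HONEYTOKENS.items()}
_SPLIT = re.compile(r"""[\s=:"',;()\[\]]+""")  # field separators in the sample formats
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_line(line):
    """Return (token_name, source_ip) if the line uses a honeytoken, else None."""
    for tok in _SPLIT.split(line):
        name = _DIGESTS.get(hashlib.sha256(tok.encode()).hexdigest())
        if name:
            # The first IPv4 address on the line is assumed to be the client.
            ip = _IPV4.search(line)
            return name, (ip.group(0) if ip else "unknown")
    return None


def scan_lines(lines):
    """Group honeytoken hits by source address; an empty dict means no alert."""
    hits = defaultdict(list)
    for line in lines:
        hit = scan_line(line)
        if hit:
            hits[hit[1]].append(hit[0])
    return dict(hits)


# Constructed sample log: a legitimate login, two honeytoken uses from one
# address (an SSH attempt and an API call), and an unrelated request.
SAMPLE_LOG = [
    "2021-12-14T03:12:44Z sshd[812]: Accepted password for deploy from 192.0.2.10 port 50122",
    "2021-12-14T03:13:02Z sshd[813]: Failed password for svc_backup_ro from 203.0.113.5 port 51234",
    "2021-12-14T03:13:40Z api: GET /v1/export auth=ht_3f9a1c7e2b src=203.0.113.5 status=401",
    "2021-12-14T03:14:01Z nginx: 198.51.100.7 GET /healthz 200",
]

if __name__ == "__main__":
    for ip, names in scan_lines(SAMPLE_LOG).items():
        print(f"ALERT honeytoken use from {ip}: {', '.join(names)}")
```

Because the decoys are never used legitimately, the legitimate login and the health check produce no alert, while both uses from 203.0.113.5 are grouped into a single lead for incident response.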

Ultimately, getting a handle on all the assets and systems the organization has is a crucial first step, Gurzeev said.

“You can’t protect what you don’t know,” he said. “But once you know, you can set compensatory controls, close the gaps and take other steps to reduce customer risk and business risk – which should be everyone’s top priority.”
