In late December of 2021, a vulnerability was discovered affecting Log4j, a widely used logging solution software. Affecting millions of systems worldwide, it has drawn comparisons to the Shellshock and Heartbleed attacks in terms of its reach.
The Log4j vulnerability was assigned the highest possible score in terms of its severity. This is attributable to its allowance of remote code execution, meaning a remote attacker can execute code on a vulnerable system. This in itself wasn’t all that unusual, but what was unique was the very large number of systems it affected.
This created a feeding frenzy for attackers, resulting in a rush to identify “back doors” into the affected systems. In vulnerabilities like this one, once such a hidden entry point has been discovered, the attacker will often patch the system so no one else can enter. Those who find these hidden entry points will often sell access to them to hackers who can then in turn further monetize their presence there by deploying ransomware, etc. Once created, such entry points can remain accessible by threat actors even after the system is patched for the vulnerability.
How did Proact react once the vulnerability was discovered?
Upon receiving the news about the vulnerability and its high score, it was imperative to determine which systems were impacted. Quite often, vulnerabilities are attached to specific products or vendors, but this one affected a variety of systems. Therefore, Proact was somewhat dependent on vendors determining whether their products were vulnerable and then publicising it.
It’s also important to note that this was a “zero-day vulnerability”, meaning it is known and actively exploited before a patch is available and before the vulnerability is commonly known. In most cases such as this one, one of the primary tools is vulnerability scanners. However, with a zero-day vulnerability like Log4j, the detection script which identifies the vulnerability hasn’t been written in the initial response stage, although the vulnerability itself is already being exploited.
Because of the nature of this vulnerability, Proact was aware our systems and our customers’ systems were probably affected. The challenge was finding out what was affected and how to remediate it. Thus, each potentially vulnerable system was carefully monitored for any indicators of compromise.
How did Proact go about looking for vulnerable systems? What tools were used?
Situations like this one highlight the importance of configuration management databases (CMDB) and inventory databases. A good asset management system was vital here in terms of providing a holistic overview. Aside from the tools, being prepared with processes and recommended practises in place was invaluable. It’s essential that these be well established and widely known before anything happens, and this was the case for Proact.
What could be done once a system was identified as being vulnerable?
This varies. Sometimes, as in this case, a workaround is recommended. The workaround reduced the risk but didn’t completely fix the problem. Nevertheless, it was quickly implemented where possible. There were then subsequent vulnerabilities found in Log4j and subsequent patches, which meant that all systems had to be revisited multiple times to apply different levels of patch as the situation unfolded.
How can Proact’s reaction be evaluated?
In short: Positively. The time we’ve put into preparing for something like this and establishing standard processes has definitely paid off. Everything which could be done to remedy the situation even slightly was done as quickly as possible. The key here was to constantly monitor for indicators of compromise as they became known. This was made easier with Proact’s 24/7 security operations centre (SOC), which was ready to monitor for indicators of compromise.
What have did Proact learn from this experience and what could be useful for others?
While awareness of these kinds of vulnerabilities is becoming heightened outside of the tech sphere as well, it is vital for all organisations to understand that these types of threats exist. Next, a plan should be created to deal with them. This plan should definitely include organisations outfitting themselves with the proper tools or proper partner to help them cope if the worst should happen.
In a situation like this, it can be invaluable for organisations to work with a partner who has an SOC that can scan for vulnerabilities and determine which ones are severe and require immediate action.
Proact’s SOC features a team of cybersecurity experts who look for anomalies around the clock. We work on behalf of our customers to defend their organisations 24/7. We help mitigate attacks, help our customers understand the impact to their business and provide advice on how to respond. Watch the video below or check out our brochure to find out more about how we can support your security posture.