Global cybersecurity agencies flag growing concerns about Log4j software, including in OT sector

Log4j software

A transnational joint cybersecurity advisory (CSA) was issued on Wednesday in response to multiple vulnerabilities in Apache’s Log4j software library. The advisory also addresses affected organizations with OT (operational technology) and industrial control systems (ICS) assets.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) assessed that exploitation of Log4j vulnerabilities, especially Log4Shell, is likely to increase and continue over an extended period.

“CISA and its partners strongly urge all organizations to review AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities for detailed mitigations,” according to the CSA. Log4j is a Java-based logging library used across various consumer and enterprise services, websites, applications, and OT products. The vulnerabilities, CVE-2021-44228 (Log4Shell), CVE-2021-45046, and CVE-2021-45105, have been rated as ‘severe,’ with Log4Shell the most serious. Apache has rated Log4Shell and CVE-2021-45046 as critical and CVE-2021-45105 as high on the Common Vulnerability Scoring System (CVSS).

These vulnerabilities in the Log4j software library are likely to be exploited over an extended period. CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK strongly urge all organizations to apply recommended mitigations. The agencies also encourage leaders of organizations to review NCSC-UK’s blog post, ‘Log4j vulnerability: what should boards be asking?,’ for information on Log4Shell’s possible impact on their organization as well as response recommendations.

Given the evolving situation, and as new vulnerabilities are being discovered, CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK will update this CSA ‘as we learn more about this exploitation and have further guidance to impart,’ it added. This means that global security agencies still do not have a complete assessment of the vulnerabilities found in the Log4j software.

Hackers have been actively scanning networks to potentially exploit vulnerabilities in the Log4j software. According to security experts, Log4Shell and CVE-2021-45046 have been rated as critical vulnerabilities by Apache and are severe because Java is used extensively across IT and OT platforms. Both are “being actively exploited”: they are easy to exploit, while applying mitigations is resource-intensive.

The joint CSA also said that the FBI assesses that this vulnerability in the Log4j software library may be exploited by sophisticated cyber threat actors and incorporated into existing cybercriminal schemes that are looking to adopt increasingly sophisticated obfuscation techniques. 

According to reports, CVE-2021-45046 is also being actively exploited.

Due to the pervasiveness of the Log4j software library and the integration of the library in operational products, the joint CSA advises OT asset owners and operators to review their operational architecture and enumerate the vulnerability status against current product alerts and advisories. If a product does not have a security advisory specifically addressing the status of the vulnerability, treat it with additional protection. The security agencies also urge patching or deployment of mitigations to reduce the risk posed by these vulnerabilities.

In addition, the agencies recommend prioritizing patching IT devices, especially those with internet connectivity. Affected internet-facing devices, as well as laptops, desktops, and tablets, are especially susceptible to the exploitation of these vulnerabilities. OT/ICS devices, if segmented appropriately from the IT environment, do not face the internet and, as such, present a smaller attack surface for this vulnerability. The exploitation of IT devices may still affect OT/ICS devices if network segmentation is insufficient to prevent lateral movement.

CISA, in collaboration with industry members of its Joint Cyber Defense Collaborative (JCDC), previously published guidance on Log4Shell for vendors and affected organizations. At the time, CISA recommended that affected organizations immediately apply appropriate patches, or apply workarounds if unable to upgrade, conduct a security review, and report compromises to CISA or the FBI. 

CISA also issued an Emergency Directive directing U.S. federal civilian executive branch (FCEB) agencies to immediately mitigate Log4j vulnerabilities in solution stacks that accept data from the internet. The joint CSA expands on the previously published guidance by detailing steps that vendors and organizations with IT and/or cloud assets should take to reduce the risk posed by these vulnerabilities.

CISA also released on Wednesday an open-sourced log4j-scanner, derived from scanners created by other members of the open-source community. “This tool is intended to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities,” according to the agency’s Twitter message.

The joint CSA calls upon OT/ICS asset owners and operators to review operational architecture and enumerate the vulnerability against current product alerts and advisories, and implement the steps to identify and isolate vulnerable assets in the OT/ICS environment. These asset owners and operators must also use a risk-informed decision-making process to apply the latest version of hotfixes or patches to affected devices as soon as is operationally feasible. If patches cannot be applied, mitigations provided by the product’s manufacturer or reseller should be deployed. 

The alert also calls for minimizing network exposure for all control system devices and/or systems, and ensuring that they are not accessible from the internet. In addition, organizations must take steps to locate control system networks and remote devices behind firewalls and isolate them from the business network. 

When remote access is required, use secure methods such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. The joint CSA also reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
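The enumeration and prioritization steps above (enumerate each asset’s vulnerability status against the three CVEs, patch internet-facing IT first, then segmented OT as operationally feasible) as a small triage script. This is an added example, not code from the advisory, the article, or CISA’s log4j-scanner; the asset inventory is constructed, and the fixed-version thresholds are taken from Apache’s release notes rather than from this page.

```python
# Added example, not code from the advisory or the article: triage a constructed asset
# inventory against the three Log4j 2.x CVEs named above, ordered as the CSA advises.
# Fixed-version thresholds are from Apache's release notes (assumed, not on this page);
# the Java 6/7 backport branches (2.3.x, 2.12.x) are not modelled.
from dataclasses import dataclass

FIXED_IN = {  # first 2.x release that fixes each CVE
    "CVE-2021-44228": (2, 15, 0),  # Log4Shell
    "CVE-2021-45046": (2, 16, 0),  # incomplete fix of Log4Shell
    "CVE-2021-45105": (2, 17, 0),  # uncontrolled recursion DoS
}

@dataclass
class Asset:  # constructed inventory record; zone is "it" or "ot"
    name: str
    zone: str
    internet_facing: bool
    log4j: str  # version string or jar name, e.g. "log4j-core-2.14.1"

def parse_version(text: str) -> tuple:
    """Turn 'log4j-core-2.14.1' or '2.14.1' into a comparable (2, 14, 1)."""
    parts = text.split("log4j-core-", 1)[-1].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    return tuple(int(p) for p in parts)

def applicable_cves(version: tuple) -> list:
    """CVEs still open at this version; 1.x is out of scope for these 2.x CVEs."""
    if version < (2, 0, 0):
        return []
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]

def priority(asset: Asset) -> int:
    """0 = internet-facing (patch now), 1 = internal IT, 2 = segmented OT."""
    if asset.internet_facing:
        return 0
    return 1 if asset.zone == "it" else 2

def triage(assets: list) -> list:
    """(priority, name, open CVEs) for each vulnerable asset, most urgent first."""
    findings = [(priority(a), a.name, applicable_cves(parse_version(a.log4j))) for a in assets]
    return sorted(f for f in findings if f[2])

INVENTORY = [  # constructed sample data
    Asset("web-portal-01", "it", True, "log4j-core-2.14.1"),
    Asset("hr-app-02", "it", False, "2.16.0"),
    Asset("historian-01", "ot", False, "2.15.0"),
    Asset("legacy-hmi", "ot", False, "1.2.17"),
]
```

An OT device flagged here still goes through the risk-informed process the CSA describes; the script only orders the work, it does not decide when a control system can be patched.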

The Log4j vulnerabilities had a significant global impact similar to previous major threats, such as WannaCry, Heartbleed, and Shellshock, Fortinet researchers wrote in a blog post on Tuesday.

“Because it is deployed so widely, the after-effects of this vulnerability are expected to last for some time as so many enterprise applications and cloud services require updating. While the world has not yet seen any massive malware delivery events (i.e., a major ransomware outbreak, wormable events) that leverage the Log4j vulnerabilities, history tells us not to let our guard down, especially since the holiday season, when threat-actors typically become more active, is fast approaching,” it added.

Amit Yoran, CEO of Tenable, is concerned that history is repeating itself, but this time the damage could be uncontainable. Speaking about the dangers posed, Yoran wrote in an emailed statement that “while EternalBlue wrought significant attacks, such as WannaCry, the potential here is much greater because of the pervasiveness of Log4j across both infrastructure and applications. No single vulnerability in history has so blatantly called out for remediation.”

Yoran added that Log4Shell has “been identified as one of the biggest cybersecurity risks we’ve ever encountered, yet many organisations still aren’t taking action. According to our data, 30% of organisations haven’t begun assessing their environments for Log4Shell, let alone started patching.”
