CISA
Critical infrastructure
News
Vendors

Log4j code scare widens, as CISA implores critical infrastructure organizations to act

December 16, 2021
Log4j code

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has asked critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential malicious cyber attacks, as preparations for the holiday season begin and in the light of persistent and ongoing cyber threats. The agency stopped short of detailing what these ongoing threats are, but given the heightened threat environment, it is most likely that they are largely referring to the Log4j code scare. 

The CISA has also directed all federal civilian agencies to take care of the initial critical log4j code vulnerability by Christmas Eve. “In accordance with BOD 22-01, federal civilian executive branch agencies must mitigate CVE-2021-44228 by December 24, 2021,” it said. The Binding Operational Directive (BOD) 22-01 applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf.

“Sophisticated threat actors, including nation-states and their proxies, have demonstrated capabilities to compromise networks and develop long-term persistence mechanisms,” CISA said on Wednesday. “These actors have also demonstrated capability to leverage this access for targeted operations against critical infrastructure with potential to disrupt National Critical Functions.”

Executives and senior leaders can proactively take steps to prepare their organizations should an incident occur, the agency said. It recommended implementing the cybersecurity best practices it provided that can help guide leaders to strengthen operational resiliency by improving network defenses and rapid response capabilities, CISA added.

The security agency identified that organizations with OT/industrial control systems (ICS) assets can also improve their cyber posture and functional resilience. It suggested that such organizations identify and secure critical processes that must continue uninterrupted, develop and regularly test workarounds, or manual controls. This will help ensure that critical processes and the ICS networks that support them can be isolated and continue operating without access to IT networks if needed. 

CISA also urged critical infrastructure agencies to ensure backup procedures are implemented and regularly tested, and that backups are isolated from network connections.

Commenting on the CISA move, Tim Erlin, vice president of strategy at Tripwire, wrote in an emailed statement that, “It’s tempting to point out that these insights aren’t particularly insightful, but it’s important to remember the intended audience. 

“For information security practitioners, reminders to ‘increase organizational vigilance’ and ‘implement cybersecurity best practices’ might seem like milquetoast recommendations, but for critical infrastructure leaders who have responsibility, but lack expertise, these are important actions to take,” according to Erlin. “Getting leadership on board with the basics is a key component to changing the defensive landscape in critical infrastructure,” he added.

To assist critical infrastructure owners and operators dealing with the Log4j code vulnerability, industrial cybersecurity vendor aDolus Technology has created a separate Log4j resource page that gives an explanation of the vulnerability, potential mitigation steps, and a list of helpful links for OT operators. It also covers the new VEX (Vulnerability Exploitability eXchange) concept that plays a crucial role within the Software Bill of Materials (SBOM) and vulnerability management space.

The NTIA has described the VEX concept as a ‘companion artifact’ to an SBOM, making it ideal for product manufacturers and software suppliers to discover vulnerabilities within third-party dependencies of their products and preemptively assess the exploitability of these vulnerabilities.

The European Commission, the EU Agency for Cybersecurity (ENISA), CERT-EU and the network of the EU national computer security incident response teams (CSIRTs network) have been closely following the development of the Log4Shell code vulnerability since Dec. 10.

“As this is a developing situation, we strongly recommend all organisations to regularly check the guidance provided by the CSIRTs Network Members and CERT-EU for the latest assessment and advice and to take actions as needed,” according to a joint statement released by ENISA. “The Agency and all relevant EU actors will continue to monitor this threat to contribute to the overall situational awareness at the Union level.”

Since its discovery last week, a critical severity unauthenticated remote code execution vulnerability, called Log4Shell, was identified, which impacts multiple versions of the Apache Log4j 2 utility, and was publicly disclosed. The Apache Software Foundation (ASF) released Log4j 2.15.0 to resolve the vulnerability. 

However, another vulnerability was detected in the Log4j code library, a Java logging software that is used across both enterprise apps and cloud services. It was found that the incomplete patch to address the initial log4j code vulnerability included certain non-default configurations which could allow attackers “to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack.” 

Since then, the Log4j 2.16.0 was released to fix the issue by removing support for message lookup patterns and disabling JNDI functionality by default, the NVD advisory added.

But, on Wednesday, researchers at security firm Praetorian pointed out that the second log4j vulnerability “as described states that Log4j 2.15.0 can allow a local Denial of Service attack, but that impacts are limited. However, in our research we have demonstrated that 2.15.0 can still allow for exfiltration of sensitive data in certain circumstances,” Nathan Sportsman, CEO at Praetorian, wrote in a company blog post. “We have passed technical details of the issue to the Apache Foundation, but in the interim, we strongly recommend that customers upgrade to 2.16.0 as quickly as possible.”

The Log4j code is a logging utility used in a large number of applications used in operational technology networks across industries. Industrial automation vendors have responded to the critical vulnerability, and released patches. Siemens has issued details about its affected product lines, including Industrial Edge Management. Prosys has updated its OPC UA Simulation Server, Modbus Server, Historian, Browser, and Monitor products that were affected. 

As organizations have converged their IT and OT operations, it would not be the first time where an attack has migrated between IT and OT, Marty Edwards, vice president of OT Security at Tenable, wrote in a company blog. “Even if your facility is fully air-gapped, there is a better than average chance that you may be ‘accidentally converged.’ Without taking definitive steps to secure the OT infrastructure, your operation may be at risk,” he added. 

To secure the OT environment against Log4j attacks, Edwards asked organizations to follow official guidance, do an asset inventory and know what assets they have, run a targeted scan of IT assets, understand the wider OT exposure, and be proactive in reducing risk.

Longer-term, the entire manufacturing and critical infrastructure community needs to improve its understanding of what is being used within systems in order to achieve the deep situational awareness required to address new threats as they emerge in the wild, according to Edwards. “The Software Bill of Materials (SBOM) initiative was directed by Executive Order issued in May 2021. An SBOM can provide end users the transparency required to know if their products rely on vulnerable software libraries,” he added.

In the wake of the Log4j code vulnerability disclosure, financially motivated attackers involved in cryptocurrency mining were among the first to exploit targets en masse, Mandiant said in a blog post on Wednesday. “We anticipate that additional financially motivated actors will increasingly exploit the vulnerability in operations, leading to various monetization activities. This includes data theft, ransomware deployment, and multifaceted extortion, as these actors are known to incorporate zero-day and one-day exploits into their operations rapidly.”

Given the ease of exploitation of this vulnerability, “some early attacks have included the installation of crypt-mining software on vulnerable machines, or the botnets co-opting vulnerable computers,” Claroty’s Team82 researchers observed in a post on Tuesday. “Ransomware attacks are not out of the question with this flaw, as are other code-injection attacks,” they added.

“The CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey,” the Microsoft Threat Intelligence Center (MSTIC) said in a post. “This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives,” the post added.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
Waterfall’s WF-600 unidirectional security gateway brings 'unbreachable protection' to OT/ICS networks
Waterfall, 2TS enter into cybersecurity alliance for African market