Log4j is a software utility commonly found on many web services. Its intended use is logging the health and activity of those web services for administrators, providing insights into the services’ health, performance, and utilization. A vulnerability has been discovered that can turn log4j into a connection to a malicious external web service. Learn more about what Log4j is and what the vulnerability is.
1. Contact Your SaaS Vendors
If you haven’t already heard from them, contact your Software-as-a-Service (SaaS) vendors. Each cloud software vendor is investigating and addressing log4j within their own systems, and has likely already fixed the vulnerability if it was present. It’s helpful to have that reassurance from their official announcements, and to understand whether any features of their services are temporarily unavailable while they validate their fixes.
For example, here’s Microsoft’s own Security Research Center statement regarding Microsoft’s cloud services: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/; the Microsoft 365 services so many businesses rely upon are not affected by the log4j vulnerability.
2. Think Through Commonly Overlooked Internet-Facing Devices
Now is the time to think about the other devices you use that are connected to the Internet – security camera systems, HVAC environmental control systems, Internet-connected alarm or access control systems, and industrial monitoring or process control systems. If you’re using these in areas of your organization, and you have the convenience of accessing or controlling them directly via the Internet, contact the vendors who manage or installed these solutions.
Many manufacturers used the log4j software utilities in their products – the log4j logging tools are useful for their purpose, broadly available, and broadly adopted. Unfortunately, Internet-accessible hardware devices that incorporated the log4j software could now be vulnerable to the log4j compromise. A compromised device may stop working, it may be used by a remote attacker to try to gain access to the device’s information, or it could be used as a jumping-off point by an attacker to try to locate other vulnerable services within your organization’s connected network. Remediating vulnerable devices often starts with ensuring they’re not visible to the Internet at large, sometimes includes updating the software that runs inside these devices, and may include having to replace older devices that are vulnerable but have no manufacturer support or software updates available.
3. Look at Network Devices
Some network devices may have the exploitable log4j software – devices like network switches, older network firewalls, and even some network printers could also be vulnerable. For devices that are not accessible from the Internet, the risk is much smaller, since an attacker would have to already be inside your network to exploit them.
In the months and years ahead, we do expect to see attackers use log4j as a stepping stone inside organization networks – if they manage to compromise one person’s computer inside a network, the attacker could use that computer to scan the network for vulnerable internal devices with log4j. If a vulnerable log4j device is found, the attacker could then move to that device, leaving the original computer behind and untouched, and could then conduct further attacks from the compromised log4j device. We’ll be helping our clients keep their core network infrastructure equipment current and managed to reduce these potential future vulnerabilities.
Security companies are already responding to the log4j vulnerability. The Aldridge Endpoint Detection and Response (EDR) next-generation antivirus (NGAV) solution, deployed as a standard to our clients’ Windows-based workstations and servers, can detect and prevent log4j exploitation (remote code execution) on protected computers. In the coming months, we’ll see log4j vulnerability detection incorporated into even more security products and environment assessment tools, helping us all identify obscure and outlier devices in organization networks that need to be considered for updating, removal, or replacement.
If you need help considering what may be Internet-facing in your environment, please contact your Aldridge IT service team. For sites, devices, and Internet connections we’re managing for you within your IT services, we can review that information together.