The new Apache Log4j 2 vulnerability (CVE-2021-44228) is hopefully the last major issue of 2021 (though there are still a couple of weeks left). Even if it is the last attack we see this year, its impact could stick around well beyond the holiday season. Threat actors and adversaries can potentially execute their own code on your systems, which means they can disrupt operations and could access data. This vulnerability can be exploited to achieve remote code execution on servers all around the globe, including at a variety of major technology brands and services that use Log4j as part of critical infrastructure.
While we may not know how long the threat actor community knew about the vulnerability, we do know that large-volume scanning for the flaw by threat actors began nearly instantly after public disclosure of it. In the time it took most organizations to begin patching/upgrading efforts, there were recorded incidents of the vulnerability being used to compromise systems.
Apache Log4j 2 is an open-source, Java-based logging package. While its primary purpose is to provide logging for Java web applications, it has been used to provide functionality in a large variety of platforms. No matter how it is embedded, a specific transmitted payload can cause the Log4j library to perform Remote Code Execution (RCE). Such an RCE can allow an unauthenticated threat actor to perform operations on the system running Log4j.
The vulnerability specifically exists in the Java Naming and Directory Interface (JNDI) implementation and can be triggered using a malformed LDAP request, making it easy for an attacker to have the server retrieve a payload from a remote host and execute it locally. Here is a common example of such a command:
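Because Log4j is usually bundled inside other products rather than installed on its own, the first defensive step is finding every copy on a host. The script below is an added example, not code from the original post or from Apache: it walks a directory tree, opens each jar/war/ear (recursing into nested archives), reads the version from log4j-core's own Maven `pom.properties`, and reports whether the `JndiLookup` class behind this vulnerability is still present; `build_sample_war` is a constructed fixture for offline testing and not a real artifact.

```python
import io
import re
import zipfile
from pathlib import Path

# Paths inside a genuine log4j-core jar: the Maven descriptor that carries the
# version, and the lookup class Apache documented removing as a mitigation.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")

def audit_bytes(data: bytes, location: str) -> list:
    """One (location, version, jndi_lookup_present) per log4j-core jar found
    in this archive or any archive nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip-based archive
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        version = m.group(1).strip() if m else "unknown"
        findings.append((location, version, JNDI_CLASS in names))
    # Recurse into nested archives (fat jars, wars, ears) so shaded copies are not missed.
    for name in names:
        if name.lower().endswith(NESTED):
            findings += audit_bytes(zf.read(name), f"{location}!{name}")
    return findings

def audit_tree(root: str) -> list:
    """Walk a directory and audit every archive beneath it."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in NESTED:
            findings += audit_bytes(path.read_bytes(), str(path))
    return findings

def build_sample_war(version: str, keep_jndi: bool) -> bytes:
    """Constructed fixture (not a real artifact): a war embedding a minimal fake log4j-core jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\n")
        if keep_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", inner.getvalue())
    return outer.getvalue()
```

A finding whose third field is `True` means the host still carries the lookup class and needs an upgrade or the documented class removal regardless of how the application was packaged.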
While this particular vulnerability became highly publicized very quickly, it is a good reminder that any flaw in an operating system or critical software platform can become a major threat without much warning. In many cases, the threat isn't even due to the actions of your organization, but rather to code and packages provided by a third party and outside your direct influence. There are a couple of major takeaways from events like this:
Cymulate takes all vulnerability notifications seriously, and immediately takes action both internally and within the Cymulate Platform:
Learn more about Threat Informed Defense and operationalizing the MITRE ATT&CK framework to validate that your security posture is immune to immediate threats.
Our highly experienced and diverse researchers are fluent in security intelligence practices, combining private-sector security, military, and intelligence experience. Continuously examining the cyber-threat landscape, our experts deliver in-depth visibility into today's threats and the actors behind them.