Original copy sent to IT services clients on 12/13/21, with updates made since then. Last updated on 3/3/21.
The updated version 2.17.1 has addressed all problems.
If you do not remediate the vulnerability to protect consumer data, the FTC says there will be legal repercussions.
On Friday, December 10th, a bug was found within a Java-based server function software called Log4J. Because Java-based code is so widely used on corporate networks, this is one of the biggest risks in recent years. It has been assigned a CVSS score of 10, which is the maximum severity rating possible. “We’ve wondered what a CVSS score of 10 might look like. We need wonder no longer.” “It’s one of the most significant vulnerabilities I’ve seen in a long time,” said Aaron Portnoy, chief scientist at the security firm Randori.
Why is it such a big deal? This bug can be used by hackers to break into corporate networks, allowing them to turn “log files that keep track of what users do on computer servers into malicious instructions that force the machine to download unauthorized software,” says Tom Loftus with WSJ’s CIO Journal. With zero authentication needed, they can gain uncontrolled access to your entire system. Sensitive data can be installed and back doors can be put in place, putting your network at risk even after patches are installed. “Use any of these [Apache] products are indirectly vulnerable to the Log4Shell exploit, even if some may not be aware of it because Log4j is buried deeply in their infrastructure.”
Some top names affected include Apple, Amazon, and Twitter, among thousands more most likely. You can become a victim very easily as well. On Minecraft, all that was necessary is a specific message sent in the chatbox. For Apple and Tesla, changing the device’s name to something malicious was all it took. “Once the attacker has full access and control of an application, they can perform a myriad of objectives–installing coin miners, [enabling] credential theft and lateral movement, and exfiltrating data from compromised systems.”
Although this is an extremely severe threat, our Managed IT Services team is remaining calm for quite a few reasons. The past few days have been spent going down our list of vendors to see if we, and therefore you, are in danger. In short, no–but there are contingencies. We’ve included a breakdown below:
- Our utilization of 2FA and MFA increases our security immensely.
- Our Ticketing system: Has not been affected.
- Both systems we use for Backups: Neither were compromised and are not vulnerable to the exploit. Additionally, all of your backups are encrypted before they even leave your site. Therefore, the hosts, nor the hackers, can’t even read them.
- One of our Antivirus systems: They are aware of several malicious actors running exploitative campaigns. GravityZone Cloud’s mitigations have been deployed, with no required action from clients. GravityZone On-Premises’ was unaffected.
- We are still waiting to hear back from our other Antivirus.
- To note, for both of our Antivirus systems, our clients don’t use their portals, which is what was affected.
- We are still waiting to hear back from our other Antivirus.
- One of our DNS vendors: Of their 150+ products, 23 were found to be non-susceptible. To see both lists, visit Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021.
- To note, Duo is a Cisco product that was affected but remediation has been completed.
- To learn more about DNS, visit here: What is DNS? | How DNS works | Cloudflare
- Firewall: The majority of their products were not impacted. None of the specific firewalls we use were. To view the whole list, visit here: Security Advisory (sonicwall.com).
- Microsoft:
- Email: No risk identified
- LinkedIn: Risk identified and being addressed.
- Minecraft: This is where the issue was first discovered. It is being addressed.
What you should look into:
- Any hosted services you use that utilize Java. To do so, check each of your vendor’s websites for updated status’ regarding the issue. If they haven’t posted anything, place a ticket or give them a call.
- We recommend going in order of most client-sensitive to least client-sensitive.
- In your discussions with vendors, ask them if they’ve upgraded to the latest firmware. Continual upgrades are necessary as hackers are utilizing this vulnerability repeatedly.
- We also want to point out the following vulnerability: Vendors that make up your key infrastructure could be affected. How will that change your business’ workday(s)? If you’d like to talk through a plan with Bill, schedule it here.
- Because we are unaware of any clients that use a payment method on their website, this isn’t as much of a worry. Still, be ready to act quickly if you notice anything abnormal on your website.
Of course, this issue is fluid as those affected continue to act accordingly and become aware of what’s secure and insecure. We will keep you updated!
Updates since 12/13/21:
- Internally:
- Our other Antivirus is currently investigating and reassessing as the days go on.
- Our SOC was not affected.
- Our VoIP was not affected.
- Our other DNS vendor was not affected in any way that impacts us/our clients.
- To test your vulnerability, visit here: https://grc.sc/
- To see an extensive list of software’s vulnerability status, visit her: log4shell/README.md at main · NCSC-NL/log4shell · GitHub
- Externally:
- December 13: “‘Hundreds of millions of devices are likely to be affected,’ said Jay Gazlay of CISA’s vulnerability management office in the call with critical infrastructure owners and operators.” He also said “It’s a mistake to think anyone is ‘going to be done with this in a week or two.'”
- December 14: Researchers are increasingly worried about Log4J-induced ransomware attacks in the immediate and distant future. They have already seen advantageous attacks occurring in China, Iran, Turkey, and North Korea. “By Tuesday evening, the cybersecurity firm Check Point Software Technologies Ltd. had counted close to 600,000 attempts to exploit the Log4j bug by malicious cybercriminals.” The worry is, indeed, prolonged because it’s easy to exploit, difficult to find every point of entry for hackers, and organizations may “be slow to update their systems or might neglect to do so entirely.”
- December 14 & 17: The Department of Homeland Security is going after vulnerabilities caused by the Log4j software, including $500 to $5,000 incentives to find and patch them. The Cybersecurity & Infrastructure Security Agency has also ordered federal agencies to identify, patch and mitigate Log4j vulnerabilities within their networks. Learn more here.
- December 15: Over 1.8 million attempts to exploit the Log4j vulnerability have been recorded so far.
- December 17: As unfortunately expected, this vulnerability is being taken advantage of. The original fix (firmware update 2.15.0) was “incomplete in certain non-default configurations” (David Spark, Cyber Security Headlines email 12/17). You see, the original Log4J feature (not an accidental bug…) enabled the ability to “parse and interpret logs that contain requests to remote servers.” This unfortunately meant any user could control some part of the log, including communication with any certain remote server and forcing certain actions between the app and the server. The new vulnerability has taken advantage of that by directing the Log4J tool to look up a certain variable they set, repeatedly, leading to Denial of Service. Thankfully, there is already an update to stop this attack. Firmware update 2.16.0 no long allows look-ups. We suggest that you upgrade immediately, even if you already updated to 2.15.0. As more attacks inevitably occur, stay on top of your updates!
- December 22: The “Five Eyes intelligence alliance (US, Canada, UK, Australia, and New Zealand) released a joint Cybersecurity Advisory in regards to Log4j. Nation-state and ransomware gangs are continuing to exploit vulnerable systems across the globe.
- December 23: The CISA posted a Log4j scanner here.
- January 12: The battle is unfortunately not over. As early as January 4th, ransomware hackers are continuing to exploit the Log4j flaw as part of their attacks. They’re installing malicious Java files, impacting internet-facing software. Additionally, they’re using double extortion–encrypting AND threatening to leak the company data. Unfortunately, this issue proves it’s difficult to identify which systems are impacted by the Log4j vulnerability. Both applications and the services that utilize said applications can be affected. If you’re still unsure of your network’s security, contact us immediately. This flaw is predicted to impact companies for years to come.
- March 3: Despite version 2.17.1 addressing all problems, many systems continue to run older versions and therefore are vulnerable to exploitation, as they are excellent targets. The volume of attacks has remained constant, including malware payloads, DDoS, and crypto miners. Be sure you update to 2.17.1, as well as keep all web applications up-to-date. Most noteworthy, “…malware targets publicly exposed network cameras, routers, and other devices and enlists them into a botnet of remotely controlled bots…[Hackers then] control this botnet to perform DDoS attacks against a specific target.” To learn how to protect publicly exposed devices, learn about network segmentation here.
As always, email/call/text us with any questions or concerns.