Microsoft: “Assume Logging Flaw is a ‘Real and Present Danger”
In an update to its Apache Log4j vulnerability guidance, Microsoft says exploitation attempts and testing for vulnerable systems and devices remained “high” through late December. This comes after security leaders have identified several sophisticated and even state-backed cyberattacks or attempts targeting vulnerable devices in recent weeks.
Microsoft’s Threat Intelligence Center reminds Windows and Azure users that the “Log4j vulnerabilities represent a complex and high-risk situation,” as the open-source component is widely used “across many suppliers’ software and services.”
On the latest attack patterns, Microsoft says exploitation attempts and testing did not cease in the waning days of 2021 – in fact, the opposite occurred. The firm says it has “observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin-miners to hands-on-keyboard attacks.”
In a stark warning, Microsoft security experts say: “At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments.” The company also says remediation – which will have a “long tail” – will require “ongoing, sustainable vigilance.”
Latest Version and Sufficient Mitigation
The Apache Software Foundation, the nonprofit that manages Apache’s open-source projects, continues to push out semi-regular updates for its logging library – the latest being 2.17.1, to address another, less-severe RCE vulnerability, CVE-2021-44832 – disclosed late last month by the firm Checkmarx. CVE-2021-44832 carries a “moderate” CVSS score of 6.6.
The vulnerability was first reported Dec. 9, after allegedly being detected by Alibaba’s cloud security unit. It subsequently put security teams on high alert heading into the holiday season.
“Frankly, we will be cleaning up after the Log4j vulnerability well into 2022,” warns Yaniv Bar-Dayan, former head of the Israeli Defense Forces’ Cyber and Intelligence Analysis Team.
Bar-Dayan, who is the CEO and co-founder of the security firm Vulcan Cyber, adds, “As an industry, we need to get better at sufficient mitigation of known vulnerabilities or we will see more of what we saw with the SolarWinds exploit, but with the new ‘vulnerability of the day’ used instead.”
“Microsoft has laid out several methods for detecting active exploit attempts utilizing Log4j, however, identifying the vulnerable version before an attack would be ideal,” Ray Kelly, a fellow at the firm NTT Application Security, also advises. “This will be a continuing battle for both consumers and vendors going forward in 2022.”
Other security experts say patching or mitigation should have been priority number one in the latter half of December.
“Any organization asking today what they need to do regarding Log4j almost certainly has an incident on their hands,” says Jake Williams, a former member of the National Security Agency’s elite hacking team and currently the co-founder and CTO of the firm BreachQuest. “Being exploited through an internet-facing system running vulnerable Log4j at this point is a leadership failure, not a technical one.”
Understanding Its Scope
In its update, Microsoft continues: “By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment.”
The tech giant also warns that “sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities.”
Last week, ONUS, one of Vietnam’s largest cryptocurrency platforms, reported that it fell victim to a ransomware attack that has been traced to Apache’s RCE vulnerability via third-party payment software. And CrowdStrike last week said that a China-linked espionage group, tracked as AQUATIC PANDA, attempted to leverage the Apache flaw in VMware’s Horizon Tomcat web server service. Its threat hunting unit said it denied the attempted attack on “a large academic institution”
In recent weeks, Microsoft has added a Log4j scanner to its Microsoft 365 Defender software to provide a “consolidated view” of an enterprise’s exposure to the flaws.
The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, and several private tech firms have also released comparable resources.
On Tuesday, open source security firm WhiteSource also announced a Log4j “remediation preset” for its commercial product and GitHub developer tool. Researchers at the firm also say Log4j has been used in over 52% of applications used across top 2000 organizations in the software development industry.
In a joint Log4j advisory from Five Eyes nations released just before the holidays, CISA Director Jen Easterly said, “These vulnerabilities are the most severe that I’ve seen in my career, and it’s imperative that we work together to keep our networks safe.”
In an event on Dec. 28 with ISMG’s CyberEdBoard, a members-only community of security executives and thought leaders, Eric Goldstein, executive assistant director for cybersecurity at CISA, stressed the significance of Log4j (see: CISA, Vendors Refine Scanners for Log4j Vulnerabilities).
“This vulnerability can [also] be trivial to exploit,” Goldstein said during the session. “We have seen a proof-of-concept of an exploit as small as 12 characters that can be triggered through a chat message, through a text message or through an email header.”
In the wake of this explosive flaw, he added, federal officials will continue to advocate for software bills of materials, or SBOM, so security teams can almost immediately understand which elements make up their software and thus avoid time-consuming manual identification processes.
SBOM was included in President Joe Biden’s May 2021 executive order on cybersecurity, which required developers selling to the federal government to provide a list of software components; the National Telecommunications and Information Administration then published a document housing the minimum elements of an SBOM.