What Is Being Attacked Using Log4J Exploits
There are already active examples of attackers attempting to leverage Log4j vulnerabilities to install cryptocurrency-mining malware, while there also reports of several botnets, including Mirai, Tsunami, and Kinsing, that are making attempts to leverage it.
Researchers at Microsoft have also warned about attacks attempting to take advantage of Log4j vulnerabilities, including a range of cryptomining malware, as well as active attempts to install Cobalt Strike on vulnerable systems, something that could allow attackers to steal usernames and passwords.
A Chinese hacking group known widely is using a vulnerability in Log4j to go after a large academic institution. Crowdstrike researchers observed linux commands as they targetted VMware Horizon publicly available on the internet. The second stage of the attack showed the group trying to harvet credentials for further exploitation.
We also know many internal services are highly vulnerable for example VMware vCenter has multiple CVE just not Log4J, Palo Alto and Fortinet have various Critical CVE, UniFI Network Hardware, Tomcat Application Server. This raises many concerns that todays threat landscape is complex and rich with exploits if your a red teamer or deeply concerning for the Blue Team.
Is your Enterprise Protected against Log 4J?
This will be a small informal intro into a series of blog articles in the following quarter about enterprise security. The goal is to provide fundamental understanding to protect organizations against cyber threats.
One main issue seen regularly is permitter security where organizations don’t have an accurate inventory of services exposed publicy and current patch level. The second very common theme is layer security which means mulitple layers of protection. Security weak points aren’t acceptable and for some reason industry experts still accept MFA exceptions for User “A” and WAF or IPS exceptions for legacy application “B”
Ask yourself have you taken a measured approach or isolated single approach to resolve the current fire?
- LIst of Public Services with Versions and Application Library
- IPS Inbound and Outbound Traffic Filtering for all traffic
- SSL Traffic Inspection
- DNS Filter and Blocking
- Web Application Firewall
- Multi Factor Authentication for VPN and public Services
- Vulnerablity Management Program
- Staff Cyber Security Awareness
The is just the beginning of a multipart blog series titled: Layed Security for all Enterprises
Reference Links
https://cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability