Industrial networks are among those which are vulnerable to the recently disclosed zero-day in the Log4j2 Java logging library, security researchers have warned.
The vulnerability (CVE-2021-44228) was disclosed on December 9 and allows remote code execution and access to servers. Log4j is used in a wide range of commonly used enterprise systems, raising fears that there’s ample opportunity for the vulnerability to be exploited.
Within hours of the vulnerability being publicly disclosed, cyber attackers were already making hundreds of thousands of attempts to exploit the critical Log4j vulnerability to spread malware and access networks.
With each day since its disclosure, more is being learned about the flaw, and cybersecurity researchers have now warned that it could have significant implications for the operational technology (OT) networks which control industrial systems – and for a long time to come.
“Given that Log4j has been a ubiquitous logging solution for Enterprise Java development for decades, Log4j has the potential to become a vulnerability that will persist within Industrial Control Systems (ICS) environments for years to come,” said a blog post by cybersecurity researchers at Dragos.
And given how easy it is to exploit the vulnerability, combined with the potentially large number of affected applications, researchers recommend an “assume-breach mentality” and active hunting for post-exploitation activity.
Dragos says that it has seen attempted and successful exploitation of the Log4j flaw – and has already coordinated a takedown of one of the malicious domains used in these attacks.
Several cybersecurity researchers have already noted that some attackers are exploiting Log4j to remotely run Cobalt Strike – a penetration testing tool that’s often used in ransomware attacks.
Many industrial organisations struggle with visibility into their networks due to their complex nature, but it’s important for those running operational technology to know what their network looks like and counter the possibility of attacks attempting to exploit the vulnerability as a matter of urgency.
“It’s important to prioritize external and internet-facing applications over internal applications due to their internet exposure, although both are vulnerable,” said Sergio Caltagirone, vice president of threat intelligence at Dragos.
“Dragos recommends all industrial environments update all affected applications where possible based on vendor guidance immediately and employ monitoring that may catch exploitation and post-exploitation behaviors,” he added.
Researchers suggest that applying the Log4j patch can help prevent attackers from taking advantage of the vulnerability – although the ubiquitous nature of Log4j means that in some cases, network operators might not even be aware that it’s something in their environment which they have to think about.
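The practical first step behind the advice above is knowing where Log4j is actually deployed. The following scanner is an added example, not code from the article or from Dragos: it walks a directory tree, reads the Maven metadata that log4j-core JARs carry, looks inside WAR/EAR bundles for nested JARs, and flags a copy as vulnerable to CVE-2021-44228 only if its version predates the fix for its release line (2.15.0, or 2.12.2 and 2.3.1 for the Java 7 and Java 6 lines) and the JndiLookup class is still present, so a JAR that was mitigated by removing that class is reported but not flagged. The `demo()` function builds a constructed sample tree of stand-in JARs in a temporary directory; those files and their version numbers are fabricated for illustration.

```python
"""Inventory scanner for Log4j 2 (added example; not from the article)."""
import io
import os
import re
import tempfile
import zipfile

# Maven metadata path shipped inside real log4j-core JARs.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class whose presence enables the JNDI lookup abused by CVE-2021-44228.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); stops at the first non-numeric piece."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def affected_version(version):
    """True if a log4j-core version predates the CVE-2021-44228 fix for its line."""
    v = parse_version(version)
    if len(v) < 2 or v[0] != 2:
        return False  # Log4j 1.x / unparseable: not this CVE (still worth a manual look)
    if v[1] == 3:
        return v < (2, 3, 1)    # Java 6 line
    if v[1] == 12:
        return v < (2, 12, 2)   # Java 7 line
    return v < (2, 15, 0)


def inspect_archive(source, label):
    """Inspect one JAR/WAR/EAR (path or file-like); recurse into nested JARs."""
    findings = []
    try:
        zf = zipfile.ZipFile(source)
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            version = "unknown"
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
            has_jndi = JNDI_LOOKUP_CLASS in names
            findings.append({
                "label": label,
                "version": version,
                "jndi_lookup_present": has_jndi,
                "vulnerable": has_jndi and affected_version(version),
            })
        for name in names:
            if name.lower().endswith(".jar"):  # e.g. WEB-INF/lib/log4j-core-*.jar
                nested = io.BytesIO(zf.read(name))
                findings.extend(inspect_archive(nested, f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Return findings for every archive below root, labelled by relative path."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                findings.extend(inspect_archive(path, os.path.relpath(path, root)))
    return findings


def _write_sample_jar(target, version, include_jndi=True):
    """Constructed stand-in for a log4j-core JAR (sample data, not a real artifact)."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"artifactId=log4j-core\ngroupId=org.apache.logging.log4j\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes


def demo():
    """Scan a constructed sample tree and summarise what would be flagged."""
    with tempfile.TemporaryDirectory() as root:
        _write_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
        _write_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
        # Same old version, but JndiLookup.class was removed as a mitigation.
        _write_sample_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"),
                          "2.14.1", include_jndi=False)
        # A WAR carrying a vulnerable log4j-core nested under WEB-INF/lib.
        inner = io.BytesIO()
        _write_sample_jar(inner, "2.13.3")
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", inner.getvalue())
        findings = scan_tree(root)
    return {
        "total": len(findings),
        "vulnerable": sorted(f["label"] for f in findings if f["vulnerable"]),
    }


if __name__ == "__main__":
    for f in scan_tree("."):
        print(("VULNERABLE " if f["vulnerable"] else "ok         ") + f["label"], f["version"])
```

Run it from an application's install directory to list every log4j-core copy and its version; on a real host the list is usually longer than expected, which is exactly the visibility problem the researchers describe.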