'Hack DHS' Program Expanded to Include Log4j Bug Hunters
Also, CISA Has Published an Open-Source Log4j Scanner to Aid Defenders
A week after announcing a new bug bounty program called "Hack DHS," intended to safeguard the federal agency's systems, U.S. Department of Homeland Security Secretary Alejandro Mayorkas announced that DHS is expanding the scope of the program to include finding and patching Log4j-related vulnerabilities in the systems.
The Hack DHS bug bounty program is scheduled to have a phased introduction that will stretch across the entire fiscal year 2022 and will soon be adopted across different levels of the government (see: US DHS Announces New Bug Bounty Program to Safeguard Systems).
In response to the recently discovered log4j vulnerabilities, @DHSgov is expanding the scope of our new #HackDHS bug bounty program and including additional incentives to find and patch log4j-related vulnerabilities in our systems.
— Secretary Alejandro Mayorkas (@SecMayorkas) December 21, 2021
In a tweet, CISA Director Jen Easterly welcomed this move and thanked the global research community for participating in the program, especially since the Apache Log4j vulnerability is now a global-level threat.
UPDATE! We opened our #HackDHS bug bounty program to find & patch Log4j-related vulnerabilities in our systems. Huge thanks to the researcher community taking part in this program. Log4j is a global threat & it’s great to have some of the world’s best helping us keep orgs safe. https://t.co/lXcQ2nOH3a
— Jen Easterly (@CISAJen) December 22, 2021
During a press briefing on Dec. 14, CISA Executive Assistant Director for Cybersecurity Eric Goldstein said that, to date, there have been no confirmed compromises of any federal agencies due to Log4j, but he called the situation "extremely concerning," according to Federal News Network.
Why Include Log4j?
The announcement that Log4j will be included in the bug bounty program comes after the report of the Belgian Ministry of Defense falling victim to a cyberattack that was linked to the exploitation of the widespread Apache Log4j vulnerability (see: Log4j: Belgian Defense Ministry Reports It Was 'Paralyzed'). The ministry confirmed that the affected systems had been isolated, but did not reveal any information on the attacker or the type of cyberattack.
Reports allege that nation-state actors from potentially hostile nations such as China, Iran, North Korea and Turkey are also trying to gain maximum benefit from the Apache Log4j vulnerability, and they appear to have actively attempted to abuse it, according to cybersecurity experts (see: Nation-State Attackers Wielding Log4j Against Targets).
An Appropriate Approach
Some experts see the use of bug bounties to catch Log4j flaws as an appropriate approach. Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel, tells Information Security Media Group the Log4j vulnerabilities are pernicious because "they are difficult to detect with traditional vulnerability scanners, are embedded in numerous applications that you might not expect, and affect systems and applications downstream from primary operational flows that are nonobvious."
He says the most effective form of detection requires scanning all files on systems to look for the vulnerable versions of the Log4j library. While there are many open-source tools to accomplish this, he says, it can be difficult for many organizations to do it at scale.
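To illustrate the file-level detection Clements describes, here is an added example written for this article; it is not one of the open-source tools he refers to and not CISA's scanner. It walks a directory tree, opens every jar/war/ear (including jars nested inside wars), reads the log4j-core version from the bundled Maven metadata, and maps that version to the two CVEs named later in the article using the ranges from Apache's advisories; a jar whose JndiLookup.class has been removed (a documented mitigation) is reported as not vulnerable. The fixture helper `zip_bytes` and the sample archives built with it are constructed for demonstration.

```python
import io, re, zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # removed by the class-deletion mitigation
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # carries the exact version
NESTED = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def classify(version):
    """Map a log4j-core version to the CVEs it is exposed to (ranges per Apache's advisories)."""
    v = parse_version(version)
    if v is None or v >= (2, 16, 0) or v in ((2, 12, 2), (2, 3, 1)):
        return []                      # fixed: 2.16.0+ and the 2.12.2 / 2.3.1 backport releases
    if v == (2, 15, 0):
        return ["CVE-2021-45046"]      # 2.15.0 closed 44228 but left the 45046 bypass
    return ["CVE-2021-44228", "CVE-2021-45046"]

def inspect_archive(data, path):
    """Return [(path, version, cves)] for vulnerable log4j-core in this archive or any nested one."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    names, findings = set(zf.namelist()), []
    if POM_PROPS in names and JNDI_CLASS in names:   # metadata present AND lookup class still shipped
        m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
        version = m.group(1).strip() if m else "unknown"
        cves = classify(version)
        if cves:
            findings.append((path, version, cves))
    for name in names:                 # descend into jars bundled inside wars/ears/fat jars
        if name.lower().endswith(NESTED):
            findings += inspect_archive(zf.read(name), f"{path}!/{name}")
    return findings

def scan_tree(root):
    """Walk a directory tree and inspect every archive file under it."""
    return [f for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in NESTED
            for f in inspect_archive(p.read_bytes(), str(p))]

def zip_bytes(entries):
    """Build an in-memory zip from {name: bytes}; used only to construct sample fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Running `scan_tree("/opt")` on a real host returns one tuple per vulnerable library found, including the nested path inside a deployed war, which is the output an inventory or remediation plan would be built from.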
"All of these factors make these vulnerabilities ones that benefit tremendously from having more eyes available looking for potential vulnerable systems. Bug bounty programs can be especially effective at attracting exactly this volume of scrutiny by establishing a virtuous cycle aligning incentives between organizations and outside security researchers," Clements says. But he warns that detection is only the first step and says organizations must create mitigation and remediation plans to ensure that they are protected from being attacked through these vectors.
Eliminating the need to onboard resources is a particular benefit of this approach, according to James McQuiggan, security awareness advocate at KnowBe4 and education director of the Florida Cyber Alliance. "Using experts in the community alleviates the need to hire, onboard and just use [employees] as 'arms-length' contractors with a one-time payment," he says.
CISA-Recommended Log4j Scanner
CISA has published an open-sourced Log4j scanner on GitHub that has been built based on several scanners created by members of the open-source community, according to a tweet from CISA.
We published an open-sourced log4j-scanner derived from scanners created by other members of the open-source community. This tool is intended to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities: https://t.co/af8uszW8K4
— Cybersecurity and Infrastructure Security Agency (@CISAgov) December 21, 2021
"This repository provides a scanning solution for the Log4j remote code execution vulnerabilities (CVE-2021-44228 and CVE-2021-45046)," the GitHub post says. It says that the information and code in the repository is provided "as is" and was assembled with the help of the open-source community and updated by CISA through collaboration with the broader cybersecurity community.
CISA credits the scanning solution to several researchers. Mazin Ahmed is one of the names that appear in the credit section of the GitHub post. Ahmed is the founder of cybersecurity startup FullHunt.
FullHunt released a detection scanner on Dec. 13 for what was then the only known Apache Log4j RCE vulnerability, tracked as CVE-2021-44228.
CISA, in its GitHub post, says that it has "slightly modified" that open-source scanner and has used "two additional projects to avoid using third-parties."
FullHunt has not yet responded to ISMG's request for information about these modifications.
For the latest news and mitigation strategies from ISMG's reporting on the Log4j vulnerability, visit the updated thread, here.