How to Patch Log4j Now That Version 2.16 Has Been Released
Ransomware Being Dropped by Attackers to Exploit Widespread Apache Software Flaw
Security and IT teams racing to mitigate the threat posed by the ubiquitous Log4j vulnerability are facing a new problem: Which version of the patched software should they deploy - 2.15.0 or the newly released 2.16.0?
The question comes as attackers are targeting prior versions of the widely used Java logging library, which is included in Apache web servers and many other types of technology. Multiple versions have a flaw that attackers can directly or indirectly exploit to remotely execute code, potentially allowing them to take over systems and gain access to corporate networks. Attackers are already scanning for vulnerable systems and targeting the flaw to deploy ransomware and other malware, including cryptocurrency miners and remote access Trojans, researchers warn.
Details of the critical vulnerability became widely known on Thursday, after the nonprofit Apache Software Foundation, which maintains the software, released version 2.15 with a fix for the problem on Dec. 8.
New Flaw Found in Log4j Version 2.15
On Monday, however, Apache released Log4j version 2.16, to fix yet another problem, designated CVE-2021-45046. The latest version of Log4j also addresses the vulnerability introduced in 2.14, described by security firm Tenable as involving "insufficient protections on message lookup substitutions," by eliminating support for message lookups. The new version also makes the Java Naming and Directory Interface inactive by default.
The U.S. Cybersecurity and Infrastructure Security Agency has urged all organizations, as a matter of priority, to identify all vulnerable technology, set security operations center alerts to monitor for attack attempts, deploy web application firewalls as a defense, and test and deploy available updates as quickly as possible (see: CISO Playbook: Dawn Cappelli on Mitigating Log4j Zero-Day).
"Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string," security researcher Marcus Hutchins has warned about version 2.14, meaning it's remarkably easy to exploit.
Already, attackers have been targeting the flaw to try to deploy numerous types of malicious code.
"While most of the attacks observed so far seem to be targeting Linux servers, we have also seen attacks against systems running the Windows operating system. For these attacks, we have detected the attempt to deploy a ransomware family called Khonsari," a new family, Martin Zugec, technical solutions director for security firm Bitdefender, writes in a Monday blog post. He says the ransomware arrives as a ".NET binary file."
Separately, Hutchins warned Tuesday that among other attempts to exploit the vulnerability, one recently spotted campaign traces back to "a Russian bulletproof host popular with more serious criminal groups, and could be ransomware-related."
Cybersecurity firm CrowdStrike warned that an Iranian-sponsored advanced persistent threat group, with the code name Nemesis Kitten, appears to be trying to target the flaw.
Likewise, cybersecurity firm Mandiant says it's seen both Chinese and Iranian state-sponsored advanced persistent threat groups attempting to exploit the flaw. "The Iranian actors who we have associated with this vulnerability are particularly aggressive, having taken part in ransomware operations that may be primarily carried out for disruptive purposes rather than financial gain," says John Hultquist, Mandiant's vice president of intelligence analysis. "They are also tied to more traditional cyberespionage."
Which Version to Deploy?
The question now facing already overworked teams, who are still trying to identify software and hardware that might have the flaw, test and deploy patches, and mitigate any exploitation attempts before those fixes can be deployed, is what to do about there being yet another version of Log4j to deploy.
Thankfully, the CVE-2021-45046 flaw fixed in version 2.16.0 "doesn't seem to permit remote code execution or data exfiltration; it's merely a denial-of-service attack that might cause the affected process to hang," says Paul Ducklin, principal research scientist at Sophos, who's been tracking how to best remediate this problem.
Unfortunately, any of the temporary fixes that teams might be making to version 2.14 to mitigate the JNDI flaw until they can patch won't block the new CVE-2021-45046 flaw, Ducklin tells Information Security Media Group. For that, a move to version 2.16.0 will be required.
"My recommendation is that if you're halfway through patching, don't go back to the beginning again yet. From now on, upgrade to 2.16.0, so that you get everything to at least 2.15.0 as quickly as you can," he says. "Then go back and patch any 2.15.0 versions, so you have the same version everywhere."
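As an added example (not code from the article, Sophos or Apache), the following Python helper applies Ducklin's split to a jar inventory: it sorts log4j-core jars into instances still exposed to the JNDI lookup remote code execution flaw (older than 2.15.0), 2.15.x instances that only need the 2.16.0 follow-up for CVE-2021-45046, and instances already at 2.16.0 or later. The jar naming pattern, the bucket labels and the sample paths are assumptions.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Thresholds from the article: 2.15.0 fixed the JNDI message-lookup RCE; 2.16.0 fixed
# the CVE-2021-45046 denial of service and turns JNDI off by default.
JNDI_RCE_FIXED = (2, 15, 0)
CVE_2021_45046_FIXED = (2, 16, 0)
# Assumed jar naming convention, e.g. log4j-core-2.14.1.jar or log4j-core-2.16.0-rc1.jar
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)(?:[-.][\w.-]*)?\.jar$")

SAMPLE_JARS = [  # constructed, hypothetical paths so the script runs without a real tree
    "/srv/app-a/lib/log4j-core-2.14.1.jar",
    "/srv/app-b/lib/log4j-core-2.15.0.jar",
    "/srv/app-c/lib/log4j-core-2.16.0.jar",
    "/srv/app-a/lib/log4j-api-2.14.1.jar",  # not the core jar: skipped
]

def parse_version(jar_name):
    """Return (major, minor, patch) for a log4j-core jar file name, or None."""
    m = JAR_RE.match(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None

def classify(version):
    """Map a Log4j 2 version tuple to the remediation bucket Ducklin describes."""
    if version[0] != 2:
        return "unknown"            # not Log4j 2: inspect by hand
    if version < JNDI_RCE_FIXED:
        return "upgrade-now-rce"    # still exposed to the JNDI lookup RCE
    if version < CVE_2021_45046_FIXED:
        return "upgrade-later-dos"  # 2.15.x: only the CVE-2021-45046 DoS remains
    return "patched"

def inventory(jar_paths):
    """Group jar paths by bucket; jars that are not log4j-core are skipped."""
    buckets = defaultdict(list)
    for p in jar_paths:
        version = parse_version(Path(p).name)
        if version is not None:
            buckets[classify(version)].append(str(p))
    return dict(buckets)

def scan_tree(root):
    # Walk a real directory tree and inventory every log4j-core jar found in it.
    return inventory(Path(root).rglob("log4j-core-*.jar"))

if __name__ == "__main__":
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else inventory(SAMPLE_JARS)
    for bucket, jars in sorted(report.items()):
        print(bucket, *jars, sep="\n  ")
```

Matching on file names misses copies of Log4j shaded into fat jars or nested inside .war and .ear archives, so treat this as a first pass and confirm with the archive's embedded pom.properties or a dedicated scanner.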
Catalog What's Vulnerable
Efforts are underway to catalog all vulnerable software, to help organizations better determine the risk they face as well as track the availability of patches from vendors shipping affected hardware and software.
"We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity," CISA Director Jen Easterly said Monday. "We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies - and signals to nonfederal partners - to urgently patch or remediate this vulnerability. We are proactively reaching out to entities whose networks may be vulnerable and are leveraging our scanning and intrusion detection tools to help government and industry partners identify exposure to or exploitation of the vulnerability."
Security researcher Kevin Beaumont says he's working with CISA "to produce a validated list of third-party products using vulnerable Log4j."
Defenders against Log4shell
I have been working with @CISAgov to produce a validated list of third-party products using vulnerable Log4j
find out your exposure and how to fix it
This is work in progress
Bookmark and track situation changes https://t.co/iQNJYsRQVC
- Kevin Beaumont (@GossiTheDog), December 14, 2021
Also, Trend Micro has released a web-based Log4j vulnerability testing tool to help identify any server-based applications that might be vulnerable. Security firm Cybereason has released a tool to help organizations temporarily mitigate the JNDI problem until they can patch.
"The good news is that if you prepared correctly for your first round of patching, you've already completed what most people found to be the most daunting problem at the start - namely, making a full list of affected applications," Ducklin at Sophos says. "Lots of sysadmins discovered they had a lot more Log4j instances than they ever knew or thought."
Indeed, vendors so far have reported that at least 250 software frameworks, libraries and products include vulnerable Log4j software, and that users will need to install updated software - when available - to patch the problem.
Thus far, attackers don't seem to have found a way to trigger the attack in most of the vulnerable products, although it's a sure bet they'll keep trying, Beaumont reports.
Accordingly, defenders should expect to see "flashes of activity as somebody discovers a new trigger in products, which will trigger a wave of incidents," he says of the Log4j version 2.14.0 vulnerability. "It mostly won't be a flash in the pan; it will fester."
Criminal and Nation-State Risks
On Tuesday, Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a call with reporters, as Reuters reported, that thus far, "We are not seeing widespread, highly sophisticated intrusion campaigns."
But security experts say it's a certainty that more sophisticated crime syndicates will begin to target and exploit these flaws. Nation-state attackers have historically never shied away from making use of exploits being wielded by criminals, to better hide their espionage-driven efforts. Furthermore, stealthy assaults may take some time to be spotted, as the SolarWinds supply chain attack demonstrated.
With Log4j, it's still not clear for how long attackers may have already been exploiting the years-old flaw. Details of the vulnerability were first reported to Apache on Nov. 24 by Chen Zhaojun, a member of the security team at Chinese multinational technology company Alibaba.
On Dec. 8, Alibaba's Chen warned the team that maintains Apache Log4j that details of the vulnerability were already being publicly discussed on some WeChat Chinese blogging platform groups, Bloomberg reported. Apache released version 2.15.0 the next day.
What happens next? With not just criminals but also Chinese and Iranian state-sponsored attackers already targeting the flaw, Mandiant's Hultquist expects other nations will soon follow. "We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time," he says. "In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting."
Managing Editor Jeremy Kirk contributed to this story.