Many OODA Loop members have had their nose to the grindstone right through the holiday season attending to the potential impacts of Log4j vulnerability and Log4Shell exploits within their organization.  Following is a ‘big picture’ update of CISA press releases, global incidents, and impacts for your review when you come up for air  – and need to assess more of the strategic challenge ahead with the vulnerability and the potential for executables within your systems.

Summary

• The current update on the CISA Apache Log4j Vulnerability Guidance webpage, last updated on December 28:  “Organizations are urged to upgrade to Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6), and review and monitor the Apache Log4j Security Vulnerabilities webpage for updates and mitigation guidance.   See CISA’s joint Alert AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities for more information.  CISA also highlighted the role vendors need to play in the patching process.”  See the ‘CISA Vendor Recommendations’ section below for more details.
• Log4j is the first US-CERT notification to put front and center private sector collaboration through the newly formed DHS CISA Joint Cyber Defense Collaborative (JCDC).  Links to the incidents and situational awareness reports provided by JCDC companies are available below in the “Mitigation Guidance from JCDC Partners” section.
• Mass exploitation of the original Log4Shell vulnerability (CVE-2021-44228) by threat actors began around December 9th, when a PoC exploit for it surfaced on GitHub.  The PoC exploit got the attention of opportunistic attackers who began mass-scanning the internet for vulnerable servers. (1)
• Today in the OODA Loop Daily Pulse:  researchers have reported a Log4J-Related Remote Code Execution (RCE) Flaw in H2 Database.  This vulnerability is technically not a Log4j vulnerability and should be assessed differently.  What the flaw has in common with Log4j is that the root cause of the H2 flaw is based in Java Naming and Directory Interface (JNDI) remote class loading.
• The most recent vulnerability update (by way of CISA US-CERT and the Carnegie Mellon Software Institute and) is related to JDNI:  VU#930724 – Apache Log4j allows insecure JNDI lookups (cert.org).

CISA Director Easterly and Eric Goldstein (CISA’s executive assistant director for cybersecurity) Hold Virtual Press Conference

From our friends over at The Record:  “Top officials at the US Cybersecurity and Infrastructure Security Agency on Monday said the Log4Shell vulnerability has mostly resulted in crypto-mining and other minor incidents at federal agencies, but warned that threat actors may soon start actively exploiting the vulnerability to disrupt critical infrastructure and other assets.”

“We’ve been actively monitoring for threat actors looking to exploit [Log4Shell],” said CISA director Jen Easterly at a press briefing Monday morning. “Over the past several weeks we have seen widespread exploitation of Log4Shell by criminal actors who use it to install crypto-mining software on victim computers or to capture victim computers for use in botnets.  At this time we have not seen the use of Log4Shell resulting in significant intrusions.  This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their access until network defenders are on lower alert.”

Echoing Easterly’s comments, Eric Goldstein, CISA’s Executive Assistant Director for Cybersecurity, offered the following in the virtual press conference:  “We are not seeing confirmed compromises of federal agencies, including critical infrastructure.  We’re seeing widespread scanning by malicious actors, we’re seeing some prevalence of what we would call low-level activities like installation of crypto mining malware, but we’re not seeing destructive attacks or attacks attributed to advanced persistent threats.” (2)

CISA estimates that hundreds of millions of devices have the vulnerability.   Mirroring OODA CEO Matt Devost’s assessment of the long-term impact of the Log4j vulnerability, Goldstein added that the issues are widespread and would require a “long tail remediation.”

CISA Vendor Recommendations

In order for vulnerabilities to be remediated in products and services that use affected versions of Log4j, the maintainers of those products and services must implement these security updates. Users of such products and services should refer to the vendors of these products/services for security updates. Given the severity of the vulnerabilities and the likelihood of an increase in exploitation by sophisticated cyber threat actors, CISA urges vendors and users to take the following actions.

• Vendors
  • Immediately identify, mitigate, and update affected products using Log4j to the latest version.
  • Inform your end-users of products that contain these vulnerabilities and strongly urge them to prioritize software updates.
• Affected Organizations
  • In addition to the immediate actions detailed in the box above, review CISA’s GitHub repository for a list of affected vendor information and apply software updates as soon as they are available. See Actions for Organizations Running Products with Log4j below for additional guidance. Note: CISA has added CVE-2021-44228 to the Known Exploited Vulnerabilities Catalog, which was created according to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.
  • On December 17, 2021, CISA issued Emergency Directive (ED) 22-02: Mitigate Apache Log4j Vulnerability directing federal civilian executive branch agencies to address Log4j vulnerabilities—most notably, CVE-2021-44228. The Emergency Directive requires agencies to implement additional mitigation measures for vulnerable products where patches are not currently available and requires agencies to patch vulnerable internet-facing assets immediately, thereby superseding the broader deadline in BOD 22-01 for internet-facing technologies.

Mitigation Guidance from JCDC Partners

• Broadcom’s Symantec Enterprise blog: Apache Log4j Zero-Day Being Exploited in the Wild content
• Cisco Talos Intelligence Group – Comprehensive Threat Intelligence: Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild
• CISA’s Alert AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
• Cloudflare Blog: CVE-2021-44228 – Log4j RCE 0-day mitigation
• Cloudflare blog: Protection against CVE-2021-45046, the additional Log4j RCE vulnerability
• CrowdStrike blog: Log4j2 Vulnerability Analysis and Mitigation Recommendations
• IBM Security Intelligence blog: How Log4j Vulnerability Could Impact You
• Investigating CVE-2021-44228 Log4Shell Vulnerability: VMWare Threat Research
• Mandiant blog: Log4Shell Initial Exploitation and Mitigation Recommendations
• Microsoft blog: Guidance for Preventing, Detecting, and Hunting for CVE-2021-44228 Log4j 2 Exploitation
• Palo Alto Networks blog: Apache log4j Threat Update
• Splunk’s blog: Log4Shell – Detecting Log4j Vulnerability (CVE-2021-44228) Continued
• Tenable blog: CVE-2021-44228: Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (Log4Shell)
• VMware Blog: Log4j Vulnerability Security Advisory: What You Need to Know

Further Resources

Log4Shell Incidents and Mitigation Activities To-date: Governmental Agencies (Global)

OODA Loop – 2021 Year-End Review: Cybersecurity

Log4Shell Exploit Used in Cox Media Group Ransomware Attack Attributed to Iranian Hackers

CISA Apache Log4j Vulnerability Guidance Webpage Up and Running with Mitigation Guidance from JCDC Partners

Related Reading:

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real-world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking