Active, worldwide exploitation by malicious cyber actors of vulnerabilities found.
The Australian Cyber Security Centre (ACSC), along with international cyber security agency partners from the United States, United Kingdom, Canada and New Zealand, have issued a joint advisory with technical details, mitigations, and resources to help address critical vulnerabilities in the Apache Log4j software library.
The joint advisory is in response to the active, worldwide exploitation by malicious cyber actors of vulnerabilities found in the widely used Java-based logging package Log4j.
The advisory from the ACSC, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Canadian Centre for Cyber Security (CCCS), Computer Emergency Response Team New Zealand (CERT NZ), New Zealand National Cyber Secure Centre (NZ NCSC) and the United Kingdom’s National Cyber Security Centre (NCSC-UK), provides critical guidance for organisations or individuals using products with Log4j, which should be implemented immediately.
Acting head of ACSC, Jessica Hunter, has said malicious cyber actors are already scanning and exploiting some of the many thousands of vulnerable systems around the world. To address this threat we all need to be proactive in our efforts to fix vulnerabilities and be alert to malicious cyber activity.
All international agency partners have been working with entities in the public and private sectors since the first vulnerability was discovered to identify vulnerable products, raise awareness, and encourage all potentially affected organisations to take immediate action.
The joint advisory provides valuable resources to help organisations further strengthen their defences and resiliency against these vulnerabilities, as well as other cyber threats.
Every executive and leader is strongly encouraged to ensure their business, organisation, or government agency is taking appropriate action to address the Log4j vulnerabilities.
In Singapore the Cyber Security Agency of Singapore (CSA) has raised the alert and is working with Critical Information Infrastructure (CII) sectors and organisations to patch their systems, and take remediation and mitigation measures immediately.
Log4j is an open-source Java package used to support activity-logging in many Java-based applications. As it is widely used by developers, this vulnerability can have very serious consequences. Successful exploitation of this vulnerability will allow an attacker to gain full control of the affected servers. The situation is evolving rapidly and there have already been numerous observations of ongoing attempts by threat actors to scan for and attack vulnerable systems.
CSA is monitoring the situation closely. There have been two emergency meetings by CSA with all the CII sector leads to issue directions and technical details, and to heighten monitoring for unusual activities. Aside from earlier advisories, CSA has also organised a briefing session this morning to trade associations and chambers to underscore the seriousness of the vulnerability and urgency of implementing mitigation measures for all businesses and SMEs.
CSA urges users and product developers to implement the mitigation measures listed below immediately:
i) Users of products with Log4j should:
• Patch to the latest updates immediately, especially for users of Apache Log4j with affected versions between 2.0 and 2.14.1. They are advised to upgrade to the latest version 2.16.0 immediately.
• Determine if Log4j is used in other instances within their system.
• Heighten monitoring for anomalous activity; deploy Protective Network Monitoring and Review System Logs.
ii) Product developers that use Log4j in their products should:
• Identify, mitigate and develop patches for affected products that utilise Log4j.
• Inform end-users of your products that contain this vulnerability and strongly urge them to prioritise software updates.
Organisations can refer to SingCERT’s advisory at https://www.csa.gov.sg/en/singcert/Advisories/ad-2021-010 for more information.
According to Gartner, the security community has created resources cataloging vulnerable systems. However, it’s important to note that these lists are constantly changing, so if a particular application or system is not included, don’t take it as assurance that it isn’t impacted. Exposure to this vulnerability is highly likely, and even if a particular tech stack does not use Java, security leaders should anticipate that key supplier systems — SaaS vendors, cloud hosting providers and web server providers — do.
What steps should cybersecurity leaders take to protect their enterprises?
Gartner wrote, Cybersecurity leaders need to make identification and remediation of this vulnerability an absolute and immediate priority. Start with a detailed audit of every application, website and system within your domain of responsibility that is internet-connected or can be considered public-facing. This includes self-hosted installations of vendor products and cloud-based services. Pay particular attention to systems that contain sensitive operational data, such as customer details and access credentials.
Once this audit is complete, turn your attention to remote employees, and ensure that they update their personal devices and routers, which form a vital link in the security chain. This will likely require a proactive, involved approach, as it is not sufficient to simply issue a list of instructions, given vulnerable routers provide a potential entry point into key enterprise applications and data repositories. You’ll need the support and cooperation of the broader IT team.
Overall, this is the time to invoke formal severe incident response measures in line with organizational incident response plans. This incident merits involvement at all levels of the organization, including the CEO, CIO and board of directors. Ensure you’ve briefed senior leadership and that they are prepared to respond to questions publicly. This vulnerability and the attack patterns exploiting it are unlikely to subside for some time, so active vigilance will be important for at least the next 12 months.