Pratum Blog

This post was originally published in December 2021 and has been updated for accuracy and comprehensiveness.

IT and cybersecurity teams saw their priorities immediately reordered in December 2021 when hackers began widespread exploitation of a vulnerability discovered in Java Log4j. Since news of the vulnerability broke, teams have scrambled to evaluate how it affects their systems and to deploy the required patches. The following summarizes the latest information on the vulnerability.

If you need help identifying and fixing your vulnerability (or if you have experienced a breach related to Log4j), contact Pratum’s incident response team immediately via our website or by calling 515-965-3756.

What is the Vulnerability?

On December 10, 2021, news broke about a critical remote code execution (RCE) vulnerability in the Java library called Log4j, which is part of open-source code maintained by the Apache Software Foundation. It is widely used by enterprise software developers. That means a long list of big-name companies and software providers are affected, including Amazon Web Services (AWS), IBM, Oracle, Cisco, Apple, Minecraft, ConnectWise and many others.

Hackers immediately began scanning the Internet for vulnerable systems and launching hundreds of attempts per minute to exploit the vulnerability. On affected systems, hackers could gain the ability to remotely execute code and compromise or export sensitive data. You can read Apache’s advisory on the vulnerability here.

How Do I Update the Apache Log4j Library?

Any log4j-core version from 2.0-beta9 to 2.14.1 is considered vulnerable and should be updated to 2.17.1 or later. Updating Log4j to 2.17.1 closes the vulnerability, which is tracked as CVE-2021-44228 (also known as Log4Shell).

Log4j version 2.15.0 is also available. This version does not disable JNDI functionality by default and allows message lookups. While some software supports 2.16.0, other software may still rely on JNDI functionality; in that case, you should use version 2.15.0. Before updating, ensure that the correct patched version is selected. For software that does not rely on JNDI functionality or message lookups, version 2.17.1 or later should be used.

A second vulnerability (CVE-2021-44832), disclosed on December 28, 2021, affects a patched version of Log4j, version 2.17.0. While it is rated at a CVSS of 6.6, this vulnerability can allow remote code execution when the Log4j configuration file is loaded from a remote location.

Because of the lower CVSS score and the higher complexity required for exploitation, fewer users are likely to be affected. However, users should update to version 2.17.1 or later where possible, since 2.17.1 patches this vulnerability.

What Other Applications Are Vulnerable?

Updating Log4j itself won’t address the vulnerability in the numerous applications that bundle the Log4j library. You’ll need to update each of those applications as their developers release updates. Expect numerous communications from software vendors who are updating their products in order to close the vulnerability. You can review a list of known software vulnerabilities at this site.

Many older applications that rely on the Java runtime are potentially vulnerable. This can include web frontends, servers and other frameworks that use the Log4j library to log data. Even if the main application is not Java-based, it may use Log4j for logging. Plan on applying multiple upgrades and patches to your system.

Within hours of the vulnerability’s discovery, Pratum’s Security Operations Center (SOC) installed new detections/mitigations to protect the systems of our Extended Detection and Response (XDR) customers. The new rules created by our analysts detect attempted exploitation; block malicious Java processes; block executable files unless they meet specific criteria; and more. We are also actively processing and adding additional Indicators of Compromise as they are disseminated through various channels.

How Do I Check for the Vulnerability on My System?

You should run a vulnerability scan on your system. You can also test it using a local or third-party DNS logging service. Submit a request containing the DNS-logging test string (shown as a code image in the original post, not reproduced here). If the server performs the DNS lookup, it will be logged with the provider.
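Vulnerability scanners rely on the same version ranges listed in the update section above. The following Python script is an added example (not code from this post or from Pratum) that inventories log4j-core jars under a directory, reads each jar’s embedded Maven pom.properties, and classifies the version exactly as the post describes: 2.0-beta9 through 2.14.1 as CVE-2021-44228, 2.17.0 as CVE-2021-44832, and 2.17.1 or later as fixed; the interim 2.15.0/2.16.0 releases are flagged for review. The two jars it scans are constructed in a temporary directory for the demonstration rather than taken from a real installation.

```python
import re
import tempfile
import zipfile
from pathlib import Path
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(ver):
    """'2.14.1' / '2.0-beta9' -> comparable tuple; pre-releases sort first."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d+))?", ver)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {ver!r}")
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch or 0)) + ((0, tag, int(num)) if tag else (1, "", 0))

def classify(ver):
    """Ranges as the post states them; Java 6/7 backports (2.3.1+, 2.12.2+) are not special-cased."""
    v = parse_version(ver)
    if parse_version("2.0-beta9") <= v <= parse_version("2.14.1"):
        return "VULNERABLE: CVE-2021-44228 (Log4Shell); upgrade to 2.17.1+"
    if v == parse_version("2.17.0"):
        return "VULNERABLE: CVE-2021-44832; upgrade to 2.17.1+"
    if v >= parse_version("2.17.1"):
        return "OK: 2.17.1 or later"
    return "REVIEW: interim release; confirm against vendor guidance"

def log4j_core_version(jar_path):
    """Version from log4j-core's embedded pom.properties, or None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        props = jar.read(POM).decode("utf-8", "replace") if POM in jar.namelist() else ""
    return next((p.split("=", 1)[1].strip() for p in props.splitlines() if p.startswith("version=")), None)

def scan(root):
    """Walk a directory tree and classify every log4j-core jar found."""
    findings = {}
    for jar in Path(root).rglob("*.jar"):
        try:
            ver = log4j_core_version(jar)
        except zipfile.BadZipFile:
            continue  # a .jar that is not a valid zip archive
        if ver:
            findings[jar.name] = classify(ver)
    return findings

def demo():
    """Constructed sample: two minimal jars carrying only pom.properties."""
    root = Path(tempfile.mkdtemp())
    for ver in ("2.14.1", "2.17.1"):
        with zipfile.ZipFile(root / f"log4j-core-{ver}.jar", "w") as jar:
            jar.writestr(POM, f"version={ver}\n")
    return scan(root)
```

Point scan() at an application’s install directory to list every bundled log4j-core jar with its status; jars that shade Log4j under a different artifact path will not carry this pom.properties entry and need a separate check.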

What Should I Do To Protect My System?

In addition to upgrading your version of Log4j and installing the patches that software vendors provide, CISA also recommended these three additional steps:

  • Enumerate any external facing devices that have log4j installed.
  • Make sure that your SOC is actioning every single alert on the devices that fall into the category above.
  • Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.

What if I Can’t Update or The Application Vendor Hasn’t Updated Their Software Yet?

Software vendors have likely published patches for affected applications. Be sure to check patch or release notes to find fixed versions. Adding the JVM flag shown in the original post (as a code image, not reproduced here) can prevent the vulnerability.

Pratum’s incident response team is currently helping clients analyze and remediate their exposure to Log4j. For help with your specific situation, contact Pratum’s incident response team immediately via our website or by calling 515-965-3756. This situation is continuing to evolve, and we’ll update this blog as new information becomes available. You also should regularly check CISA’s Apache Log4j Vulnerability Guidance for new information.

Pratum and Technology Association of Iowa Employees at Iowa Capitol holding Cybersecurity Action Month Proclamation

Since 2004, the President of the United States and Congress have declared October to be Cybersecurity Awareness Month, which has helped citizens better understand the risks of online security threats and become more educated about the daily, evolving environment of personal and public security.

If inaction due to unawareness is a driver of threat events, then it is important to empower businesses and the public with the ability to take action based on awareness.

With the help of Pratum and the Technology Association of Iowa, the State of Iowa made the important move from basic awareness to an emphasis on encouraging data security action when Governor Kim Reynolds declared this October to be Cybersecurity Action Month.

With cyberattacks continuing to make headlines right here in Iowa, we understand there is a real need for proactive cybersecurity resources for companies and organizations statewide. So we are proud to partner with Pratum on Cybersecurity Action Month to encourage Iowans to think beyond awareness and how to take action on their cybersecurity programs.

Brian Waller, President, Technology Association of Iowa

The Technology Association of Iowa and Pratum are the partnering sponsors of Cybersecurity Action Month and have made a number of training guides and other media available to the public.

Companies and individuals are encouraged to sign up to take advantage of the Cybersecurity Action Month resources to equip themselves to take action in defense of their own cybersecurity.

Various videos, guides, and infographics are available to help organizations establish realistic action plans to take better control of security. Topics include Vendor Risk Management, Employee Security Training, Incident Response Planning, and Business Impact Analysis (BIA).

Awareness is critical, but it is not enough. We are providing resources that help equip organizations to take action against cyber threats.

Jordan Engbers, President, Pratum

Seven Security Culture Mistakes Your Organization Could be Making

Hackers, like all humans, crave efficiency. And that makes your employees their favorite target. It’s easier, after all, to crack a person than a computer. Even though your cybersecurity fears may envision someone tapping out code in a darkened room, the bigger threat is an e-mail that fools an employee into granting access to the company’s system. That’s why social engineering attacks (such as bogus e-mails in phishing attacks) have become the most common method for penetrating an organization’s system.

Use the following list to ensure you're fully protecting your data by educating and motivating every employee to make cybersecurity part of their daily responsibility.

1. Develop a cybersecurity awareness strategy

A security culture takes shape only after someone with authority deems it important, forms a plan for achieving specific goals and then carries out the plan. Your first step should be a written plan that defines the security culture you envision and provides specific steps you’ll take to get there. For example, your culture will define what level of access to company data each employee receives. Include information security themes for each quarter, which will guide your communication and training.

2. Extend your plan to the remote workforce

If you’re thinking only in terms of access to office-based computers and servers, you’re several years behind. The rapid switch in 2020 to working from home should cement our understanding that the dispersed workforce is here to stay. Your data probably lives largely in the cloud with access coming from dozens of personal devices and home networks. Your plan and training need to cover all of that.

3. Create a training plan

About 30% of U.S. companies say they have no cybersecurity awareness and training programs for employees or other stakeholders. That leaves hackers a wide doorway into your systems. For your first information security training program, you can turn to dozens of low-cost solutions that provide excellent and relevant material. Or consider putting together a PowerPoint with relevant security topics that engage employees across all departments. Effective security training solutions include, at a minimum, the following list of topics:

  • Data classification and sensitivity. Employees need to understand what types of data your organization stores, processes and transmits. Giving them an overview of this information helps them recognize the sensitivity of your records and how your business depends on each employee to protect the data they work with.
  • Social engineering tactics, approaches, and examples. Attackers use threats, such as fraudulent phone calls, e-mail phishing, and facility access, to obtain more information about your organization or establish remote network access. Employees must be adequately trained to identify situations where bad actors are trying to get them to divulge sensitive information.
  • Password best practices. Passwords are the primary authentication method employees use to access sensitive data. You must provide training on how to generate strong, effective passwords that align with your organization’s requirements.
  • System patching. While your IT department will most likely manage employee devices, it’s imperative to emphasize the importance of system updates. Devices should always be kept up to date with the latest operating system and application patches.
  • Incident response. Training should cover how to quickly and effectively report potential security incidents to management and/or IT staff. Data breaches are typically discovered by an employee observing suspicious activity on their computer system or network.

4. Continuously train employees

Many companies capitalize on a new employee’s eagerness by providing security training on the first day. While this is an important step in the onboarding process, it shouldn’t be the last time the employee hears about these policies and procedures. A study by Vanson Bourne found that just 11% of organizations continuously train employees on information security. We recommend refresher sessions at least a couple of times per year, which ensures employees get reminders on best practices, hear about the latest threats and recognize that management takes the topic seriously.

5. Start with the basics

Don’t generalize based on employees' job skills or age. Many leaders assume that young employees are savvier about information security since they’ve grown up using multiple digital platforms. But that familiarity—and a culture of sharing almost everything online—may actually make your younger team members bigger risks. Train everyone, and make it available in several formats (presentations, videos, quizzes, etc.) so that employees get the message regardless of their learning style.

And don’t skip the basics in your training materials. For example, “Password” is still one of the world’s most common passwords. And a Verizon study shows that approximately 76% of attacks on corporate networks involved weak passwords. So as obvious as the need for strong passwords may seem—it obviously isn’t.

6. Involve company leadership

When employees not only hear leaders talking about the importance of information security but actually see the leaders sitting beside them in training sessions, the message is clear. Use your top managers to reinforce the priority your organization puts on security.

7. Measure progress

Your long-term strategy should include benchmarks showing how you’re doing. Some common performance indicators include tracking how many employees fail routine phishing tests, who is reporting suspicious emails, how often employees change their passwords, and who is adhering to your organization’s Clean Desk Policy. With metrics in place, you can track progress and identify employees who aren’t embracing or understanding policies.

If all of that sounds a bit overwhelming, see how Pratum can help! Every week, our consultants help companies create their security strategy, develop plans for implementation, and maintain security awareness and training effectiveness.
