To raise the alert level for a number of vulnerabilities in the popular Java-based logging library Log4j, the Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive. The vulnerabilities, first disclosed on December 9, 2021, are being actively exploited by several threat actors.
CISA has determined that this vulnerability poses an unacceptable risk to federal civil law enforcement agencies and requires emergency action; the directive instructs these agencies to mitigate the Apache Log4j vulnerabilities and the cyberattacks that exploit them.
CISA issues emergency directive for Log4j: Unacceptable risk
Exploitation of one of these vulnerabilities allows an unauthenticated attacker to remotely execute code on a server.
Successful exploitation can occur even if the software that accepts the input is not written in Java, as long as that software passes the malicious character strings on to other (backend) systems that are written in Java.
The directive instructs agencies to remove all affected software assets from their networks by December 23, 2021 and to report all affected software applications by December 28, 2021.
“This finding is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the spread of the affected software in federal companies and the high potential for compromising information systems of the authorities.”
The current version of the Emergency Directive prioritizes solution stacks that accept data input from the Internet; however, CISA strongly recommends that the same measures be applied across each agency’s entire infrastructure.
The directive also notes that, because the situation is evolving, the agency plans to issue supplementary guidance covering broader information technology (IT) and operational technology (OT).
By February 15, 2022, CISA will submit a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) identifying the inter-agency status and outstanding issues.
“CISA will continue to work with our partners to monitor the active exploitation of these vulnerabilities and to notify the authorities and provide additional guidance if necessary,” says the directive. “[The agency] will provide technical assistance to agencies whose in-house capabilities are insufficient to comply with this policy.”
CISA also urged critical infrastructure owners and operators to take immediate steps to strengthen their network defenses against potential malicious cyberattacks, in the face of persistent cyber threats and the approaching holidays.
Among its recommendations, CISA urged IT security leaders to ensure that network defenders implement cybersecurity best practices, increase organizational vigilance, and prepare their organizations to respond quickly.
“Have employees review the reporting processes and implement business continuity plans to test your ability to operate key functions in an IT-constrained or otherwise degraded environment,” CISA said in its December 15, 2021 advisory. “Consider the cross-industry dependencies of your company and the impact that a potential incident in your company could have on other sectors and how an incident in these sectors could affect your company.”
Dor Dali, director of information security at Vulcan Cyber, a provider of SaaS for managing enterprise cybersecurity risk, said that every cybersecurity organization knows it needs to take action to mitigate Log4Shell.
The question is: What measures are necessary for your environment?
“The unfortunate answer is, ‘It depends,’” said Dali. “Also, if a federal agency needs to be asked to take action, there’s a very good chance they don’t know their Log4j-specific security rating and are struggling to know where to start.”
Dali recommends using at least one vulnerability scanner, subscribing to a threat intelligence feed, compiling asset data, and setting threat tolerance levels and risk SLAs.
“Aggregate all of this data by organizational or functional groupings within the agency to make it manageable, and then start prioritizing and delegating the mitigation work,” he said. “You can’t fix what you don’t understand. It is therefore essential to first get a holistic overview of the risk situation of Log4Shell before chasing ghosts in the machine.”
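Dali’s step of “compiling asset data” is, in practice, a hunt for every copy of log4j-core on disk, including copies buried inside WAR files and fat JARs, which is where most inventories miss them. The scanner below is an added example, not code from the article or from Vulcan Cyber; the fixed-version threshold and the sample archive tree it builds are assumptions constructed here.

```python
import io, tempfile, zipfile
from pathlib import Path

# Assumption (not from the article): log4j-core 2.x older than 2.17.0 is affected
# by at least one Log4Shell-family CVE; 2.3.x/2.12.x backports are not special-cased.
FIXED_VERSION = (2, 17, 0)
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = {".jar", ".war", ".ear"}

def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body, or None."""
    for line in text.splitlines():
        if line.startswith("version="):
            nums = line.split("=", 1)[1].strip().split(".")[:3]
            return tuple(int(n) for n in nums if n.isdigit())
    return None

def scan_archive(data, path, findings):
    """Inspect one archive (bytes) and recurse into archives it embeds."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # not a zip container, nothing to inspect
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if POM in zf.namelist():  # this archive *is* a log4j-core build
            ver = parse_version(zf.read(POM).decode("utf-8", "replace"))
            findings.append((path, ver, ver is None or ver < FIXED_VERSION))
        for name in zf.namelist():  # fat JARs and WARs bundle log4j-core inside
            if Path(name).suffix in ARCHIVES:
                scan_archive(zf.read(name), f"{path}!/{name}", findings)

def scan_tree(root):
    """Walk a directory; one (path, version, needs_action) per log4j-core found."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in ARCHIVES:
            scan_archive(p.read_bytes(), str(p), findings)
    return findings

def build_sample_tree():
    """Constructed fixture: a WAR nesting log4j-core 2.14.1 plus a 2.17.0 jar."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, data in entries.items():
                z.writestr(name, data)
        return buf.getvalue()
    root = Path(tempfile.mkdtemp())
    nested = jar({POM: "version=2.14.1\n"})
    (root / "app.war").write_bytes(jar({"WEB-INF/lib/log4j-core-2.14.1.jar": nested}))
    (root / "log4j-core-2.17.0.jar").write_bytes(jar({POM: "version=2.17.0\n"}))
    return str(root)
```

Running `scan_tree("/opt")` or similar on a real host reports the nested 2.14.1 copy with its `app.war!/WEB-INF/lib/...` path, which is the record a risk SLA can be attached to.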
‘Ankle-Biters and Script Kiddies’
Jake Williams, co-founder and CTO of BreachQuest, an incident response specialist, added that there is no doubt threat actors targeting the US government will take advantage of this vulnerability, but he would not expect them to be those at the top of the food chain.
“At this point, every IDS and network security monitoring solution is looking for Log4j JNDI exploits. So if you’re a nation-state threat actor looking to build long-term persistence for intelligence operations, it makes little sense,” he said. “At this point, the CISA policy is mostly protecting the agencies from ankle-biters and script kiddies.”
He also cautioned against setting reporting requirements hastily, especially in response to high-profile vulnerability events like Log4j: while Log4j dominates the news cycle, it may seem like a good time to push additional reporting requirements, but such requirements, even if well meant, can have negative effects.
“However, policy makers should ensure that they are not inadvertently causing operational problems by making reporting mandatory,” Williams said. “In addition, reporting violations must have a specific purpose. There must be a direct link between the reported violation and an improvement in the public safety situation.”