The Log4j vulnerability, also known as Log4Shell, continues to impact companies and organizations since it was first publicly identified by security researchers in early December 2021. Since our last blog on how to detect and mitigate Log4Shell, multiple well-known ransomware groups — including Conti, Khonsari and TellYouThePass — have been seen actively using this remote code execution (RCE) vulnerability in the popular Java logging library to target thousands of organizations around the world with malicious code and ransomware campaigns.
What Are the Potential Impacts of Log4Shell Exploitation?
The Log4Shell critical vulnerability offers yet another point of entry and attack vector for attackers. If your organization uses log4j and threat actors successfully exploit it, they can gain access to your network. Once in your network, attackers can escalate privileges, move laterally to other devices and exfiltrate valuable or sensitive data like Personally Identifiable Information (PII), criminal justice or background data, or evidence. This could ultimately result in you losing access to your mission-critical systems, and could disrupt communications and business operations.
The Federal Trade Commission (FTC) has warned of potential legal action against companies they regulate that fail to update their systems to the most recent versions of the log4j library.
What Can You Do Now to Mitigate Log4Shell Risks?
The vulnerability (starting with CVE-2021-44228) affects any server running Java that uses the Log4j library (Apache Log4j2 2.0-beta9 through 2.15.0 – excluding security releases 2.12.2, 2.12.3, and 2.3.1) for logging, according to the Apache site. Since Log4j is so widely used, and attackers are already developing new ways to exploit it, it’s crucial that all organizations continue to take this threat seriously. As we noted before, your best line of immediate defense is to follow vendor recommendations on updating affected software components to protect vulnerable systems.
Motorola Solutions has provided customers with mitigation guidance for any of our products that may have been impacted by Log4j. For Motorola Solutions products such as ASTRO P25, it’s important that you follow the technical bulletins specific to them to avoid any disruption to these products. Please direct questions to your local account management team member before taking any actions.
How Can You Detect a Log4Shell Compromise?
Several security control technologies placed in the proper flows can identify an initial successful compromise of this vulnerability, as well as subsequent activities from attackers attempting to execute ransomware or carry out a longer-term objective like data exfiltration. Network Intrusion Detection can alert you to attackers making a successful inbound connection, as well as the subsequent connection back to their device or control site. Network Intrusion Detection system vendors quickly added, and continue to add, capabilities specific to spotting the Log4Shell exploit.
If you deploy Endpoint Detection and Response (EDR) to a server hosting a vulnerable library, it can detect attackers attempting to download malicious software or initiate other processes to expand their scope of control. If your application is in an AWS environment, the GuardDuty service has specific monitoring policies around outbound traffic that highlight connections to known Log4Shell exploit IPs, ports and DNS queries.
Additional Recommendations to Minimize Log4j Exposure
For owners and operators of Motorola Solutions systems, please consult with your Motorola Solutions representative for guidance.
For enterprise IT networks, we recommend reviewing Apache’s Logging Services site, which lists available patches, to determine the best one for your organization. The most recent updates are Log4j versions 2.3.2 (for Java 6), 2.12.4 (for Java 7) and 2.17.1 (for Java 8 and later).
Updating to the latest version isn’t always possible due to compatibility issues and risks like business interruption, downtime or impacting application functionality. You can reduce your risk by disabling the Log4j library, JNDI lookup and remote codebases, or by isolating the system. These actions don’t patch the log4j vulnerability, but they minimize exposure.
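As an added example (not Motorola Solutions' or Apache's tooling), the following Python script inventories the log4j-core jars under a directory, reads each jar's version from its Maven pom.properties record, classifies it against the version facts stated in this post, and records whether the JndiLookup class has already been removed as the interim mitigation described above. The status labels and the sample jars it builds are constructed for illustration; the pom.properties path and the JndiLookup class path are the standard locations inside a log4j-core jar.

```python
import re, tempfile, zipfile
from pathlib import Path
# Version facts from the post (affected range, excluded security releases, fixed releases) and jar entries.
AFFECTED_LOW, AFFECTED_HIGH = "2.0-beta9", "2.15.0"
SECURITY_RELEASES = {"2.12.2", "2.12.3", "2.3.1"}
FIXED_RELEASES = {"2.3.2", "2.12.4", "2.17.1"}
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # Maven version record
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class the mitigation removes

def parse_version(text):
    """'2.15.0' -> (2, 15, 0, 1, ''); '2.0-beta9' -> (2, 0, 0, 0, 'beta9'), so pre-releases sort first."""
    core, _, pre = text.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    return nums + (0,) * (3 - len(nums)) + ((0, pre) if pre else (1, ""))

def classify(version, has_jndi_lookup):
    """Status per the post's version facts; a missing JndiLookup.class lowers exposure but is not a patch."""
    if version in FIXED_RELEASES:
        return "fixed"
    if version in SECURITY_RELEASES:
        return "security-release"
    if not parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH):
        return "outside-stated-range"
    return "affected" if has_jndi_lookup else "affected-jndi-removed"

def inspect_jar(path):
    """Return {'path', 'version', 'status'} for a log4j-core jar, or None for any other jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM_PROPS not in names:
            return None
        match = re.search(r"^version=(.*)$", jar.read(POM_PROPS).decode("utf-8", "replace"), re.M)
    version = match.group(1).strip() if match else "?"
    return {"path": str(path), "version": version, "status": classify(version, JNDI_CLASS in names)}

def scan(root):
    """Classify every log4j-core jar below root (jars nested inside war/ear archives are not opened)."""
    return [r for p in Path(root).rglob("*.jar") if zipfile.is_zipfile(p) and (r := inspect_jar(p))]

def build_sample_tree():
    """Constructed sample input: three fake jars (not real Log4j builds) written to a fresh temp dir."""
    root = Path(tempfile.mkdtemp())
    samples = [("log4j-core-2.14.1.jar", "2.14.1", True), ("stripped-log4j-core-2.14.1.jar", "2.14.1", False),
               ("log4j-core-2.17.1.jar", "2.17.1", True)]
    for name, version, keep_jndi in samples:
        with zipfile.ZipFile(root / name, "w") as jar:
            jar.writestr(POM_PROPS, f"version={version}\n")
            if keep_jndi:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    return root
```

Run `scan("/opt")` (or any application root) to list each log4j-core jar with its version and status; anything reported as "affected" still carries the lookup class and should be prioritized for the vendor update or the mitigation described above.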
If you’re using a Cloudflare Web Application Firewall (WAF), three recently deployed rules can help mitigate exploit attempts. We’ve provided links in our previous blog to additional external resources with vendor recommendations and steps to search and identify Log4Shell activity on your network.
How Motorola Solutions Can Help
If you are a customer of any Motorola Solutions products or systems, please contact your Motorola Solutions representative to learn about Log4j fixes that are available now or are planned in the future. If you are a Motorola security services customer, we have updated our toolset to detect and manage this vulnerability.
The Motorola Solutions Security Operations Center (SOC) operates Managed Detection and Response services for a large number of enterprises and public safety organizations. The SOC has been tracking and identifying indicators of compromise (IOCs) and threat actor groups abusing the Log4Shell vulnerability to support malicious campaigns. Soon after the Log4Shell vulnerability became public, we noticed a significant increase in known malicious IP addresses conducting reconnaissance and scanning, looking for Internet-accessible vulnerable endpoints.
Our security analysts use advanced queries to identify known IOCs related to Log4Shell. In addition, analysts are reviewing behavioral IOCs in order to identify post-exploitation activity related to privilege escalation, lateral movement, account compromise, data exfiltration and other security risks resulting from exploitation of Log4Shell.
Continuous monitoring is a key element that must be included as part of your security program in order to detect attacks using Log4Shell and other vulnerabilities. Monitoring IT networks and endpoints can help detect malware and many other security threats, and provide crucial details on how long attackers have been in a system as well as where else they may have gained access.
Our advanced security platform, ActiveEye, uses a combination of network intrusion detection and sophisticated EDR technology to stay ahead of threat actors. Organizations using our Managed Detection and Response services can rest assured that trained security experts are closely watching for attacks, and with next-gen EDR capabilities, can quickly stop ransomware attacks.