CISA, International Partners Advise All Orgs to Patch Log4j
Researchers Also Detect Iranian APT Activity Around Apache Flaw
The U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency, along with several of their international law enforcement partners, have issued a joint advisory on the known vulnerabilities in the Apache Log4j software library urging "any organization using products with Log4j to mitigate and patch immediately."
The advisory - issued in conjunction with the Australian Cyber Security Center, the Canadian Center for Cyber Security, Computer Emergency Response Team New Zealand, the New Zealand National Cyber Security Center, and the U.K.'s National Cyber Security Center - provides technical details, mitigations and resources for immediate implementation.
The advisory follows CISA's emergency directive, issued Friday, overriding the previous deadline of Dec. 24 to patch for Log4j and instead telling federal civilian agencies and departments to patch or mitigate immediately (see: CISA to Agencies: Patch Log4j Vulnerability 'Immediately').
The international advisory, officials say, is a response to "active, worldwide exploitation by numerous threat actors" of the vulnerabilities in the widely used Java-based logging package Log4j, which are tracked as CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
"Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world; we implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks," says CISA Director Jen Easterly. "CISA is working shoulder to shoulder with our interagency, private sector, and international partners to understand the severe risks associated with Log4j vulnerabilities and provide actionable information for all organizations to promptly implement appropriate mitigations.
"These vulnerabilities are the most severe that I've seen in my career, and it's imperative that we work together to keep our networks safe."
FBI Cyber Division Assistant Director Bryan Vorndran says the FBI is "working alongside federal and international partners" to "arm the public and private sectors with information to better shield their systems."
"We continue to urge anyone who is impacted by the Log4j vulnerability to apply all recommended mitigations from CISA and visit fbi.gov/log4j to report details of your suspected compromise," Vorndran says.
And NCSC Director of Operations Paul Chichester says that it remains vital for organizations to patch software "as a matter of urgency" and to follow the published advice.
To date, CISA has created a dedicated Log4j webpage with technical details, mitigation guidance and other resources. It has also created a community-sourced GitHub repository of affected devices and services.
Other experts continue to stress the severity of the Log4j flaw.
"The existence of a long-known design flaw associated with Java that too few enterprises addressed isn't an exploit; it is a defect that should have been fixed years ago," says Richard Bird, board member of the Identity Defined Security Alliance and a Forbes Technology Council member.
Bird, who is currently the chief product officer at the firm SecZetta, says, "Log4j and the resulting scramble it has caused should remind us to look up from our desks and keyboards and ask: What other design defects are out there in the digital universe?"
Iranian APT Activity
In its Log4j report, which has been updated with new findings, researchers at the Israeli security firm Check Point call the Apache logging flaw "one of the most serious vulnerabilities on the internet in recent years," and warn that "the potential for damage is incalculable."
The researchers say they have prevented over 4.3 million attempts to leverage the vulnerability - with 46% of those attempts made by "known malicious groups." The firm says more than 48% of corporate networks have seen attempted Log4j exploits.
Last week, Check Point reported that a known Iranian hacking group, Charming Kitten, aka APT35, has been behind attempts to exploit the Apache flaw - particularly against seven targets within Israel, including both the government and businesses.
"We have blocked these attacks, as we witnessed communications between a server used by this group and the targets in Israel," the firm says. "There's no evidence for the group's related activity on targets outside of Israel."
Xavier Bellekens, CEO of the cyber deception platform Lupovis, says he has seen attacks evolve from the installation of cryptomining software to Mirai and Muhstik malware being injected on vulnerable devices.
"Log4shell will be haunting us for years to come as we have seen a 400% growth since the discovery and targeted attacks on Israel by APT35 and more recently against the Belgian Defense," Bellekens says. "Cybercriminals all around the world have been handed a lucky pass with Log4Shell, and they will be working round the clock trying to exploit organizations."
Nigel Thorpe, technical director at the firm SecureAge, says, "The Log4j vulnerability illustrates why organizations cannot just rely on … tools that look for code, patterns and behavior that we already know is malicious. Until recently, everyone thought that Log4j was just a neat way for services to log their actions. Now we know that, unpatched, Log4j provides a way for cybercriminals to get their malware into systems."
On Tuesday, NVIDIA, which designs graphics processing units for gaming and professional markets, issued a security advisory outlining which of its products are vulnerable to the Log4j flaw.
The firm says five of its products - GeForce Experience client software, GeForceNOW client software, GPU Display Drivers for Windows, L4T Jetson Products and SHIELD TV - are not vulnerable to or affected by the issue.
It says the following products require attention:
- Nsight Eclipse Edition - versions below 11.0 - are vulnerable to CVE-2021-44228 and CVE-2021-45046. The flaw has been fixed in version 11.0 or later.
- NetQ - versions 2.x, 3.x and 4.0.x - are vulnerable to CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. Users are advised to upgrade to NetQ 4.1.0.
- vGPU Software License Server - versions 2021.07 and 2020.05 Update 1 - are affected by CVE-2021-44228 and CVE-2021-45046. NVIDIA provides a mitigation guide.
- CUDA Toolkit Visual Profiler includes Log4j files, though the application does not use them. An update is set to arrive in January.
The explosive Log4j vulnerability was originally reported to the U.S.-based nonprofit Apache Software Foundation on Nov. 24, according to Cyber Kendra. Now, Chinese regulators are suspending an information-sharing partnership with Alibaba Cloud Computing over its alleged failure to promptly report and address the vulnerability with the government, according to a new report from Reuters, which cites state-backed media.
China's Ministry of Industry and Information Technology, or MIIT, has reportedly suspended its partnership with the cloud unit - though it will reassess after six months and consider renewal "depending on internal reforms," Reuters writes. According to recent reports, the MIIT said it was first notified of Log4j via a "third-party report."
The move follows activity among Chinese officials to rein in online infrastructure, citing national security. The government has tasked state-owned companies with migrating their data from private operators, including Alibaba, to a state-backed cloud system, according to Reuters.