Author: John Farley
On December 9th, 2021 the Apache Foundation released an emergency update for a critical zero-day vulnerability in Log4j. Log4j is a widely used logging library embedded in a wide range of systems, including cloud platforms, web applications, email services and enterprise software, that developers use to record user and application activity. The bug lets a threat actor execute code on a system running a vulnerable Log4j version by getting a specially crafted string into something the application logs (a username, a User-Agent header, a search term); the library interprets the string as a lookup and fetches and runs attacker-controlled code. It has been given the name Log4Shell and received the identifier CVE-2021-44228.
As of this writing researchers are reporting [1] that attackers are making thousands of exploitation attempts through mass internet scanning. Specifically, the attackers appear to be installing cryptocurrency-mining malware. Microsoft has also warned [2] of attempts to install Cobalt Strike on vulnerable systems, which would give attackers a foothold to steal usernames and passwords and move further into the network.
What To Do Now
Apache's fix is to upgrade to Log4j 2.16.0; organizations that cannot upgrade immediately should apply the mitigations described in Apache's announcement.
This new cyber threat has also received attention from governments around the globe. Apache is working closely with the U.S. Cybersecurity & Infrastructure Security Agency ("CISA") to provide guidance for organizations that may be impacted. CISA's advisory tells affected organizations to take the following immediate action:
- Review the Apache Log4j 2.16.0 Announcement and upgrade to Log4j 2.16.0 or apply the recommended mitigations.
- Enumerate any external-facing devices with Log4j installed.
- Ensure the security operations center actions every alert on those devices.
- Install a web application firewall (WAF) with rules focused on Log4j exploitation attempts, so the security operations center has fewer alerts to triage.
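The enumeration step above is harder than it sounds because Log4j is rarely installed as a standalone package: it is bundled inside WAR, EAR and "fat" application jars, and sometimes shaded into a jar whose name says nothing about Log4j. The following script is an added example written for this page (it is not code from Apache, CISA or the original post). It walks a directory tree, opens every archive, recurses into archives nested inside them, identifies log4j-core by its package path rather than its file name, reads the version from the jar's Maven `pom.properties` (falling back to the file name), and reports which copies are below 2.16.0 and still contain `JndiLookup.class`, the class Apache's mitigation guidance removes. The 2.16.0 threshold is the one named on this page; the sample jars are constructed in a temporary directory for the demonstration and are not real artifacts, and `summarize`/`demo` are this example's own helper names. Unknown versions are flagged so they get reviewed rather than ignored.

```python
"""Enumerate Log4j 2 core jars on a host, including jars nested inside
WAR/EAR/fat jars, and flag copies that still need the 2.16.0 upgrade or
the JndiLookup class removal. Added example; sample data is constructed."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (2, 16, 0)  # version named in the Apache/CISA advice above
# Class that Apache's documented jar-surgery mitigation deletes from log4j-core.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside real log4j-core jars; preferred version source.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str                           # nested entries joined with " -> "
    version: Optional[Tuple[int, ...]]  # None when no version could be read
    jndi_lookup: bool                   # JndiLookup.class still present

    @property
    def needs_action(self) -> bool:
        # Unknown versions are treated as vulnerable until someone checks them.
        return self.jndi_lookup and (self.version is None or self.version < FIXED_VERSION)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def _version_of(zf: zipfile.ZipFile, path: str, names: set) -> Optional[Tuple[int, ...]]:
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    return parse_version(os.path.basename(path))  # fall back to the file name


def _scan_zip(zf: zipfile.ZipFile, path: str, out: List[Finding]) -> None:
    names = set(zf.namelist())
    # Shaded jars carry log4j-core classes directly, so match the package, not the name.
    if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
        out.append(Finding(path, _version_of(zf, path, names), JNDI_LOOKUP_CLASS in names))
    for n in names:  # recurse into archives bundled inside this one
        if n.lower().endswith(ARCHIVE_EXT):
            try:
                _scan_zip(zipfile.ZipFile(io.BytesIO(zf.read(n))), f"{path} -> {n}", out)
            except zipfile.BadZipFile:
                continue


def scan_tree(root: str) -> List[Finding]:
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(full) as zf:
                        _scan_zip(zf, full, out)
                except zipfile.BadZipFile:
                    continue
    return out


def summarize(root: str) -> Dict[str, Tuple[str, bool]]:
    """Map each finding (path relative to root) to (version string, needs_action)."""
    result: Dict[str, Tuple[str, bool]] = {}
    for f in scan_tree(root):
        outer, _, inner = f.path.partition(" -> ")
        rel = os.path.relpath(outer, root) + (" -> " + inner if inner else "")
        ver = ".".join(map(str, f.version)) if f.version else "unknown"
        result[rel] = (ver, f.needs_action)
    return result


# ---- constructed sample tree (not real artifacts) --------------------------
def _jar(entries: Dict[str, object]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    core = {"org/apache/logging/log4j/core/Logger.class": ""}
    jndi = {JNDI_LOOKUP_CLASS: ""}
    pom = lambda v: {POM_PROPS: f"version={v}\ngroupId=org.apache.logging.log4j\n"}
    files = {
        "lib/log4j-core-2.14.1.jar": _jar({**core, **jndi, **pom("2.14.1")}),
        "lib/mitigated/log4j-core-2.14.1.jar": _jar({**core, **pom("2.14.1")}),  # class deleted
        "lib/log4j-core-2.16.0.jar": _jar({**core, **jndi, **pom("2.16.0")}),
        "lib/log4j-api-2.14.1.jar": _jar({"org/apache/logging/log4j/Logger.class": ""}),  # api only
        "apps/app.war": _jar({"WEB-INF/lib/log4j-core-2.11.1.jar": _jar({**core, **jndi})}),
        "apps/service-all.jar": _jar({**core, **jndi, **pom("2.13.3"), "com/acme/Main.class": ""}),
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo() -> Dict[str, Tuple[str, bool]]:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return summarize(root)


if __name__ == "__main__":
    for path, (ver, bad) in sorted(demo().items()):
        print(f"{'ACTION' if bad else 'ok    '}  {ver:<8} {path}")
```

Run it against a real host by calling `summarize("/")` (or the application directories) instead of `demo()`; the nested `app.war -> WEB-INF/lib/...` and shaded `service-all.jar` cases are the ones a file-name-only search such as `find / -name 'log4j-core*.jar'` misses. The script deliberately does not treat a 2.16.0 jar with `JndiLookup.class` present as a problem, since the class exists in the fixed version too; it is the combination of an old version and the class still being present that needs action.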
The UK's National Cyber Security Centre ("NCSC") also issued an alert with similar advice.
New Zealand issued its own alert with similar advice on mitigation strategies.
Leveraging Cyber Insurance
Cyber insurance and other insurance policies may provide assistance to organizations that believe they were victimized through the Apache Log4j vulnerability. Many stand-alone cyber policies provide access to crisis services, including breach coaches, IT forensics investigators and other breach response experts. Those with cyber insurance should be mindful of claim reporting obligations, requirements to use the insurer's panel of breach response vendors, evidence preservation, and issues that may affect attorney-client privilege.
For additional information regarding cyber insurance coverage, please contact your Gallagher team member.