By now you have no doubt heard your CIO or CISO talking about a vulnerability that has widespread implications for your health system, which is a security flaw involving the Apache Log4j popular open-source library, a commonly embedded and ubiquitous piece of software found in millions of systems that are web-enabled. It is so prevalent because it provides functionality that every web application needs. This is serious because this vulnerability, which does have well known exploits, allows an attacker to remotely execute code and totally compromise the system affected. As a result, it has been assigned a severity level of 10.0 out 10.0, meaning it doesn’t get any worse. But the real reason this vulnerability is so dangerous is because of its potential widespread attack surface which includes your enterprise systems, vender systems, affiliates, ancillary groups and remote users. The bottom line is it has the potential to affect virtually every aspect of your computing environment, and if left unmitigated is extremely easy to exploit. So, we have a real threat, with real exploits, that affects millions of systems, that is easy to exploit and can have devastating results both operationally and to patient care.
What are it’s impacts and why you should care
Simply put, if a hacker exploits a system running Log4j that has not been remediated, they can essentially cause that system to run whatever software they want. They can execute software that takes command of that IT asset, which is called a Remote Code Execution or RCE attack. This can then lead to larger or more dangerous outcomes such as data theft, disruption of services or extortion. We have already seen a spike in ransomware and other malicious attacks attempting to take advantage of this vulnerability. Minimally it creates a major distraction for IT teams as they work around the clock to find and mitigate affected systems and work with others to mitigate risk. So, at the low end of the potential negative impacts is just the distraction of IT from core projects and supporting the business. At the high end could be devastating and costly impacts from data thefts or ransomware.
What organizations should be doing
The first order of business is to raise awareness and your alert posture. Communicate across the organization what is going on, make sure everyone is alert to any indication that the network isn’t performing right, have your security operations center increase their alert posture for indicators of Log4j compromise. Continue to stay apprised of vulnerable solutions and monitor closely. There are several helpful lists that have been published and are being kept current as fixes are identified. One such list is published by CISA.
Step 2 – Identify all vulnerabilities and understand the attack surface throughout the organization. This will be done through a mixture of vulnerability scanning, validating with remote users, and checking with partners and affiliates to ensure devices have been identified and properly patched.
Step 3 – Consider multiple methods of finding the Log4j instance. This could include leveraging multiple vulnerability scanners, PowerShell, local indexing etc. Relying on multiple sources helps ensure you understand the complete picture of risk and avoid false negatives.
Step 4 – Apply patches and consider mitigation steps to disable Log4j completely or remove a given device if unable to patch.
Step 5 – Utilize web application firewalls to help filter malicious requests.
Step 6 – Conduct a post compromise analysis to ensure devices haven’t already been exploited or your network/systems compromised. The vulnerability was out and available to hackers before we learned of it. By the time we learned of it there were already exploits readily available and evidence threat actors were attempting to take advantage of this vulnerability. You can’t just assume no one successfully made use of this opportunity.
Step 7 – Remain vigilant and stay tuned to further developments as things can always change.
