+++ UPDATE 12/21/2021 +++
The security vulnerability in log4j continues to be heavily exploited.
Government institutions are now also affected by attacks and have had to shut down entire parts of their infrastructure.
There is growing evidence that a functional worm is already in circulation.
The worm automatically searches for affected systems and attacks them – presumably with the aim of setting up a botnet.
At the same time, prominent hacker groups begin to exploit the loophole.
A number of ransomware-as-a-service offers are being prepared.
Attackers exploit the gap, gain access to the systems and place ransomware on the system.
The attack-ready access is then offered for sale.
As the patches for log4j to version 2.15 and 2.16 have also made other security vulnerabilities usable, patch version 2.17 is currently available.
Recommendations for protecting the systems:
It is recommended that all systems are equipped with the latest patch version 2.17.
Manufacturers are also required to equip their products with the latest updates accordingly.
+++ The original workaround of setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to TRUE is not sufficient to fix the problem! +++
It is also recommended that all potentially vulnerable systems be subjected to an in-depth audit and that the IT security infrastructure be closely monitored for anomalies.
+++ If required, we will of course be happy to support you in analyzing your systems and give you specific recommendations for action.
+++ Phone: +49 6022 65193-0 +++
+++ UPDATE 12/13/2021 +++
According to the latest findings, the Log4Shell vulnerability can now be used to load code directly via a corresponding call.
The vulnerability has therefore become even more serious.
As a result, BlackBerry systems and MobileIron systems are now also vulnerable.
We have received mitigation information from both manufacturers.
General information on mitigation can be found here:
https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#4-how-to-mitigate-the-issue
Talos Intelligence assumes that the vulnerability could have been exploited as early as 02.12.2021.
This is currently indicated by various patterns in attacks.
It can also be assumed,
that attackers will not immediately begin to continue any attacks on infrastructures.
Instead, it is to be expected that they will wait and potentially launch further attacks at a later date.
The systems taken over by Log4Shell are then the starting point for this.
Source: https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
An urgent recommendation is to regularly review the list of affected products: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
If products from this list are in use, they should be examined very closely and kept under review.
We have set up a tool published by Huntress Security in our infrastructure to enable us to test systems.
If you have any requirements here, please contact us at help@agilimo.de.
The BSI has also updated its assessment: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf?__blob=publicationFile&v=7
