Updated Monday December 13, 10:45 am ET
On December 10, 2021, Apache published details of the CVE-2021-44228 vulnerability in the Log4j utility — an open source Java logging package maintained by Apache. For background, Log4j is a widely used logging library: as users interact with an application, the application records the actions taking place, which administrators rely on when troubleshooting the application or the system it runs on.
The vulnerability is triggered when a specific sequence of characters is logged by the Log4j package. Because web applications routinely log details of incoming requests, threat actors have found ways to craft web requests that contain that sequence. When such a request is logged, the threat actor is able to execute commands on the server and take control of it.
This might seem par for the course. You'd be forgiven for thinking, “oh great, just another vulnerability to deal with. I’ll follow my patching best practices and call it a day."
Not so fast. Here’s the issue: a very large number of applications use the vulnerable logging package. You need to be concerned not only with your own applications, but also with any third-party applications you use that might store your data or have access into your environment. Suffice it to say, we are in the first inning of a very long ball game, in which new vendors will keep coming forward with new patches for you to apply.
Early indications are calling this one of the greatest Internet vulnerabilities in the last seven years (anyone remember Heartbleed or ShellShock?).
In other words, this is a big deal and should be taken as such. Working exploit code is already public. Threat actors are already scanning the Internet for vulnerable systems. It is only a matter of time before that access is turned into other forms of malicious activity, such as deploying ransomware.
Detection tool: https://github.com/mergebase/log4j-detector
Windows PowerShell: gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
Linux: find / -type f -name '*.jar' -print0 2>/dev/null | xargs -0 grep -l JndiLookup.class
Mitigation (remove the vulnerable lookup class from the jar): zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
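The one-liners above only inspect .jar files at the top level of the filesystem, so a log4j-core jar bundled inside a .war or .ear (for example under WEB-INF/lib) is missed. The following added example, which is not part of the original post, recursively scans archives nested inside archives for the same JndiLookup.class entry; the sample .war it checks is constructed in memory.

```python
"""Scan .jar/.war/.ear archives, including archives nested inside them,
for the Log4j JndiLookup.class entry that the one-liners above grep for."""
import io
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive_bytes(data, path):
    """Return the archive paths ("outer!inner") that contain JndiLookup.class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip-based archive, nothing to inspect
    with zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                hits.append(path)
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                # Recurse into nested archives, e.g. WEB-INF/lib/*.jar inside a .war.
                hits.extend(scan_archive_bytes(zf.read(name), f"{path}!{name}"))
    return hits


def scan_file(filename):
    """Scan one archive on disk; returns the same list shape as scan_archive_bytes."""
    with open(filename, "rb") as fh:
        return scan_archive_bytes(fh.read(), filename)


def build_sample_war():
    """Constructed sample input: a .war embedding a log4j-core jar that still
    carries JndiLookup.class, next to an unrelated jar that does not."""
    def jar_with(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as jar:
            for entry, payload in entries.items():
                jar.writestr(entry, payload)
        return buf.getvalue()

    # 0xCAFEBABE is the class-file magic; it stands in for real bytecode here.
    vulnerable_jar = jar_with({JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    clean_jar = jar_with({"com/example/Util.class": b"\xca\xfe\xba\xbe"})
    return jar_with({
        "WEB-INF/lib/log4j-core.jar": vulnerable_jar,
        "WEB-INF/lib/other-lib.jar": clean_jar,
        "WEB-INF/web.xml": b"<web-app/>",
    })


if __name__ == "__main__":
    for hit in scan_archive_bytes(build_sample_war(), "app.war"):
        print("JndiLookup.class found in", hit)
```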
In collaboration with CrowdStrike, we've released a Log4j vulnerability discovery solution to help organizations gain greater certainty that they have located and patched every instance of the Log4j utility. Policyholders can request a scan from us.
Refer to the Corvus Knowledge Nest article related to this vulnerability for the latest updates and recommendations. That is the first place we'll publish any changes to guidance.