Securin’s Incident Response to the Log4j Vulnerability
Supriya Aluri
Securin Team
Aug 17, 2022
Rapid Action from Securin’s Incident Response Team
Safeguards Its Clients from the Log4j Vulnerability
Described as a “cybersecurity Hiroshima” or a “Fukushima moment,” the impact of the Log4j vulnerability continues to be felt by thousands of companies exploited or attacked by hackers and ransomware. Yet, rapid and proactive action from Securin’s Incident Response Team has helped protect all its clients.
When the Log4j vulnerability was publicly disclosed on December 9, 2021, Securin immediately had its Incident Response Team reach out to all its clients to guide them on protective measures. Realizing that any vulnerability in Log4j, one of Java’s most popularly used open-source logging libraries, would put the clients using Apache Log4j at risk of data thefts, malware, or ransomware attacks, Securin’s team came up with a rapid protection plan to safeguard clients’ infrastructure.
Objectives
- Inform all clients about the Log4j vulnerability and risks to their networks and infrastructure.
- Use Securin’s proprietary script to detect Log4j vulnerabilities, compromised servers, vulnerable assets, and exploit patterns.
- Deploy Securin’s Incident Response Team to initiate scans to identify any affected Log4j versions in the client’s environment and follow Securin’s vulnerability management process to patch affected IPs and assets.
- Provide clients with regular updates on the list of software to be patched and other indicators of compromise.
Challenges
- Unauthenticated scans only catch 5% of Log4j vulnerabilities. Our team had to create a unique script and use multiple scanners to detect all Log4j issues.
- Our Incident Response Team had to race against the clock to protect all our clients before attackers could exploit Log4j.
- As Apache Log4j is used by both open-source and commercial software, users have to wait for vendors to release a patch.
- The list of software and plug-ins affected by Log4j is growing exponentially, and organizations must continue patching to stay safe.
- Many organizations rely on traditional security controls such as firewalls and lack a dedicated team capable of tracking and spotting cyber threats. Without guidance, they have no idea about how to remediate the Log4j vulnerability.
- Any organization that does not have asset inventory and is unaware of its underlying technology stack will not know how it can be affected by Log4j.
- Organizations using outdated versions of Java and third-party software are easy targets.
Securin’s Incident Response to Log4j
To safeguard its clients, Securin launched a rapid action plan to scan client networks and assets using its proprietary script and an array of scanners that can detect the Log4j vulnerability.
The script was designed to detect Log4j vulnerabilities, identify if a server was compromised, and locate the vulnerable version and path. It could also find exploit patterns and exploits logged on the dark web.
Securin then mobilized its vast team of over 150 pentesters to help validate data and identify vulnerabilities. After the scans were completed, clients were informed about affected IPs and indicators of compromise (IoCs) and were instructed on how to remediate these issues and close gaps. Understanding the need for immediate action, Securin’s Incident Response Team also provided its cybersecurity analysts as an extension of clients’ teams to ensure that remediation was completed without any delays.
Securin is still tracking the Log4j vulnerability and regularly updates its clients with a list of software to be patched and malicious domains and hashes to be blocked. This way, Securin can ensure that its clients are safe and remain a step ahead of other organizations.
Business Impact
Catastrophic Ransomware Attacks
Attackers and Advanced Persistent Threat (APT) groups can easily target vulnerable companies in the supply chain to gain access to vast volumes of confidential data and credentials that enable them to disrupt services. Attackers can also use the vulnerability to install crypto mining software and steal from financial institutions.
Vast Data Losses
An organization’s reputation can be severely damaged if a privileged user account is compromised. A Log4j attack can lead to the loss or misuse of confidential data and personal information and allow attackers to gain unauthorized remote access to the organization’s servers.
Service Disruption
Attackers can use Log4j to flood an organization’s network with traffic and make important services unavailable to regular users. Traffic flooding can affect the organization’s customer base, profit, and brand reputation.
Recommendations to Stay Safe from Log4j
Securin’s Incident Response Team comprises highly skilled cybersecurity resources deployed to work with clients from all industries to create a detailed and proactive security plan. After a security attack occurs, the team will work quickly to help its client organizations minimize impact, identify causes, and provide remediation and patch updates.
Share this post on:
