Log4j flaw could be a problem for industrial networks 'for years to come'

Industrial networks are among those that are vulnerable to the recently disclosed zero-day in the Log4j2 Java logging library, security researchers have warned.

The vulnerability (CVE-2021-44228) was disclosed on December 9 and allows remote code execution and access to servers. Log4j is used in a wide range of commonly used enterprise systems, raising fears that there's ample opportunity for the vulnerability to be exploited.

Within hours of the vulnerability being publicly disclosed, cyber attackers were already making hundreds of thousands of attempts to exploit the critical Log4j vulnerability to spread malware and access networks.

LOG4J FLAW COVERAGE - WHAT YOU NEED TO KNOW NOW

• US warns Log4j flaw puts hundreds of millions of devices at risk
  
• Log4j flaw: Attackers are making thousands of attempts to exploit this severe vulnerability 
  
• Log4j RCE activity began on December 1 as botnets start using vulnerability 

Each day on from its disclosure, more is being learned about the flaw, and now cybersecurity researchers have warned that it could have significant implications for operational technology (OT) networks that control industrial systems – and for a long time.

"Given that Log4j has been a ubiquitous logging solution for Enterprise Java development for decades, Log4j has the potential to become a vulnerability that will persist within Industrial Control Systems (ICS) environments for years to come," said a blog post by cybersecurity researchers at Dragos.

And given how easy it is to exploit the vulnerability, combined with the potentially large number of affected applications, researchers recommend an "assume-breach mentality" and active hunting for post-exploitation activity.

Dragos says that it has seen attempted and successful exploitation of the Log4j flaw – and has already coordinated a takedown of one of the malicious domains used in these attacks.

Several cybersecurity researchers have already noted that some attackers are exploiting Log4j to remotely run Cobalt Strike – a penetration testing tool that's often used in ransomware attacks.

Many industrial organisations struggle with visibility into their networks due to their complex nature, but it's important for those running operational technology to know what their network looks like and counter the possibility of attacks attempting to exploit the vulnerability as a matter of urgency.

LOG4J FLAW COVERAGE - HOW TO KEEP YOUR COMPANY SAFE

• Log4j zero-day flaw: What you need to know and how to protect yourself 
  
• Security warning: New zero-day in the Log4j Java library is already being exploited 
  
• Log4j flaw could be a problem for industrial networks 'for years to come'
  

"It's important to prioritize external and internet-facing applications over internal applications due to their internet exposure, although both are vulnerable," said Sergio Caltagirone, vice president of threat intelligence at Dragos.

"Dragos recommends all industrial environments update all affected applications where possible based on vendor guidance immediately and employ monitoring that may catch exploitation and post-exploitation behaviors," he added.

Researchers suggest that applying the Log4j patch can help prevent attackers from taking advantage of the vulnerability – although the ubiquitous nature of Log4J means that, in some cases, network operators might not even be aware that it's something in their environment that they have to think about.

MORE ON CYBERSECURITY

• Attacks against industrial networks will become a bigger problem. We need to fix security now
• Log4j flaw puts hundreds of millions of devices at risk, says US cybersecurity agency
• Log4j update: Experts say log4shell exploits will persist for 'months if not years'
• Log4j flaw: Attackers are making thousands of attempts to exploit this severe vulnerability
• Log4j RCE activity began on December 1 as botnets start using vulnerability