Gaps in security and weaknesses are what threat actors feed off, and the latest vulnerability to catch their attention is in Apache Log4j, making it possible for a remote attacker to take control of an affected system.

With the number and severity of cyber-attacks on the increase, the latest news of the Apache Log4j vulnerability is yet another reminder that being alert and responsive is the key to cybersecurity – and the only way to protect your business and your people.

So far only a handful of organisations have identified that the weakness is being exploited, but companies need to act now to implement the patch that has been provided to minimise their risk of exposure.

What does Apache Log4J do?

In layman's terms, Apache Log4j is a Java logging library: the glue that many applications rely on to record their activity and pass that information on to other applications. It is deeply embedded within applications and operating systems so, while the name may not be widely recognised by customers, it is integral to some very important business operations across all industries.

In the normal course of things, you wouldn’t need to know about Apache Log4j - just like you don’t typically need to know anything about the glue your builder uses - but that glue now has a demonstrated weakness, and we need to understand and fix it.

What happens if the flaw is exploited?

An attacker injects a malicious string into data that will eventually be logged by Log4j. This exploitation lets the attacker load arbitrary Java code on the server, allowing them to take full control of that device at some later point in time.

Once a malicious actor has obtained control, your world becomes their oyster. The open door provides access to your infrastructure, your people, your customers, and potentially their personally identifiable information (PII).

Apache rates this vulnerability as “critical” in severity and has advised users to apply patches and mitigations as they are published.

What can your organisation do to mitigate the risk right now?

The most critical step is to act now.

Our teams are recommending that all organisations take a risk-based approach and focus on those systems that are accessible to the internet in the first place. Your internal systems may also be vulnerable to attack under certain scenarios.

Practical steps your organisation should take today:

  • Any externally facing Java-based or internet-facing application that is running an affected version of this software should be taken offline or restricted from external view immediately.
  • Immediately contact your application partners and application development teams to identify vulnerable applications. If your application teams can patch to the latest Log4j version, do so immediately.
  • The flaw can also be mitigated in earlier releases (2.10 and later) by setting the system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath.
  • If the application teams cannot patch, or Log4j is included in another vendor product whose patch is not yet available, best practice is to take the system offline until it can be adequately patched or otherwise remediated.
  • It is also important to note that vendors will release patches over time. Apache themselves have released a patch but it is only effective for organisations that are running specific Apache software. In most cases, this patch will need to be added to a larger application and that software will be released with an update from the vendors themselves.
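As an added illustration of the last resort in that list, removing the JndiLookup class from the classpath, here is a small script (not Datacom's or Apache's tooling) that finds Java archives under a directory, reports which still contain JndiLookup.class, and can rewrite them without it, matching what `zip -q -d` does. The archives it builds in `demo()` are constructed fixtures, not real Log4j builds.

```python
import io
import os
import tempfile
import zipfile

# Entry the Apache mitigation deletes ("remove the JndiLookup class from the classpath").
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def find_archives(root):
    """Every .jar/.war/.ear under root, recursively, sorted."""
    return sorted(os.path.join(d, f) for d, _, fs in os.walk(root)
                  for f in fs if f.lower().endswith((".jar", ".war", ".ear")))

def has_jndi_lookup(path):
    """True if the archive still ships JndiLookup.class."""
    with zipfile.ZipFile(path) as zf:
        return JNDI_LOOKUP in zf.namelist()

def strip_jndi_lookup(path):
    """Rewrite the archive without JndiLookup.class (same effect as `zip -q -d`).
    Returns True if the entry was present and has been removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    with open(path, "wb") as fh:  # on a live system, write to a temp file and rename
        fh.write(buf.getvalue())
    return True

def scan(root, remediate=False):
    """Return {archive_path: still_vulnerable} for every archive under root."""
    report = {}
    for path in find_archives(root):
        vulnerable = has_jndi_lookup(path)
        if vulnerable and remediate:
            vulnerable = not strip_jndi_lookup(path)
        report[path] = vulnerable
    return report

def demo():
    """Constructed fixture: two fake archives (not real Log4j builds) in a temp dir."""
    root = tempfile.mkdtemp()
    for name, with_jndi in (("log4j-core-sample.jar", True), ("unrelated.jar", False)):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes only
    return scan(root), scan(root, remediate=True)
```

Jars nested inside a war or ear are not opened by this script, so treat a clean report as a starting point, not a guarantee; the application must also be restarted for the change to take effect.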

Protect yourself for the future

We know this is far from a one-off incident and new attacks are emerging more frequently. The best way your organisation can protect itself is to be proactive about your security practices and to stay informed and alert to new threats.

Here are some practices you need to maintain:

  • Monitor your anti-virus vendors for updates and install them as they are made available.
  • Ensure that user education is current and that users know to be on heightened alert for emails that try to trick them into clicking links and providing information.
  • Review your ransomware response playbook and incident response process so you are prepared to respond to any new threats in the future.

Right now, our Datacom cybersecurity and support teams are actively monitoring customer environments and taking proactive steps to manage and minimise the Apache Log4j threat. We’re encouraging any organisation that has concerns or requires assistance to reach out for help. Our goal is to keep organisations safe and secure, which is why we want all organisations, whether they are our customers or not, to take proactive steps to protect themselves.

Looking beyond Apache, it’s important that all organisations remember that cybersecurity is not a set and forget exercise. New threats are constantly emerging and cybersecurity is an issue that requires your organisation’s ongoing attention.
