In recent weeks a critical vulnerability (CVE-2021-44228) has been discovered in Log4j2, a popular logging library for Java applications. Attackers can exploit this flaw to achieve Remote Code Execution (RCE) on any system where the vulnerable library is deployed.
It’s worth bearing in mind that, according to the consulting firm Forrester, 3 billion-plus devices worldwide currently run Java in some form. Fortunately, the latest versions, 2.17.0 (for Java 8), 2.12.3 (Java 7) and 2.3.1 (Java 6), have already fixed it. In response, MSPs need to update the version of Log4j2 implemented on their clients' devices as soon as possible. If those clients are also equipped with an intrusion prevention service whose signatures already cover this flaw, attacks that try to exploit it will be blocked as well.
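As an added example (not WatchGuard code), the following Python script applies the fixed versions above to the identification step: it walks a directory for log4j-core jars and flags any whose version is below the floor for its branch. It assumes a jar can be recognised by its file name or by an OSGi Bundle-SymbolicName of org.apache.logging.log4j.core in its manifest, and that the manifest's Implementation-Version carries the version; the sample jars it scans are constructed inline.

```python
"""Flag Log4j 2 core jars older than the fixed releases the post names (2.17.0 for
Java 8, 2.12.3 for Java 7, 2.3.1 for Java 6). Added example, not WatchGuard tooling."""
import os, re, tempfile, zipfile

FIXED_MAIN = (2, 17, 0)                                   # floor for 2.x
FIXED_BRANCH = {(2, 12): (2, 12, 3), (2, 3): (2, 3, 1)}   # old-JDK branches
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
JAR_NAME_RE = re.compile(r"^log4j-core-(\S+)\.jar$")
CORE_BUNDLE = "org.apache.logging.log4j.core"  # assumed OSGi name in manifest

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if no digits."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p or 0) for p in m.groups()) if m else None

def is_fixed(version):
    """True when the version is at or above the fix for its branch."""
    if version is None or version[0] != 2:
        return False              # unknown or 1.x: keep it flagged for review
    return version >= FIXED_BRANCH.get(version[:2], FIXED_MAIN)

def manifest_fields(path):
    """Key/values from META-INF/MANIFEST.MF, or {} if the jar is unreadable."""
    try:
        with zipfile.ZipFile(path) as z:
            text = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return {}
    return dict(l.split(": ", 1) for l in text.splitlines() if ": " in l)

def scan(root):
    """{path: (version, fixed)} for each jar that the file name OR the
    manifest bundle name identifies as log4j-core (renamed copies count)."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.endswith(".jar")):
            path = os.path.join(dirpath, name)
            fields, m = manifest_fields(path), JAR_NAME_RE.match(name)
            if not m and not fields.get("Bundle-SymbolicName", "").startswith(CORE_BUNDLE):
                continue
            version = (parse_version(fields.get("Implementation-Version"))
                       or parse_version(m.group(1) if m else ""))
            findings[path] = (version, is_fixed(version))
    return findings

def demo():
    """Scan a constructed tree of stand-in jars; returns {file name: fixed}."""
    root = tempfile.mkdtemp()
    for name, ver in [("log4j-core-2.14.1.jar", "2.14.1"), ("log4j-core-2.17.0.jar", "2.17.0"),
                      ("log4j-core-2.12.3.jar", "2.12.3"), ("renamed-lib.jar", "2.3.0")]:
        with zipfile.ZipFile(os.path.join(root, name), "w") as z:  # constructed manifest
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n"
                       f"Implementation-Version: {ver}\r\nBundle-SymbolicName: {CORE_BUNDLE}\r\n")
    return {os.path.basename(p): fixed for p, (_, fixed) in scan(root).items()}
```

A shaded or repackaged copy without its original manifest will not be found this way, so treat the output as a first pass rather than proof of absence.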
At WatchGuard, we searched our data from the start of the attacks to the present for signs of this attack. The data shows that 12.6% of reporting Fireboxes have seen this vulnerability, for a total of 37,463 detections. This makes it the fifth most detected IPS attack family for the month of December. This may seem not so bad at first, but we know only about one in four devices scan encrypted traffic and even fewer have hosted services behind them. We suspect that close to all, if not all, devices that have services hosted behind a Firebox and scanned for this vulnerability have detected a related signature. All detections of the attack came over an encrypted connection, as reported by devices that have that reporting ability. Some devices don't report the connection's encryption status.
Europe, the Middle East, and Africa (EMEA) saw the most detections, 22,784. North, Central and South America (AMER) saw 13,152 detections. Asia-Pacific (APAC) saw 1,527 detections. Among the countries that saw the most detections of Log4Shell, Germany saw the most at 10,502, followed closely by the US at 10,147, and Italy rounds out the top three with 2,723 detections. Accounting for the varied number of reporting Fireboxes in each region, AMER saw 43%, EMEA 33%, and APAC 24% of detections.
Identify, Prioritize and Remediate
This is a prime example of just how dangerous vulnerabilities in popular programs and applications can be to systems. What's more, they are growing in frequency: in 2020 alone, a total of 18,103 vulnerabilities were reported, with an average of 50 common vulnerabilities and exposures (CVEs) per day. IT administrators and staff often do not have enough time or resources to take care of patch and update management. Therefore, MSPs need to understand the importance of preventing vulnerability exploitation, but to achieve this, they have to address three major challenges:
Vulnerability identification: Only a small number of attacks occur as a result of vulnerabilities that are unknown to all parties (zero-day attacks). In most cases, cybercriminals exploit known flaws. For this reason, MSPs must ensure that their clients are aware of when such vulnerabilities appear and affect their systems, as the time period between a vulnerability being discovered and attacks being executed has been significantly reduced.
Prioritizing mitigation: While it may seem straightforward, most organizations struggle to identify which patch updates to install first. In fact, according to Ponemon, the average time it takes companies to deploy patches to applications or systems is 97 days. That's why MSPs need to know which patches to prioritize first in a reliable and automatic way.
Vulnerability remediation: In the final stage of remediation, the necessary patches are installed to repair an identified vulnerability or security breach. However, this is also a risky task. MSPs have to ensure that the right patches are deployed in organizations, as they may not be legitimate (they must come from an official source), and patches are not always valid for all types of devices. Moreover, MSPs must be sure that the update has no negative impacts or side effects as, in some cases, they involve changes in configuration, firewall policies, etc.
Faced with these challenges, MSPs should deploy advanced tools for their clients that simplify the patch management lifecycle for their installed software and operating systems. These solutions must have audit, monitoring and update prioritization functionalities, but must also include capabilities to mitigate attacks that exploit vulnerabilities through immediate patch deployment. This will reduce the attack surface and strengthen their ability to prevent vulnerability-related incidents.
Someone like you, reading this, probably doesn't need a lesson on updating their software, but this type of vulnerability spread to every inch of the internet quicker than many could respond. As the data shows, a massive amount of effort has been put into scanning the internet for these vulnerabilities. We can't block every vulnerability, but we can prevent it from interfering with business operations by segmenting networks and making backups of important data. Anyone who hasn't updated their vulnerable software and doesn't have protection has most likely been put on a list of known vulnerable networks somewhere.