Supply Chain Defense
Log4j: A Threat That Showcases the Need for More Secure Software Development
What to know about the persistent threat, lessons for the future, and how BlueVoyant is working to protect its customers.
Log4j is like asbestos: you won’t know everywhere it lives until you start remodeling your infrastructure. And just like asbestos, the effects of Log4j may linger for many years to come as companies find they are dependent on the related software library or face similar threats down the line.
Log4j is an open-source Java logging library developed under the Apache Software Foundation. Many software developers include it as a package to record the activity of an application or online service.
It is most likely found in many of the devices and services you use every day. In late November, a cloud security researcher at Chinese tech giant Alibaba discovered the software flaw, which could allow remote code execution and information disclosure, according to the United Kingdom's National Cyber Security Centre (NCSC).
Amazingly, the flaw had actually existed since 2013.
The Impacts Thus Far
Within days, thousands of attacks had been launched as security teams scrambled to plug holes and deal with the impact of opportunistic exploitation. Multiple advanced persistent threat groups, including some originating from China, Iran, North Korea, and Turkey, as well as cybercriminal groups, were spotted exploiting Log4j.
Video game developer Minecraft announced that it “identified a vulnerability in the form of an exploit within Log4j … This exploit affects many services – including Minecraft: Java Edition.” The company said the exploit could pose a potential risk of users’ computers becoming compromised but that it has been addressed with a recent patch.
Minecraft was far from alone. Amazon needed to update its Amazon Web Services (AWS), some Cisco products were affected, and Nvidia needed to remediate some products, among other impacts.
Gaining Governments’ Attention
Affected companies also faced pressure from government entities.
The U.S. Federal Trade Commission (FTC) warned companies that they needed to remediate Log4j “in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”
The U.K.’s NCSC advised organizations that they must report if they were compromised.
The BlueVoyant Approach to Log4j
BlueVoyant provides an end-to-end third-party cyber risk protection capability that enumerates risk across a customer's supply chain, resulting in true distributed risk defense. Using external data, a large portion of which is proprietary, the BlueVoyant third-party cyber risk management team identified network communications indicative of adversary exploitation of internet-accessible programs and services. We continue to work directly with our customers by continuously monitoring their third parties to ensure their environments are not exposed to threats coming from their supply chain.
As software vendors disclosed and confirmed the presence of Log4j as a dependency in their applications, we continued to iterate on techniques that use our internet-level telemetry to identify services that may be vulnerable. For many applications with this vulnerable dependency, confirming the vulnerability would require issuing a malicious command; that exceeds commonly accepted practice for a defensive organization, so we limited ourselves to identifying possible issues at our clients' monitored third parties and enabling open communication and verification.
BlueVoyant monitors for indicators of compromise and any analogous activity on endpoints, or devices used by employees, such as laptops, desktops, and smartphones.
To protect your company from Log4j threats, make sure to update any applications and products that rely on the Log4j software library. You can find updates from Apache, CISA, and many product and software providers.
If any customer platforms or products are vulnerable, be sure to inform them and urge them to patch their systems.
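The first step in that remediation is finding every copy of the library, including those buried inside fat jars and WAR files. The following inventory script is an added example, not BlueVoyant's tooling; it assumes the standard Maven metadata layout inside each jar, and the sample versions it constructs are made up, so compare what it finds against the fixed version in Apache's current advisory.

```python
import os
import tempfile
import zipfile

# Standard Maven layout: an artifact's own version is recorded here inside its jar.
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def version_from_pom(data):
    # pom.properties is a key=value file; pull the "version" entry.
    props = dict(line.split("=", 1) for line in data.decode("utf-8", "replace").splitlines() if "=" in line)
    return props.get("version", "unknown").strip()

def scan_archive(source, label):
    # Yield (location, version) for each log4j-core in the archive. Fat jars and
    # WARs embed their dependencies as nested jars, so recurse into those too.
    try:
        with zipfile.ZipFile(source) as zf:
            for name in zf.namelist():
                if name == LOG4J_CORE_POM:
                    yield label, version_from_pom(zf.read(name))
                elif name.lower().endswith(ARCHIVE_EXTS):
                    with zf.open(name) as nested:
                        yield from scan_archive(nested, f"{label}!{name}")
    except zipfile.BadZipFile:
        return  # not a real zip archive (or corrupt); skip it

def find_log4j_core(root):
    """Walk root and return [(archive location, log4j-core version), ...]."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in filenames if f.lower().endswith(ARCHIVE_EXTS)):
            found.extend(scan_archive(path, path))
    return found

def parse_version(v):
    """'2.14.1' -> (2, 14, 1) so found versions can be compared against the advisory's fixed version."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def build_sample_tree():
    """Constructed sample (made-up versions): one loose jar plus the same jar nested inside a WAR."""
    root = tempfile.mkdtemp()
    loose = os.path.join(root, "log4j-core-2.14.1.jar")
    with zipfile.ZipFile(loose, "w") as zf:
        zf.writestr(LOG4J_CORE_POM, "artifactId=log4j-core\nversion=2.14.1\n")
    with open(loose, "rb") as f, zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", f.read())
    return root

if __name__ == "__main__":
    for location, version in find_log4j_core(build_sample_tree()):
        print(f"{version:10} {location}")
```

Run it against a deployment directory instead of the sample tree to get a list of every embedded log4j-core and its version; a hit at a nested path such as `app.war!WEB-INF/lib/...` is the kind the asbestos metaphor warns about.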
Lessons for the Future
Nobody knows if the vulnerability in Log4j was accidental or intentional, but the software package was so commonly utilized (sometimes unnecessarily) that it calls into question how developers follow secure software development practices, especially in open source communities.
Going forward, the industry needs to better check open source software used in production environments to prevent future vulnerabilities. Awareness of potential vulnerabilities in these libraries has improved since 2014’s Heartbleed issue, a security bug in another popular software library, but more work is needed.
For companies, Log4j shows the increasing need to monitor their third-party ecosystem as organizations become more and more interconnected. BlueVoyant's research found that 93% of companies have suffered a cybersecurity breach because of vulnerabilities in their third-party vendors. The figure from the U.K. research was higher.
The full impacts of Log4j are not yet known. Additional attacks and breaches stemming from use of the library are expected to be announced in the coming months. And just like asbestos, the implications could be long lasting.
BlueVoyant will remain vigilant in monitoring for adversary exploitation of the vulnerability, both on customers' endpoints and in their third-party ecosystem.
Adam Bixler is BlueVoyant’s global head of third-party cyber risk management.