On December 9th, an acute remote code execution (RCE) vulnerability was reported in the Apache logging package Log4j 2 versions 2.14.1 and below (CVE-2021-44228).
Apache Log4j is the most popular Java logging library, with over 400,000 downloads from its GitHub project. It is used by a vast number of companies worldwide, enabling logging in a wide set of popular applications.
Exploiting this vulnerability is simple and allows threat actors to control Java-based web servers and launch remote code execution attacks.
The Log4j library is embedded in almost every Internet service or application we are familiar with, including Twitter, Amazon, Microsoft, Minecraft and more.
At present most of the attacks focus on cryptocurrency mining at the victims' expense; however, under cover of that noise, more advanced attackers may act aggressively against high-value targets.
Researchers at Check Point Research have witnessed what looks like an evolutionary progression, with new variations of the original exploit being introduced rapidly: over 60 in less than 24 hours.
For example, it can be exploited either over HTTP or HTTPS (the encrypted version of browsing). The number of ways to exploit it gives the attacker many alternatives for bypassing newly introduced protections. This means that one layer of protection is not enough; only a multi-layered security posture provides resilient protection.
What do you need to do in order to remain protected?
Check Point has already released a new Quantum Gateway protection, powered by ThreatCloud, designed to prevent this attack; by using it, you'll stay protected.
If your Quantum gateways are updated with automatic new protections, you are already protected. Otherwise, you need to implement a new protection by following the guidelines here. Check Point urges IT and Security teams to take immediate remediation measures on the matter.
Is Check Point affected by the Log4j vulnerability?
The Check Point Infinity architecture is not impacted by the Log4j vulnerability.
Check Point researchers thoroughly verified that the vulnerability does not affect our Infinity portfolio including Quantum Gateways, SMART Management, Harmony Endpoint, Harmony Mobile, ThreatCloud and CloudGuard.
Check Point Research is thoroughly investigating the Log4j vulnerability
Check Point Research (CPR) is closely monitoring the massive scans and exploit attempts. While the activity so far is limited to scanners and mostly crypto-mining threat actors, this does not mean that more advanced threat actors are just sitting back and enjoying the noise. In fact, they are acting silently behind the scenes.
It is clearly one of the most serious vulnerabilities on the internet in recent years.
The numbers behind CVE-2021-44228
This CVE joins the general atmosphere of a cyber pandemic, in which major vulnerabilities in popular software and services impact an enormous number of organizations.
Since Check Point started to implement its protection, the cybersecurity company has prevented over 820,000 attempts to exploit the vulnerability; over 46% of those attempts were made by known malicious groups.
Lotem Finkelstein, Director, Threat Intelligence and Research for Check Point Software Technologies commented:
“I cannot overstate the seriousness of this threat. On the face of it, this is aimed at crypto miners but we believe this creates just the sort of background noise that serious threat actors will try to exploit in order to attack a whole range of high value targets such as banks, state security and critical infrastructure. We started to implement our protection on Friday and by Sunday we had already prevented over 400,000 attempts to exploit the vulnerability across over a third of all corporate networks globally. Most worrying is the fact that almost half of those attempts were made by known malicious groups. Security teams need to jump on this with utmost urgency as the potential for damage is incalculable. The need for a rapid response is highlighted by the fact that this was discovered at the end of the working week in the run up to the holiday season when security teams may be slower to implement protective measures. At Check Point Software we have, for several months, been sounding the alarm about a ‘cyber pandemic’ and this is exactly what we are referring to. It’s highly contagious and spreads rapidly, so constant vigilance and a robust prevention strategy are essential.”