A new domain compromise vulnerability regarding Log4j has been released and affects many Commercial-off-the-shelf (COTS) products; the challenge right now is understanding everything that MAY be affected, as it is embedded in a lot of products/applications.
The immediate concern is Internet-facing assets being exploited to gain a foothold, but a secondary concern is that the same flaw can allow the takeover of critical infrastructure once an attacker is inside the network.
In addition to the Log4j vulnerability, last month a pair of Common Vulnerabilities and Exposures (CVE) were released and we now know that a recent exploit tool shows how the combination of these two issues can allow an attacker to go from a standard user to Domain Admin within seconds:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287
https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
These patches must be applied right away.
Immediate Recommendations:
The best thing to do right now is check with all the vendors (especially the ones with Internet facing services) on alerts and products they are patching to fix this issue and immediately push the updates. Some resources are:
- A GitHub repo tracking affected products (this may not be all-inclusive, but it is a good start).
- You can find more information and a description of this vulnerability in the "Fixed in Log4j 2.15.0" section of the Apache Log4j Security Vulnerabilities page.
- Cisco has published an advisory with information about affected products.
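The hard part this note opens with is inventory: Log4j ships embedded inside other products, so you often cannot tell from a vendor name alone whether a server carries a copy older than the 2.15.0 fix. The following is an added example (it is not Dean Dorton's, Apache's, or any vendor's tooling) of a scanner that walks a directory tree, opens every .jar/.war/.ear, reads the log4j-core version from the Maven pom.properties or the manifest, descends into nested archives, and flags anything below 2.15.0. It assumes the standard log4j-core metadata layout (the pom.properties path, the "Apache Log4j Core" implementation title, and the JndiLookup class path are real Apache artifacts, but the sample jars built here are constructed stand-ins, not real Log4j binaries).

```python
"""Locate log4j-core archives on disk and flag versions below the 2.15.0 fix."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# First release named as fixed on the page; anything older is flagged.
FIXED_VERSION = (2, 15, 0)
# Metadata locations used by the real log4j-core artifact.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '2.0-beta9' become (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return (0, 0, 0)
    return tuple(int(g or 0) for g in m.groups())


def inspect_archive(zf, origin):
    """Yield (origin, version, jndi_present) for each log4j-core found in an open
    ZipFile, recursing into nested .jar/.war/.ear entries (common in app servers)."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    elif "META-INF/MANIFEST.MF" in names:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        if "Apache Log4j Core" in manifest:
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                version = m.group(1)
    if version is not None:
        # Presence of JndiLookup.class is reported as extra context for triage.
        yield origin, version, JNDI_CLASS in names
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from inspect_archive(inner, f"{origin}!{name}")
            except zipfile.BadZipFile:
                continue


def scan_tree(root):
    """Walk a directory and return a finding dict for every log4j-core located."""
    findings = []
    for path in Path(root).rglob("*"):
        if not (path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES):
            continue
        try:
            with zipfile.ZipFile(path) as zf:
                for origin, version, jndi in inspect_archive(zf, str(path)):
                    findings.append({
                        "path": origin,
                        "version": version,
                        "vulnerable": parse_version(version) < FIXED_VERSION,
                        "jndi_lookup_present": jndi,
                    })
        except zipfile.BadZipFile:
            continue
    return findings


def build_sample_jar(target, version, include_jndi=True):
    """Constructed sample: a minimal archive mimicking log4j-core's metadata layout.
    `target` may be a path or a file-like object."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Title: Apache Log4j Core\r\n"
                    f"Implementation-Version: {version}\r\n")
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes


def demo():
    """Build constructed samples (one vulnerable jar, one fixed jar, one vulnerable
    jar nested in a war with JndiLookup removed) and return the sorted findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        build_sample_jar(root / "lib" / "log4j-core-2.14.1.jar", "2.14.1")
        build_sample_jar(root / "lib" / "log4j-core-2.15.0.jar", "2.15.0")
        nested = io.BytesIO()
        build_sample_jar(nested, "2.13.3", include_jndi=False)
        with zipfile.ZipFile(root / "app.war", "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", nested.getvalue())
        return sorted(scan_tree(root), key=lambda f: f["path"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real application directory with `scan_tree("/opt/myapp")` and treat every `vulnerable: True` line as a ticket for the vendor or patch queue; a finding whose JndiLookup class is absent still deserves follow-up with the vendor, since the version string alone does not prove which mitigation was applied.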
Additional Recommendations:
- Cybersecurity Assessment (yearly): If your organization has not had a full cybersecurity assessment completed within the last year, you need to schedule one immediately — do not hesitate to contact us. The cyber vulnerabilities have increased significantly during the past year and if your systems are lacking, you may face even more threats than usual. The cost of a full assessment is small compared to the cost of fixing issues once they arise.
- Pro-active security monitoring: Dean Dorton’s cyber team provides proactive security monitoring as a service. Need help or don’t have enough staff to make security monitoring a routine item? Let us assist you or act as your security team.
- Incident response/forensic cyber investigation: If you experience any type of cyber incident, our cyber team can assist with incident response and forensic cyber investigations. We work with cyber insurance companies across the United States and recently worked with the Federal Bureau of Investigation (FBI) on a complex case as well. Let us guide you through the process to make it easy to get your systems going again in the right direction.
Want to learn more about this cyber update? Contact us today. You can also learn more about our cybersecurity services at the link below.
Gui Cozzi
Cybersecurity Practice Lead