Enterprises working towards reducing their exposure to cyber-attacks targeting the Log4j remote code execution (RCE) vulnerability have to keep a couple of new considerations while moving forward.
Threat actors are able to trigger RCE flaws on internal as well as locally exposed Log4j applications through a Javascript WebSocket connection as discovered by the security researchers working at Blumira. This suggests that the attack surface may be much larger than they first have thought. Simultaneously, the Apache Foundation has released another update to fix a third vulnerability present in the logging framework in recent days. This means that organizations will have no option but to patch their software to keep them secure against the threat.
“The recent, widely publicized Log4j bug is so ubiquitous and exploitable, it has been called the worst computer vulnerability ever seen,” says Benjamin Fabre, Co-Founder and CTO, DataDome. He adds, “At the center of this security nightmare? Malicious bots, which enable attackers to identify vulnerable servers that haven’t been upgraded or downloaded a patch.
Threat actors can exploit the Log4j RCE flaws by enticing users to any server that runs Javascript to start off a WebSocket connection, a communication protocol that most of the modern browsers utilize for bidirectional communication between the server and client. In return, the site would make calls to the user’s system or a local network that uses WebSocket. If the host of a user is exposed, it has no choice but to call out another attacker-controlled website over LDAP, HTTP, DNS, RMI or other protocol and subsequently, download malicious JavaScript to exploit RCE.
Also Read: Fin7 Mailing Malicious USB devices to Businesses in the US
Another thing to note is that the impact of Log4j is not limited to vulnerable servers. Meaning, any user with a service that utilizes a vulnerable Log4j version on their system or network can look around a website and trigger the vulnerability. This increases the attack surface and is another weapon that operators of phishing as well as malicious advertising scams are likely to exploit.
Enterprises that are already following the recommended steps for Log4j should not take initiatives to complicate matters in the wake of the new attack vector. At the same time, it does highlight the criticality of patching all local development and internal servers.
Also Read: How Home Networks and Smart Devices Change IT Threat Model
“This serves as a reminder of how detrimental bots can be – a much needed one, given that bot operators are not just looking for Log4j vulnerabilities, they are looking for any crack in the system to commit online fraud.
Indeed, bot operators are flush with cash and are coming at us from every angle, on every available endpoint. Bearing this in mind, I predict that Log4j will be the tipping point that makes online commerce companies wake up to the reality of online fraud and dedicate serious attention and resources to address it.”
For more such updates follow us on Google News ITsecuritywire News
