CISA and FBI: If You Haven’t Patched Log4Shell, Assume Your Systems are Compromised
A joint cybersecurity alert from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI details advanced persistent threat activity conducted by Iranian state-sponsored threat actors against the network of an unnamed federal civilian executive branch organization. The attackers gained initial access earlier this year by exploiting the Log4Shell vulnerability. The alert says, “CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities.”
Log4Shell is a tricky vulnerability in that exploitability depends first of all on how the library is exactly used, and secondly on the creativity of the attacker to reach the vulnerable code. Please do not underestimate the creativity of the attacker as you are assessing how this vulnerability impacts you. Patch.
Sage advice – assume compromise, apply patches or implement workarounds. It’s been a year since discovery of the Log4j vulnerability. Patches have been produced, workarounds documented and available; yet the government still has to issue an alert. Organizations and their leadership have to be held accountable for not establishing a standard duty of care.
You knew this was coming, even so you couldn't get support to update everything. It’s time revisit all your systems where you've not deployed the patches and forensicate them to make sure they are still pristine. And patch them. Make sure that you're not exposing unneeded services to the internet, like your VMware management network, use MFA judiciously, particularly on your internet facing services, and make sure that everything is plumbed into your centralized logging, and then that appropriate alerts are in place both for your SOC and IT staff. Implement a service which checks credentials against breach dumps and require immediate change or account lock when discovered. Now, a tricky one, make sure that you are using access controls to limit credentials to only operate on authorized services/systems to restrict lateral movement.
Or if you are a customer of SolarWinds. Indeed, assuming that one is compromised can be a prudent and useful assumption. Finding and eliminating covert and dormant compromise is a daunting problem. Consider structuring one's network and implementing least privilege access control so as to resist its spread and exploitation.
William Hugh Murray
Read more in
Dark Reading: Iranian APT Actors Breach US Government Network
Bleeping Computer: US govt: Iranian hackers breached federal agency using Log4Shell exploit