Log4shell: Looking for the “The Dark Side of the Moon”

“There’s someone in my head but it’s not me”
– Pink Floyd, Brain Damage, Dark Side of the Moon

It is the gift that keeps on giving … the Apache Log4j vulnerability. Apache Log4j is a Java-based logging utility. The vulnerability publicly disclosed on 09 December 2021 can lead to remote code execution on the underlying servers that run vulnerable applications.

“No one told you when to run, you missed the starting gun.
So you run and you run to catch up with the sun but it’s sinking
Racing around to come up behind you again.”
– Pink Floyd, Time, Dark Side of the Moon

A week later, and we are all still “on the run” to block, harden and patch the vulnerability and all its evil siblings and cousins. When we can, we will step away, breathe, and take stock of all this activity. The implications. The lessons learned.

It’s ubiquity and design made the Log4j CVE very easy to exploit. Apache Log4j is widely used software. The biggest impact with this one is that exploiting the vulnerability requires no authentication. The CVE can manage to bypass all protections. Quite simply, before it was mitigated, it easily could have been exploited against vulnerable systems for quite some time.

“Grab that cash with both hands and make a stash.”
– Pink Floyd, Money, Dark Side of the Moon

Let’s shine a light on the potential impact of this CVE.

Even today, crypto miners and nefarious actors are looking for quick ways to continue to exploit this “eclipse” before the light is switched back on.  Even after you believe you’ve blocked or patched for this CVE and its derivatives, it’s impact will long live on the dark side.

This dark side is comprised of those threat actors who have used this CVE to gain control, wipe traces, establish persistence. These adversaries are sitting in the darkness. They are patiently waiting and probing for bigger “money”. Or potentially, now that they’re inside your networks, waiting to move from one protected system to another protected – but more valuable – system. The term “advanced persistent threat” or APT was coined for a reason. This CVE is so impactful and so widespread in its use that it is the classic “great gig in the sky” – either you know you’ve been hacked, or you don’t know you have been hacked. Hence the only way out of this “brain damage” is to assume breach and actively hunt for signs of a breach. Yes, even after mitigations are in place, assume breach and hunt for threats.

If you have not done so already, NOW is the time to bolster threat hunting and detection capabilities. Threat hunting can no longer be considered a luxury that one chooses. It is a vital tool in your cybersecurity arsenal.

At Fidelis Cybersecurity, we make it our mission to enable threat hunters. We provide full visibility across hybrid environments via deep, dynamic asset discovery, multi-faceted context, and risk assessment. These features help minimize attackable surface areas, automate exposure prevention, threat detection, and incident response, and provide the context, accuracy, speed, and portability security professionals need to find and neutralize adversaries earlier in the attack lifecycle. We call it proactive cyber defense with defense-in-depth. Our platforms automatically flag anomalous new or rare behaviors such as the use of a new communication path.

We encourage you to choose “any color you like”, but make sure you pick a threat hunting platform capable of performing deep inspection of your environment to find the follow-on attacks that will be taking advantage of initial access gained through the Log4j exploit. This Apache Log4shell is one of those landmark events that makes the entire cybersecurity community step up and take action.  Take a proactive cyber defense approach and double down on threat hunting especially for the due diligence following this event.

There is a “dark side of the moon”. And there is no other way to see it, but to actively look for it and land on it.

“For long you live and high you fly
But only if you ride the tide
And balanced on the biggest wave
You race towards an early grave.”
– Pink Floyd, Breathe, Dark Side of the Moon