A few months on from the reports about a flaw in an open-source Java logging library, our cyber security columnist, Davey Winder, looks into whether NHS organisations still need to worry about it.

As Digital Health reported in December 2021, a series of vulnerabilities in an open-source Java logging library used by numerous applications and services could potentially leave NHS organisations open to a remote code execution attack. The National Cyber Security Centre (NCSC) warned of “widespread scanning” and urged organisations to take action to mitigate the risk of attack. NHS Digital also issued a cyber alert, CC-3989, about the actively exploited Log4j (also known as Log4Shell or Logjam) vulns, warning that “hundreds of exploits” were being attempted every second. That was December. Now that it’s February, and the sky (or perhaps I should say cloud, under the circumstances) hasn’t fallen, do NHS organisations still need to worry about the Log4j threat?

If you’re in a hurry, the quick and dirty answer is yes. However, quick and dirty is never the greatest of risk analysis strategies, and dealing with Log4j is no exception. Already in 2022, NHS Digital has issued alerts about attackers actively targeting VMware Horizon servers (CC-4002) and VMware vCenter (CC-4026), for example. This particular security iceberg is mostly hidden in the depths of the enterprise ecosystem, with the usage of the Log4j library itself being so commonplace within software that organisations may struggle to know they are even exposed to the threat at all. From cloud and web apps, to network servers and email services and much, much more, Log4j is deserving of its titanic MITRE vulnerability critical rating of 10/10. What’s more, the signs are that it’s going to prove a danger to organisational shipping for some time to come.

Initial Access Brokers see continuing value in exploiting Log4j

Why do I say this? Well, you only have to take a look at the last few days of January for evidence that Log4j isn’t going to suddenly be a done deal that’s not worth worrying about. Two security teams at BlackBerry, Research and Intelligence and Incident Response, disclosed that attacks from a group known as Prophet Spider were exploiting Log4j in VMware Horizon. Prophet Spider is what’s known as an Initial Access Broker, a group that specialises in breaking into organisations and then selling the persistent access it has gained to other criminal actors.

“Initial Access Brokers leverage any opportunity to gain access to an organization, they must maintain that access as they sell it and hand it off to the buyer,” Jorge Orchilles, chief technology officer (CTO) at SCYTHE, says.

“Today the exploit being used is for Log4j, tomorrow it will be another.”

However, what these access groups don’t do is waste their precious time on holes that will be sealed shut quickly.

“When an access broker group takes interest in a vulnerability whose scope is so unknown, it’s a good indication that attackers see significant value in its exploitation,” Tony Lee, vice president of global services and technical operation at BlackBerry, says.

“It’s likely that we will continue to see criminal groups exploring the opportunities of the Log4Shell vulnerability, so it’s an attack vector against which defenders need to exercise constant vigilance,” Lee also concludes.

VMware, to its credit, has done pretty much everything it could be expected to in response to the Log4j threat, from issuing an immediate advisory on December 10, 2021 to ongoing blog posts and FAQs regarding risk and remediation, including multiple patches for impacted products. And it’s not just vendors and service providers who have worked tirelessly over the Christmas and New Year period to ensure mitigations are available; in-house IT teams and third-party security outfits have been doing likewise. To go back to my original question, then, of whether the exploitation tsunami many predicted has now subsided and if NHS organisations still need to be alert, the answer remains yes.

NHS Digital has the threat antidote

“The Log4j vulnerability continues to be a challenge as new exploits are developed,” Saryu Nayyar, CEO and founder of Gurucul, warns.

“Making it essential to detect the threat activity both as the vulnerability is exploited or as attackers have successfully inserted themselves in an environment.”

She recommends that static signatures and rule-based machine learning be constantly updated so that certain variants are detected, and says the best approach is dynamic and adaptable behavioral analytics prioritizing and escalating specific anomalous activity attempting to exploit Log4j.

Meanwhile, my friend and global cybersecurity advisor at ESET, Jake Moore, concludes that “with the rise in efficiency and protection on offer from NHS Digital, NHS services have become far better organised with the speed in which they update.” This, he says, “is the antidote to the majority of Log4Shell attacks.”