The Log4Shell Exploit in Retrospect: 3 Takeaways for FSOs

The holiday seasons have become a perilous time for government agencies and cleared facilities: while everyone else is wrapping gifts, cyber actors are ramping up their malicious activities – and the 2021 holiday season was no exception.

At the beginning of December 2021, the Apache Software Foundation disclosed a remote code execution (RCE) vulnerability in the popular Java logging package Log4j. The flaw affected millions of devices and up to 89% of organizations; Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly called it “one of the most serious things I have seen in my entire career – if not the most serious.”

With a rapidly changing threat landscape exacerbated by mounting geopolitical tensions, cleared facilities are facing more cyber threats than ever before in 2022, and it’s crucial for them to be prepared with a strategy when threats like Log4Shell come along. In this article, we’ll explain the impact of this vulnerability, along with three takeaways for facility security officers (FSOs).

What Happened

According to a report from Cloudflare, attackers were targeting the Log4j vulnerability (‘Log4Shell’) more than a week before it was publicly disclosed on December 9, 2021. Following the disclosure, activity ramped up immediately, with researchers reporting attacks from state-sponsored groups in China, Iran, North Korea, and even Turkey.

The government responded quickly, and in mid-December CISA issued emergency orders for agencies to patch any vulnerable devices by Christmas Eve. This turned out to be easier said than done: as a common software component, Log4j is buried in millions of devices and software products. Organizations found it hard even to locate vulnerable copies of the library, let alone patch them, especially inside closed-source software.
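The inventory problem described above is one that can be partly scripted. The following is an added example, not code from the original post or from MathCraft: it walks a directory tree, opens every JAR, WAR or EAR it finds, recurses into archives bundled inside them, reads the Maven pom.properties that log4j-core ships with to learn the version, and reports whether the JndiLookup class is still packaged. The sample deployment it scans is constructed inline for the demo. The 2.17.1 threshold is this example's own assumption about what counts as an up-to-date copy; the class path and metadata path are the ones log4j-core actually ships. Treat the output as a triage list, not proof of safety: a copy with a stripped class, a renamed archive, or a shaded (repackaged) build will not match these paths.

```python
"""Inventory check for Log4j 2 (log4j-core) copies on disk, including JARs
nested inside WARs, EARs and fat JARs.  Added example; not from the original post."""
import io
import os
import re
import tempfile
import zipfile

# Assumption made for this example: anything older than this needs attention.
MIN_SAFE_VERSION = (2, 17, 1)

# Real paths shipped inside log4j-core artifacts.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None if the string is not a dotted number."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_archive(data, display_path):
    """Return findings for one archive and every archive nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        version = None
        for name in names:
            # The Maven metadata inside log4j-core carries the exact version.
            if name.startswith(POM_PROPS_PREFIX) and name.endswith("pom.properties"):
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if m:
                    version = parse_version(m.group(1))
        if has_jndi or version is not None:
            findings.append({
                "path": display_path,
                "version": ".".join(map(str, version)) if version else "unknown",
                "jndi_lookup_present": has_jndi,
                # Unknown version with JndiLookup still packaged is the worst case.
                "needs_attention": has_jndi and (version is None or version < MIN_SAFE_VERSION),
            })
        for name in names:  # recurse into bundled archives (WEB-INF/lib etc.)
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(name), f"{display_path}!{name}"))
    return findings


def scan_tree(root):
    """Walk a directory tree and inspect every archive found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), os.path.relpath(full, root)))
    return findings


def _make_log4j_core(version, include_jndi=True):
    """Constructed stand-in for a log4j-core JAR (only the entries this check reads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS_PREFIX + "pom.properties", f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample deployment: an old lib, an updated lib, a copy hidden
    inside a vendor WAR, and an unrelated JAR."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(_make_log4j_core("2.14.1"))
    with open(os.path.join(lib, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(_make_log4j_core("2.17.1"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Util.class", b"\xca\xfe\xba\xbe")
    with open(os.path.join(lib, "utils.jar"), "wb") as fh:
        fh.write(buf.getvalue())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # An older copy bundled by a vendor: invisible to a filename-only search.
        zf.writestr("WEB-INF/lib/log4j-core-2.12.1.jar", _make_log4j_core("2.12.1"))
    with open(os.path.join(root, "app", "service.war"), "wb") as fh:
        fh.write(buf.getvalue())


def demo():
    """Build the constructed tree in a temp directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        flag = "NEEDS ATTENTION" if f["needs_attention"] else "ok"
        print(f"{flag:16} {f['path']}  version={f['version']}  JndiLookup={f['jndi_lookup_present']}")
```

Run against a real host by replacing `demo()` with `scan_tree("/opt")` or wherever applications are installed; the nested-archive recursion is what surfaces the copies vendors bundle inside their own products, which is where the post says organizations struggled most.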

The Impact of Log4Shell

By January, millions of Log4j-directed attacks were being detected every hour: in just 10 days, the number of detected attacks exceeded the number of attacks targeting Apache Struts for a whole year by 200%. While activity has declined since the peak – and while no major breach has been directly traced to Log4Shell – the damage is impossible to know at this time, as some attackers may be biding their time after installing backdoors in their victims’ networks.

While the SolarWinds attack compromised over 18,000 organizations, it is impossible to say with any certainty how many were impacted by Log4Shell. Both Amazon AWS and Microsoft Azure were known to be affected, each with hundreds of thousands of clients potentially exposed.

3 Takeaways for FSOs

While Log4Shell is not the first zero-day exploit to appear in a widely used, open-source software component, it is the most impactful one in a long time. It not only serves as a reminder of the increased cybersecurity threats faced by government agencies and contractors – it also illustrates multiple trends that FSOs must be wary of in 2022. Here are the top 3:

  1. Critical Infrastructure Threats

Critical infrastructure – ranging from utilities to manufacturing and energy distribution – has become a high-value target for state-sponsored cyber actors, not only posing a danger to government agencies and contractors, but also to the general public. In recent years, vulnerabilities in operational technology (OT) have been increasing due to IT/OT convergence, and remote code execution exploits make these vulnerabilities even worse.

In the coming years, FSOs working for cleared facilities that depend on industrial control systems (ICS) to achieve their mission should be wary of exploits that may expose their critical systems to attackers via the Internet and other public networks.

  2. Perils of the Software Supply Chain

As we saw during the SolarWinds attack, third-party software and code can pose a serious risk to cleared facilities if it is not carefully vetted and monitored. Unlike SolarWinds, Log4j is an open-source software component included by many vendors in their products – but this increases the danger of a zero-day exploit, as the component may be found in products that are no longer updated by the vendor.

Even with organizations using an average of 110 SaaS products in 2021, the software supply chain has long been overlooked in the context of cybersecurity. Fortunately, that is starting to change: in March, the White House asked agencies to adopt the National Institute of Standards and Technology (NIST)’s new framework for software supply chain security. In 2022, cleared organizations should follow their lead.

  3. Rise in Foreign Cyber Actors

Protecting cleared facilities from Foreign Ownership, Control, or Influence (FOCI) is a major part of every FSO’s job. But while this usually involves monitoring personnel for foreign contacts or travel abroad, state-sponsored cyber actors pose at least as much risk as insider threats – and sometimes more. While it took organizations weeks to patch Log4Shell, it took Chinese actors only a few hours to exploit it.

Foreign cyber actors are agile and motivated adversaries, constantly seeking new opportunities to infiltrate U.S. agencies and their partners. In response, cleared facilities must be just as agile, keeping track of cybersecurity trends and acting quickly to remediate threats.

FSOs and Cybersecurity

In a previous blog post, we wrote about the FSO’s perspective on cyberattacks:

[FSOs] are on the front lines of national security, charged with keeping sensitive information out of the hands of bad actors. It is their responsibility to turn away unauthorized personnel and watch for insider threats who may be influenced by foreign contacts.

But the job of an FSO has become more complex with time. In the past, cybersecurity and facility security were considered separate domains with different C-level officers and areas of focus. Today, the boundaries between physical and digital security have become less well-defined; in response, FSOs must expand their awareness of cybersecurity and form a more holistic understanding of risks to their organization.

In 2022, these statements are truer than they were when we wrote them. With a general rise in malicious cyber activity – and state-sponsored cyberattacks in particular – FSOs need to be equipped with the knowledge and tools to protect their organization. MathCraft is here to help you.

Protect Your Organization with Access Commander

The latest version of Access Commander® includes critical functionality to help FSOs collaborate with other executives, prevent threat incidents and promote a culture of cybersecurity from the top down.

  • Understand and identify insider threats with the Advanced Insider Threat Analysis
  • Share information through role-based dashboards and integration with Portal Commander™
  • Implement training programs and track progress with the Training and Conference Management module
  • Track security incidents, suspicious contacts, foreign travel, and more

Want to learn more? Contact us today for a free demo!