You may have heard about the Log4j vulnerability.
Log4j is an open-source Java library that is primarily used for application event logging typically in Windows-based applications such as human-machine-interface (HMI) and supervisory-control-and-data-acquisition (SCADA) programs.
If this flaw is left unaddressed, the target system could grant access to a malicious code execution request, which can lead to the installation of ransomware or other undesired activity.
In fact, the Khonsari ransomware malware is already in the wild, along with a remote-access Trojan (RAT) called Orcus. An infected machine would have all of its files renamed to .Khonsari, and Bitcoin would have to be paid to disinfect the system.
It has been noted that systems that control critical infrastructure, such as electric grids, water supply and various manufacturing processes, provide an attack vector for this vulnerability. It is especially important to address and prioritize this flaw with Internet-facing systems, although computers on the internal network can still be exploited.
The risk is real, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). It suggests that vendors should be communicating to their customer bases about their applications and provide guidance to solve the problem. I personally have had alerts from multiple vendors who have employed Log4j with guidance on how to patch their systems.
In a 24-hour period, there were as many as 60 new variations of the Log4j exploit originating from multiple bad actors.
Cybersecurity is a real thing; we just think that an attack will never happen to us. Just recently, the healthcare system in Newfoundland, a province in Canada, was attacked, and the system was affected for more than a month. Sensitive information was stolen, and it is suspected, yet unconfirmed, that it was also a ransomware attack. Hospitals are considered critical infrastructure.
So, let’s say you have a SCADA system at a water-treatment facility that is connected to the Internet so that operators can have access remotely to monitor and control the process of providing clean and safe drinking water for its connected residents and industrial clients.
The Log4j vulnerability, if used, can be automatically triggered by the attacker, so it can be done in stealth mode. Depending on the system and the desired result, unauthorized access can be made available to the remote system to do with the system as they please, which could include changing the process parameters to make the water unsafe.
Attackers gain access to systems for many reasons, but mainly it is about the money. One hacker publicly stated that he didn’t want to hurt anyone, but he just wanted to get paid. Enter cybersecurity insurance.
What landed in my inbox was very fortuitous. It was an invitation to get a copy of the Wiley Publishing book called, “Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World.” It contains the answers to questions from some of the leading white hat hackers in the world, all 70 of them.
The content of the answers is designed to help us understand how to prevent these attacks from happening, as well as getting to know the person behind the answers.
One comment suggests that, if the cybersecurity policy is heavy-handed, then it probably won’t work out too well. It suggests having some compassion in developing policies since the people who you are developing the policies for are not as tech-savvy as the cyber guy.
Understanding how these people work in their daily activities and crafting policies that dovetail into that understanding will produce better results.
While I didn’t read all the pages, I gleaned some common points from the responses. Cybersecurity is a separate and independent activity that requires a separate and independent mindset. A computer-science degree really won’t help you a lot. A cyber person has to think out of the box and be agile since the landscape is always changing.
The book talks about training and making sure that the people you are responsible for understand the problem of cybersecurity and what the ramifications of a breach could mean to them and to the companies that they work for.
The information-technology (IT) and operational-technology (OT) departments need to work together hand in hand. It has been observed that a lot of the breaches that happen are of the low-tech variety, such as social engineering, weak passwords, lack of multiple factor authentication and a failure to patch and respond when a threat is identified.
Writing software is not easy; nor is it perfect. There will always be the next zero-day vector to deal with. Have your systems in place to monitor daily and have a redundant backup system that is separate from your regular activities. Prevention is what we are looking for. Reactive responses are just that—reactive. The damage has already been done.
Who is responsible for patching your Internet available SCADA systems? That’s a good place to start.
For more background information on mitigating Log4j vulnerabilities, read CISA Alert AA21-356A.