When the Apache Log4j logging library vulnerability was exposed in December 2021, businesses scrambled to secure their networks. Several months later, bad actors are still exploiting the vulnerability — Log4shell — and they don’t appear to be slowing down anytime soon.
Deemed a critical issue by the National Vulnerability Database, the Log4shell remote code execution enables bad actors to run code on a server, risking the potential of malware installation, cryptocurrency mining, and stolen data. Now, the pressure is on for managed service providers (MSPs) to understand the long-tail risks posed by Log4shell and proactively mitigate its threats.
The ubiquity of Log4j complicates matters
The widespread presence of Log4j has left millions of applications vulnerable to exploits. The Log4j library is used in millions of Java-based applications, from Minecraft to Cisco Webex. One affected product, VMware Horizon, is a desktop virtualization platform used by thousands of organizations as a part of their work-from-home tech stacks.
Our threat intelligence arm, SophosLab, monitored various incidents of VMware Horizon exploitation during the height of the attacks. We saw tactics ranging from cryptocurrency mining to ransomware, as well as other attacks in which the bad actor’s intentions were unclear. Perhaps most notably, we witnessed various backdoor attacks which we believe to be initial access brokers — meaning these attacks could pave the way for even more instances of ransomware. And according to our research, there are multiple adversaries implementing the attacks.
No matter the intent and execution of an attack, we’ve already seen hundreds of businesses fall victim as a result of the Log4j vulnerability. Considering it can take months to identify a data breach, bad actors are undoubtedly lurking in the corners of your customers’ networks. MSPs, it’s time to take the lead.
3 questions to ensure preparedness for Log4shell exploits
Organizations are understandably concerned about the threats posed by Log4shell. Considering the number of scan and exploit attempts we have already seen, MSPs need to be prepared to continue supporting their clients during this tumultuous time. Now is also the time to showcase your expertise — especially with the current tech talent shortage, many organizations lack a dedicated security team.
Ask these questions to ensure you are equipped to help:
- Are you staying abreast with Log4shell updates? Stay informed about the Log4j vulnerability, including which vendors and software programs have been affected, new attacks to look out for and how other MSPs are helping their customers. Proactively communicate with customers to share updates and information that will help customers mitigate threats.\
- Can you sufficiently maintain backups? A critical part of ensuring preparedness for cyberthreats is backup maintenance — and the most efficient way to do this is to follow the 3-2-1 method. Create three copies of your most important data and store it across two different systems, one of which is offline. It’s important to keep one system offline, because if all of your backups are online then all of your backups are vulnerable to bad actors.
- Do your customers have a layered approach to cybersecurity? Ensure your customers have a defensive approach in place, layered with in-depth security presence across all endpoints and servers. This should include endpoint detection and response, and managed response teams who can proactively investigate all potentially suspicious activity. Behavior like unexpected remote access service logins or the use of legitimate tools outside the normal pattern can be early signs of an imminent ransomware attack.
Whether your customers need threat prevention or damage control, it’s your job to keep your customers’ security posture in check — especially amid the many Log4shell exploits that we know will continue to arise. To truly protect your customers’ networks, proactively monitoring threats is essential.
Author Scott Barlow is VP of global MSP & cloud alliances at Sophos. Read more Sophos guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.