By: Jameson Miller, CPA, CISA, CISSP
Does your financial institution’s network still include machines with the Log4Shell vulnerability? It’s understandable if the question made your eyes glaze over immediately, but you might want to force yourself to pay attention anyway. A recently discovered botnet is attacking Linux systems that haven’t patched Log4Shell (the vulnerability in the widely used Log4j logging library), using it as an entry point to install rootkits and access private data.
Compromised computers then become part of the network of bots and are controlled by hackers, while the machines’ owners may remain unaware of what is going on. Cybersecurity experts refer to the new botnet as B1txor20 and are still exploring all of its nefarious functions.
The good news is that leaders don’t have to grasp the details of B1txor20’s proxy services, reverse shells, rootkit installations and domain socket binding techniques. What you do have to do is make sure your financial institution has found every application that bundles the vulnerable library and applied the vendor’s fix. Log4j is a component inside other software rather than a stand-alone program, so updating the operating system alone does not remove it; each application and appliance that ships it needs its own update.
The basics of Log4Shell
The Log4Shell vulnerability has been widely exploited by cybercriminals since it was publicly disclosed in December 2021, at the same time as the patch that fixes it. Months later, though, many organizations are still being compromised by new botnets and tactics that take advantage of it.
But what is it exactly? In basic terms, it is a flaw (CVE-2021-44228) in Log4j 2, the Apache Logging Services library that a great many Java applications use to write their logs. Affected versions treat a specially crafted piece of text as an instruction: when the text is logged, the library contacts a server named in the text and loads code from it. An attacker who can get such text into any field that ends up in a log (a web request header, a username, a chat message) can therefore execute code remotely on the machine and take control of the server.
Tons of different software products use Log4j, which means plenty of potential victims. An Iranian hacking group known as TunnelVision has been targeting unpatched VMware Horizon servers, but that is just one of many targets.
Unfortunately for the millions of Log4j users, exploiting this remote code execution vulnerability doesn’t take an evil genius. It is incredibly easy to exploit and therefore extremely popular among hackers around the world. Until it is patched, it represents an open invitation to hijack the machine, and hackers won’t hesitate to accept.
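Because the vulnerable code lives inside application archives rather than in a package the operating system tracks, the practical first step is finding every copy of log4j-core on a host, including copies nested inside .war and .ear files. The script below is an added example written for this article; it is not code from the page, from Apache, or from any vendor. The version boundaries it encodes are the published ones for CVE-2021-44228 (2.x from 2.0-beta9 through 2.14.1 affected, fixed in 2.15.0, with backport fixes 2.12.2 for Java 7 and 2.3.1 for Java 6). The function names (`scan_tree`, `is_affected`, `build_stub_jar`, `run_demo`) and the stub jars built in `run_demo()` are constructed for the demonstration and are not real Log4j binaries.

```python
"""Find copies of log4j-core affected by CVE-2021-44228 on a host.

Added example for this article; not code from the page, from Apache, or
from any vendor. Version boundaries follow the Apache Log4j security page:
2.x from 2.0-beta9 through 2.14.1 is affected, fixed in 2.15.0, with
backports 2.12.2 (Java 7) and 2.3.1 (Java 6). The jars built in run_demo()
are constructed stubs for the demonstration, not real log4j binaries.
"""
import io
import os
import re
import shutil
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
PRE_RANK = {"beta": 0, "rc": 1}       # beta < rc < final release
FIRST_AFFECTED = (2, 0, 0, (0, 9))    # 2.0-beta9


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, (2, 0)); '2.0-beta9' -> (2, 0, 0, (0, 9))."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", text)
    if not m:
        return None
    pre = (PRE_RANK[m.group(4)], int(m.group(5))) if m.group(4) else (2, 0)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), pre)


def first_fixed(v):
    """Branch-specific first release that closes CVE-2021-44228."""
    if v[:2] == (2, 3):
        return (2, 3, 1, (2, 0))
    if v[:2] == (2, 12):
        return (2, 12, 2, (2, 0))
    return (2, 15, 0, (2, 0))


def is_affected(version_text):
    v = parse_version(version_text)
    if v is None or v[0] != 2:
        return False  # log4j 1.x is a separate code base; this CVE is 2.x only
    return FIRST_AFFECTED <= v < first_fixed(v)


def inspect_archive(data, path, findings):
    """Check one archive (bytes) and recurse into jars bundled inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version is None:  # shaded builds may lack pom.properties; fall back to the file name
        m = re.search(r"log4j-core-(\d[^/!]*?)\.jar$", path)
        if m:
            version = m.group(1)
    if version is not None:
        affected = is_affected(version)
        findings.append({
            "path": path, "version": version, "affected": affected,
            # Apache's class-removal mitigation leaves the version number unchanged
            "exploitable": affected and JNDI_LOOKUP in names,
        })
    for name in names:
        if name.lower().endswith(ARCHIVES):
            inspect_archive(zf.read(name), path + "!" + name, findings)


def scan_tree(root):
    """Walk a directory and return one finding per log4j-core copy seen."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), full, findings)
    return findings


def build_stub_jar(dest, version, include_jndi=True):
    """Constructed fixture: looks like log4j-core to the scanner, holds no real code."""
    with zipfile.ZipFile(dest, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only


def run_demo():
    """Scan three constructed cases; returns findings keyed by path under the temp root."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    try:
        build_stub_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
        build_stub_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", include_jndi=False)
        inner = io.BytesIO()
        build_stub_jar(inner, "2.14.1")  # unpatched copy buried inside a web app
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        return {f["path"][len(root) + 1:].replace(os.sep, "/"): f for f in scan_tree(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, f in sorted(run_demo().items()):
        print(f"{rel}: version {f['version']} affected={f['affected']} exploitable={f['exploitable']}")
```

Run `scan_tree("/opt")` (or the root of each application server) to get a finding per copy; the three constructed cases in `run_demo()` show a patched jar, an affected jar that was mitigated by deleting `JndiLookup.class`, and an affected jar hidden inside a .war. Two caveats for real use: the script checks only the CVE the article discusses, and the 2.15.0 and 2.16.0 releases were later found to have follow-up issues (CVE-2021-45046, CVE-2021-45105), so the deployment target should be the current release rather than the first fixed one; and a copy of the library that is present but never loaded by a running process is still worth removing, since a future deployment may pick it up.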
Global conflicts increase local risks
Of course, Log4j isn’t the only threat to monitor these days. Russian state-sponsored hackers have been using another known flaw called PrintNightmare (among others). This flaw in the Windows Print Spooler service lets an attacker run malicious code hidden in a dynamic link library (DLL) that the spooler loads as a printer driver, with the highest system privileges, on servers and endpoints where the spooler is running (which is the default).
PrintNightmare is a remote code execution and privilege escalation vulnerability in the Windows Print Spooler service, and, like Log4Shell, it is fixable. The vulnerability was disclosed in the middle of 2021 and a patch has been available for over eight months. Where a server doesn’t need to print at all, the spooler service can simply be disabled, which removes the attack surface entirely. Organizations that haven’t patched their systems, however, are still at risk, and hackers are taking advantage of that failure to act.
Neglecting to apply patches is always unwise, but the current environment in Eastern Europe should put the FI sector on high alert for cyberthreats, and for Russia-linked threat actors in particular.
Cybersecurity experts observed an increase in state-sponsored attacks associated with Russian hacking groups leading up to the invasion of Ukraine. With relations increasingly unstable between Russia and the West, cyberwarfare is more than a theoretical risk. Financial institutions and other critical infrastructure interests must maintain an especially vigilant stance.
Don’t let your financial institution become an easy target
Whatever the nature or source of the latest exploit, leaving systems unpatched provides an open door for hackers who are constantly seeking new targets in every country and industry niche. Why make it easy for them?
The importance of keeping an inventory of all internet-facing systems, monitoring them, and patching known vulnerabilities promptly cannot be overstated. Despite limited human resources and competing priorities, it is far better to invest the time and attention necessary for prevention than to discover too late that bad actors found their way in via an entryway that could have been barred easily.
Talk to your Mauldin & Jenkins advisor about how to identify IT vulnerabilities and establish strong, secure IT systems and security protocols that help keep your financial institution safe.