On Tuesday, Flashpoint and Risk Based Security hosted a panel to address the ongoing Log4Shell vulnerability. Below are key highlights from the discussion. For more, watch the entire event here.
Participants include Risk Based Security CEO Jake Kouns and Flashpoint cybersecurity experts Kecia Hoyt (Director – Intelligence), Cheng Lu (Senior Analyst II), and Steven Oullette (Senior Analyst I).
How many vulnerabilities are we talking about?
This is a library issue that runs deep. Ultimately there are 3 distinct vulnerabilities (as of this publishing) across 5 unique CVEs.
What should we be fixing, installing, implementing now?
Release 2.17, which accounts for CVE-2021-4501, the new denial-of-service vulnerability from this past Friday.
What have you seen to date in terms of threat actor activity on illicit communities?
Within the last 7 days, Flashpoint has seen over 5,000 mentions of Log4j within our data collections versus 3,000 in the prior period.
How does this break down in terms of individual CVEs?
There are over 1,700 mentions in Flashpoint’s data collections of CVE-2021-4428. Furthermore, for CVE-2021-45046, we have identified more than 200 mentions. These volumes are unprecedented in terms of threat actor chatter around vulnerabilities.
What are the three main areas organizations should examine in order to assess their exposure to Log4j? How do we inventory these types of libraries in off-the-shelf 3rd party products and determine if my assets are affected? How do I prioritize my efforts?
- Figure out if you are using Log4j in your own code, in what you’re building in-house.
- Identify which, if any, of your vendors are using Log4j.
- Determine whether a vendor, or another library that you are using, is itself using the Log4j library.
Below are more questions we address in the discussion. To watch it in its entirety, click here.
- What is going on with cloud hosting providers like AWS? Are they affected?
- The Belgian Ministry has reported an incident, indicating that Log4j was used. Tell me more about this disclosure.
- What are the updates with Log4Shell as part of a worm?
- Can you give some more details on why this vulnerability wasn’t found sooner?
- Teams have been so distracted with Log4j. What else should I be aware of?
See Flashpoint’s Vulnerability Management Solutions in Action
Flashpoint’s enriched CVE data cross-references data from MITRE & NVD with threat-actor chatter in illicit online communities such as deep & dark web forums and chat services, as well as paste sites and open-source technical data. Visibility into these sources allows vulnerability management teams to identify which CVEs have active and proof-of-concept exploits and which are most likely to be exploited in the future. By combining their internal data with these insights, teams are able to prioritize mitigation measures more effectively based on risk.