Why is the Log4j security vulnerability so important for Banks & Fintechs?
Cybercrime is predicted to inflict damages totalling $6 trillion USD globally in 2021 (1), and that threat is top of mind for every professional in the world of digital banking and fintech. Since its public disclosure in early December, the Apache Log4j vulnerability has made global headlines as well as the top of our inboxes. The flaw is believed to have affected numerous organizations around the world while security teams scrambled to mitigate the associated risks. For banks, fintechs and their customers (all of us) the vulnerability carries an additional threat: cybercriminals have been using it to try to deliver payloads such as the Dridex banking trojan and the Meterpreter attack payload, both of which can have a devastating impact.
The Dridex malware is a banking trojan originally developed to steal online banking credentials from victims. Over time it evolved into a loader that downloads various modules and can therefore be used for different malicious behaviour, such as installing additional payloads, spreading to other devices and taking screenshots, and infections often end in ransomware attacks.
Meterpreter is a Metasploit attack payload that provides an interactive shell from which the attacker can explore the target machine and execute code. It is deployed using in-memory DLL injection, so it resides entirely in memory and writes nothing to disk. No new process is created: Meterpreter injects itself into the compromised process, from which it can migrate to other running processes. In short, it is hard to detect and can do a lot of damage.
In an article on americanbanker.com (2), Steve Rubinow, a faculty member in computer science at DePaul University and former chief information officer of NYSE Euronext and Thomson Reuters, states that “Any Bank or Fintech that uses Java applications is susceptible to the Log4j vulnerability since Log4j is a tool companies use to audit, understand and debug Java applications”. And since the vulnerability lets cybercriminals steal credentials, extract data and extort ransom, this is one serious threat.
It is still too soon to analyse the true impact of the vulnerability, and most end clients of banks and fintechs aren't even aware of it; a thorough analysis will take some months, and everything has been happening at an impressive speed. CSO Online (3) published a short timeline of the key events in December. According to the site, on the 9th of December the vulnerability was publicly disclosed when Apache released details of a critical flaw (CVE-2021-44228) in Log4j, the logging library used in millions of Java-based applications. A fix was made available with the release of Log4j 2.15.0, and businesses were urged to install the latest version as security teams around the globe worked to protect their organizations. On December 10 the UK's National Cyber Security Centre (NCSC) issued a public warning to UK organizations about the flaw and outlined strategies for mitigation, advising all organizations to install the latest update immediately wherever Log4j was known to be used. On the 11th of December the U.S. Cybersecurity and Infrastructure Security Agency (CISA) followed, with director Jen Easterly urging network defenders to step up and recommending that asset owners take three additional, immediate steps to help mitigate the vulnerability: enumerate any external-facing devices that have Log4j installed; ensure security operations centres (SOCs) action every single alert on those devices; and install a web application firewall with rules that update automatically, so that SOCs can concentrate on fewer alerts.
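Enumeration is the step that most often goes wrong in practice, because log4j-core jars sit inside wars and fat jars rather than at the top level of the filesystem. The following Python script is an added example, not code from the article, CSO Online or CISA: it walks a directory, recurses into nested archives, reads the log4j-core version from the Maven pom.properties entry and checks whether JndiLookup.class is still present, then reports which of the three December CVEs (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) each jar remains exposed to. The deployment it scans is constructed in a temporary directory so the script runs offline; the fixed-in versions, including the 2.12.x and 2.3.x maintenance branches, are those Apache published for the three CVEs.

```python
# Added example (not the article's, CSO Online's or CISA's code): enumerate log4j-core
# jars under a directory, including jars nested inside wars, and report which of the
# three December CVEs each one is still exposed to. The scanned tree is constructed.
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
CVES = ("CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105")
# First fixed release per CVE: main line (key None), plus the Java 7 (2.12.x) and
# Java 6 (2.3.x) maintenance branches that received backported fixes from Apache.
FIXED_IN = {
    None:    {"CVE-2021-44228": (2, 15, 0), "CVE-2021-45046": (2, 16, 0), "CVE-2021-45105": (2, 17, 0)},
    (2, 12): {"CVE-2021-44228": (2, 12, 2), "CVE-2021-45046": (2, 12, 2), "CVE-2021-45105": (2, 12, 3)},
    (2, 3):  {"CVE-2021-44228": (2, 3, 1),  "CVE-2021-45046": (2, 3, 1),  "CVE-2021-45105": (2, 3, 2)},
}

def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); a suffix such as '-rc1' is dropped."""
    nums = [int(re.match(r"\d*", p).group() or 0) for p in version.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version, has_jndi_lookup):
    """CVEs a log4j-core jar of this version is still exposed to."""
    if version is None:
        return ["unknown-version"]
    v = version_tuple(version)
    fixes = FIXED_IN.get(v[:2], FIXED_IN[None])
    exposed = []
    for cve in CVES:
        # Deleting JndiLookup.class from the jar (the documented workaround) closes the
        # two JNDI lookup issues but not the lookup-recursion DoS of CVE-2021-45105.
        mitigated = not has_jndi_lookup and cve != "CVE-2021-45105"
        if v < fixes[cve] and not mitigated:
            exposed.append(cve)
    return exposed

def scan_archive(data, path):
    """Findings for one archive held in memory; recurses into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            version = next((line.split("=", 1)[1].strip() for line in props.splitlines()
                            if line.startswith("version=")), None)
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            findings.append({"path": path, "version": version, "jndi_lookup": has_jndi,
                             "cves": classify(version, has_jndi)})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_archive(zf.read(name), path + "!" + name))
    return findings

def scan_tree(root):
    """Walk a directory tree and scan every archive in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for full in (os.path.join(dirpath, n) for n in filenames if n.lower().endswith(ARCHIVE_EXT)):
            with open(full, "rb") as f:
                findings.extend(scan_archive(f.read(), full))
    return findings

def make_jar(entries):
    """Build an in-memory zip from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def log4j_core_jar(version, keep_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar holding only the two entries we inspect."""
    entries = {POM_PROPS: "artifactId=log4j-core\nversion=%s\n" % version}
    if keep_jndi:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"  # class-file magic as a placeholder body
    return make_jar(entries)

def build_sample_tree(root):
    """Constructed sample deployment: unpatched, patched, JndiLookup-stripped, nested, unrelated."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    files = {
        os.path.join(lib, "log4j-core-2.14.1.jar"): log4j_core_jar("2.14.1"),
        os.path.join(lib, "log4j-core-2.17.0.jar"): log4j_core_jar("2.17.0"),
        os.path.join(lib, "log4j-core-2.14.1-stripped.jar"): log4j_core_jar("2.14.1", keep_jndi=False),
        os.path.join(lib, "commons-io-2.11.0.jar"): make_jar({"org/apache/commons/io/IOUtils.class": b"\xca\xfe"}),
        os.path.join(root, "app", "app.war"): make_jar({"WEB-INF/lib/log4j-core-2.15.0.jar": log4j_core_jar("2.15.0")}),
    }
    for path, content in files.items():
        with open(path, "wb") as f:
            f.write(content)

def demo():
    """Scan the constructed tree; findings keyed by path relative to its root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.relpath(f["path"], root): f for f in scan_tree(root)}

if __name__ == "__main__":
    for path, f in sorted(demo().items()):
        print("%-55s %-8s %s" % (path, f["version"], ", ".join(f["cves"]) or "not exposed"))
```

To run it against a real host, call scan_tree on the deployment root (for example scan_tree("/opt")) instead of demo(); a path containing "!" marks a jar found inside another archive. The script answers only the question CISA's first step asks, whether the vulnerable code is present on the device; whether a given service actually logs attacker-controlled input is a separate check.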
By December 14 a second Log4j vulnerability, carrying a denial-of-service threat, had been identified and a new patch released. According to CSO Online (3), the new vulnerability, CVE-2021-45046, allowed malicious actors to craft malicious input data using a JNDI lookup pattern to cause denial-of-service (DoS) attacks, as the CVE description put it, because the Log4j 2.15.0 fix for the original flaw was incomplete in certain non-default configurations. The new release, Log4j 2.16.0, removed support for message lookup patterns and disabled JNDI functionality by default. “While CVE-2021-45046 is less severe than the original vulnerability, it becomes another vector for threat actors to conduct malicious attacks against unpatched or improperly patched systems,” Amy Chang, head of risk and response at Resilience, told the website. On December 17 a third Log4j vulnerability (CVE-2021-45105, a denial of service through uncontrolled lookup recursion) was revealed and again a new fix, Log4j 2.17.0, was made available, and on December 20 the cybersecurity research group Cryptolaemus warned that the Dridex malware was being distributed through the Log4j flaw.
According to PCMag, the Log4j flaw is just one of many security holes currently being exploited: CISA's Known Exploited Vulnerabilities catalog lists 20 added in December alone, and although some have already been fixed, others have remediation due dates six months or more away.
To conclude, it seems the parade has only just started, so banks and fintechs are advised to follow closely the announcements of the Apache Software Foundation and other cybersecurity entities, apply the available patches for the vulnerability, and proceed with auditing, testing and monitoring their infrastructures.