Newsletter 01/09/2022

Log4j Update: It Ain't Over Till It's Over.  And It Ain't Over.
Sound Familiar?

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere anarchy is loosed upon the world,
The blood-dimmed tide is loosed, and everywhere
The ceremony of innocence is drowned;
The best lack all conviction, while the worst
Are full of passionate intensity.
— "The Second Coming," WILLIAM BUTLER YEATS

The poet Yeats was obviously not writing about malware in the 1890s; but like all great art, the Yeats poem quoted above transcends time and speaks an eternal truth about the human condition.  Log4j has done nothing but loose chaos on our world.  Communications have been interrupted.  Otherwise innocent programmers, developers, and executives claim no responsibility for what we now know was some very shortsighted decision making.  Just a week before the Log4j outbreak on November 30, 2020, Security Boulevard posted an article titled "Common vulnerabilities in Java and how to fix them".  The article lists 30 specific vulnerabilities known to be present in Java, along with their mitigations.  We now see corporations assessing what their liabilities might be for employing applications known to have extensive vulnerabilities, and thus spewing platitudes about their methods of production.  Meanwhile every hacker group, pro and am, is lapping up the ill-gotten gravy and getting great belly laughs at the expense of their shorn sheep, you and me.

The global HR contractor Kronos based its reputation on ironclad backups that would ensure its customers no interruption of their businesses.  "The company had touted a robust backup policy in whitepapers for its private cloud... Given these previous claims, many customers have been asking why restoration is taking so long."  Kronos gives the explanation that "The threat actor responsible for this attack disabled not only the Kronos Private Cloud production environments, but also disabled UKG's ability to communicate with our back-up environments."  It is all well and good that Log4j did not specifically cause the inability to restore data from backups, but that sounds like very thin legalese to me.  The Log4j vulnerability was the predicate for the attack.  The Java library had known vulnerabilities.  It is reasonable to ask why Kronos, with fiduciary responsibilities the world over, did not make a different decision when it came to automatically logging functions in its servers.  At least, I believe that will be the basic argument made by attorneys representing victims in the inevitable class action lawsuits.

Fitch Ratings has taken notice of the long-term implications of the Kronos fiasco that underwriters may well face in the near future.

Fitch Ratings-New York/Chicago/Austin-21 December 2021: The recent breach of Ultimate Kronos Group's (UKG) Kronos Cloud Solutions platform could pose significant, but temporary, management challenges for public finance entities that use the Kronos platform through the holiday season, says Fitch Ratings. While we do not anticipate that the UKG breach will have meaningful credit implications for individual public finance entities that use Kronos, the breach continues to reinforce the necessity of robust third-party risk management strategies and identification of critical dependencies for public finance issuers. The attack further highlights the importance of cyber emergency preparedness and response strategies for the public finance sector.

The breach has already impacted a large number of public finance entities across the country, with some of the most notable the New York Metropolitan Transportation Authority, the City of Cleveland, the state of West Virginia, the Oregon Department of Transportation, the University of California system, and Honolulu’s EMS and Board of Water Supply. Though many high-profile public finance organizations have disclosed being impacted, the actual number could be much larger.

The City of Cleveland, notes Fitch Ratings, asserts that some of the city data accessed may have included certain employees' first and last names, addresses, last four digits of the social security numbers, and employee ID numbers.

If GM knowingly used defective tires in its vehicles and those defective tires caused accidents, property damage, and bodily injuries to GM's customers, GM would ultimately be held liable for damages regardless of any other insurance.  In fact, GM customers' auto insurers would most likely be named as plaintiffs.  The time will soon come when a deep-pocket corporation like Kronos will be held responsible for its decisions involving the use of third-party IT products.

And the attack surface for Log4j keeps expanding.  Most alarming of all the current alarm bells ringing came from the UK:

The UK's National Health Service (NHS) has issued a warning that hackers are actively targeting Log4J vulnerabilities and is recommending that organisations within the health service apply the necessary updates in order to protect themselves.

An advisory by NHS Digital says that an 'unknown threat group' is attempting to exploit a Log4j vulnerability (CVE-2021-44228) in VMware Horizon servers to establish web shells which could be used to distribute malware, ransomware, steal sensitive information and other malicious attacks.

VMware is a cloud provider whose virtual machine technology is employed across many different types of systems and industries.

VMware, Inc. is an American cloud computing and virtualization technology company headquartered in California. VMware was the first commercially successful company to virtualize the x86 architecture. VMware's desktop software runs on Microsoft Windows, Linux, and macOS, while its enterprise software hypervisor for servers, VMware ESXi, is a bare-metal hypervisor that runs directly on server hardware without requiring an additional underlying operating system.

Amazon Web Services (AWS) is by all accounts the largest provider of cloud-based IT services.  And AWS is powered by VMware.

What is VMware Cloud on AWS?

VMware Cloud on AWS is the preferred service for AWS for all vSphere-based workloads. VMware Cloud on AWS brings VMware’s enterprise-class SDDC software to the AWS Cloud with optimized access to native AWS services. Powered by VMware Cloud Foundation, VMware Cloud on AWS integrates VMware's compute, storage, and network virtualization products (VMware vSphere, VMware vSAN, and VMware NSX) along with VMware vCenter Server management, optimized to run on dedicated, elastic, bare-metal AWS infrastructure.

Why should I use VMware Cloud on AWS?

AWS is VMware's preferred public cloud partner for all vSphere-based workloads. VMware Cloud on AWS provides you consistent and interoperable infrastructure and services between VMware-based datacenters and the AWS cloud, which minimizes the complexity and associated risks of managing diverse environments. VMware Cloud on AWS offers native access to AWS services and innovation that extends the value of enterprise applications over their lifecycle.

Where is VMware Cloud on AWS available today?

The service is newly available in the following regions: AWS Europe (Stockholm), AWS US East (Northern Virginia), AWS US East (Ohio), AWS US West (Northern California), AWS US West (Oregon), AWS Canada (Central), AWS Europe (Frankfurt), AWS Europe (Ireland), AWS Europe (London), AWS Europe (Paris), AWS Europe (Milan), AWS Asia Pacific (Singapore), AWS Asia Pacific (Sydney), AWS Asia Pacific (Tokyo), AWS Asia Pacific (Mumbai) Region, AWS South America (Sao Paulo), AWS Asia Pacific (Seoul), and AWS GovCloud (US West).

It should be noted that AWS experienced an outage on December 7, 2021, as the Log4j crisis was starting to unfold.  Another outage hit AWS on December 15, and then a third on December 22, 2021.  In each instance, the effects were far reaching, from Amazon deliveries run amok to Tesla owners locked out of their cars.  So it doesn't take a NASA rocket scientist to see that this is a whole lot of cyber feces about to hit the cyber circular oscillator.

Many commentators among the digerati have compared Log4j, in one way or another, to Covid.  Security Boulevard published a piece on January 6, 2022, entitled "Log4Shell log4j Remote Code Execution – The COVID of the Internet".  The Register's take was to compare Log4j to the Omicron variant.

It's not unreasonable to suggest that immunology and cybersecurity could learn a lot if they talked more. Sometimes, though, the parallels are far too close for comfort.

At the same time as Omicron is confounding our plans for pandemic management, Log4j has set the infosec world on fire. Both come after a year when – surely – we'd already seen the worst, whether it was Delta or SolarWinds. Both have followed the same cycle of early reports provoking "it can't be as bad as it looks" followed by "it's worse than that, how can we cope?" and thence into the long grim period of answering that question.

We even have the same confusion of nomenclatures.  I am neither a doctor nor an epidemiologist, but I have seen and heard enough of them on cable news to know that "The virus is known as severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2). The disease it causes is called coronavirus disease 2019 (COVID-19)."  So sayeth the Mayo Clinic.  Likewise, we have a similar situation among the digerati as they do their reporting on Log4j.  Specifically, "If a device that is connected to the internet runs Apache Log4j, versions 2.0-to-2.14.1, then they are vulnerable to Log4Shell."  So, if your system is vulnerable to an attack brought about by the Log4j vulnerability, among the many strains of malware that might infect your system, one strain of that malware is called Log4Shell.  I am pretty sure I know who gets to decide these things in medicine, but I have no idea who gets to make these decisions in IT.
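Whatever the naming ends up being, the one actionable fact in the sentence quoted above is the version range, and the first thing a defender needs is an inventory of which log4j-core jars on their hosts fall inside it.  The script below is an added example, not code from the newsletter or from any of the organizations it quotes.  It takes the "2.0 to 2.14.1" range exactly as the text states it (the current Apache advisory, not this newsletter, is the authority on what version you actually need to be on) and checks jar file names against it.  The regular expression, the comparison logic and the sample paths are all my own constructions.  The point it makes that the quoted sentence does not: version strings have to be compared as numeric tuples, because as plain strings "2.9" sorts after "2.14.1" and a naive check would call a vulnerable 2.9 jar safe.  It also only sees jars whose file name carries the version; copies of log4j shaded into an application's own jar will not be matched and show up as nothing at all, which is why a filename scan is a starting point and not a clean bill of health.

```python
"""Triage log4j-core jar file names against the vulnerable version range quoted in the text."""
import re
from typing import Iterable, List, Optional, Tuple

# Range as stated in the quoted sentence: Log4j 2.0 through 2.14.1, inclusive.
# ASSUMPTION: this is only the range the newsletter gives; consult the current
# Apache Log4j advisory for the version you should actually be running.
VULN_LOW = (2, 0, 0)
VULN_HIGH = (2, 14, 1)

# Hypothetical pattern for a plain log4j-core jar name, e.g. log4j-core-2.14.1.jar.
# Shaded or renamed copies inside an application jar will not match.
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1), padding so '2.14' compares as (2, 14, 0).

    Tuples of ints compare numerically; comparing the raw strings would put
    '2.9' after '2.14.1' and misclassify it as patched.
    """
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    """True if the version lies inside the quoted 2.0 .. 2.14.1 range."""
    return VULN_LOW <= parse_version(version) <= VULN_HIGH


def version_from_path(path: str) -> Optional[str]:
    """Extract the version from a log4j-core jar path, or None if the name does not match."""
    match = JAR_RE.search(path.replace("\\", "/"))
    return match.group(1) if match else None


def triage(paths: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (path, version, verdict) for each path; verdict is vulnerable, ok or unknown."""
    results: List[Tuple[str, str, str]] = []
    for path in paths:
        version = version_from_path(path)
        if version is None:
            results.append((path, "", "unknown"))
        elif is_vulnerable(version):
            results.append((path, version, "vulnerable"))
        else:
            results.append((path, version, "ok"))
    return results


# Constructed sample inventory; these paths do not come from any real system.
SAMPLE_PATHS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",        # top of the quoted range
    "/opt/app/lib/log4j-core-2.9.jar",           # string compare would get this wrong
    "/opt/app/lib/log4j-core-2.15.0.jar",        # outside the quoted range
    "/opt/legacy/lib/log4j-1.2.17.jar",          # log4j 1.x uses a different artifact name
    "C:\\apps\\horizon\\lib\\log4j-core-2.2.jar",  # Windows path, version padded to 2.2.0
]

if __name__ == "__main__":
    for path, version, verdict in triage(SAMPLE_PATHS):
        print(f"{verdict:10} {version:8} {path}")
```

Run it over the output of a `find` or `Get-ChildItem` for `*.jar` on each host and treat every "unknown" line as a jar still to be opened and inspected, not as a pass.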

If all of this sounds demoralizing and depressing, well, it is.  But we can still have some fun.  Hurry on over to the next post and discover the wonderful world of POWERTOYS.

Gerald Reiff
