The whole world is busy with patch management and once again IoT will be forgotten. Security researchers from Armis therefore strongly recommend to focus on IoT, because they discovered log4shell attack attempts on more than a third of their own customers and new attack attempts follow every day. The top 3 of the attacked devices so far are physical servers (42%), virtual servers (27%) and IP cameras (12%).
In addition, it was also possible to detect attempts to attack production devices (HMI panels and controls) and presence systems (Kronos).
The information in the graphic shows the variance of the devices affected by Log4Shell.
For this reason, Armis recommends that you follow the following five steps to prevent or fix the current Log4Shell vulnerability as well as future vulnerabilities:
Does the company have an accurate inventory of all the devices in its IT environment running Apache/Java and using Log4j? Solutions like Armis see and identify each asset for 100 percent complete transparency: assets managed and unmanaged via IT/OT/IoT/IoMT, both on the network and in the cloud.
Which devices in the IT environment are vulnerable or need to be further evaluated to confirm a possible threat? A central platform can help detect the devices in the IT environment running Apache and/or Java and other applications, identify the specific devices that require further verification (e.g. confirmation of the exact software versions), and identify the specific configurations or deployments that are potentially affected by such threats.
Are there currently active exploitation attempts or has a malicious actor already successfully exploited the vulnerability in my environment? Security researchers have analyzed the vulnerability and developed queries that can quickly identify active attempts to exploit the vulnerability so that administrators can isolate or quarantine vulnerable systems and initiate patching measures.
Protecting IT environments
Administrators should isolate the vulnerable systems or quarantine them. In addition, you should initiate patching measures. Asset management and security should be enabled to detect risks before they become a problem.
Preventive and containment measures
It is important to ask which business services, solutions or critical infrastructures could be affected. The answer to this question will then be interesting if the vulnerability is exploited, or are already actively compromised.