Log4j security vulnerability is a double threat to banks

Log4j security vulnerability is a double threat to banks
Written by Publishing Team

Like the news that everyday devices can be fatal to homeowners, the recent discovery of a vulnerability in a widely used software, Log4j from the Apache Software Foundation, has been worrying for most companies.

But for banks, there is an additional risk: cybercriminals are using this vulnerability to try to spread a powerful type of banking malware called Dridex.

Code snippet from the Apache Software Foundation’s Log4j logging software.

Adobe Stock

Any bank that uses Java applications is vulnerable to the Log4j vulnerability, according to Steve Rubino, a faculty member in computer science at DePaul University and former chief information officer at NYSE Euronext and Thomson Reuters.

“It depends on the financial institution, but there should be a lot of Java code available [in the financial industry] “It is a powerful language and is used extensively today,” said Rubino. Log4j is a tool that companies use to log Java applications – in other words, to review, understand, and debug them.

The newly discovered vulnerability, called Log4Shell, allows injecting malicious code into the Log4j program to do just about anything, including downloading and executing a banking Trojan.

This vulnerability is unique in that it affects many operating systems, said Tracy Keaten, director of fraud and security at Javelin Strategy & Research.

“Because Java is so popular, that makes it a huge threat, just from a size perspective,” she said.

Log4j is the kind of software company that is unlikely to try to develop itself, because reliable and free code is available, Rubino noted.

But this kind of software tool still needs to be thoroughly scrutinized, even if everyone uses it.

“You should have a reasonable degree of confidence that what you put into your environment has some integrity, and has some good,” said Rubino.

Banking Trojan Threat

The fact that hackers are trying to inject the Dridex malware through Log4j raises the threat level for financial institutions.

“The Log4Shell exploit was used to deploy Dridex on Windows, so this presents a clear risk to banks,” Kitten said.

The Dridex Trojan, which is usually distributed through phishing emails, is a highly capable piece of malware. Once downloaded and activated, it can do a number of things, from downloading additional software to creating a virtual network to deleting files. It can hack browsers, detect access to online banking apps and websites, and inject malware or keyloggers to steal customer login information.

After stealing login credentials, attackers can send fraudulent automated clearinghouses and bank transfers, open fraudulent accounts, and possibly steal victims’ accounts for other scams involving commercial email hacking or money mule activity.

Since Log4j executes commands automatically, if a hacker injects the Dridex malware, it can spread it immediately, Rubino said. But Trojans like Dridex can also lie dormant for months, and then, when people aren’t watching carefully, do what they’re set up to do.

“You can detect if you’re profiling and, as I’m sure everyone does, look for executables that are running in their environment,” said Rubino. “But if it flies under the radar or if it’s dormant to be called up at another time, that could be a problem in the future. And because it can get in so easily, I think that’s what makes people so uncomfortable.”

What is the extent of the threat

Jane Easterly, director of the US Agency for Cybersecurity and Infrastructure Security, warned that the recently disclosed Log4j vulnerability was “one of the most serious” she had seen in her career, “if not the most serious”.

Other security experts interviewed for this story hesitated to go that far.

“I can’t say yet if it’s the most dangerous, but it could very well be, given how common Log4j is in Java applications,” Kitten said.

The Log4Shell vulnerability makes it easy to steal credentials or extract data and extort ransomware, noted Ian McShane, Arctic Wolf’s CTO.

“This is a critical issue for all infrastructure,” McShane said. “Banks need to be especially vigilant because of the nature of the data they hold and store.”

McShane said the full scope of the vulnerability may not be understood for weeks or months.

“A weakness of this magnitude in a large-scale software component like this would have consequences for all organizations, including banks and other financial institutions,” McShane said. “An attacker could gain full administrator-level access to an organization that is unable to patch or mitigate the vulnerability. Of course, this brings access to sensitive data if it is not secured by other means, perhaps personally identifiable information such as account numbers, Social Security numbers, and more.” “

However, McShane said that the biggest threat to banks and other companies remains the ransom being paid via Office 365 apps.

What banks need to do

The Apache Software Foundation has released a patch for the vulnerability, so the first step is to find all the places where the company is using affected versions of Log4j and apply the patch.

Log4j can exist in many places in the organization, and it can take time to find all of its instances.

“And time is not on your side when you have a potential attack,” said Rubino. “So I can understand why people say this is the most dangerous because its simplicity and prevalence have surprised people.”

Banks also need to test and monitor their IT environment for signs of unusual code or unusual network traffic. Rubino said any strange patterns should be investigated and any problems identified and fixed.

Since Log4j is so prevalent, companies have to increase the sensitivity of their monitoring systems, which means you’re generating a lot of red flags.And Robino said.

“At times like these, you want to overdo it rather than underestimate it,” he said. “So you can look for things that might be hidden, that might have escaped your attention before, but you don’t want them to escape your attention now because you don’t want to leave any stone unturned.”


About the author

Publishing Team

Leave a Comment