In the weeks since the discovery of CVE-2021-44228, a vulnerability in the common Log4j Java utility package, there has thankfully been little fallout — especially considering that all signs pointed to one of the worst vulnerabilities of the decade. At Corvus, related claims activity has been negligible. We thank the many policyholders we contacted regarding the issue who were able to patch their systems quickly, and our broker partners who helped in conveying the urgency of the situation to their clients.
Given its unusual severity, however, the Log4j vulnerability (also known as “log4shell”) will remain a threat as long as there are vulnerable systems. We anticipate continued attempts by cybercriminals to locate and exploit Log4j to gain access to environments, to escalate privileges within an environment, and ultimately to remotely execute malicious code across the environment. In supporting our policyholders throughout the rapid response of Log4j, it became clear that many organizations are still struggling to gain confidence that they have fully identified and patched vulnerable systems.
That is why the Corvus Data Science and Product teams have developed a new tool modeled on the best open source scanning tools and made it available to our policyholders. This removes the complexity of figuring out how to run a scan yourself: instead, Corvus supports the identification of potentially vulnerable systems on your behalf. Our Log4j scan allows Corvus to remotely scan the environments of policyholders who request it, in order to determine whether the Log4j vulnerability is still present on externally accessible systems.
If you’re a Corvus policyholder, click here to request a scan. Our Risk + Response team will work with you to schedule the scan and deliver the results to you, along with guidance on further action based on what the scan finds.
While the Corvus Log4j Vulnerability scan will help identify potentially vulnerable external systems, there are still internal systems and applications that may be vulnerable. To allow our policyholders to gain complete visibility into their environments, we looked to our friends at CrowdStrike, frequent collaborators with Corvus on breach response efforts.
The CrowdStrike Archive Scan Tool (or “CAST”) performs a scan of internal systems to look for applications running versions of Log4j. It helps organizations find any version of the affected Log4j library anywhere on disk, even if it is deeply nested in multiple levels of archive files.
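To illustrate what "anywhere on disk, even deeply nested in archive files" means in practice, the script below is an added example written for this post; it is not CrowdStrike's CAST and does not reproduce its code. It walks a directory tree, opens every `.jar`/`.war`/`.ear`/`.zip` it finds, recurses into archives stored inside archives, and reports each `log4j-core` it encounters with the version read from the library's own `pom.properties` and whether the `JndiLookup` class is present. The sample directory it builds (a `.war` with a `log4j-core-2.14.1.jar` inside `WEB-INF/lib`, plus a clean jar) is constructed for the demonstration; the 2.15.0 cut-off for CVE-2021-44228 is the published fix version. The depth limit is a defensive assumption against archive bombs, not a CAST feature.

```python
"""Recursive on-disk scanner for Log4j 2 'log4j-core' inside (nested) Java archives.

Added illustration modeled on the behaviour described for CAST; not CAST itself.
"""
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata shipped inside log4j-core jars; carries the exact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class whose JNDI lookup is abused by CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MAX_DEPTH = 10  # assumption: stop recursing into absurdly nested archives


@dataclass
class Finding:
    location: str            # outer file path, then '!'-separated nested entry names
    version: Optional[str]   # from pom.properties, None if the file is missing
    jndi_lookup_present: bool


def _parse_version(text: str) -> Optional[str]:
    """Pull 'version=...' out of a Java .properties file."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "version":
            return value.strip()
    return None


def _version_tuple(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0) (only the numeric prefix of each part)."""
    parts = []
    for p in v.split("."):
        digits = ""
        for ch in p:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def affected_by_cve_2021_44228(version: Optional[str]) -> bool:
    """log4j-core 2.x before 2.15.0 is affected; an unknown version is treated as affected."""
    if version is None:
        return True
    t = _version_tuple(version)
    return t[0] == 2 and t < (2, 15, 0)


def _scan_zip(data: bytes, location: str, findings: List[Finding], depth: int = 0) -> None:
    """Inspect one archive held in memory and recurse into any archives it contains."""
    if depth > MAX_DEPTH:
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not really a zip (e.g. a renamed file); skip it
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                version = _parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            findings.append(Finding(location, version, JNDI_CLASS in names))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                _scan_zip(zf.read(name), f"{location}!{name}", findings, depth + 1)


def scan_tree(root: str) -> List[Finding]:
    """Walk 'root' and scan every archive file found, however deeply it nests other archives."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    _scan_zip(fh.read(), path, findings)
    return findings


def build_sample_tree() -> str:
    """Constructed test fixture: a .war embedding log4j-core-2.14.1.jar, plus an unrelated jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n")
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only; constructed stand-in
    root = tempfile.mkdtemp(prefix="log4j-scan-demo-")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as clean:
        clean.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        status = "AFFECTED" if affected_by_cve_2021_44228(f.version) else "fixed version"
        print(f"{f.location}: log4j-core {f.version} (JndiLookup present: {f.jndi_lookup_present}) -> {status}")
```

Point `scan_tree()` at a real application directory to list every embedded copy of `log4j-core`, including ones that a package manager inventory would miss because they are bundled inside a `.war` or fat jar; the `location` field uses `!` separators so the nested path can be handed straight to whoever owns the deployment.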
We recommend reviewing CrowdStrike’s blog post about CAST to get familiar with the tool’s specific capabilities and to learn what to expect from the results readout. CrowdStrike also maintains an extensive set of resources about Log4j at its Log4j/Log4shell Vulnerability Learning Center, which we recommend to anyone trying to understand the situation better.
We believe that security starts with gaining full visibility into your environment. With the Corvus Remote Log4j vulnerability scan and the CrowdStrike Archive Scan Tool, Corvus policyholders can feel safer knowing that they have done their due diligence in identifying vulnerable systems and applications.