Much like news that an everyday household device could be deadly for homeowners, the recent discovery of a security vulnerability in a widely used program, Log4j from the Apache Software Foundation, has thrown most businesses off balance.
But for banks, there is an additional risk: Cybercriminals have used this vulnerability to try to spread a powerful type of banking malware called Dridex.
Any bank that uses Java applications is susceptible to the Log4j vulnerability, according to Steve Rubinow, computer science faculty member at DePaul University and former chief information officer of NYSE Euronext and Thomson Reuters.
“It depends on the financial institution, but there must be a lot of Java code [in the financial industry] because it’s a powerful language and is widely used today,” Rubinow said. Log4j is a tool that companies use to log what their Java applications do, in other words, to audit, understand and debug them.
The recently discovered vulnerability, called Log4Shell, allows malicious code to be injected into a Log4j program to do almost anything, including downloading and running a banking Trojan.
This security vulnerability is unique in that it affects many operating systems, said Tracy Kitten, director of fraud and security at Javelin Strategy & Research.
“With Java being so common, that makes it a significant threat, just from a volume perspective,” she said.
The Log4j program is the kind of software that software companies are unlikely to try to develop on their own because there is free, reliable code available, Rubinow observed.
But this type of software tool still needs to be carefully controlled, even if everyone is using it.
“You have to have a reasonable degree of confidence that what you put into your environment has a certain integrity, has a certain kindness,” Rubinow said.
The threat of the banking Trojan
The fact that hackers attempt to inject Dridex banking malware through Log4j increases the level of threat to financial institutions.
“The Log4Shell exploit was used to release Dridex on Windows, so it’s an obvious risk for banks,” Kitten said.
The Dridex Trojan, which is typically distributed via phishing emails, is highly capable malware. Once downloaded and active, it can do a number of things, from downloading additional software to establishing a virtual network to deleting files. It can infiltrate browsers, detect access to online banking apps and websites, and inject malware or keylogging software to steal customer credentials.
After stealing login details, attackers can initiate fraudulent automated bank transfers, open fraudulent accounts, and potentially hijack victims’ accounts for other scams involving business email compromise or money transfer activity.
Because Log4j automatically executes the commands, if a hacker injects Dridex malware, it can deploy immediately, Rubinow said. But Trojans like Dridex can also sit dormant for months on end, and then when people aren’t watching carefully, do what they’re set to do.
“You can detect it if you’re doing profiling and, like everyone else, I’m sure, looking for executables that are running in your environment,” Rubinow said. “But if it goes unnoticed or if it’s dormant, to be summoned another time, it might be a problem in the future. And because it can get in so easily, I think that’s what makes people very, very uncomfortable.”
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, warned that the recently exposed Log4j vulnerability was “one of the most serious” she has seen in her career, “if not the most serious.”
Other security experts interviewed for this story were reluctant to go that far.
“I can’t say yet if this is the most serious, but it could very well be, given how common Log4j is in Java applications,” Kitten said.
The Log4Shell vulnerability makes it easy to steal credentials or extract data and extort a ransom, said Ian McShane, chief technology officer at Arctic Wolf.
“This is a critical issue for all infrastructure,” McShane said. “Banks need to be especially careful because of the nature of the data they hold and store.”
The full extent of the vulnerability will likely not be understood for weeks or months, McShane said.
“A vulnerability of this magnitude in a software component as extensive as this will have consequences for all organizations, including banks and other financial institutions,” McShane said. “An attacker could gain full administrator-level access to an organization unable to remediate or mitigate the vulnerability. Of course, this opens up the possibility of accessing sensitive data if it has not been secured by other means, perhaps personally identifiable information such as account numbers, social security numbers, etc.”
However, the biggest threat to banks and other businesses, McShane said, remains ransomware pushed through Office 365 apps.
What banks should do
The Apache Software Foundation has released a patch for the vulnerability. So the first step is to find all the places where a business is using the affected versions of Log4j and apply the patch.
Log4j can exist in many places in an organization, and it can take a long time to find all instances of it.
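Finding every copy of Log4j is harder than it sounds because the library is usually bundled inside application archives, and often inside archives nested within other archives (a jar inside a war). The script below is an added example, not code from the article or from Apache: it walks a directory tree, opens every jar/war/ear, reads the Maven pom.properties that published log4j-core artifacts carry, recurses into nested archives, and reports copies older than a caller-supplied fixed version. The pom.properties path is the standard Maven layout; the fixed-version threshold used in the demo (2.4.0) and the version strings in the constructed sample tree are placeholders for illustration only, so the real threshold must be taken from Apache’s advisory.

```python
"""Inventory log4j-core copies under a directory tree, including jars nested
inside other archives, and flag versions older than a given fixed release.

Added example. Assumptions: published log4j-core jars carry a Maven
pom.properties at POM_PATH with a 'version=' line, and the caller passes the
minimum patched version (from Apache's advisory) as a (major, minor, patch) tuple.
"""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.3.1' -> (2, 3, 1); pre-release suffixes are dropped: '2.1-beta3' -> (2, 1, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def log4j_core_version(zf):
    """Return the log4j-core version recorded in an open ZipFile, or None if absent."""
    try:
        data = zf.read(POM_PATH).decode("utf-8", errors="replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(zf, location, findings):
    """Record log4j-core in this archive, then recurse into any nested archives."""
    version = log4j_core_version(zf)
    if version:
        findings.append((location, version))
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not a real archive; skip rather than abort the scan
            with inner:
                scan_archive(inner, f"{location}!{name}", findings)


def find_log4j(root):
    """Walk root; return [(location, version), ...] for every log4j-core found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn.lower().endswith(ARCHIVE_SUFFIXES) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, path, findings)
    return findings


def needs_patch(findings, min_fixed):
    """Subset of findings whose version is older than min_fixed (a version tuple)."""
    return [(loc, v) for loc, v in findings if parse_version(v) < min_fixed]


def build_sample_tree(root):
    """Constructed test data: a fake deployment with plain, nested and unrelated jars."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib, exist_ok=True)

    def write_archive(path, version=None, nested=None):
        with zipfile.ZipFile(path, "w") as zf:
            if version:
                zf.writestr(POM_PATH, f"version={version}\n")
            for name, blob in (nested or {}).items():
                zf.writestr(name, blob)

    write_archive(os.path.join(lib, "log4j-core-old.jar"), "2.3.1")    # placeholder version
    write_archive(os.path.join(lib, "log4j-core-new.jar"), "2.4.0")    # placeholder version
    write_archive(os.path.join(lib, "other-lib.jar"), nested={"x.txt": b"no log4j here"})
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PATH, "version=2.1-beta3\n")                    # placeholder version
    write_archive(os.path.join(root, "app", "portal.war"),
                  nested={"WEB-INF/lib/log4j-core.jar": inner.getvalue()})


def demo(min_fixed=(2, 4, 0), root=None):
    """Build the sample tree and scan it; min_fixed is a placeholder threshold."""
    root = root or tempfile.mkdtemp()
    build_sample_tree(root)
    findings = find_log4j(root)
    return findings, needs_patch(findings, min_fixed)


if __name__ == "__main__":
    found, vulnerable = demo()
    for loc, ver in found:
        flag = "PATCH" if (loc, ver) in vulnerable else "ok"
        print(f"{flag:5} {ver:10} {loc}")
```

The `location!entry` notation marks copies that live inside another archive, which is the case a plain filename search misses; in a real scan, point `find_log4j` at application server directories and container image layers rather than the constructed sample tree.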
“And time is not on your side when you have a potential attack,” Rubinow said. “So I can understand why people say it is the most serious because its simplicity and prevalence caught people off guard.”
Banks should also test and monitor their IT environment for signs of unusual code or unusual network traffic. Any strange patterns should be investigated and any issues should be located and resolved, Rubinow said.
Because Log4j is so ubiquitous, companies need to increase the sensitivity of their monitoring systems, which means they will generate a lot more red flags, Rubinow said.
“At times like this you want to do too much rather than underestimate it,” he said. “So you can look for things that maybe are subtle, that maybe escaped your attention before, but you don’t want them to escape your attention now because you don’t want to overlook anything.”