Log4j in industrial systems. Regulatory response. Exploitation for ransomware.
N2K, Jan 6, 2022

ICS vendors review their products for Log4j vulnerabilities. Regulators are working through their response to the open source library issue, as Log4shell is exploited in ransomware attacks.

Log4j issues have been found in industrial control systems as ICS vendors review their offerings. Regulatory responses are beginning to play out, and the Log4shell vulnerability is being exploited in ransomware attacks.

Log4j in ICS products.

Industrial control system vendors are working to close Log4j vulnerabilities in their products. SecurityWeek has a useful and interesting summary of the ways in which the companies are working on the problem.

  • The companies who've found, disclosed, and are fixing Log4j issues include ABB (B&R products are at low risk, and the ABB Remote Access Platform has been patched), Honeywell (some Voice applications are affected), Phoenix Contact (some cloud services are affected, and their remediation is in progress), Rockwell Automation (Plex IIoT, Fiix CMMS, Warehouse Management, Industrial Data Center, VersaVirtual Application, FactoryTalk Analytics and Firewall Managed Support have been patched; EIG has been discontinued), Schneider Electric (EcoStruxure IT Gateway and other cloud-based products have been patched; mitigations are in progress for APC PowerChute, Building Advisor StarDog, and Eurotherm Data Reviewer), Siemens (over a hundred products are affected, and the vulnerabilities are being addressed), Sierra Wireless (AM/AMM servers and elements of the AirVantage and Octave cloud platforms are affected, and remediations are under preparation), and WAGO (Smart Script labeling software has been patched in its current version).
  • Emerson, Johnson Controls, and Moxa are still investigating, but they've published lists of products they've confirmed are unaffected.
  • Inductive Automation, VTScada, and COPA-DATA have confirmed to their customers that their products are unaffected.

Most of the issues the companies have been finding are related specifically to Log4shell, but some of the other, later and lesser vulnerabilities have also been detected.
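The product reviews described above come down to an inventory question: which shipped archives carry a copy of log4j-core, which version, and whether a documented mitigation has already been applied. The script below is an added example, not code from the CyberWire brief or from any vendor named in it. It walks an install tree, opens every jar, war or ear, reads the log4j-core version from the jar's Maven metadata (or its manifest), descends into nested archives, and flags copies below a minimum version the caller supplies; it also records when the JndiLookup class has been deleted, the class-removal mitigation the Apache project documented for older versions. The minimum version used in the demo, the in-memory sample jars, and the status labels are assumptions of this example; take the real version floor from the Apache Log4j security page or your vendor's advisory.

```python
import io
import re
import zipfile
from pathlib import Path

# Real paths inside an Apache Log4j 2 core jar: the Maven build metadata that records
# the artifact version, and the class that performs JNDI lookups (deleting that class
# from the jar is the mitigation the Apache project documented for older versions).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def log4j_core_version(zf):
    """Return the log4j-core version recorded in an open jar, or None if it is not log4j-core."""
    if POM_PROPERTIES in zf.namelist():
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.partition("=")[2].strip()
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    headers = dict(
        (k.strip().lower(), v.strip())
        for k, _, v in (line.partition(":") for line in manifest.splitlines() if ":" in line)
    )
    if "log4j core" in headers.get("implementation-title", "").lower():
        return headers.get("implementation-version")
    return None


def inspect_archive(data, min_version, label):
    """Classify every log4j-core copy in an archive (bytes), descending into nested archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        version = log4j_core_version(zf)
        if version is not None:
            if parse_version(version) >= parse_version(min_version):
                status = "ok"
            elif JNDI_LOOKUP_CLASS not in names:
                # JndiLookup.class removed: the JNDI path is closed, but the later, lesser
                # Log4j issues are not all addressed by class removal, so still review it.
                status = "below-minimum-jndilookup-removed"
            else:
                status = "vulnerable"
            findings.append({"archive": label, "version": version, "status": status})
        for inner in names:  # fat jars and wars carry their own copies of log4j-core
            if inner.lower().endswith(NESTED_SUFFIXES):
                findings.extend(inspect_archive(zf.read(inner), min_version, f"{label}!{inner}"))
    return findings


def scan_directory(root, min_version):
    """Walk a product install tree and inspect every archive found in it."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in NESTED_SUFFIXES:
            try:
                findings.extend(inspect_archive(path.read_bytes(), min_version, str(path)))
            except zipfile.BadZipFile:
                continue  # not a real archive; skip it rather than abort the inventory
    return findings


def build_sample_jar(version, keep_jndi_lookup=True, wrap_in_war=False):
    """Constructed test fixture: a minimal jar laid out like log4j-core, optionally nested
    inside a war, so the scanner can be exercised without any real vendor binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Title: Apache Log4j Core\nImplementation-Version: {version}\n")
        if keep_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    jar = buf.getvalue()
    if not wrap_in_war:
        return jar
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core.jar", jar)
    return outer.getvalue()


if __name__ == "__main__":
    # Assumed floor for the demo; replace it with the version your vendor advisory names.
    MIN_VERSION = "2.17.1"
    fixtures = [
        ("old.jar", build_sample_jar("2.14.1")),
        ("old-stripped.jar", build_sample_jar("2.14.1", keep_jndi_lookup=False)),
        ("app.war", build_sample_jar("2.17.1", wrap_in_war=True)),
    ]
    for label, data in fixtures:
        for finding in inspect_archive(data, MIN_VERSION, label):
            print(finding)
```

Run against a real install tree with `scan_directory("/opt/product", "<version from the advisory>")`; the version check is deliberately separate from the JndiLookup check, because a jar can have the class stripped and still be below the floor the vendor set for the later issues.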

Two foreseeable developments in the Log4j story.

Regulators and legislators are looking for ways of preempting the next widespread vulnerability, and for the mandates and incentives (more stick than carrot) that would push organizations to do better. US Senator Gary Peters (Democrat of Michigan), chairman of the Senate Homeland Security and Governmental Affairs Committee, said yesterday that the Log4j issues show the importance of mandatory reporting requirements. Defense Daily quotes the Senator: “I remain concerned that we will likely never know the full scope and impacts of this widespread vulnerability, or the risk posed to critical infrastructure. Our federal government still lacks the necessary insight to understand the threat facing our nation, protect our networks, and impose consequences on malicious hackers.”

Media reaction to the US Federal Trade Commission's advisory about companies' responsibility for fixing Log4j vulnerabilities has focused on the FTC's tough line, and not-so-veiled warning that businesses would be well advised to get on with detection, remediation, and disclosure, lest they get the Equifax treatment.

And ransomware gangs have continued to exploit these vulnerabilities where they can. BleepingComputer reports that the Vietnamese cryptocurrency trading firm ONUS has declined to pay the $5 million ransom the hoods demanded in a double-extortion scheme. The vulnerability was in the Cyclos point-of-sale and payment system server ONUS used. As an indication of the speed with which criminals can move on newly available exploits, Cyclos delivered a patch for its systems on December 13th, and ONUS promptly applied it. That was just four days after Log4shell was first publicly disclosed, but by then it was already too late: the hoods had already gained access to know-your-customer databases that contained personal information and hashed passwords.