Like news an everyday appliance could be lethal to homeowners, the recent discovery of a security vulnerability in a widely used program, the Apache Software Foundation's Log4j, was unsettling to most companies.
But for banks, there’s an added risk: Cybercriminals have been using this vulnerability to try to disseminate a powerful type of banking malware called Dridex.
Any bank that uses Java applications is susceptible to the Log4j vulnerability, according to Steve Rubinow, a faculty member in computer science at DePaul University and former chief information officer of NYSE Euronext and Thomson Reuters.
“It depends on the financial institution, but there's got to be a lot of Java code out there [in the financial industry] because it's a powerful language and that’s used heavily today,” Rubinow said. Log4j is a tool companies use to log Java applications — in other words, to audit, understand and debug them.
The newly discovered vulnerability, called Log4Shell, allows malicious code to be injected into a Log4j program to do almost anything, including download and execute a banking Trojan.
This security vulnerability is unique in that it affects so many operating systems, said Tracy Kitten, director of fraud and security at Javelin Strategy & Research.
“With Java being so common, that makes it a big threat, just from a volume perspective,” she said.
The Log4j program is the kind of software companies are unlikely to try to develop themselves, because reliable and free code is available, Rubinow observed.
But this type of software tool still has to be thoroughly vetted, even if everybody uses it.
“You have to have a reasonable degree of confidence that what you're putting in your environment has some integrity, has some goodness,” Rubinow said.
The banking Trojan threat
The fact that hackers are trying to inject the Dridex banking malware through Log4j ups the threat level for financial institutions.
“The Log4Shell exploit has been used to spread Dridex on Windows, so that’s an obvious risk to banks,” Kitten said.
The Dridex Trojan, which is usually distributed through phishing emails, is a highly capable piece of malware. Once downloaded and active, it can do a number of things, from downloading additional software to establishing a virtual network to deletion of files. It can infiltrate browsers, detect access to online banking applications and websites, and inject malware or keylogging software to steal customer login information.
After stealing login data, attackers can send fraudulent automated clearing house and wire transfers, open fraudulent accounts and potentially hijack victim accounts for other scams involving business email compromise or money-mule activity.
Because Log4j automatically executes commands, if a hacker injects the Dridex malware, it can deploy immediately, Rubinow said. But Trojans like Dridex can also lie dormant for months, and then, when people aren’t watching carefully, do what they’re set up to do.
“You could detect if you're profiling and as I'm sure everybody's doing, looking for executables that are running in their environment,” Rubinow said. “But if it flies under the radar or if it's dormant to be invoked another time, it could be a problem in the future. And because it can enter so easily, I think that's what makes people very, very uncomfortable.”
How threatening it is
Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency, has warned the recently revealed Log4j vulnerability was “one of the most serious” she’s seen in her career, “if not the most serious.”
Other security experts interviewed for this story hesitated to go that far.
“I can’t say just yet if it is the most serious, but it very well could be, given how common Log4j is in Java applications,” said Kitten.
The Log4Shell vulnerability makes it easy to steal credentials or to extract data and extort ransom, pointed out Ian McShane, field chief technology officer at Arctic Wolf.
“This is a critical issue for all infrastructure,” McShane said. “Banks should be especially cautious due to the nature of data they hold and store.”
The full scope of the vulnerability probably won’t be understood for weeks or months, McShane said.
“A vulnerability of this magnitude in a software component as wide-reaching as this will have consequences for all organizations, including banks and other financial institutions,” McShane said. “An attacker could gain full, admin-level access to an organization that was unable to patch or mitigate the vulnerability. Of course, that brings the potential for access to sensitive data if it has not been secured by other means, perhaps personally identifiable information such as account numbers, Social Security numbers and more.”
However, the biggest threat to banks and other companies, McShane said, remains ransomware pushed out through Office 365 apps.
What banks need to do
The Apache Software Foundation has issued a patch for the vulnerability, so the first step is to find all the places a company is using affected versions of Log4j and apply the patch.
Log4j can exist in many places in an organization, and it can take time to find all the instances of it.
“And time is not on your side when you've got a potential attack going,” Rubinow said. “So I can understand why people say this is the most serious one because its simplicity and its prevalence caught people off guard.”
Banks also need to test and monitor their information-technology environment for signs of unusual code or unusual network traffic. Any strange patterns have to be investigated and any problems located and fixed, Rubinow said.
Because Log4j is so prevalent, companies have to increase the sensitivity of their surveillance systems, which means you generate a lot more red flags, Rubinow said.
“At times like this, you want to overdo it rather than underdo it,” he said. “So you can look for things that maybe are subtle, might have escaped your attention before, but you don't want them to escape your attention now because you don't want to leave any stone unturned.”
