Yesterday, we told you what PIA VPN did in response to the Log4Shell hack, and today we’re looking at ExpressVPN, which took its own steps to keep users safe.
ExpressVPN’s engineers managed to reproduce the exploit in their lab setup and confirmed that this was indeed an issue on vulnerable versions of the Minecraft client. A callback was made to the attacker’s server on the LDAP port and a malicious payload was executed on the user’s machine.
The company’s researchers dug deeper and found other user applications affected by the Log4j vulnerability as well. These included the Arduino IDE used by hardware enthusiasts to program their microcontrollers, the open-source testing tool OWASP ZAP, and even the open-source reverse engineering tool Ghidra.
ExpressVPN predicts a long tail of threat actors trying to exploit client applications prone to Log4Shell on user devices, as many individuals will continue to have vulnerable applications installed.
In view of this, on December 14, 2021, ExpressVPN decided to block outbound LDAP traffic based on port numbers, and rolled the block out to all its users. This is a similar move to the one PIA has made, and it acts as a protective layer to prevent pulling in the more harmful second-stage payloads that allow an attacker to run arbitrary commands on your computer.
What did ExpressVPN do?
ExpressVPN implemented a new layer of protection on December 14, 2021, and it is live across all its VPN servers worldwide. This means that everyone using ExpressVPN on their devices or router enjoys protection from the Apache Log4j vulnerability. This mitigation is server-side, so no action from users is required.
With the protection in place, attacks that rely on the default LDAP ports are mitigated, since that outbound LDAP traffic is blocked before the second-stage payload can be fetched.
As noted above, ExpressVPN applied this on the server side, and none of its apps include Log4j as a dependency. So, no action from ExpressVPN users is needed at this time.
What can you do to protect yourself?
There are several things you could do to keep your device and your data protected:
Update your apps
First, review all the apps you use across your devices and remove those that you no longer use. Next, for those that remain on your device(s), take time to review the versions installed and be sure to update them as new versions become available. If the installed app is an unofficial release, consider removing it to reduce potential risk.
It is also recommended to deploy firewall rules that prevent exploitation when the attacker’s payload uses the default ports. In other words, you should block outbound TCP/UDP traffic on the LDAP ports (389, 1389, 3268, 3269), as well as TCP/UDP on the RMI port (1099). ExpressVPN users get the same baseline protection without needing to take any further action.
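One way to put that egress block in place on a Linux host, as an added example that is not ExpressVPN’s or PIA’s own code: it builds an nftables ruleset that logs and drops outbound TCP/UDP to the LDAP and RMI ports listed above. The table name, the log prefix and the LDAP_ALLOW_DST / LOG4SHELL_APPLY variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not ExpressVPN's or PIA's code: an nftables egress block for
# the default LDAP/RMI callback ports named above. Assumes a Linux host with
# nftables; the table name and log prefix are this example's own choices.
# Only the default ports are covered: a payload pointing at a non-default
# port still gets through, so this is a baseline, not a substitute for patching.

LDAP_PORTS="389, 1389, 3268, 3269"
RMI_PORTS="1099"
# Optional: directory servers this host legitimately talks LDAP to
# (domain-joined machines need this), e.g. LDAP_ALLOW_DST="10.0.0.5, 10.0.0.6"
LDAP_ALLOW_DST="${LDAP_ALLOW_DST:-}"

# Print the ruleset. Logging before dropping matters for detection: an
# outbound LDAP/RMI attempt from a workstation is itself a signal that some
# application just tried to follow a JNDI lookup.
log4shell_ruleset() {
    allow_rule=""
    if [ -n "$LDAP_ALLOW_DST" ]; then
        allow_rule="        ip daddr { ${LDAP_ALLOW_DST} } tcp dport { ${LDAP_PORTS} } accept"
    fi
    cat <<EOF
table inet log4shell_egress {
    chain output {
        type filter hook output priority 0; policy accept;
${allow_rule}
        tcp dport { ${LDAP_PORTS}, ${RMI_PORTS} } log prefix "log4shell-egress-drop: " counter drop
        udp dport { ${LDAP_PORTS}, ${RMI_PORTS} } log prefix "log4shell-egress-drop: " counter drop
    }
}
EOF
}

# Review by default; apply (as root) only when explicitly asked.
if [ "${LOG4SHELL_APPLY:-0}" = "1" ]; then
    log4shell_ruleset | nft -f -
else
    log4shell_ruleset
fi
```

Run it without LOG4SHELL_APPLY to review the ruleset first; the `counter` on each drop rule lets you see from `nft list table inet log4shell_egress` whether anything on the host has actually tried to reach those ports.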
Keep following the news
This is probably the easiest thing to do, as it only requires you to keep up with the latest security news. Chances are, if the vulnerability is big enough, it will also be reported by non-tech media, but you never know. Awareness of how widely Log4Shell affects client apps installed on user devices is key to shortening the long tail of this vulnerability.
Get a VPN
Finally, if you still don’t use a VPN – now’s the time to change that. ExpressVPN is one of the best options out there, and yes – we highly recommend it. Click the link below to get it and then install it across all devices you use.