How did your IT firm react to Log4j?

Preparation is often half the battle, and that holds true for many things – but more often than not, it holds especially true with cybersecurity. On Friday, December 10, 2021, news broke of active exploitation of a critical vulnerability (CVE-2021-44228) in a common component of Java-based software, referred to as Log4j.

Labeled the “most serious” security breach ever, put simply, Log4j is a flaw in one of the internet’s most commonly used piece of code. For years Log4j was code that software applications used to log – or keep track of – application activities. It’s code that has been used all over the internet as part of the Java programming language which has been foundational language for software since the 90’s. So, if the internet has been using Log4j for so long, why is it considered potentially the biggest security breach of the past decade?

A few weeks ago it was discovered that Log4j could be used to allow bad actors to seize control of application servers by running and logging a bad line of malicious code. A simple line of bad code could give anyone the keys to running off with an organization. This kind of oversight rarely, if ever, occurs.

Log4J Vulnerability Tests Agility of Internal & Outsourced IT

With such an incredible vulnerability exposed, organizations of every size have rushed to review their environments and remediate where they can. This kind of event has the power to lay bare the organizations that are most intimate with their environments and those that engage in active management – whether that is via a third-party provider or in-house IT.

Here are some steps that we took to keep our clients safe in response to the Log4j vulnerability:

Enumeration, Mitigation, and Attack Detection

Working with our partners, we leveraged a 3^rd party external tool for both Windows and Linux that downloads and executes the latest detection methods published by Florian Roth.

The tool, championed by Datto, allowed us to:

• Scan all JAR files on the system for signs of insecure versions of Log4j
• Search TXT and LOG files on a system for indicators of a potential attack
• Automatically inoculate against future exploit attempts by setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to TRUE.

Sophisticated Scanning & Custom Scripts

Our team also deployed sophisticated scanning, using custom scripts to scan, log, and identify areas for review. We cross-pollinated information gathered by our security team with ongoing releases from software vendors, alongside environment risk maintenance documentation to rapidly identify the software and systems that were in immediate need of patching. From there our team generated a risk heat map – allowing our team to address the greatest to least risk in a measured approach and we deployed patching.

Blocking External Communication

We also created strict firewall and web filtering rules to monitor for and block potential attempts from Log4j exploits at maintaining communication with Command and Control (C2) infrastructure.

Additional Actions

We recommend the following actions in addition to the immediate actions we performed above:

• If you use an outside IT or cybersecurity provider (e.g., internal SOC, Managed Security Service Provider [MSSP], Managed Services Provider [MSP], etc.) ensure they are aware of, monitoring, and taking appropriate actions on any alerts associated with the presence of Log4j in your environment
  • Ask them specifically for evidence of outbound traffic as a result of a Log4j exploitation attempt
• Install or modify an existing Web Application Firewall (WAF) with rules that automatically update with the latest information
  • CISA will be maintaining a repository of information and affected software here
  • Another useful and trusted repository is being maintained by the Dutch National Cyber Security Center

Additional Resources

1. DHS CISA Apache Log4j Vulnerability Guidance
2. DHS CISA Github Repository
3. National Vulnerability Database: CVE-2021-44228
4. Apache Log4j Security Update Page
5. Microsoft Blog: Guidance for Preventing, Detecting, and Hunting for CVE-2021-44228 Log4j 2 Exploitation
6. Cisco Talos Intelligence Group - Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild
7. Palo Alto Networks blog: Apache log4j Vulnerability CVE-2021-4428: Analysis and Mitigations
8. Dutch National Cyber Security Center Github Repository
9. Swiss Government CERT Blog on Log4j (Good visual)
10. CrowdStrike blog: Log4j2 Vulnerability Analysis and Mitigation Recommendations
11. TrustedSec: Log4j Detection and Response Playbook
12. F5 Labs: Explaining the Widespread Log4j Vulnerability
13. Tenable blog: CVE-2021-44228: Proof-of-Concept for Critical
14. Apache Log4j Remote Code Execution Vulnerability Available (Log4Shell)
15. Curated Intelligence Trust Group Github Repository
16. SwitHak Blue Team Cheat Sheet for Log4j
17. Symantec Enterprise blog: Apache Log4j Zero-Day Being Exploited in the Wild content
18. Tech Solvency: The Story So Far
19. TryHackMe: Solar, exploiting log4j
20. Picus Security: Simulating and Preventing CVE-2021-44228 Apache Log4j RCE Exploits
21. National Vulnerability Database: CVE-2021-45046
22. Carnegie Mellon University CERT Coordination Center
23. RecordedFuture: Log4Shell Attacks Expand to State Actors