Apache Log4j is a Java logging framework, highly prevalent in commercial and open-source software. Log4j is ubiquitous in commercial and open-source software and the vulnerability is relatively easy to exploit making it a significant challenge to defend.
The Log4j vulnerability is now associated with two Common Vulnerabilities and Exposures (CVE): CVE-2021-44228 & CVE-2021-45046. CVE-2021-45046 has been elevated from low severity (3.7) to critical (9.0).
eSentire’s Threat Response Unit (TRU) has observed scanning for the vulnerability, Cobalt Strike activity and crypto mining payloads. TRU has also observed the targeted of webservers. There have also been reports in the wild of the Log4j exploitation resulting in ransomware deployments. We recommend organizations scan their networks regularly, on an ad hoc basis, outside of standard cadences, to identify vulnerable assets and prioritize their patching.
Full Log4j Timeline
On December 9th, security researchers released details and a Proof-of-Concept (PoC) exploit code for CVE-2021-44228 (CVSS: 10), impacting the Apache Log4j Java-based logging library. If exploited successfully, a threat actor would have Remote Code Execution abilities, which would allow a remote and unauthenticated threat actor to take control of systems with vulnerable versions of Apache Log4j.
By December 10th, eSentire’s TRU team had observed exploitation attempts. We developed and deployed rules for our MDR for Network, Endpoint and Log services to identify exploitation activity. We began global threat hunts for exploit patterns and indicators of compromise.
On December 17th, Apache updated their advisory stating that “the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.” CVE-2021-45046 was initially considered to be a Denial of Service (DoS) vulnerability. New research suggests that exploitation may allow a remote threat actor to achieve Remote Code Execution and steal sensitive data from vulnerable systems under certain conditions.
On December 28th, Apache released additional updates to their advisory
related to CVE-2021-44832 indicating that an “attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.” There remains some debate in the community as to whether this additional fix warrants a CVE. However, it is recommended that organizations ensure applications running Log4j are updated to the most recent release (2.17.1).
Recommendations from our Threat Response Unit (TRU)
- Audit software vendors/applications for Log4j use and make applying security updates a top priority (version 2.17.0 is recommended)
- Apache has provided alternative mitigations if patching is not currently possible
- Both CISA and NCSC-NL have released a vendor vulnerability status which can be correlated against software inventories
- CISA has released an Emergency Directive to the US federal government mandating that all organizations in the federal government with the Log4j vulnerability, CVE-2021-44228 must have a patch or mitigation in place for December 23rd, 2021
- NCSC-NL has additionally compiled various methods and scripts for scanning applications and systems for Log4j use
- Organizations are strongly recommended to make use of available scanning tools to identify vulnerable assets and prioritize patching of internet-facing products
- If you’ve been breached, please contact eSentire’s Digital Forensics and Incident Response experts at 1-866-579-2200
How eSentire secures our customer environments 24/7
- eSentire Managed Vulnerability Service (MVS) has plugins in place to identify CVE-2021-45046. Ad-hoc scans outside of a regular monthly or quarterly cadence are available, and recommended
- We are conducting global threat hunts for exploit patterns as part of the value added by our 24/7 Threat Hunting and Multi-Signal Managed Detection and Response (MDR) service
- We have also blocked known attacker infrastructure via our global deny list
- eSentire MDR for Network, Endpoint and Log have identified successful Log4j exploitation and post-exploitation actions. eSentire will continue to evaluate detections as the situation evolves. To ensure our customers are protected, new rules and updated detections based on threat hunting have been applied across our Atlas XDR Cloud Platform, and ongoing threat hunts are occurring, led by our Threat Response Unit
- We are communicating regularly with our customers through advisories, our SOC, our customer success organization, and on social media. Please see the publicly available communications below.
Additional Resources from eSentire:
To learn how eSentire’s Managed Vulnerability Service can help secure your environment against vulnerabilities like Log4j, connect with a security specialist today.
