Log4j is a Java library for logging error messages in applications and is a critical security vulnerability with a severity score of 10 out of 10. The high score is due to it being remotely exploitable and requiring little technical skill to execute. A new vulnerability has been disclosed over the past few days and there are active attackers scanning the internet for vulnerable servers and even deploying malicious payloads to those servers such as DDoS bots, Cobalt Strike Beacons, and even Cryptominers. The NIST Vulnerability Database for this is listed as CVE-2021-44228. All versions of Apache’s Log4j older than 2.15.0 are vulnerable. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. There are also discussions on social media about a possible worm being developed within 48 hours that will be self propagating with the ability to stand up a self hosted server on compromised endpoints in addition to spraying traffic, dropping files and c2c.
The vulnerability, also nicknamed Log4Shell, can be exploited by forcing Java-based apps and servers, where the Log4j library was used, to log a specific string into their internal systems. When the app or server processes the logs, this string can force the vulnerable system to download and run a malicious script from an attacker-controlled domain, effectively taking over the vulnerable application/server.
Indicators of Compromise of log4j CVE-2021-44228
The primary focus should be to identify internet-facing devices running Log4j and upgrade them to version 2.15.0, or to apply the mitigations provided by vendors immediately.
If you need help identifying a vulnerable application, you can use log4shell.huntress.com‘s tool at your own discretion. The source code is available at GitHub. This site does not trigger any remote code execution and only helps identify possibly vulnerable sites by using a unique identifier. Please only use this tool on applications you’re authorized to test against.
If you find that log4j has already been patched, please verify that it was patched by someone in your organization. Applying a patch to a vulnerable server just prevents it from being attacked again. A patch does not remove shells, implants, or other malware that were installed prior to patching.
Remediation of log4j CVE-2021-44228
The suggested remediation of log4j is to update it to the latest 2.15.0 release. If you’re on version a version between 2.10 and 2.14.1, you can mitigate the vulnerability by setting system property “log4j2.formatMsgNoLookups” to “true”.
If you have a defense in depth concept with multiple layers of security, it is important to check your firewalls and web application firewalls (WAF) to download the most recent threat lists. Cisco, Palo Alto, Checkpoint, and Imperva have all updated their threat feeds that attempt to block these attacks by looking for strings in the web applications or by blocking reported scanning IPs.
The next step is to contact vendors of any software you have installed on your systems to verify their vulnerability or patch status. There is a good GitHub Log4j Cheat Sheet to reference.
Items to look for on your endpoints:
- Suspicious execution of common command line tools used to download files such as: curl, wget, or powershell
- The creation of suspicious or unexpected programs or services on an endpoint
- An increase in CPU and memory usage on a server (This is due to many attackers placing cryptominers on exploited systems.)
- Endpoint security software generating alerts for post-exploitation tool usage or activity
Items to look for on your network:
- Search for outgoing network or web connections from your servers to the Internet.
Outbound network connections may be to nonstandard ports or over standard HTTP/S ports.
- Look for suspicious curl or wget user agents to external IP addresses.
- Examine DNS for queries to suspicious or known malicious sites. A list of known domains and callback URLs can be found at the following links:
Known scanning IPs
Known callback URLs
Zeek Log4j Intelligence Feeds
log4j is an ongoing threat and the landscape will definitely change in the near future. As more information becomes available we will keep this article up-to-date with the latest tools, links, and support.