Apache Log4j is a Java library that is used to log messages (for diagnostics, troubleshooting, auditing, and information). This library also provides the ability to log information to various destinations such as databases, file consoles, and syslog, making it the most widely used Java logging library. The default configuration of Log4j supports JNDI (Java Naming and Directory Interface) lookups of Java objects at program runtime given a path to their data. Log4Shell is the recently discovered vulnerability (CVE-2021-44228) in the Log4j library where JNDI lookups can be exploited to exfiltrate data or execute arbitrary code via remote services such as LDAP, RMI, and DNS providing the attackers full control of the vulnerable systems.
Log4j is used extensively, and this Remote Code Execution Vulnerability could affect millions of applications and devices. Log4j is included in thousands of enterprise applications across the stack and appliances with a web interface. Log4Shell also affects many systems that are internal to enterprise networks. APTs/Attackers already inside the network may leverage Log4Shell vulnerability of the internal systems. Log4j is also an embedded component of many Java-based OT/ICS hardware and software components. Billions of IoT devices built on Java may also be susceptible, and so are many of the networking appliances.
The vulnerability is severe enough for CISA, FBI, and NSA to release a joint Advisory stating “Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world; we implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks”.
Mass scanning attempts by threat actors to identify vulnerable systems are ongoing. In addition, botnets like Mirai, remote access toolkits, and reverse shells such as Meterpreter have expanded to leverage the Log4Shell vulnerability. Attackers are also finding new ways to exploit this vulnerability, for example, by exploiting internal systems in the Enterprise and leveraging these systems to conduct post exploitation activity.
Patching Log4Shell vulnerable applications will till take a long time and it may not even be possible for certain embedded systems. Existing detection methods rely on signatures and attackers have already started circumventing such simple detection methods by using payload obfuscation.
- Provide Visibility into Log4Shell Vulnerable Assets
- Actively protect Log4Shell Vulnerable Assets
- Generate Threat Intelligence
Visibility
The first step in combating Log4Shell vulnerability is the visibility of the affected systems.
Acalvio ShadowPlex provides a reliable, safe, and easy-to-deploy capability to automatically discover Log4Shell vulnerable assets across your IT, Cloud, IoT, and OT environments. A single click from the ShadowPlex admin console will discover the Log4Shell vulnerable assets. There are no scripts to run manually, and no cloud services are required for the setup.
Acalvio ShadowPlex does not require access to the asset’s filesystem, unlike traditional vulnerability scanners. Acalvio discovery approach works for any kind of remote service, device, or application without requiring any special asset access, firewall changes, or sensitive login credentials. Acalvio Log4Shell Visibility is designed to be safe for use in IT, OT, and IoT environments.
Asset Protection
Often vendors need time to create and test the Log4Shell vulnerability patches. Applications of patches can be very challenging in many mission-critical environments such as OT/ICS networks. Acalvio provides the ability to leverage deception deployment on and around the vulnerable assets to quickly detect and respond to Log4Shell exploit attempts.
An attacker/malware needs to attempt an exploit to determine whether a system is vulnerable. This provides an excellent opportunity to leverage the active defense and just-in-time deception platform to detect and respond to exploit attempts from inside the organization’s IT, OT, IoT, or Cloud environments.
Generate TI
Acalvio ShadowPlex platform can be leveraged to generate Threat Intelligence (TI) using deception technology. The TI is specific to Log4Shell exploits, including new obfuscation techniques and attacker-controlled IPs that can be blocked. Such TI can be very useful for MDR solutions and large enterprises to get ahead of the fast-moving Log4Shell exploit attempts.
ShadowPlex provides a comprehensive Active Defense solution to combat Log4Shell exploits, providing frictionless visibility of affected systems and effective deception-based detection that does not rely on signatures. These capabilities are included in the ShadowPlex solution and are available at no additional cost.
Authors
