Yesterday, 12/10/2021, a critical zero-day vulnerability in Apache Log4j (CVE-2021-44228), a widely used Java logging library, is being leveraged by attackers in the wild – for now, fortunately, primarily to deliver coin miners.
The SOC is fully engaged in building a comprehensive threat advisory, threat hunting queries, and working with several clients on the matter affected by related exploitation attempts observed in their environments.
We will continue to hunt for related Indicators of Compromise throughout client environments and scan for the vulnerability within our clients that have the Vulnerability Management Service.
We can confirm that the Stellar Cyber – BDS platform’s IDS engine has been updated with new IDS signatures that would trigger security detections on exploitation attempts observed in network traffic.
In addition, the CyFlare SOC has also built its threat hunting queries & custom alarm (ATH) rule to trigger a security detection on exploit attempts. The rule has been enabled and successfully operationalized.
Customers of applications leveraging Apache log4j should upgrade to the newest version immediately.
Since the original patch was discovered to be bypassed, in the interest of implementing as many protections against this vulnerability as possible, the following mitigations are also recommended:
- Disable suspicious outbound traffic, such as LDAP and RMI on server in PANW Firewall
- Disable JNDI lookup
- Remove the JndiLookup file in the log4j-core and restart the device
- Setup spring.jndi.ignore=true
Reference Links:
- https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
- https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
- https://logging.apache.org/log4j/2.x/security.html
- https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/
- https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
- https://www.sentinelone.com/blog/cve-2021-44228-staying-secure-apache-log4j-vulnerability/
Should you have any questions or concerns, please place a ticket with the SOC using socir@cyflarecom or call 877.729.3527 extension 2.
