ENGLISH
23.12.2021
Mitigating Log4Shell in Log4j with Group-IB
A widespread, critical and easy-to-exploit vulnerability that has been discovered in Apache Log4j, a commonly used logging tool. MITRE has designated this vulnerability as CVE-2021-44228 and has given it the highest possible CVSS severity scroe of 10.0.
Below you can find Group-IB's recommendations to mitigate this vulnerability and protect your organization.
Below you can find Group-IB's recommendations to mitigate this vulnerability and protect your organization.
What is the Log4Shell vulnerability?
A deserialization vulnerability in the Log4j logging tool, used to aid in debugging and metrics, has been discovered and requires immediate attention from security teams in organizations of every size and industry. Log4j is not a distinct application, it is a software component and is available in a variety of different services, this makes identifying and patching vulnerable versions of Log4j within an organization challenging. Furthermore, even if publicly accessible applications are not vulnerable, logging services downstream can be compromised by the exploit.
To date most known Log4j attacks have been automated and exploratory, however it is believed that ransomware gang's, such as Conti, may have begun using the exploit for lateral movement.
Organizations are urged to perform mitigating actions as soon as possible to prevent:
· Disruption to operations
· Reputational damage
· Response and recovery costs
· Disclosure announcements if there is a breach
"[CISA] strongly urges every organization large and small to follow the federal government's lead and take similar steps to assess their network security and adapt the mitigation measures outlined in our Emergency Directive. If you are using a vulnerable product on your network, you should consider your door wide open to any number of threats." - CISA Director Jen Easterly
To date most known Log4j attacks have been automated and exploratory, however it is believed that ransomware gang's, such as Conti, may have begun using the exploit for lateral movement.
Organizations are urged to perform mitigating actions as soon as possible to prevent:
· Disruption to operations
· Reputational damage
· Response and recovery costs
· Disclosure announcements if there is a breach
"[CISA] strongly urges every organization large and small to follow the federal government's lead and take similar steps to assess their network security and adapt the mitigation measures outlined in our Emergency Directive. If you are using a vulnerable product on your network, you should consider your door wide open to any number of threats." - CISA Director Jen Easterly
Group-IB's recommendations
Remediation:
· Update and patch impacted applications where possible within 24 hours.
Workarounds and mitigations:
· Prohibit Internet network communication for important information systems by direct TCP/UDP and HTTP protocols. It is a primary way to deliver payload to the system. Prohibiting communication disables the full killchain, even if an attacker is able to exploit the initial stage by poisoning the logs.
· Restrict DNS resolution on important systems, potentially use static host files. While such systems can have TCP/UDP/HTTP protocols already disabled, sometimes attackers can leverage the DNS exfiltration technique to get access to critical segments.
· Examine components lists of the products and services used in the organization to detect Log4j Library usage. Update the library
· Examine your logs for exploitation traces with Yara rules. If something is found, examine successful network communications with the domain names listed in the traces.
· Update and patch impacted applications where possible within 24 hours.
Workarounds and mitigations:
· Prohibit Internet network communication for important information systems by direct TCP/UDP and HTTP protocols. It is a primary way to deliver payload to the system. Prohibiting communication disables the full killchain, even if an attacker is able to exploit the initial stage by poisoning the logs.
· Restrict DNS resolution on important systems, potentially use static host files. While such systems can have TCP/UDP/HTTP protocols already disabled, sometimes attackers can leverage the DNS exfiltration technique to get access to critical segments.
· Examine components lists of the products and services used in the organization to detect Log4j Library usage. Update the library
· Examine your logs for exploitation traces with Yara rules. If something is found, examine successful network communications with the domain names listed in the traces.
Group-IB offers a range of products and services to help organizations that need assistance:
Further information
Group-IB products, services and infrastructure have been verified as safe and not vulnerable to this exploit.
Useful links and references:
· CISA vulnerability guidance
· NCSC board guidance
· NIST vulnerability database
· MITRE vulnerability information
· Apache Log4j support
Useful links and references:
· CISA vulnerability guidance
· NCSC board guidance
· NIST vulnerability database
· MITRE vulnerability information
· Apache Log4j support
Adversary-centric detection of targeted attacks and unknown threats
Share
Prevention
Response
Investigation
Products
Company
