Note: this blog has been updated on December 20, 2021, and we will continue to make updates as more technical information becomes available

Exploit Background
The Log4j exploit is a vulnerability in an open source Apache logging framework that allows attackers to gain arbitrary execution abilities on an affected device. Used commonly in modern Java applications (even some non-enterprise applications like Minecraft), services are scrambling to defend against this vulnerability. Earliest evidence of this exploit was found December 1st, according to Cloudflare CEO Matthew Prince.

This vulnerability can be exploited through sending a single crafted string that is then logged by versions 2.0 and up of Log4J. Users on Twitter, Minecraft, and iCloud have been seen changing their usernames or posting chat messages that include the string, successfully gaining access. The exploit can also be used to read server environment variables, which can read static credentials in some cases without full remote code execution.

The situation with this exploit is currently ongoing as researchers continue to find affected applications and further holes in the logging framework. Some have dubbed this situation ‘Log4Shell’. More information on this CVE can be found here.

Currently, the Log4J vulnerability is causing a sharp uptick in traffic with the triggering string. Though most hosts are able to fight against it by layering security measures, discontinuing use of some Java applications, or dropping/banning traffic, others are scrambling to review their assets for any inclusion of Log4J or components using the framework.

An arbitrary execution can result in catastrophic damage, as it allows for near full access to all server resources. After successfully triggering the vulnerability, attackers can upload scripts to the server that can retrieve files, use the server for DDoS attacks, monitor the server, and more.

Needless to say, this sort of vulnerability has been classified as a Critical or 10.0 severity on CVSS version 3 and is highly dangerous. As a result, we have put together some automation and this release to help our customers.

Automation Logic

  • Detection
    In response to this vulnerability, we have implemented some logic to detect it in customer instances. This detection first searches out items using LDAP and certain ports associated with LDAP. It will also search for unusual URIs (which would find instances of attempts using the custom string). After assigning scoring and sorting by least frequent/unusual hosts, cases are created for triage.

  • New Release
    In our new release, Milestone 86, we’ve implemented the Apache-recommended fix to prevent attempts against our instances. We’ve also done thorough checks of customer instances and done reviews of known customer assets for notifications.

    The Apache recommendation, though followed for this article, has since been invalidated by Apache and continues to be vulnerable. A later release is in progress to further patch issues related to Log4J. Please keep an eye on our latest releases page for details.

Within LogicHub, please ensure you keep up on our latest instance version releases as they become available. We will continue to monitor for additional instances of this activity and new attacks under the Log4j vulnerability umbrella.

Please also follow the advice given under the Apache remediation page for devices that are not running LogicHub instances. Please see Sources in this release for more information.

Relevant Sources and Further Reading
Watch LogicHub’s coverage of Log4J Library Zero-Day on LogicHub’s Monthly Security RoundUp.

Read LogicHub's December’s Monthly Security Roundup to get more information about other threats we’re finding in the wild.

Join us on the 15th of each month @ 10:00am PT/ 1:00pm ET for LogicHub’s Monthly Security RoundUp on the LogicHub webinar channel.

Proof of Concept:

Demo from Marcus Hutchins (MalwareTechBlog):

Article from Wired (for a user-friendly understanding of how this is affecting the internet as a whole):

LogicHub Milestone 86 Release Notes:

Apache Logging Security Vulnerabilities (includes mitigations and other information):


Related Posts

September 13, 2022 Kumar Saurabh

Why No Code Solutions Are a Double-Edged Sword

Most out-of-the-box security automation is based on a simple logic — essentially, if “this”...

Learn More

August 16, 2022 Willy Leichter

Understanding MDR, XDR, EDR and TDR

A program with proper threat detection and response (TDR) has two key pillars: understanding the...

Learn More

August 9, 2022 Willy Leichter

Intuition vs. Automation: What Man and Machine Bring to Data Security

Cybersecurity experts Colin Henderson and Ray Espinoza share their take on the automation-driven...

Learn More

August 2, 2022 Anthony Morris

Using AI/ML to Create Better Security Detections

The blue-team challenge Ask any person who has interacted with a security operations center (SOC)...

Learn More

July 26, 2022 Willy Leichter

How to Select the Right MDR Service

It can be difficult to understand the differences between the various managed detection and...

Learn More

July 21, 2022 Willy Leichter

The Evolving Role of the SOC Analyst

As the cyber threat landscape evolves, so does the role of the security operations center (SOC)...

Learn More

July 19, 2022 Kumar Saurabh

Life, Liberty, and the Pursuit of Security

As cyber threats evolve, organizations of all sizes need to ramp up their security efforts....

Learn More

July 15, 2022 Tessa Mishoe

LogicHub Security RoundUp: July 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be...

Learn More

July 12, 2022 Willy Leichter

Security Tools Need to Get with the API Program

No cloud API is an island The evolution of cloud services has coincided with the development of...

Learn More

July 6, 2022 Willy Leichter

Why the Rush to MDR?

LogicHub recently published a survey conducted by Osterman Research, looking at changing trends and...

Learn More