News

December 2021 – ASK4Key Threat Advisory

Global Threat Intelligence

 TLP:

 White

 A4K-ISAC Advisory Number:

 2021-101

 Author:

 Ikbal (ASK4Key)

ABSTRACT

The problem is with Log4j, a ubiquitous open-source Apache logging framework that developers use to record activity in their applications. Security analyst are working to fix bugs that could easily be exploited to remotely control vulnerable systems. At the same time, hackers are actively scanning the Internet for affected systems. Some have already developed tools that try to exploit bugs automatically, or worms that can spread from a vulnerable system to another under the right conditions. Log4j is a Java library, and although programming languages are not very popular with consumers these days, they are widely used in enterprise systems and web applications. Many researchers they expect many mainstream services will be affected.

SUBJECT

! Apache Log4j Vulnerabilities Unauthenticated Remote Code Execution

Log4J aka Log4Shell first Vulnerability CVE-2021-44228 and follow up vulnerability CVE-2021- 45046

OVERVIEW

On December 10, a remote unauthenticated vulnerability CVE-2021-44228 was published to the public and the PoC code (Proof of Concept) also had been circulated. Further to this, we have found the flaw is actively exploited until this day.

VERSION AFFECTED

Apache Log4j version 2.0-beta9 – 2.14.1 CVE-2021-44228

Apache Log4j version 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 CVE-2021-45046

•Note: affected organizations that have already upgraded to Log4j 2.15.0 will need to upgrade to Log4j 2.16.0 to be protected against both CVE-2021-44228 and CVE-2021-45046.

MITIGATION

CVE-2021-44228 CVE-2021-45046

•Install a WAF with rules that automatically update.

•Temporary Mitigation: Set log4j2.formatMsgNoLookups to true by adding – Dlog4j2.formatMsgNoLookups=True to the Java Virtual Machine command for

Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

Log4j 2.x mitigation: Implement one of the mitigation techniques below.

Java 8 (or later) users should upgrade to release 2.16.0.

Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).

Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j- core-*.jar org/apache/logging/log4j/core/lookup/ JndiLookup.class

Note: only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.

Log4j 2.x mitigation: Implement one of the mitigation techniques below.

Java 8 (or later) users should upgrade to release 2.16.0.

Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).

Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j- core-*.jar org/apache/logging/log4j/core/lookup/ JndiLookup.class

Note: only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

ASK4KEY COMMENT

All ASK4Key customers are advised to test which of their internal apps and servers utilize the Log4j Java library, check if systems are vulnerable to the Log4Shell exploit, and patch affected servers.

A mitigation steps also necessary to reduce the risk of the attacks as we have seen a significant number of attacks targeting South East Asian countries comprising of all types of sectors.

Take note that these types of vulnerabilities not only limited to servers but also may include endpoint (end users) that may already installed Oracle application which specifically nested .jar. For Windows

machine, normally residing in C:\Program Files (x86)\\Common Files \\Oracle\\Java\\javapath\\javaw.exe.

All ASK4Key customers also can utilized any AntiVirus / Security Tools product to scan for hashes or

.jar files name to find the vulnerable log4j-core JAR files. For Elastic SIEM users, if you do have a SIEM Elastic Agent installed, you can perform a query by copying a ruleset from https://www.elastic.co/blog/detecting-log4j2-with-elastic-security.

Also, if you do have a Network Detection of Response (Extrahop), you can easily spot the attack and the vulnerable path residing in your network. A Reveal(x) Extrahop NDR normally saves transaction records and it can be searched for JNDI calls, which can provide a starting point for investigating potential exploit attempts. Tips in finding the attacks by looking at port 80 and 443 with JNDI calls.

Worst case scenario is when if your organization is already compromised with these vulnerabilities with Cryptomining or Ransomware, do isolate the host immediately and activate your Incident Response Playbook. If your organization need our help in investigating, mitigating or remediating pertaining to these vulnerabilities, please do reach us out at [email protected]

SIDE NOTE

Attached herewith a list of IP addresses of exploitation attempts and .jar vulnerable hashes. Also included, vendor list for reference.

REFERENCES

https://logging.apache.org/log4j/2.x/security.html
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

https://www.elastic.co/blog/detecting-log4j2-with-elastic-security

https://www.extrahop.com/company/blog/2021/log4j-security-exploit/

CREDITS (Hashes, Vendor List & IPs):

Blotus

Xanda

Kevin

DISCLAIMER

GTI analyst at ASK4Key IT Security Department highlight and provide context to current media trends each month as they analyse and encapsulate the events in cyber security. Topics selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats. ASK4Key GTI analyst does not specially endorse any third-party claims made in this material or related links, and the opinions expressed by third parties are theirs alone. The enclosed ASK4Key GTI comments and accuracy rankings are based on information available at the time of publication, and ASK4Key GTI reserves the right to hone its analytical perspective as the threats evolve and as further intelligence is made available.

Below is zip file of Log4j vulnerabilities information content Log4j hashes and it java library that is effected .

https://www.dropbox.com/s/5fl6ahmg98vxw9d/Log4j%20vulnerabilities%20information.zip?dl=0