Log4Shell Vulnerability – Detection, Remediation and Next Steps

Vulnerability Log4Shell is the latest and most dangerous vulnerability in the cyber threat landscape. Read CTRL Group's recommendations here.

The Log4Shell Vulnerability, also known as CVE-2021-44228, was disclosed on Friday, December 10, after nine days of “in the wild” exploitations with no remediating patches available. It received a “perfect” severity rating – 10/10 – as it affects countless internet-facing machines.

Log4Shell Vulnerability – What is it?

In a nutshell, the vulnerability has to do with the way the Java Naming and Directory Interface (JNDI) feature resolves variables. This interface is triggered when it receives a log message that specifies a formatting string “${}”. This string initiates a function that’s instructed to retrieve and execute a file from a remote location. Attackers change that remote location to one that allows them to control the commands. The vulnerability exists in an open-source logging library called “log4j”, which is extremely popular due to the fact that almost every security system worldwide runs a type of logging service (a list of activities applications ran which can be inspected if needed, e.g., if there’s a system error). The perfect severity rating suggests that the vulnerability is easily exploitable and can allow an attacker to gain full control permissions on the target machine. It also can be exploited with or without authentication

Vulnerability – Detection and Remediation

In order to detect whether or not your network is vulnerable to this threat, CTRL Group advise using this vulnerability tester, built by Huntress Labs – https://log4shell.huntress.com. It offers a quick and simple test specifically for your network.

For remediation purposes, the best way to make sure your systems are patched against this threat is by upgrading your vulnerable systems to Apache Log4j version 2.15.0.

If that is not achievable as soon as possible, other temporary mitigation steps are available for your organisations. They are as below:
– Scan your environment for vulnerable machines.
– Be on the lookout for any unauthorised configuration changes.
– Search for odd or abnormal traffic patterns that might imply an attacker is inside your network. Specifically, variations of the phrase “${jndi:”, which precedes the attackers’ internet address. If this phrase was found on your network, CTRL Group advises initiating a full scan of the compromised network.

In previous releases of the Apache Log4j (2.10 and earlier), the threat can also be mitigated by setting the system property “log4j2.formatMsgNoLookups” to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Since the discovery of this vulnerability on Friday, attackers have begun exploiting it in droves. There are already sightings of networks compromised to install cryptominers, ransomware or botnets for future access to the network, even after the patching is completed.

Next Steps against Log4Shell Vulnerability

CTRL Group predict that cybercriminals will continue to try and exploit this vulnerability in any unpatched environment for the foreseeable future. Any organisation that will not patch its vulnerable systems as soon as possible will most likely be breached, therefore we expect a surge in ransomware attacks and data theft against vulnerable environments. Furthermore, any information that was stolen from companies that were already breached will soon be offered for sale on the dark web.

If you require any assistance, please reach out to CTRL Group at [email protected]

 

BY CYBER THREAT INTELLIGENCE ANALYST, Yonatan Zuriel