The disclosure of the Log4j zero-day exploit, a.k.a. Log4Shell or CVE-2021-44228, at the end of 2021 set the cybersecurity world on fire. The vulnerability was characterized as one of the worst in history as it provided an open door to millions of network devices using the popular open-source Log4j software. Within a few days and weeks following the disclosure, the cybersecurity community has made much progress in identifying and countering this threat. Despite all the initial efforts, the general guidance is to remain vigilant and assume a long remediation journey across software suppliers, service providers, and security organizations.
About the Author
CEO & Founder of Dynamite Analytics
Oleg is a 20-year security software veteran leading Dynamite Analytics from its inception.
Log4j is a commonly used Java library for logging error messages in applications. It is used in enterprise software, including vendor products, in-house software applications, and cloud computing services. A Log4j library may be buried in multiple layers of software subcomponents built on top of each other. Internal remediation may get tricky when relying on 3rd parties to patch their products and services. There is a lingering risk of the unknown.
The Log4j exploit is a simple JNDI lookup, and it is easy to implement by cyber criminals. There is an ongoing avalanche of exploitation attempts relentlessly scanning for vulnerable devices all over the world. It is a matter of time until a vulnerable, publicly accessible system is compromised. Successful exploitations may lead to a variety of cyber-attacks, including ransomware, data theft, etc.
Plan of Action
- Scan your network environment – Use vulnerability scanners to identify Log4j vulnerabilities. Start with publicly facing systems. Use purpose-built scanners like log4j-scan and Huntress. Hire a 3rd party specializing in vulnerability assessments to perform deep web application scans.
- Detect Vulnerable Software – Search for Log4j libraries in all servers and applications. Use commercial or open-source scanning tools like Grype and Syft to inventory code libraries and their vulnerabilities.
- Upgrade Vulnerable Code – Apply the latest Log4j upgrades – currently: 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6).
- Patch Vulnerable Vendor Products – Identify all software vendor products in your environment. Research if any of these vendors have released information about the Log4j vulnerability. Review the list of known vulnerable vendors. Contact your software vendors regarding their remediation steps. Apply vendor patches.
- Monitor for Log4j Exploitations – Perform ongoing monitoring for exploitation and post-exploitation activities by paying special attention to Log4j’s JNDI exploit strings. Use purpose-built detections by endpoint and network security vendors.
Zeek and Suricata against Log4Shell
Dynamite’s network sensor, Dynamite Agent, is built on the industry-leading network traffic inspection technologies Zeek and Suricata. Zeek delivers network metadata, such as connection telemetry, application-layer transcripts and artifacts, going far beyond NetFlow and other types of flow data. Suricata complements Zeek with rule-based network intrusion alerts based on the top IDS signature dataset.
Both Zeek and Suricata can be very effective for monitoring Log4j exploitation attempts. Corelight has published a Zeek script that detects suspicious JNDI lookups via HTTP, DNS and other types of traffic. Emerging Threats open ruleset has been updated with the Log4Shell signatures for Suricata. Dynamite Agent 1.2 natively includes the Log4Shell threat detections.