Critical Apache Log4j/Log4Shell Zero-Day Vulnerability – Securonix Detection and Recommendations

Threat Research
Share

As the situation develops the latest information can be found here.

The attacks against the critical Log4j/Log4Shell Zero-Day Vulnerability (CVE-2021-44228) are continuing to evolve. The Securonix Threat Research Team is constantly publishing updated content to help our customers and partners detect, mitigate, and respond.

Due to the extreme and broad-reaching impact of the Log4j/Log4Shell vulnerability, Securonix is offering our current SaaS customers free use of Securonix Autonomous Threat Sweeper capabilities for a limited time.  Please contact your Customer Success Manager or Service Delivery team to request assistance.

The content released by Securonix Threat Labs includes:

  • Detection rules to actively monitor existing and new variants of attack against the log4j vulnerability
  • Search queries to go back in time and look for any suspicious activity or exploit attempts
  • List of updated indicators of compromise identified till date by Securonix related to the vulnerability

Update: December 29, 1:00 PM PT

A new Log4j2 vulnerability (CVE-2021-44832) that uses JDBC Appender has been reported [1]. The new Log4j2 vulnerability targets Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) that are vulnerable to remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and
2.3.2.
– The complexity of this vulnerability is relatively higher than the original CVE-2021-44228 since it requires the attacker to have control over the configuration. Specifically, in log4j, there is a feature to load a remote configuration file or to configure the logger through the code, so a Remote Code Execution (RCE) could be achieved, e.g. through a MITM attack, with user input ending up in a vulnerable configuration variable, or modifying the config file.
– This vulnerability doesn’t use the disabled JNDI lookup feature directly but does share some common behaviors with the earlier log4j attack vectors, i.e., using a JNDI URI to download malicious Java class code.

Based on our initial analysis, the existing Securonix log4j threat content should help detect the malicious attack activity associated with the new attack vector.

Reference:
1. Apache Log4j Security Vulnerabilities https://logging.apache.org/log4j/2.x/security.html

Update: December 28, 3:00 PM PT

A new attack vector targeting Apache Log4j v2.x, including v2.17.0, is reported, and an updated Apache Log4j v2.17.1 is released. Based on our initial analysis, the existing Securonix log4j threat content should help detect the malicious attack activity associated with the new attack vector.

Update: December 22, 9:00 PM PT

Updated policies  – The file attached includes the latest list of queries to help customers go back in time and search for exploit attempts – log4j_detection_rules_policies.pdf

Update: December 22, 4:00 PM PT

As the Securonix Threat Research Team continues to monitor the evolving log4j attacks, we want to make our customers aware that a new Windows Active Directory domain service privilege-escalation vulnerability, combined with the log4j vulnerability, make domain takeover much easier.

Windows Domain Controllers are Under Threat

Microsoft urged organizations to immediately patch CVE-2021-42287 and CVE-2021-42278, both of which were fixed in its November 2021 Patch. These vulnerabilities when unpatched can easily give attackers admin privileges to Windows Active Directory.

They are called “Windows Active Directory domain service privilege-escalation” by Microsoft and they have a criticality score of 7.5 out of 10. These vulnerabilities combined are straightforward to exploit on their own. But Windows Active Directory domain service privilege-escalation vulnerability combined with the log4j vulnerability make domain takeover much easier.

Securonix has delivered the below policy for 6.3 and 6.4 customers to help detect the exploitation of this vulnerability.

Potential Privilege Escalation SamAccountName Spoofing Analytic

Spotter Query: index=activity and rg_functionality = “microsoft windows” and baseeventid = 4781 and devicecustomstring3 ends with “$” and devicecustomstring5 not ends with “$”

 

Update: December 21, 4:00 PM PT

Updated Spotter queries – The file attached includes the latest list of queries to help customers go back in time and search for exploit attempts – Log4j Vulnerability – Spotter queries.pdf

Update: December 19, 9:00 AM PT

Updated Policies – See below list of all policies shared by Securonix Threat Labs till date:

 

Functionality Policy Name SignatureId
Web Server Possible CVE-2021-44228 Exploitation Attempt URI Analytic WEB-ALL-811-RU
Web Proxy Possible CVE-2021-44228 Exploitation Attempt URI Analytic – Web Proxy PXY-ALL-912-RU
Web Application Firewall Possible CVE-2021-44228 Exploitation Attempt URI Analytic – Web Application Firewall IFW-ALL-1153-RU
Next-Generation Firewall Possible CVE-2021-44228 Exploitation Attempt URI Analytic – Next-Generation Firewall IFW-ALL-1154-RU
Web Server Possible CVE-2021-44228 Exploitation Attempt UserAgent Analytic WEB-ALL-799-RU
Next-Generation Firewall Possible CVE-2021-44228 Exploitation Attempt UserAgent Analytic -Next-Generation Firewall IFW-ALL-799-RU
Web Application Firewall Possible CVE-2021-44228 Exploitation Attempt UserAgent Analytic -Web Application Firewall IFW-ALL-1152-RU
Web Proxy Possible CVE-2021-44228 Exploitation Attempt UserAgent Analytic -Web Proxy PXY-ALL-799-RU
Web Proxy Possible CVE-2021-44228 Exploitation – Unusual Download Attempt From Log4j Logging Server Analytic – Web Proxy PXY-ALL-915-RU
Next-Generation Firewall Possible CVE-2021-44228 Exploitation – Unusual Download Attempt From Log4j Logging Server Analytic – Next-Generation Firewall IFW-ALL-1156-RU
Web Proxy Possible CVE-2021-44228 Exploitation – Rare Download Attempt From Log4j Logging Server Analytic – Web Proxy PXY-ALL-913-ERR
Next-Generation Firewall Possible CVE-2021-44228 Exploitation – Rare Download Attempt From Log4j Logging Server Analytic – Next-Generation Firewall IFW-ALL-1157-RU
Web Proxy Network Application Port Mismatch Analytic – Web Proxy PXY-ALL-914-RU
Next-Generation Firewall Network Application Port Mismatch Analytic – Next-Generation Firewall IFW-ALL-1155-RU
Microsoft Windows Potential Privilege Escalation SamAccountName Spoofing Analytic WEL-ALL-982-RU
IDS / IPS / UTM / Threat Detection Possible CVE-2021-44228 Exploitation -Log4j related signature detection – IDS-IPS IDS-ALL-808-RU
Antivirus / Malware / EDR Possible CVE-2021-44228 Exploitation -Log4j related signature detection – EDR EDR-ALL-905-RU
Cloud Antivirus / Malware / EDR Possible CVE-2021-44228 Exploitation -Log4j related signature detection – Cloud EDR CEDR-ALL-905-RU
Web Application Firewall Possible CVE-2021-44228 Exploitation -Log4j related signature detection – Web Application Firewall IFW-ALL-1154-RU

 

Updated Spotter queries – 

The file attached includes the latest list of queries to help customers go back in time and search for exploit attempts – Log4j Vulnerability – Spotter queries.pdf


 

Update: December 18, 8:00 PM PT

An additional attack vector associated with CVE-2021-44228 that uses a client-side exploit/web-sockets was reported by Blumira. Based on our initial analysis of the attack vector, some of the existing Securonix detections, including:

  • Unusual LDAPs Network Connection From Java Application
  • Suspicious Process Launched by Log4j Logging Server Executable Analytic
  • Unusual Download Attempt From Log4j Logging Server Analytic

and other log4j exploitation detection policies listed below should help detect the activity associated with this attack vector. Please ensure the corresponding detections policies are downloaded and enabled. 

Securonix Threat Labs is further researching this attack vector. If required, based on the learnings, we will provide additional detections policies.


 

Update: December 17, 10:00 PM PT

New Log4j vulnerability exploitation detection policies

  • Possible CVE-2021-44228 Exploitation Attempt UserAgent Analytic
  • Possible CVE-2021-44228 Exploitation Attempt UserAgent Analytic -Next-Generation Firewall
  • Possible CVE-2021-44228 Exploitation Attempt UserAgent Analytic -Web Application Firewall
  • Possible CVE-2021-44228 Exploitation Attempt UserAgent Analytic -Web Proxy

Beta policies for Log4j vulnerability exploitation detection based on signatures

  • Possible CVE-2021-44228 Exploitation -Log4j related signature detection – IDS-IPS
  • Possible CVE-2021-44228 Exploitation -Log4j related signature detection – EDR
  • Possible CVE-2021-44228 Exploitation -Log4j related signature detection – Cloud EDR
  • Possible CVE-2021-44228 Exploitation -Log4j related signature detection – Web Application Firewall

 


Update: December 17, 9:00 AM PT

Updated Doc: Log4j Vulnerability – Spotter queries


 

Update: December 16, 8:00 PM PT

The threat labs team has released new policies to detect anomalies post-exploitation of log4j vulnerability.

  1. Potential Privilege Escalation SamAccountName Spoofing Analytic
  2. Network Application Port Mismatch Analytic – Next-Generation Firewall
  3. Network Application Port Mismatch Analytic – Web Proxy
  4. Possible CVE-2021-44228 Exploitation – Unusual Download Attempt From Log4j Logging Server Analytic – Web Proxy
  5. Possible CVE-2021-44228 Exploitation – Unusual Download Attempt From Log4j Logging Server Analytic – Next-Generation Firewall
  6. Possible CVE-2021-44228 Exploitation – Rare Download Attempt From Log4j Logging Server Analytic – Next-Generation Firewall
  7. Possible CVE-2021-44228 Exploitation – Rare Download Attempt From Log4j Logging Server Analytic – Web Proxy

 

Update: December 16, 9:00 AM PT

Policy Updates:

Updated Policies in 6.4:

The existing policies were updated for new regex matches based on Threat Research on how the vulnerability is being exploited. 

URI-Based Policies:

  • Possible CVE-2021-44228 Exploitation Attempt URI Analytic – Web Server
  • Possible CVE-2021-44228 Exploitation Attempt URI Analytic – Web Proxy

User Agent-Based Policies:

  • Possible CVE-2021-44228 Exploitation Attempt UserAgent Analytic
  • Possible CVE-2021-44228 Exploitation Attempt UserAgent Analytic -Next-Generation Firewall
  • Possible CVE-2021-44228 Exploitation Attempt UserAgent Analytic -Web Application Firewall
  • Possible CVE-2021-44228 Exploitation Attempt UserAgent Analytic -Web Proxy

New Policies

URI based analysis for NextGen Firewall and web application firewall

  1. Possible CVE-2021-44228 Exploitation Attempt URI Analytic – Next-Generation Firewall
  2. Possible CVE-2021-44228 Exploitation Attempt URI Analytic – Web Application Firewall

Indicators of Compromise (CVE-2021-44228)

Securonix has been actively monitoring and investigating the critical Log4j/Log4Shell Zero-Day Vulnerability (CVE-2021-44228) to help our teams and customers detect, mitigate, and respond. This repository provides new or existing indicators of compromise identified by Securonix related to this vulnerability. Additionally, spotter Queries are hosted on-demand for your reference and will be updated regularly as the team determines new intelligence.

Github linkhttps://github.com/Securonix/AutonomousThreatSweep/tree/main/Log4Shell

Spotter Queries

These queries will help customers go back in time and search for exploit attempts. (File updated Dec. 17, linked to above.)

 


 

Update: December 15, 9:00 AM PT

First Posted: December 13

Securonix Threat Labs R&D/Threat Research Team has been actively monitoring and investigating the critical Log4j/Log4Shell Zero-Day Vulnerability (CVE-2021-44228) to help our teams and our customers detect, mitigate, and respond.

You may already be receiving communication from your Customer Success Managers with updates about how Securonix is managing the Log4j vulnerability situation. Those include the steps and measures we are taking to ensure our products are secured against this emerging threat. Securonix Threat Labs is also working on content to support our customers in their efforts to detect and respond to attacks leveraging the Log4j vulnerability. Below is the brief summary for your reference.

Securonix Threat Labs is noticing different variations on how the vulnerability is being exploited. As we learn more about these variations we will be continuously updating our content to better support our customers. Please look out for additional ongoing communication from us.

Securonix Content Update for Customers

Securonix threat labs has been researching this vulnerability and associated threats. Initial detection rules have been published to the content library. Additionally, customers using Securonix Autonomous Threat Sweep have their logs already being scannedfor IOCs associated with these CVE exploits.

Our CSE team is also working to push the new content to customers running on 6.31 as we speak.

6.3 on-premises customers can follow the documentation we created to create the detection policies. Customers can connect with their Customer Success Managers to ensure they get the Log4j related content deployed.

 

Policies that are committed to the content library.

Threat labs has finished committing the following policies to the content library.

Policy 1:

Possible CVE-2021-44228 Exploitation Attempt URI Analytic

Possible CVE-2021-44228 Exploitation Attempt URI Analytic – Web Proxy

Policy 2:

Possible CVE-2021-44228 Exploitation Attempt UserAgent Analytic

Possible CVE-2021-44228 Exploitation Attempt UserAgent Analytic -Next-Generation Firewall Possible

CVE-2021-44228 Exploitation Attempt UserAgent Analytic -Web Application Firewall Possible

CVE-2021-44228 Exploitation Attempt UserAgent Analytic -Web Proxy

Securonix has also developed and shared spotter queries to help customers identify the footprint of log4j in their environment. We will continue to update this content.

 

Next Step

  • We are working on a Securonix Security Advisory (SSA) with more details on the vulnerability and associated threats.

 

Mitigation Recommendations

Investigate internal and third-party usage of Log4j in your environments and take immediate mitigation/remediation actions:

Update to Log4j 2.15.0 urgently, if possible. If it’s not possible to update, the Apache Foundation recommends the following mitigations:

  • Log4j 2.10 or greater – add -Dlog4j.formatMsgNoLookups=true as a command-line option or add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath.
  • Log4j 2.7 or greater may specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages.
  • Remove the JndiLookup and JndiManager classes from the log4j-core jar. Removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.

 

Additional Observations

  • As part of our continuous security monitoring over the weekend, we’ve identified some additional real-world log4shell attack instances that leverage more security product evasions targeting log4j.Some examples include ${${::-, \/?x=${jndi:ldap:\/\/, and other attack vectors.
  • We are seeing more attacks leveraging urls vs. http headers.
  • Based on the preliminary analysis, most of these attack vectors should be addressed by our updated detection/policies developed on Friday/Saturday.
  • We are continuously working on content updates to ensure security detection coverage for the additional log4j attack variants.