Log4j/Log4shell is a remote code execution vulnerability (RCE) in Apache software allowing attackers unauthenticated access into the remote system. It is found in a heavily utilized java open-source logging framework known as log4j. The framework is widely used across millions of enterprise applications and therefore a lucrative target for threat actors to exploit. The availability of the POC exploit and ease of exploitation triggered the widespread exploitation attempts that we are now witnessing.
CVE-2021-44228 – Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation.
Should the vulnerability be present, an attacker might run arbitrary code by forcing the application or server to log a specific string. This string can force the vulnerable system to download and run a malicious script from the attacker-controlled system, which would allow them to effectively take over the vulnerable application or server.
A full technical analysis can be found here:
McAfee Advanced Threat Research: Log4Shell Vulnerability is the Coal in our Stocking for 2021
In this blog, we present an overview of how you can mitigate the risk of this vulnerability exploitation with McAfee Enterprise solutions. Due to the severity of this vulnerability and the observed exploitation attempts already taking place, the KB article linked below will be continually updated to communicate detailed actions to mitigate risk with McAfee Enterprise products. Subscribe to this KB article to receive updates pertaining to related coverage and countermeasures.
KB95091: McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution
Attack Chain and Defensive Architecture
Organisations preparing to defend against this threat needs to think beyond the initial access vector. What the vulnerability allows a threat actor to do is initially only connect to a remote endpoint and establish a beachhead. The attacker only gets a return on investment when they can exploit that initial foothold either to move laterally, execute additional payloads on the endpoint or attack other organisations as part of a botnet. Instead of just focusing on the initial access vector, let’s look at the entire defensive kill chain.
The impact on organisations varies between resource takeover, denial of service or data theft. Therefore, making visibility in attack patterns and trend via threat intelligence extremely critical. In addition, other attack vectors have been discovered which allows for local exploitation of the log4j library over WebSocket.
Let’s walk through the defense lifecycle in more details
Getting the Latest Threat Intelligence
Threat Intelligence is critical to adapt security controls and gain an understanding of attacker techniques and active campaigns exploiting the vulnerability
The MVISION Insights platform reports threat intelligence related to the Log4j attacks under the campaign name Log4Shell – A Log4j Vulnerability – CVE-2021-44228.
The Global Prevalence map snapshots captured on the 10th and 16th December 2021 demonstrates how impactful has being the vulnerability so far and how fast activity, both defender and attack, is increasing and spreading worldwide.
MITRE Techniques Observed:
- Exploit Public-Facing Application – T1190 (Initial Access)
- Exploitation of Remote Services – T1210 (Lateral Movement)
- External Remote Services – T1133 (Initial Access, Persistence)
- Resource Hijacking – T1496 (impact)
- Web Shell – T1505.003 (Persistence)
As we are writing this blog, on MVISION Insights there are 1,813 IOCs including MD5, SHA256, URL, IP, DOMAIN, HOSTNAME. In terms of Determinism, 1,632 are unique and 30 are commodity.
The top MD5 detected so far has been related to Kinsing (MD5: 648effa354b3cbaad87b45f48d59c616), a crypto miner with backdooring features. The file runs on Linux machines and has been uploaded on Virus Total for the first time in December 2020. Its detection increased by 161% between the 11th and the 15th of December 2021 and it is currently observed in 19 different countries. The log4j vulnerability is helping threat actors to push Kinsing malware via encoded payloads to vulnerable services exposed to the internet. And this is just the tip of the iceberg. We are actively monitoring for and analyzing new payloads.
The same unique indicator is also reported as part of other two threat campaign on MVISION Insights:
- Kinsing Malware Adds Windows to Its Target List
- Misconfigured Apache Hadoop YARN Exploited
Since April 2020, when the Kinsing crypto miner was discovered, further developments of the malware have occurred including a rootkit component and other features that make detection harder. Kinsing comes with multiple shell scripts that download and install the backdoor, miner, and rootkit alter the system itself.
The IP address 45.155.205[.]233 included within the MVISION Insights IOCs and used by threat actor as a log4j callback attack server has been detected 6,884 times by December 4th topping 15,106 detections by December 7th. Most detected countries included the United States, Turkey, Thailand, UK, Taiwan, and Italy.
MVISION Insights also includes indicators related to unique variants of MIRAI botnet that McAfee observed being leveraged by threat actors to exploit the log4j vulnerability.
Shell scripts are using wget and curl tools for external communication as part of the attack chains analyzed.
Latest updates highlighted Conti ransomware group actively leveraging the Log4Shell exploit to gain access to internal corporate resources and lunch their malicious payloads. But also, Khonsari group and state sponsored APT35 have been reported by researchers.
Determining your Asset Exposure
In this case, you should detect and prioritise internet facing applications running java-based web servers such as Apache Tomcat, either isolate or patch these resources. Run vulnerability scans for both monolithic and containerized workloads to build an inventory of assets that might be impacted.
Continuously discovers your cloud resources and can run vulnerability scans for Virtual Machines and Containerized workloads in the cloud. MVISION Cloud has the ability to build an inventory of running processes within workloads as part of it application control capabilities. If log4j is used as a separate package we will detect the vulnerability in both runtime and container registry. If the log4j is included in the java binary we will not be able to scan it.
Ensure you run configuration audits for cloud assets that allow unrestricted outbound access and does not use firewalls or NAT GW’s for outbound connections. Run configuration audits for secondary misconfigurations that might allow the attacker to exploit IAM to elevate privileges, gain persistence or takeover other resources.
Compares the available defensive capabilities on the endpoint to the attacker techniques, tools and IOC’s and highlights exposed endpoints.
You can perform real time searches in MVISION EDR to identify endpoints with Log4j binaries.
Blocking Exploitation Attempts
The attacker only succeeds if they can get to this stage so blocking outbound suspicious connections, preventing execution of additional payloads, and protecting credentials/auth tokens theft are things that could prove to be critical in defeating the attack. As part of the available threat intelligence attackers are using several post exploit methodologies to pivot from the original log4j injection vulnerability. This varies from misuse of resources with crypto miners, deploying malware, or exfiltrating sensitive information.
MVISION Cloud – Cloud Native Application Protection Platform (CNAPP)
Use Application Control (VM and Containers) to kill unverified server processes and payloads from executing.
OS Hardening (VM) – ensure that SE Linux state is enforcing
Use UCE URL filtering and Remote Browser Isolation to prevent browser-based exploit attempts over WebSocket and C2 attempts.
McAfee Endpoint Protection Platform
Use signature-based protection in ENS 10.7 to block known hashes of second stage malicious payloads. On December 12, 2021, McAfee Enterprise released V3 AMCore content 4648 (ENS) and V2 DAT 10196 (VSE). Generic detections are provided under the title Exploit-CVE-2021-44228.C.
In ENS (Endpoint Security) 10.7 update 4 and above, there is a powerful security feature available to every defender, which is the ability to trigger a memory scan from an Expert Rule. For more details on this capability, please see this blog post from our AC3 team
Additionally, it is recommended to enable the ENS ATP rules that prevent or detect post exploitation techniques such of second stage payload execution, credential dumping or encryption activity from ransomware, use of malicious tools or lateral movement.
Network Security Platform
An Emergency User Defined Signature has been written and tested by McAfee Enterprise to provide immediate protection against the Apache Log4j2 Remote Code Execution Vulnerability.
For details on latest signatures, please follow the KB…KB95091: McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution
Detecting and Hunting for Exploitation Activities
Assuming breach is critical especially if you know that you had exposed assets and therefore, build forensics and post exploitation detection techniques this includes exploitation of living of the land binaries (LOLBINS), credential dumping as well as using information such as known file hashes / hunting queries to query web server / reverse proxy/ Network IPS logs.
In addition to an Intelligence Summary, Insights provides exportable YARA rules to find additional Indicators of Compromise.
As mentioned above, you can leverage Real Time and Historical Search functionality to proactively identify vulnerable systems or post exploit activity such as…
- historical process execution spawning from Java as this could be a clear indicator that the parent java process was used to spawn additional malicious processes.
- monitoring for detection of threats emanating from assets running Java
- identify outbound communication attempts to known C2 domains through DNS or Web traffic
Identify Indicators of Compromise associated with exploit payloads
Data Exfiltration Visibility and Control with Cloud Security
Along with control on the endpoint, visibility into attacks and where data is being uploaded is also critical to stopping Data Exfiltration. Mapping threats to the MITRE ATT&CK Framework will provide visibility into ongoing attacks happening in the cloud and where security controls can be improved to stop future attacks.
Another critical method to stopping the exfiltration of data is putting restrictions against data uploads to non-sanctioned cloud storage. Limiting data uploads to only sanctioned Cloud Service Providers can stop external and insider threats from transferring data to Cloud Services that are questionable or not sanctioned. The Cloud Registry within MVISION Cloud/Unified Cloud Edge will provide ratings for well over 25,000 Cloud Service Providers so restrictions can be placed on CSPs with high risks or attributes that put company data at risk.
The current situation is dynamic and our resources to help you understand the attack and mitigations available are also evolving. For the latest updates on McAfee Enterprise threat intelligence and defender resources please continue to follow these sites
MCFE Log4Shell Vulnerability KB: https://kc.mcafee.com/corporate/index?page=content&id=KB95091
MCFE Log4Shell Security Bulletin: https://kc.mcafee.com/corporate/index?page=content&id=SB10377
MCFE Log4Shell Vulnerability Blog: https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/log4shell-vulnerability-is-the-coal-in-our-stocking-for-2021/
MCFE Log4Shell Exploit Demonstration by McAfee ATR: https://www.linkedin.com/posts/mcafeeenterprise_cve-2021-44228-log4shell-exploitation-activity-6876241150219485184-URLE
MCFE LinkedIn Live Customer Briefing: https://www.linkedin.com/posts/mcafeeenterprise_mcafee-enterprise-atr-explore-the-internet-breaking-activity-6876614287197122560-wNuD
FEYE Log4Shell Vulnerability KB: https://community.fireeye.com/s/article/000003827