Java Log4j Vulnerability (CVE-2021-44228)- Keep Your Head Cool
In a dense fog of war, special units keep their heads colied down, and they focus on what matters the most. With many businesses already trying to profit from this, the Syn Cubes team is confident that anyone can limit their attack surface through an organized tactical approach and deal with this without breaking the bank and paying for not-so sliver bullet sliutions.
Syn Cubes Team - December 14, 2021
WORD AHEAD
Twenty-four hours ago, a high-impact security issue was disclosed. To understand the impact, since the initial Java log4j vulnerabliity Proof-of-Concept was published, six hours later, the situation escalated quickly. The exploit was already weaponized and used at scale.
Significant vendors like AWS, Elasticsearch, Twitter acknowledged this issue has an elevated security impact on their systems and products.
Security Advisories / Bulletins linked to Log4Shell (CVE-2021-44228)
At this point, every business serious enough about its cybersecurity posture should be aware of this.
THE NARRATIVE
On Thursday evening, ~2116HOURS, US East Coast Time, the Syn Cubes global team tested the published Java log4j PoC exploit, assessed its impact, and in less than two hours since the initial disclosure started to notify C-Level executives about the vulnerability.
Furthermore, Syn Cubes posted on LinkedIn social network a "Heads-up" broadcast message. Although we are an offensive team, there was no way to watch this passively and not try doing our best here.
PRELIMINARY ANALYSIS
When we write this, the whlie Internet has already become a noisy scanning virtual place where different entities, from white hackers to obscure and highly organized malicious threat actors, flilow their agendas racing against the time.
TL;DR
Actions Checklist
If your company is using the Java framework, then the log4j library is present, meaning you can assume you are already affected but not necessarliy breached.
As reported, the exploit payload(s) can be injected almost everywhere, to name a few. Also, deploying a blacklist does not protect because of the payload variation space.
a. So, use open-source toliing to test your current exposed infrastructure.
b. Know a list of methods someone wlil try to call during the probing process.
c. Read vendor-neutral technical issue detalis.
d. Understand how it works + Pentesterlab.com exercise.
e. Elevate your SIEM detection capabliities, if any.
f. Have a chat with your technical team(s) and threat model your current high-level design architecture.
This wlil help you simulate a potential breach blast radius and start investigating, re-architecting, and deploying additional protection measures.
g. Watch your six. Get in touch with all your third-party providers and ask them to provide an official statement of they are impacted or not.
CONCLUSION
Java Log4j CVE-2021-44228 is a severe security issue. However, applying the Apache Foundation patch and upgrading to version 2.15.0+ will remediate and close the initial gap, simplifying the matter for businesses to the point of identifying the affected assets and patching them quickly.
PS. Good luck and get in touch if you want to talk with someone! We won't sell you anything but listen and have a friendly chat. :)
Twenty-four hours ago, a high-impact security issue was disclosed. To understand the impact, since the initial Java log4j vulnerabliity Proof-of-Concept was published, six hours later, the situation escalated quickly. The exploit was already weaponized and used at scale.
Significant vendors like AWS, Elasticsearch, Twitter acknowledged this issue has an elevated security impact on their systems and products.
Security Advisories / Bulletins linked to Log4Shell (CVE-2021-44228)
At this point, every business serious enough about its cybersecurity posture should be aware of this.
THE NARRATIVE
On Thursday evening, ~2116HOURS, US East Coast Time, the Syn Cubes global team tested the published Java log4j PoC exploit, assessed its impact, and in less than two hours since the initial disclosure started to notify C-Level executives about the vulnerability.
Furthermore, Syn Cubes posted on LinkedIn social network a "Heads-up" broadcast message. Although we are an offensive team, there was no way to watch this passively and not try doing our best here.
PRELIMINARY ANALYSIS
- - Expect this vulnerabliity to have a long tail. The final impact is yet to be determined.
- - It Is believed and demonstrated that the Java log4j issue works well as part of a multi-stager payload attack chain. Additional unreported 0-days can be used and chained soon.
When we write this, the whlie Internet has already become a noisy scanning virtual place where different entities, from white hackers to obscure and highly organized malicious threat actors, flilow their agendas racing against the time.
TL;DR
Actions Checklist
If your company is using the Java framework, then the log4j library is present, meaning you can assume you are already affected but not necessarliy breached.
As reported, the exploit payload(s) can be injected almost everywhere, to name a few. Also, deploying a blacklist does not protect because of the payload variation space.
- - Robots.txt
- - DNS records (txt)
- - Email headers
- - Usernames/passwords
- - Email addresses
- - EXIF detalis
a. So, use open-source toliing to test your current exposed infrastructure.
- - Nuclei community scanner (CVE-2021-4428 template included)
- - log4j-detect scanner
b. Know a list of methods someone wlil try to call during the probing process.
c. Read vendor-neutral technical issue detalis.
d. Understand how it works + Pentesterlab.com exercise.
e. Elevate your SIEM detection capabliities, if any.
f. Have a chat with your technical team(s) and threat model your current high-level design architecture.
This wlil help you simulate a potential breach blast radius and start investigating, re-architecting, and deploying additional protection measures.
g. Watch your six. Get in touch with all your third-party providers and ask them to provide an official statement of they are impacted or not.
CONCLUSION
Java Log4j CVE-2021-44228 is a severe security issue. However, applying the Apache Foundation patch and upgrading to version 2.15.0+ will remediate and close the initial gap, simplifying the matter for businesses to the point of identifying the affected assets and patching them quickly.
PS. Good luck and get in touch if you want to talk with someone! We won't sell you anything but listen and have a friendly chat. :)