Due to this being a component used by a substantial number of applications and systems, keep a close watch on anything which uses Java or Apache in any way. A spike in CPU usage on such a system may indicate crypto mining activity and ransomware could be next.
Today (12/10/2021), the critical vulnerability CVE-2021-44228 in log4j was publicly disclosed, with zero-day exploitation already occurring in the wild. If a device or application uses Java with log4j and logs any string that includes user-supplied input, it is vulnerable, and an attacker can run arbitrary code on the system.
A public proof-of-concept is already available. We are observing a first wave of discovery attacks, used to determine who is vulnerable, and the beginning of a second wave that drops crypto-mining software. Following the usual escalation pattern for this kind of vulnerability, we expect automated ransomware deployment to begin by Monday (12/13/2021).
As stated above, devices and applications that use Java logging of user-supplied input are vulnerable. Some currently known vulnerable applications and services include:
The updated, patched version of log4j is available directly for developers who use the component: https://logging.apache.org/log4j/2.x/download.html
Third-party applications and systems should be patched immediately, and any subsequent patches should be evaluated and installed as quickly as possible.
According to Cloudflare, this attack can be mitigated by using one of these two configuration changes:
Another mitigation is to use web application firewalls and other firewalls to block the triggers used by the proof-of-concept. This will require testing, as it can very well break things! Based on current knowledge, the regular expression to block, or to use when searching logs, is:
Reach out to TorchLight at firstname.lastname@example.org for help on remediation or any questions.