December 20 Update:
Arctic Wolf Provides Video Walkthrough of Log4Shell Deep Scan Tool
In this short six-minute video, Arctic Wolf provides an update on the latest happenings with Log4j/Log4Shell as well as a walkthrough demonstration of how you can run the tool in your own environment.
Watch the Log4Shell Deep Scan walkthrough (scroll to bottom)
December 17 Update #2:
Arctic Wolf Open Sources Log4Shell Deep Scan Script to Support the Security Community
After successful deployment to Arctic Wolf’s customer community of more than 2,300 organizations worldwide, today we are making “Log4Shell Deep Scan” publicly available on GitHub. Log4Shell Deep Scan enables detection of both CVE-2021-45046 and CVE-2021-44228 within nested JAR files, as well as WAR and EAR files.
December 17 Update #1
Second Critical Log4j/Log4Shell Vulnerability + Enhanced Detection Tool for Customers
Arctic Wolf continues to work with our customers on Log4j-related vulnerabilities, including CVE-2021-44228 and CVE-2021-45046. We are actively monitoring for new indicators of compromise associated with any malicious activity and updating the Arctic Wolf Platform with new detections.
Initially, CVE-2021-44228 was the only critical remote code execution (RCE) vulnerability affecting Log4j version 2.0; however, Apache today indicated that CVE-2021-45046, previously classified as a Denial-of-Service (DOS) vulnerability, now is a critical RCE vulnerability affecting Log4j 2.15 and earlier. The risk posed by CVE-2021-45046 is critical to organizations, and we strongly recommend that organizations upgrade to Log4j 2.16.0 as soon as possible.
To support our customers in managing and mitigating both Log4j/Log4Shell vulnerabilities, Arctic Wolf is releasing an updated version of our Log4Shell Deep Scan tools to customers that now includes the detection of CVE-2021-45046 and CVE-2021-44228 within nested JAR files, as well as WAR and EAR files.
If you are an Arctic Wolf customer and have a question about how to access the script, or the Log4j vulnerability in general, please email firstname.lastname@example.org.
December 16 Update:
Arctic Wolf Webinar: Understanding the Log4j/Log4Shell Vulnerability
Revisit Arctic Wolf’s webinar covering the Log4j/Log4Shell vulnerability to get up to speed on the latest findings regarding this vulnerability.
Topics covered include:
- What Log4j - CVE-2021-44228 is
- Why Log4j is so dangerous
- How Arctic Wolf can help you overcome its challenges
December 14 Update:
Arctic Wolf Releases Log4j Vulnerability Detection Tool to Customers
Identifying all instances of Log4j within an organization is an ongoing concern for IT and security teams this week. To help address this challenge for our customers, Arctic Wolf has developed a Log4j detection script that can identify instances of the Log4j vulnerability and serve as a complement to existing vulnerability scanning solutions already in place.
When executed, Arctic Wolf’s Log4j detection script will use code analysis and deep scanning of a host’s filesystem to identify Java applications and libraries with vulnerable Log4j code. When it identifies the existence of impacted Log4j code, the script will flag it and output its location within the host’s filesystem. By exposing what applications are affected and where each vulnerability exists, IT and security teams can then conduct rapid and targeted remediation of this vulnerability.
Earlier today, Arctic Wolf customers were sent a bulletin with details on how they can access and execute our Log4j detection script. If you are an Arctic Wolf customer and have a question about how to access the script, or the Log4j vulnerability in general, please email email@example.com.
Original Post - December 13:
On Thursday, December 9, security researchers published a proof-of-concept exploit code for CVE-2021-44228, a remote code execution vulnerability in Log4j, a Java logging library used in a significant number of internet applications. Also known as Log4Shell, the situation is significant and continues to evolve, and the Cybersecurity and Infrastructure Security Agency is recommending immediate action.
Multiple campaigns have since emerged, exploiting CVE-2021-44228 against vulnerable public facing systems to deploy a variety of malware, ranging from crypto miners to Trojan backdoors.
We have assessed the risk posed by this vulnerability as critical due to the ease of exploitation and widespread campaigns exploiting it.
Arctic Wolf has deployed detections that identify pre- and post-exploitation of CVE-2021-44228 and we are actively ingesting and curating new threat intelligence to assist in creating additional detections around new methods of exploitation. Arctic Wolf continues to actively investigate and respond to the widespread exploitation of the Log4j remote code execution (RCE) vulnerability CVE-2021-44228. Elements of the Arctic Wolf® Platform deployed by customers, including the Arctic Wolf Sensor, Arctic Wolf Agent, and Managed Risk Scanner do not use the Log4j Java library, and our engineering and security teams have addressed all known impacted elements of our cloud-based platform.
Security Operations Approach to Zero-Day Threats
While security researchers and experts continue to unpack the total impact of this evolving threat, it is going to have a long tail for the entire industry as companies and vendors assess their exposure. Attackers are rapidly crafting new obfuscation tactics, making it difficult to nail down indicators and signatures as these new attack tactics are created just as quickly.
With an attack of this magnitude and speed, it underscores the critical importance of asset inventory and management, which can often fall through the cracks between IT ops and security teams. Over the weekend, CISOs everywhere were asking their teams, “What’s our exposure?” If security teams don’t have an accurate catalog of devices and software, it’s impossible to answer the question. This is hard to accomplish and is often a forgotten element of the security operations framework, but the evolving and severe Log4j situation illustrates the significance of having a complete view.
Our Security Operations Cloud, services, and Concierge Security® Team can support app and service identification inside and outside customer physical networks, so we can tailor reporting and help customers prioritize mitigation work.
Log4j also underscores the advantage of security operations and Arctic Wolf’s concierge delivery model. Our teams worked side by side with customers in the immediate wake of the attack to identify known indicators and prioritize mitigation and patching to impacted systems. With such a broad array of potentially vulnerable apps and services, this scope of implementing patches can be time consuming and complex for customers—and some security patches may not be automatically applied or immediately available. In collaboration with our customers, Arctic Wolf continually updated and distributed lists of affected services, identified patches, and worked with customers to design workarounds when upgrading to Log4j 2.15.0 was not immediately feasible. This real-time communication and concierge delivery model enabled Arctic Wolf customers to quickly mitigate the immediate impact of this threat.
There is much yet to understand about the impact of Log4j exposure, but it is the perfect scenario to illustrate the importance of security operations delivered via a concierge model.
Arctic Wolf’s Response and Recommendations
Arctic Wolf’s concierge and security teams surged through the days and nights immediately following the Log4j exploit to communicate with customers, identify at-risk systems, and assist in detection and remediation. While the full scope of this incident will continue to unravel over the days and weeks ahead, here are highlights from Arctic Wolf’s approach and response in a significant zero-day threat campaign.
- We completed the first pass investigation on all customers by midday Friday, December 10.
- All at-risk customers were contacted by end of business on Friday, December 10.
- We observed the majority of malicious activity using LDAP, DNS, and RMI.
Here are Arctic Wolf’s current recommendations to identify and remediate CVE-2021-44228.
This section will be updated as more information is available.
Recommendation #1: Identify Impacted Applications and Closely Monitor Software Vendor Patch Advisories Related to CVE-2021-44228
Although Apache has released a fix for CVE-2021-44228 in Log4j version 2.15.0, the security patch is not automatically applied to software products that use the library under the hood of their code until that software product vendor ships their own update containing the new component version.
As is usually the case with security incidents and vulnerabilities, the best method for remediating CVE-2021-44228 in software products is to apply the official security update from software vendors as soon as they become available.
We strongly recommend monitoring software vendor advisories for security updates that remediate CVE-2021-44228 in your environment and apply the security update promptly.
Arctic Wolf® Managed Risk customers can contact their Concierge Security Team for assistance with prioritization and patch status.
Recommendation #2: Take Vulnerable Non-Critical Public-Facing Systems Out of the Internet Path
We strongly recommend that organizations take public facing systems out of the internet path if they are confirmed to be vulnerable to CVE-2021-44228 until they can be patched. The risk of leaving a system public to the internet that is exposed to CVE-2021-44228 is high at this time due to multiple threat actors exploiting this vulnerability in their campaigns. Reducing the attack surface is better than hoping your system is not discovered or attacked.
Investigation and Response is Ongoing
There is much yet to discover about the Log4j vulnerability and its full impact. As the situation evolves, Arctic Wolf will continue to work alongside customers to mitigate the threat.
This is a fast-evolving and complicated process, and many companies lack the team or resources to act quickly and mitigate their risk. Arctic Wolf’s Concierge Security Team continues to work side by side with customers to hunt for activity and deploy new detections—advancing security operations while our customers focus on implementing updates.
This blog article will include updates as they become available.