Cyber Forum
Log4j Vulnerability Information
Quote from Ian Andriechack (post 2465):

Hey everyone, I just jumped off CISA's call; here are my notes in case you were unable to attend:

The general consensus, regardless of versions utilized, includes 1: upgrade to version 2.15.

Introduction:
- Experts note that it is one of the most serious they've ever seen throughout their careers
- CISA is focusing on identifying vulnerable assets and assisting in applying mitigation measures
- APT groups will exploit it; limited time to correct vulnerabilities
- Holiday season, so it is likely threat actors will exploit this vulnerability over the holiday season. Geopolitical tension could also significantly increase the likelihood of impact
- Make sure cybersecurity staff and IT are heightened over the holiday
- Check public-facing appliances; make sure they are secure
- Share information with your constituents and groups
- Please share with CISA so they can distribute and help others
- Twitter is being used to distribute various pieces of information regarding the vulnerability

Mitigation for network defenders and operators:

What is log4j?
- Open-source Java-based logging utility – 300 billion devices, enterprise software (on-prem/cloud) to IoT
- Open source, maintained by Apache. Released in 2021 originally (birthday January)
- September 2013 to the release of last week are vulnerable
- Exploit has been shared on Twitter; unauthenticated remote code execution vulnerability -- it's 12 characters long and is considered trivial
- Does not require permissions; worst type of vulnerability
- Result: an attacker could take control of the system if exploited
- POCs are making exploitation very easy
- No network access or privilege restrictions
- Approximately hundreds of millions of devices are vulnerable
- CISA is working with vendors to make sure they know they are vulnerable and may no longer receive support from manufacturers.
- Network defenders: look back to the first of the month for externally facing devices where the software is installed for indicators of compromise.
- External devices: actors may patch behind companies. Implement change control

Mitigation:
- Scan applications for vulnerable versions 2.0 beta 1 to 2.14.1
- Upgrade to 2.15 as soon as possible; not feasible?
- Work with vendors on hardening devices that cannot be upgraded
- Security operations center
- Action every single alert on a device that is running log4j
- When there is a vulnerability in a logging system, it's likely that it may not be logged if exploited, so every alert needs to be reviewed.
- If you do not know where it's not installed
- Upgrade WAFs with the latest rules. They are using mask scanning techniques which WAFs stop

Q/A
- Q1: Ransomware: can the vulnerability be leveraged to deploy ransomware?
  - Absolutely; they may deploy crypto miners first. Safe to assume actors will leverage it for various malicious activities, including ransomware.
- Q2: Applying defense in depth: other than what was mentioned, should we be doing or looking for anything else?
  - Threat activity is changing; new IOCs will be released and published. Multi-week process; new actors will leverage the vulnerability. We should expect this picture to change rapidly.
- Q3: Are there indicators that this may have intentionally been placed into the repository?
  - Currently, there is no evidence that this is a supply-chain attack
- Q4: Vulnerability is not exposed if you use the newer versions of the Java runtime?
  - Not able to validate whether running an updated version provides authoritative protection.
- Q5: If people do update to 2.15, we are good?
  - Yes, but it does not mean that an actor could have already leveraged it before deploying the patch.
- Q6: Can you repeat which versions are at risk?
  - 2.0 – beta 9 to 2.1.4.1
  - 21st of September 2013 to the 6th of December 2021 are vulnerable to exploitation
- Q7: Will CISA have tools that companies can use to scan networks? As a customer at the Albert network, are we seeing any activity?
  - Cyber Hygiene service (learn more at cisa.gov)
  - Notifying entities that are part of the service if they are vulnerable
  - Limited signatures at this point to scan for
- Q8: Version 2.0 beta and version 1 aren't supported anymore? Is version 1 vulnerable?
  - Negative
- Q9: Weblink: can you share it so we can use it to do a comparison between organizations?
  - Website = going live shortly
  - Will be shared through CISA.gov, ISACs, and other online profiles
- Q10: Standing up a website? When will it be online? Log4j version 1: there is speculation that this version is good, but if you are using the JMS class, it's not true, correct?
  - Shooting for the next day
  - We are glad to look more deeply into that point.
- Q11: Is CISA going to have specific guidance for version 1?
  - Not an immediate focus; we are focusing on the recently released CVE
- Q12: Should we enable MFA?
  - Always enable MFA and any other additional layers of security that are available.
  - These are all good practices to implement outside of the context of the actual vulnerability.
- Q13: On the website, will there be a list of "bad-actor" IP addresses exploiting available ports? So, you know, we can get a block list going on firewalls and things like that?
  - We include effective measures and mitigations that network defenders can deploy
  - Not feasible; tracked IPs would be changing and will grow and grow due to how many devices are vulnerable and how many actors are likely to exploit the vulnerability.
- Q14: IBMs, iDRAC, and stuff administrators are using. Is there a way to exploit systems and devices like these?
  - The logging component is in a wide variety of devices.
  - There is no evidence of KVMs or iDRAC being exploited
  - But these devices are highly susceptible to attack due to the information stored on them.
  - Update these devices.
- Q15: Scope of mitigation: the primary one, of course, is to update. Many organizations can't. Is there a combination of mitigations?
  - We want to provide a single place where companies can view a list of mitigation measures and aggregate information if companies are unable to patch.
- Q16: (Points) We discovered hundreds of devices running the software; a lot of them are internal with no internet access. However, a lot are cloud, so they are communicating with an external vendor. Unfortunately, we do not have control over these devices because they are on a vendor's private network; we are the middleman – we have no management. So, it will take more than our mitigation; most of our prominent, well-known vendors are right on top of the vulnerability and have resources for review. Work with your vendors to make sure you are good-to-go with companies with which you may do business.
  - Thank you for the points; there are risks associated with utilizing the cloud if they are vulnerable.
  - CISA's goal is to provide information for entities of different maturity.
- Q17: Dish Network organization admits to seeing scan attempts on their vulnerable equipment
  - Great, that is what we are observing too.
- Q18: DDoS and Kinsing are being deployed as a final payload, as well as Cobalt Strike beacons. What's going on with those Cobalt Strike beacons?
  - Nothing categorically different than we just outlined.
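The "scan applications for vulnerable versions 2.0 beta 1 to 2.14.1" item in the notes above, as an added example that is not part of the original post or of any CISA tooling: a small Python inventory script that walks a directory tree, reads each log4j-core jar's manifest for its version (falling back to the filename), compares it against the affected range, and records whether the JndiLookup class is present. It assumes Maven-style artifact names (log4j-core-<version>.jar); the stub jars it builds in a temp directory are constructed test data, not real Apache artifacts.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Version key for log4j 2.x: pre-release tags sort below finals, so
# 2.0-beta1 < 2.0-rc1 < 2.0 < ... < 2.14.1 < 2.15.0.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")
PRE_RANK = {"beta": 0, "rc": 1, None: 2}

def parse_version(text):
    m = VERSION_RE.match((text or "").strip())
    if not m:
        return None
    major, minor, patch, pre, num = m.groups()
    return (int(major), int(minor), int(patch or 0), PRE_RANK[pre], int(num or 0))

# Affected range named on the call: 2.0-beta1 through 2.14.1 (fixed in 2.15).
VULN_MIN, VULN_MAX = parse_version("2.0-beta1"), parse_version("2.14.1")

def is_vulnerable(version):
    v = parse_version(version)
    return v is not None and VULN_MIN <= v <= VULN_MAX

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def inspect_jar(path):
    """Version from the manifest's Implementation-Version (filename as fallback) and JndiLookup presence."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            version = m.group(1) if m else None
    if version is None:  # e.g. a repackaged jar whose manifest lacks the entry
        version = Path(path).stem.split("log4j-core-", 1)[-1]
    return version, JNDI_CLASS in names

def scan_tree(root):
    findings = []
    for path in Path(root).rglob("log4j-core-*.jar"):
        version, has_jndi = inspect_jar(path)
        findings.append({"path": str(path), "version": version,
                         "vulnerable": is_vulnerable(version), "jndi_lookup": has_jndi})
    return findings

def demo():
    """Constructed sample data: three stub jars (not real Apache artifacts) in a temp dir."""
    root = tempfile.mkdtemp()
    for version in ("2.0-beta9", "2.14.1", "2.15.0"):
        with zipfile.ZipFile(Path(root) / f"log4j-core-{version}.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return {f["version"]: f["vulnerable"] for f in scan_tree(root)}
```

Note that 2.15.0 still ships the JndiLookup class, so its presence alone is not a verdict; the version range decides, and the class flag is there to help prioritize review of jars whose version cannot be determined.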