Cyber Forum
Log4j Vulnerability Information
TLP: Green
Notes from Log4J CISA Call December 20, 2021

Tags: Critical CVE

Notes from Log4J CISA Call December 20, 2021, Part 1

Opening

Housekeeping items:
- Sensitive period: holidays.
- Threat actors exploit networks during the holidays; security posture is weaker.
- Over the next few weeks, as staff are off, actors will likely attempt to disrupt organizations with malware.
- Which is why CISA has been flooding the zone with messaging.
- CISA has released best practices and mitigation measures, available on their website; IT-ISAC has shared this information with constituents.
- Ensure that incident response plans and playbooks are updated.
- Open information-sharing channels have been made available to companies.
- Focus on continuity of operations.
- A variety of actors are exploiting vulnerabilities in log4j; guidance, such as information to reduce risk and exposure, is at cisa[.]gov.
- Catalogs are constantly being updated by vendors and companies that share information.

Eric Goldstein on Log4j:
- Points: what the vulnerability is, why it is concerning, and a walkthrough of the emergency directive.
- Log4j is a Java-based logging library, fairly ubiquitous across various industries and infrastructure.
- Any vulnerability in this library is concerning; reporting suggests that the vulnerability can be triggered remotely with a very tiny string for a variety of malicious purposes: ransomware, crypto miners, backdoors.
- CISA is attempting to provide a single source of information for best defense as well as priority guidance.
- Low-level cyber actors are exploiting it: lots of crypto miners.
- Ransomware gangs as well as APTs are now abusing the vulnerability to achieve their goals.
- APT activity means that network defenders need to react to prevent exploitation and prevent lateral movement.
- CIOs and CISOs need to make sure the correct steps are being taken.
- CISA has a single webpage with the latest information regarding the vulnerability, including steps for mitigation.
- Guidance on the website is aggregated from various sources.
- A repository of known vulnerable products is available so that companies can check and see if they are using vulnerable products.
- Visit cisa.gov and check out the repository for vulnerable products; if vulnerable, pivot over to the emergency directive.

What is the directive?
- All organizations focus on risk reduction prioritization.
- Companies need somewhere to start prioritizing.
- Internet-facing devices first. The vulnerability is exploitable over the internet by pinging an internal device that is processing Java inquiries, even if the devices exposed to the internet are not.
- Once your organization has determined which solution stacks are using log4j, there are a few critical mitigation steps.
- Update assets where patches are available.
- Many products are still receiving patches.
- Which products have patches? Deploy them right away.
- Mitigate the risk of exploitation.
- Link in the directive for mitigation measures.
- Example: update the WAF with updated rules.
- Implement one more where applicable.
- Patching not possible? Remove the asset from the network.
- The vulnerability has been in the wild for 11 days. It is reasonably likely, for all organizations, that assets accepting input from the internet are being scanned and that adversaries have found them.
- Assuming some compromise, look for abnormal network traffic if vulnerable assets were exposed to the internet or have not been remediated.
- Network defenders are overwhelmed; we need to focus on the most immediate, most severe threats first, i.e. the RCE vulnerability, and prevent remote code execution.

Q/A

Q1: Challenge: software suppliers using vulnerable versions are refusing to patch or take action. What are partner companies doing to dictate their response?
A: Concerning to hear that; we are expecting vendors to do the right thing and work with urgency. We want to drive the correct behavior. If you are a member of an ISAC, use information-sharing companies to share the message. Remove the third-party assets or vendor applications from the network.

Q2: Do we have any knowledge or reports of actors bypassing WAFs while exploiting this vulnerability?
A: Yes. CISA has mitigation measures for deploying a WAF, but it is considered an incomplete solution and is not sufficient. Companies must deploy a WAF, move down the mitigation list, and apply security measures.

Q3: Does CISA have any tools that can be used to scan environments and identify vulnerable instances?
A: Carnegie Mellon tools are linked from CISA.gov. They also have a Cyber Hygiene program that can scan participating entities for vulnerable assets.

Q4: 1. The GitHub list: checking it as an authoritative source, a few libraries and sub-libraries have not made it to the list. The CERT/CC tool works, but a definitive scanner should be used in addition. 2. With log4j changing so much, vendors are having a hard time keeping up; what do you recommend for folks in keeping up with vendor patches, and what is your expectation concerning the directive for December 24 when there is so much going on in the patch cycle? We also have seen actors scanning and attempting to exploit WAFs.
A: The GitHub repo is not a 100% accurate source; it's community-based and is considered the best available for where organizations are looking to start. Look at the list; drop in a request and let us know if something is missing. The list will grow and become more accurate, but it is an ongoing, crowdsourced project. Use our list with a variety of scanning tools and various products. There has been a rolling of CVEs and patches over the last day. The immediate focus is driving companies to update to 2.15, especially if they are exposed to the internet. The initial CVE is not trivial to exploit. The initial CVE should be a priority and be mitigated.

Q5: Quick question: it is overwhelming to dive through the information on CISA's website. Can you drive a little bit and tell us where these scanning tools are so we can get things going on our end? What's the best way to start diving into this information?
A: Carnegie Mellon tools on CISA.gov. Check your asset inventory and compare it with the known vulnerable products in CISA's repo. If a weak effect is on that list, assume compromise and follow the mitigation steps. Complete the same steps for internal devices after those exposed to the WAN have been mitigated.

Q6: CISA's public repository on GitHub: will CISA join efforts with other organizations?
A: CISA maintains its position as the authoritative source and is working with entities nationally for a better outcome.

Q7: We work with several providers, vendors, etc. One of the other challenges is transparency that lets us know what kind of data may have been compromised. Is there any insight into working with vendors who can also talk about what kind of data has been compromised?
A: What can we do? How do we build from this situation for improvement? One of the most important things we can do is figure out whether the organization knows if it is running log4j. If they don't know, they need to look at the product repo for visibility. We need to drive the adoption of software build materials lists. We need to push vendors to adopt this and work with CISA and partners, so we do not have the same conversation years from now.

Q8: Are there efforts under way to look into other standard software that is widely used and put into software, like log4j?
A: Vulnerabilities in software are ubiquitous. When a vulnerability is found, we need to mitigate it quickly.

Q9: This meeting is recorded. Will it be available after the call?
A: It is recorded and posted on the HSIN page. If you need access, email central@cisa.gov.

Q10: The Cyber Hygiene report is great. The question is, we just received a report this morning from a Sunday scan, and it came back clean for log4j. Has Cyber Hygiene been updated with all of the necessary plugins to identify log4j on vulnerable systems?
A: Yes, but do not stop checking your reports, and use additional tools. CH only covers externally facing IPs; companies must check internal assets, especially those that capture data from the internet.

Q11: What misinformation have you seen about this? How are we working with other countries, and how have they been affected?
A: There's a lot of info out there; the Twitter feed has been 95 percent log4j. Some is good information, some great, and some is not. We are not tracking specific people who may be used to obfuscate legitimate information.
A: CISA is working with various countries and counterparts around the world. This is a global challenge; companies around the world have been compromised. We are working very closely with the Netherlands.

Q12: What do we do if we cannot meet the directive deadline?
A: Point that question to CISA.gov so we can assist your team in meeting that directive.

Q13: One quick question: how different is it from a Microsoft server patch?
A: One of the fundamental challenges compared to others is dealing with a software library embedded in hundreds and thousands of products. The hard part is pinpointing which devices and software are using the vulnerable library. The first place to start is to enumerate products within your environment that may be using log4j.

Q14: Around embedded devices, things with Java code baked into firmware: what's the guidance for devices like these? It can be difficult and time-consuming to update them.
A: Huge concern at CISA, especially for critical infrastructure. We know it is prevalent in embedded devices and poses risks. CISA is happy to work with vendors in the control system space.

Q15: 2.16 completes the 2.15 fix, which addresses the original CVE. How important is it to address the DoS effort in 2.16?
A: Mission-critical products should be updated to the latest version. From an enterprise risk reduction standpoint, enterprises that are still working to mitigate internet-facing devices using 2.15 should mitigate to some degree instead of moving to and fro. However, moving to the latest version is the correct approach.

Q16: What specific response actions could organizations be considering at this time? How can we be more proactive when assuming compromise?
A: We are not at the point where every organization needs to assume that it has been compromised. Organizations should monitor for strange traffic patterns coming from vulnerable products.

Notes from Log4J CISA Call December 20, 2021, Part 2

Q17: Are references to CISA Slack channel updates shared there? Can you share that with this group or provide clarification?
A: We have several channels open with various companies and vendors. The goal is to make sure that we can abstract anything they see across the network and share the information back out. Our goal is to collaborate with as many entities as possible; please use our website to find more ways to collaborate.

Q18: Version 2.17, the latest and greatest: is this the actual fix, or is it still vulnerable?
A: There are no residual vulnerabilities after implementing 2.17, but that could change.

Q19: Is version 1.x vulnerable?
A: They are EOL and unsupported. Actors could compromise 1.x if any EOL products are used, and this raises vulnerability concerns.

Q20: How do you get software added to CISA's list?
A: Open the GitHub repository from CISA's webpage and drop in a pull request.

Q21: Are cloud-based applications being more targeted/vulnerable to this? Are there specific sectors being targeted more than others?
A: We are still seeing reasonably widespread scanning and targeting across sectors; we may see more targeted attempts over time.
A: Data suggests intimate target access sectors. We have not seen specific targeting of cloud infrastructure or applications.

Q22: Systems inside a secure environment (internal, not internet-facing): are single-click exploits possible?
A: Yes, absolutely concerned. Given the current threat landscape, we should first focus on external, public-facing assets for risk prioritization.
A: Focus on the perimeter, then move inward.

Q23: There have been reports that botnet operators are attempting to make this wormable?
A: Possible and deeply concerning, but I have not seen it manifest in the wild; it does reiterate the criticality.

Q24: Red teams notice vendors are releasing scanning tools/processes. When they come back and report within the tools, there may be false negatives. Often, services and applications require authentication before exposing input fields and headers, and only expose a required function's payload. Is one of CISA's initiatives to vet some of these tools for credential testing and validity? What do you think about some of the vetting of scripts and credential scanning?
A: Tools have been evolving; we have linked to a few on our webpage. Third-party sites have scripts that can be considered valid and are updated continuously; the work is ongoing. We will not endorse a tool and say it is the best one, but we can provide guidance and trusted resources from our key partners.

Q25: What is the challenge around sharing intel?
A: We are updating our website continuously and will keep updating as long as possible.
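The notes above keep returning to one step: enumerate which products and solution stacks in the environment carry log4j, then sort them against the 2.15 / 2.16 / 2.17 / 1.x-EOL discussion (Q4, Q13, Q15, Q18, Q19). The sweep below is an added example written for this page; it is not code from the post, from CISA, or from the Carnegie Mellon / CERT/CC tools the call mentions. It assumes the Maven coordinates that log4j 2.x (org.apache.logging.log4j:log4j-core) and 1.x (log4j:log4j) publish in their pom.properties entry, also reports whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still present (deleting that class was Apache's published mitigation for 2.x copies that could not be upgraded; the notes do not mention it), and runs against a constructed sample tree whose file names and versions are hypothetical.

```python
# Added example, not code from the forum post or from CISA: sweep a directory tree for log4j,
# including copies nested inside WAR/EAR/fat JARs, and map each one to the 2.15/2.16/2.17/1.x
# discussion from the call. Sample archives at the bottom are constructed, not real products.
import io
import os
import re
import tempfile
import zipfile
from collections import namedtuple

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Maven coordinates: 2.x ships as org.apache.logging.log4j:log4j-core, 1.x as log4j:log4j.
POM_RE = re.compile(r"^META-INF/maven/(org\.apache\.logging\.log4j/log4j-core|log4j/log4j)/pom\.properties$")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # Apache's remove-the-class mitigation

Finding = namedtuple("Finding", "path version jndi_lookup_present status")  # path uses "!" for nested members

def parse_version(text):
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)  # '2.14.1' -> (2, 14, 1); suffixes ignored
    return tuple(int(g or 0) for g in m.groups()) if m else (0, 0, 0)

def classify(version, jndi_present):
    """Action for one copy, following the version discussion in the notes."""
    if version == "unknown":
        return "UNKNOWN version, JndiLookup present: treat as vulnerable"
    v = parse_version(version)
    if v[0] == 1:
        return "EOL 1.x: unsupported, replace"
    if v < (2, 15, 0):
        return "VULNERABLE RCE: patch now" if jndi_present else "MITIGATED (JndiLookup removed): still upgrade"
    if v < (2, 16, 0):
        return "PARTIAL (2.15.x): upgrade to 2.17.0+"
    if v < (2, 17, 0):
        return "DOS (2.16.x): upgrade to 2.17.0+"
    return "OK (2.17.0+)"

def _scan_archive(data, display_path, findings):
    """Inspect one in-memory archive and recurse into any archives it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        pom = next((n for n in names if POM_RE.match(n)), None)
        jndi = JNDI_LOOKUP in names
        if pom or jndi:  # shaded/relocated copies often lack pom.properties but keep the class
            props = zf.read(pom).decode("utf-8", "replace") if pom else ""
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "unknown"
            findings.append(Finding(display_path, version, jndi, classify(version, jndi)))
        for n in sorted(names):
            if n.lower().endswith(ARCHIVE_EXT):
                _scan_archive(zf.read(n), display_path + "!" + n, findings)

def scan_tree(root):
    findings = []  # one Finding per log4j archive found under root, nested ones included
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    _scan_archive(fh.read(), path, findings)
    return sorted(findings, key=lambda f: f.path)

def _jar(version=None, jndi=False, nested=()):
    """Constructed sample archive for the demo, not a real product build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            coords = "log4j/log4j" if version.startswith("1.") else "org.apache.logging.log4j/log4j-core"
            zf.writestr(f"META-INF/maven/{coords}/pom.properties", f"version={version}\n")
        if jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic is enough for the check
        for name, blob in nested:
            zf.writestr(name, blob)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed sample deployment under root (hypothetical file names and versions)."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    samples = {
        "log4j-core-2.14.1.jar": _jar("2.14.1", jndi=True),
        "log4j-core-2.14.1-stripped.jar": _jar("2.14.1", jndi=False),
        "log4j-core-2.15.0.jar": _jar("2.15.0", jndi=True),
        "log4j-core-2.17.0.jar": _jar("2.17.0", jndi=True),
        "vendor-shaded.jar": _jar(None, jndi=True),
        "log4j-1.2.17.jar": _jar("1.2.17"),
        "portal.war": _jar(nested=[("WEB-INF/lib/log4j-core-2.16.0.jar", _jar("2.16.0", jndi=True))]),
    }
    for name, blob in samples.items():
        with open(os.path.join(lib, name), "wb") as fh:
            fh.write(blob)

def demo():
    """Scan the constructed tree; returns {path relative to the tree: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.relpath(f.path, tmp).replace(os.sep, "/"): f.status for f in scan_tree(tmp)}
```

Call demo() to see the constructed tree triaged, or point scan_tree() at a real application root. Two caveats that the Q10 and Q24 answers make relevant: this is a host-side check, so it sees the internal assets an external cyber-hygiene scan cannot, but it only finds archives; log4j classes unpacked into a directory, or a vendor copy whose classes were renamed as well as relocated, would still be missed, and a web application that needs credentials before it logs untrusted input is exactly the case where an inventory like this beats a request-based scanner. The Java 7 and Java 6 backport branches (2.12.x and 2.3.x) received their own fixed releases; this classifier simply flags them for upgrade.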