🚨 Incident Tracking : 2021-12-09 Log4Shell / Log4J2
Summary
The “Log4Shell” vulnerability in log4j2 has an exceptionally simple proof of concept combined with pervasive usage in production environments. Exploitation can be triggered indirectly, by placing a crafted string anywhere an application may end up logging it (usernames, user agents, client requests, headers, etc.), so the vulnerable code path need not be directly exposed. In-the-wild exploitation has already been observed.
📅 Discussions
2021-11-26
2021-12-09
2021-12-10
- Apple exploitation
- ITW exploitation seen over Tor egress
- GreyNoise visibility of ITW exploitation
- ⭐️ Arbitrary code execution in iCloud, Twitter, Steam, CloudFlare, Amazon, Tesla, Baidu, Tencent
- ⭐️ Vulnerable Companies
- GreyNoise Monitoring
- @Viss - Tweet to Exploit
- Cisco Talos - Log4j vulnerability exploited in the wild
2021-12-11
- ⭐️ Matthew Prince - “In the wild at least 9 days before publicly disclosed”
- Advisories and Bulletin Reference
- ⭐️ Comprehensive Incident Summary
2021-12-12
- Log4Shell & massive Kinsing deployment - by Yuval Fischer - ProferoSec - Dec, 2021 - Medium
- Apache Log4j Vulnerability Guidance - CISA
- Swiss CERT
2021-12-13
2021-12-14
🐾 IOC, Detection, Forensics
- ⭐️ Proof of Concept
- Greynoise - Attack IPs
- Greynoise - Callback Domains
- ISC - Attack Observations
- Tanner Barnes - The Log4J formatting is nestable
- Northwave - log4jcheck
- Thinkst Canary
- Mubix - Hashes for vulnerable LOG4J versions
- Florian Roth - Detection ideas
- Florian Roth - YARA Rule
- Splunk - Detection
🛠 Mitigations
- Patch Notes for 2.15.0
- oss-security - Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
- [LOG4J2-3198] Message lookups should be disabled by default - ASF JIRA
- [LOG4J2-3201] Limit the protocols jNDI can use and restrict LDAP. - ASF JIRA
- Apache - Restrict LDAP access via JNDI
- Cloudflare
- CISA - Software