How Cybereason Detects and Prevents Exploits Leveraging Log4Shell Vulnerability
December 15, 2021 |
2 minute read
Cybereason Security Team
Log4Shell is a vulnerability (CVE-2021-44228) impacting Apache Log4j which was disclosed on the project’s GitHub on December 9, 2021. The flaw has the highest possible severity rating of 10 and is pervasive.
In addition to ensuring all of your systems are protected by Cybereason, we also continue to advise on remediation for the Log4Shell vulnerability directly, either through the vaccine released by Cybereason or through the manual remediation steps detailed at the end of this blog.
In the interactive demonstration linked below, you can walk through an active MalOp™ where a Tomcat server has been compromised as a result of the Log4Shell vulnerability and the attacker is able to deploy a malicious webshell. Upon completion of the investigation, you will remediate the threat from within the AI-driven Cybereason XDR Platform.
In this walkthrough, Prevention features were disabled to show the depth of the detection process; however, enabling the Prevention feature would have blocked the execution of the malicious webshell demonstrated as part of the Cybereason multilayered defense:
You can view a complete demo illustrating how the Cybereason XDR Platform can uncover malicious activity resulting from the exploitation of the Log4Shell vulnerability HERE.
Threat Hunting for Log4Shell Activity
In the event that you have identified potentially impacted systems that were not running Cybereason, or if you have recently deployed Cybereason as part of your incident response, we recommend threat hunting in your environment for malicious activity resulting from the exploitation of this vulnerability.
Cybereason customers can use the following queries by attaching the query to the Cybereason URL like so: customer.cybereason.net/[paste hunt query here]:
Java processes with incoming connections on LDAP ports: /#/s/search?queryString=0<-Process"name:%3Djava"->connections"serverPort:%3D3268%7C389%7C636"
Bash or SH processes spawning on Linux hosts from web server processes: /#/s/search?queryString=1<-Machine"osType:%3DLINUX"->processes"name:%3Dapache%7Capache2%7Chttpd%7Cjava%7Cjavaw"->children"elementDisplayName:%3Dbash%7Csh"
Connections to IOCs confirmed in exploitation of the vulnerability: /#/s/search?queryString=4<-Connection->remoteAddress"elementDisplayName:$18.104.22.168%7C22.214.171.124%7C126.96.36.199%7C188.8.131.52%7C184.108.40.206%7C220.127.116.11%7C18.104.22.168%7C22.214.171.124%7C126.96.36.199"->Connection.remoteAddress->ownerProcess->children
Find applications that use Log4j2: /#/s/search?queryString=0<-Process"commandLine:@Log4j2"&sorting=creationTime&sortingDirection=-1&viewDetails=false
Ken Westin is Director of Security Strategy at Cybereason. Ken has been in the security field for over 15 years, working with companies to bolster their security posture through threat hunting, insider threat programs and vulnerability research. In the past, he has worked closely with law enforcement, helping to unveil organized crime groups. His work has been featured in Wired, Forbes, New York Times, Good Morning America and others, and he is regularly reached out to as an expert on cybersecurity, cybercrime and surveillance.
Justin Buchanan, Director of Product Marketing, is responsible for the go-to-market strategy of Cybereason’s Endpoint Protection Platform (EPP) offerings. Driven by his background in IT and his deep understanding of customers’ desired outcomes, Justin is passionate about how Cybereason can help customers—and the security industry as a whole—reverse the adversary advantage and empower defenders.
About the Author
Cybereason Security Team
The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.