CISA, Vendors Refine Scanners for Log4j Vulnerabilities

Agency Official Also Warns of Continued Threat Around Apache's Logging Utility
As network defenders continue to patch or mitigate against the remote code execution vulnerability in the Java-based logging utility Log4j, several cybersecurity vendors have issued scanning and assessment tools to speed up the identification process.
Open-source and commercial scanning tools from the U.S. Cybersecurity and Infrastructure Security Agency and vendors such as CrowdStrike, Microsoft, Trend Micro and Arctic Wolf have provided developers and administrators with new resources to streamline the mitigation process surrounding the Apache flaws, which experts say could be present in hundreds of millions of devices and systems worldwide.
The resources come to light as administrators of the Apache Software Foundation, the nonprofit that manages Apache's open-source projects, continue to push out semi-regular updates for the logging library - the latest being 2.17.1, to address another, less-severe RCE vulnerability - CVE-2021-44832 - disclosed this week by the firm Checkmarx. CVE-2021-44832 carries a "moderate" CVSS score of 6.6 (see: Apache's Log4j Version 2.17.1 Addresses New Flaw).
The widespread Log4j vulnerability was first reported Dec. 9, after allegedly being detected by Alibaba's cloud security unit. It subsequently put security teams on high alert heading into the holiday season.
It is available on CISA's community-driven GitHub repository.
Microsoft has added a Log4j scanner to its Microsoft 365 Defender to provide a "consolidated view" of an enterprise's exposure to the flaws - including discovery of vulnerable library components on devices and applications, a dedicated dashboard, and a "new schema in advanced hunting."
Microsoft says the scanner's capabilities are supported on Windows 10, Windows 11 and Windows Server 2008, 2012 and 2016, as well as on Linux, though the latter requires updating the Defender for Endpoint Linux client to version 101.52.57 (30.121092.15257.0) or later.
When Microsoft expanded its Log4j scanning capabilities in Defender on Monday, some users quickly took to Twitter to highlight what appeared to be false positive alerts. Copying Microsoft, user @CISOwithHoodie wrote, "Anyone else getting 'Possible sensor tampering in memory was detected by Microsoft Defender for Endpoint' alerts created by OpenHandleCollector.exe?"
User @irestartpcs responded: "Same. And looks like it's got something to do with looking for log4j based on commandline. emails started within the last hour for me and haven't stopped."
The reports prompted Tomer Teller, a senior security researcher at the Microsoft Azure Cyber Security group, to respond via Twitter, writing, "Thank you for reporting this. The team is looking into that."
The issue has now reportedly been resolved, according to a Microsoft spokesperson who told VentureBeat on Wednesday: "We have resolved an issue for some customers who may have experienced a series of false positive detections."
CrowdStrike's offering, called CrowdStrike Archive Scan Tool (CAST), allows for targeted directory searches for JAR, WAR, ZIP and EAR files and deeper scans of those file types against a known set of checksums for Log4j libraries. The tool is available for Windows, Mac and Linux systems.
CrowdStrike says its CAST tool "helps organizations find any version of the affected Log4j library anywhere on disk, even if it is deeply nested in multiple levels of archive files."
Trend Micro has released a web-based Log4j Vulnerability Scanner that it says can "help users and administrators identify server applications that may be affected."
The company says its self-serve Vulnerability Assessment Tool "leverages complimentary access to the Trend Micro Vision One threat defense platform" to identify endpoints and server applications that may be affected by Log4j. Trend Micro says the tool "provides a detailed view of your attack surface and shares next steps to mitigate risks."
Cybersecurity firm Arctic Wolf has issued Log4Shell Deep Scan Tools to detect CVE-2021-45046 and CVE-2021-44228 within nested JAR files, as well as WAR and EAR files, it says.
"When executed, Arctic Wolf's Log4j detection script will use code analysis and deep scanning of a host's filesystem to identify Java applications and libraries with vulnerable Log4j code," the page reads. "When it identifies the existence of impacted Log4j code, the script will flag it and output its location within the host’s filesystem."
It has been published on GitHub for Windows, macOS and Linux.
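The nested-archive scanning that CAST and Arctic Wolf's script are described as doing can be illustrated with this added Python example (not either vendor's code): it recurses through JAR, WAR, EAR and ZIP entries, flags any archive that contains the JndiLookup class at the heart of CVE-2021-44228, and compares each archive's SHA-256 with a known-bad list. The `KNOWN_BAD_SHA256` set is an empty placeholder to be filled from a trusted advisory, and `build_sample_war` produces constructed test data.

```python
import hashlib
import io
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# The class that implements the JNDI lookup abused by CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Placeholder only: fill from a trusted advisory; no real hashes are listed here.
KNOWN_BAD_SHA256 = set()


def scan_archive_bytes(data, path, depth=0, max_depth=8):
    """Return one finding per archive, at any nesting level, that either matches a
    known-bad checksum or contains JndiLookup.class. Nesting levels are joined with '!'."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        findings.append({"path": path, "reason": "known-bad checksum", "sha256": digest})
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # not a ZIP container, or nested too deep to follow safely
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            findings.append({"path": path, "reason": "JndiLookup.class present", "sha256": digest})
        for name in names:  # recurse into archives embedded inside this archive
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive_bytes(zf.read(name), f"{path}!{name}", depth + 1, max_depth))
    return findings


def build_sample_war():
    """Constructed test data: a WAR holding a ZIP that holds a fake log4j-core JAR."""
    inner, lib, outer = io.BytesIO(), io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # stand-in for real class bytes
    with zipfile.ZipFile(lib, "w") as z:
        z.writestr("lib/log4j-core-2.14.1.jar", inner.getvalue())
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/lib/app-bundle.zip", lib.getvalue())
        z.writestr("index.html", b"hello")
    return outer.getvalue()


if __name__ == "__main__":
    for f in scan_archive_bytes(build_sample_war(), "app.war"):
        print(f["reason"], "->", f["path"])
```

On a real host, a directory walk would feed the bytes of every `.jar`, `.war`, `.ear` and `.zip` file to `scan_archive_bytes`; the depth limit keeps a malformed or deliberately recursive archive from stalling the scan.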
CISA: Patch ASAP
With new resources emerging to mitigate Log4j risks, experts still warn defenders to keep their guard up, pointing to active scanning among sophisticated threat actors and advanced persistent threats. CrowdStrike on Wednesday announced that it had deterred a Chinese APT's efforts to leverage Log4j to attack a "large educational institution" (see: Crypto Platform Suffers Log4j-Related Ransomware Attack).
In an event on Tuesday with ISMG's CyberEdBoard, a members-only community of security executives and thought leaders, Eric Goldstein, executive assistant director for cybersecurity at CISA, stressed the significance of Log4j.
"The prevalence here is really extraordinary," Goldstein said during the session. "This vulnerability can [also] be trivial to exploit. We have seen a proof-of-concept of an exploit as small as 12 characters that can be triggered through a chat message, through a text message or through an email header.
"At least theoretically, it's really trivial to exploit and then because of the nature of the vulnerability, it gives the potential for real deep access in a target system."
Goldstein said: "We [have seen] this vulnerability being used pervasively, but what we call lower-level activity. So, for example, hijacking resources for cryptomining or hijacking assets for use in botnets. But now, we're starting to see a bit more concerns about more sophisticated activity. … [And] we presume that [more] is yet to come."
He also warned that threat actors may have already compromised targets and gained a foothold, but may opt to wait a few weeks before executing their payload.
"Organizations running instances of vulnerable Log4j, particularly where those instances are accepting data from the internet, should really assume that they are subject to a deep compromise that could affect their critical functions and core infrastructure," Goldstein said.
In the wake of this explosive flaw, he added, federal officials will continue to advocate for machine-readable software bills of materials, or SBOMs, so security teams can almost immediately understand which elements make up their software and thus avoid time-consuming manual identification processes.