21 Days of Log4Shell

It has now been 21 days since CVE-2021-44228 streaked across our horizon like a surface-to-air missile, perfectly aimed at shooting down Santa's Sleigh. For many, a couple of weeks of round-the-clock work stopped Christmas from getting cancelled, while others were not so lucky. And new discoveries and versions made our holiday preamble seem like a game of "Whose Log4j 2 Version Is It Anyway" as we all jumped from version to version in response to the latest updates.

At this point, the barrage of continuous exploit attempts of Log4Shell has slowed and well-organized shops hopefully have remediated most of the vulnerable software and tuned security tools and response processes extensively (if not, make haste).

So, where does this leave us – are we good now?

Of course, as we all know, due to a variety of factors many organizations will be behind the power curve – and still others will have a list of outlier systems that were lower risk but still need to be managed. Remember that the way risk needs to be evaluated for Log4Shell is a little different from what we are used to, since the system that receives the malicious string may not be the vulnerable host that later processes that string as a log entry. It is a vulnerability where someone may kick you in the shin and give you a headache, so we need to be looking more broadly than usual.

The short answer is, even for organizations that did everything right, most are far from good.

One thing that is important to remember about Log4Shell is that it is an exploit for Initial Access (in MITRE ATT&CK terms). This is both a blessing and a curse: it means the usual SOC/DFIR best practices work just as well when the entry point is Log4Shell as with any other attack, the aforementioned caveat notwithstanding. It also means that if someone established initial access and reached a point of persistence, they may stop and wait at that point for quite some time.

There was a brief window of time in which many systems could be compromised; all the while, there were far too many exploitable systems to properly triage. So it was a feeding frenzy of threat actors (and some researchers) finding and/or exploiting vulnerable hosts indiscriminately, without necessarily understanding which hosts were of most value.

What does this mean to us now?

Since Access-as-a-Service is a growing trend, this may mean someone worked their way to the stage of persistence and may then sell access to various environments, introducing a significant latency between establishing an initial foothold and expanding that foothold. This latency may also come into play if a more powerful actor has hooked many systems and needs to quietly prioritize which among them to actually leverage.

Simply put, organizations that have done quality work tuning security controls, remediating Log4j vulnerabilities and refining SOC processes are on the right track (if you are not there yet, do these things now). That said, the next step is to assume someone got an initial foothold during this period of immense vulnerability. So, take experts from the Incident Response and Engineering teams and put them in full threat hunting mode for the next several weeks.

Organizations that spot the critical moment when an initial foothold escalates privileges, seeks credentials, scans and exploits other hosts, and works to expand its reach to achieve objectives may be able to avert disastrous outcomes through intelligent response.
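The hunting posture described above (assume a foothold exists, then look for the moment it starts to expand) can be turned into a concrete check over endpoint telemetry. The following is an added example, not code from the article or from any product it mentions. It runs over constructed sample events (process creation, file access and network connections, made up for this illustration) and flags a host where a Java service spawned a shell, then looks for credential-store access and fan-out to many internal destinations from that same host afterwards. The event schema, thresholds and paths are assumptions chosen for the example, not telemetry from any particular tool.

```python
"""Post-foothold hunting over constructed endpoint telemetry.

Sequence hunted: Java service spawns a shell (possible Log4Shell-style
foothold), followed on the same host by credential access and/or internal
scanning. All events below are constructed sample data, not real telemetry.
"""
from datetime import datetime, timedelta

# Assumed event schema: (iso_timestamp, host, kind, details)
#   kind == "process": details has "parent" and "image"
#   kind == "file":    details has "path"
#   kind == "network": details has "dst" and "port"
JAVA_PARENTS = {"java", "javaw"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "cmd.exe", "powershell.exe"}
CREDENTIAL_PATHS = ("/etc/shadow", ".aws/credentials", ".ssh/id_rsa")  # substring match
SCAN_WINDOW = timedelta(minutes=5)   # window for counting distinct destinations
SCAN_THRESHOLD = 10                  # distinct internal hosts within the window


def build_sample_events():
    """Constructed telemetry: app01 is compromised, app02 is benign noise."""
    events = [
        # Benign: database connection long before anything suspicious.
        ("2021-12-11T01:00:00", "app01", "network", {"dst": "10.0.9.20", "port": 5432}),
        # Foothold indicator: the Java service process spawns a shell.
        ("2021-12-11T02:14:07", "app01", "process", {"parent": "java", "image": "/bin/sh"}),
        # Benign: cron spawning a shell on another host is normal.
        ("2021-12-11T02:14:30", "app02", "process", {"parent": "cron", "image": "/bin/sh"}),
        ("2021-12-11T02:14:40", "app02", "network", {"dst": "10.0.9.20", "port": 5432}),
        # Credential access on the compromised host after the foothold.
        ("2021-12-11T02:15:10", "app01", "file", {"path": "/etc/shadow"}),
    ]
    # Internal fan-out: 12 distinct hosts on SMB within a few seconds.
    for i in range(12):
        events.append(("2021-12-11T02:16:%02d" % i, "app01", "network",
                       {"dst": "10.0.5.%d" % (i + 1), "port": 445}))
    return events


def find_footholds(events):
    """Return {host: first time a Java process spawned a shell on that host}."""
    footholds = {}
    for ts, host, kind, d in events:
        if kind == "process" and d["parent"] in JAVA_PARENTS and d["image"] in SHELLS:
            t = datetime.fromisoformat(ts)
            if host not in footholds or t < footholds[host]:
                footholds[host] = t
    return footholds


def _has_internal_scan(net_events):
    """True if any SCAN_WINDOW contains >= SCAN_THRESHOLD distinct destinations."""
    net_events = sorted(net_events)
    for ts, _ in net_events:
        dsts = {dst for t2, dst in net_events if ts <= t2 <= ts + SCAN_WINDOW}
        if len(dsts) >= SCAN_THRESHOLD:
            return True
    return False


def hunt(events):
    """For each foothold host, collect post-foothold expansion indicators."""
    findings = []
    for host, t0 in find_footholds(events).items():
        later = [(datetime.fromisoformat(ts), kind, d) for ts, h, kind, d in events
                 if h == host and datetime.fromisoformat(ts) >= t0]
        cred = [d["path"] for _, kind, d in later
                if kind == "file" and any(p in d["path"] for p in CREDENTIAL_PATHS)]
        net = [(t, d["dst"]) for t, kind, d in later if kind == "network"]
        findings.append({
            "host": host,
            "foothold_at": t0.isoformat(),
            "credential_access": cred,
            "internal_scan": _has_internal_scan(net),
        })
    return findings


if __name__ == "__main__":
    for f in hunt(build_sample_events()):
        print(f)
```

In a real environment the same three questions (which service spawned a shell, what did that host read next, where did it connect next) map onto EDR process trees, file audit logs and flow records; the value of anchoring on the Java-to-shell event is that it bounds the time window in which the later noise has to be examined.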

Looking Forward

The scenario of vulnerable or compromised software components is something we definitely expect to see more of going forward. It is essential that we continue to elevate defensive controls, reduce attack surface and improve response capability in the new year, so we are more prepared with each new crisis that arrives.

Happy New Year and Happy Hunting!!

Anindita Kumar

Solutions Architect (Cloud & IoT) at Atos

1 yr

Join the ranks of certified ISC2 professionals! www.edusum.com/isc2 is your ticket to success! #FutureReady #CertificationPrep

Michael Manrod

CISO at Grand Canyon Education, Inc.

3 yr

Excellent resource created by Christian Taillon if you are trying to threat hunt on scenarios where Log4Shell may have been the initial point of entry: https://github.com/christian-taillon/log4shell-hunting

Danielle Snyder, DCS, CISM

Cybersecurity and Compliance Lead--Naval Power / RTX / Assistant Professor, Colorado Tech

3 yr

Agreed that this is very well put—let’s not let it hit the back burner as soon as the next one is unleashed. This makes a fantastic case for a strong threat hunting capability…

Excellent summary, well said.
