Responding to the Log4j Exploit
Security researchers published proof-of-concept exploit code for CVE-2021-44228, a remote code execution vulnerability in Log4j, a Java logging library used by a significant number of internet-facing applications.
Multiple campaigns emerged that exploited CVE-2021-44228 against vulnerable public-facing systems to deploy a variety of malware, ranging from cryptocurrency miners to Trojan backdoors.
Within hours, Arctic Wolf deployed new detections for exploitation attempts against the vulnerability. We also released a security bulletin assuring customers that we were actively searching their environments for indicators of compromise.
Arctic Wolf completed a first-pass investigation of all customers within one day.
With comprehensive detections for the exploit in place, Arctic Wolf was able to focus on building a new standalone deep analysis tool that would detect the vulnerable code at its source, on the host filesystem, as well as on integrating signatures provided by third parties.
Arctic Wolf developed a deep scan tool with a broad scope, relying not only on archive metadata but also on the research and facts that were still emerging over the weekend.
Within two days, the scanning tool was deployed and tested in live customer environments to verify its effectiveness and consistency.
This proved successful, and Arctic Wolf released it to all customers. Arctic Wolf now has detections for both the presence of the vulnerable Log4j code on hosts and for exploitation attempts against it.
After successful deployment to Arctic Wolf’s customer community of more than 2,300 organizations worldwide, today we are making “Log4Shell Deep Scan” publicly available on GitHub.
Log4Shell Deep Scan detects Log4j code vulnerable to CVE-2021-44228 and CVE-2021-45046, including inside nested JAR files and within WAR and EAR archives.
Download Log4Shell Deep Scan here.
This script, provided for both Windows and macOS/Linux hosts, performs a deep scan of the host's filesystem to identify Java applications and libraries that contain vulnerable Log4j code. When it finds impacted Log4j code, the script flags it and reports its location within the host's filesystem.
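To show what such a deep scan has to do, here is an added example of the technique, written for this page and not taken from Arctic Wolf's Log4Shell Deep Scan. It walks a directory tree, opens every JAR/WAR/EAR as a zip container, descends into archives nested inside archives, and identifies log4j-core by two real artifacts: the Maven `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` file (for the version) and the `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry (the class whose removal was the recommended mitigation). The version-to-CVE mapping follows Apache's advisories (CVE-2021-44228 fixed in 2.15.0, CVE-2021-45046 in 2.16.0, both fixed in the 2.12.2 and 2.3.1 backports). The sample EAR is a constructed fixture with placeholder class bytes, not a real application.

```python
import io
import os
import re
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MAX_DEPTH = 10  # guard against pathological or malicious nesting


@dataclass
class Finding:
    location: str            # outer!/inner!/innermost path of the log4j-core archive
    version: Optional[str]   # from pom.properties; None if absent (e.g. shaded jar)
    has_jndi: bool           # JndiLookup.class still present in the archive
    cves: List[str] = field(default_factory=list)
    status: str = ""


def parse_version(version: str):
    # Numeric components only: "2.14.1" -> (2, 14, 1). Pre-release tags such as
    # "2.0-beta9" collapse to their digits, which suffices for the range check below.
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def affected_cves(version: str) -> List[str]:
    """Log4Shell CVEs affecting a given log4j-core version (per Apache advisories)."""
    v = parse_version(version)
    if v >= (2, 16, 0) or v in ((2, 12, 2), (2, 3, 1)) or v < (2, 0, 0):
        return []
    cves = ["CVE-2021-44228"] if v < (2, 15, 0) else []
    cves.append("CVE-2021-45046")  # everything below 2.16.0 except the backports
    return cves


def assess(version: Optional[str], has_jndi: bool):
    if version is None:
        # log4j-core classes without log4j-core pom.properties: typically a
        # shaded/uber jar. Flag for manual review rather than guess a version.
        return ["unknown"], "log4j-core class present, version unknown: review manually"
    cves = affected_cves(version)
    if not cves:
        return [], "not affected"
    if not has_jndi:
        return cves, "affected version, but JndiLookup.class removed (mitigated)"
    return cves, "VULNERABLE"


def scan_archive_bytes(data: bytes, location: str, depth: int = 0) -> List[Finding]:
    """Inspect one in-memory archive and recurse into any archives nested in it."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container (or corrupt): nothing to inspect
    with zf:
        names = zf.namelist()
        has_jndi = JNDI_CLASS in names
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if has_jndi or version is not None:
            cves, status = assess(version, has_jndi)
            findings.append(Finding(location, version, has_jndi, cves, status))
        if depth < MAX_DEPTH:
            for name in names:
                if name.lower().endswith(ARCHIVE_EXT):
                    findings.extend(scan_archive_bytes(zf.read(name), f"{location}!/{name}", depth + 1))
    return findings


def scan_filesystem(root: str) -> List[Finding]:
    """Walk a tree; deep-scan each archive and catch exploded (unpacked) deployments."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn.lower().endswith(ARCHIVE_EXT):
                try:
                    with open(path, "rb") as fh:  # whole-file read; fine for jars
                        findings.extend(scan_archive_bytes(fh.read(), path))
                except OSError:
                    continue
            elif fn == "JndiLookup.class" and dirpath.replace(os.sep, "/").endswith(
                    "org/apache/logging/log4j/core/lookup"):
                findings.append(Finding(path, None, True, *assess(None, True)))
    return findings


def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_ear() -> bytes:
    """Constructed fixture: EAR -> app.war -> WEB-INF/lib/log4j-core-2.14.1.jar (vulnerable),
    plus a fixed log4j-core-2.17.1.jar in the EAR's own lib/. Class bodies are placeholders."""
    def log4j_core(version: str) -> bytes:
        return _zip_bytes({JNDI_CLASS: b"\xca\xfe\xba\xbe",
                           POM_PROPS: f"artifactId=log4j-core\nversion={version}\n".encode()})
    war = _zip_bytes({"WEB-INF/web.xml": b"<web-app/>",
                      "WEB-INF/lib/log4j-core-2.14.1.jar": log4j_core("2.14.1")})
    return _zip_bytes({"app.war": war, "lib/log4j-core-2.17.1.jar": log4j_core("2.17.1")})


if __name__ == "__main__":
    import sys
    results = (scan_filesystem(sys.argv[1]) if len(sys.argv) > 1
               else scan_archive_bytes(build_sample_ear(), "sample.ear"))
    for f in results:
        print(f"{f.status} | {f.version or '?'} | {','.join(f.cves) or '-'} | {f.location}")
```

Run it with a directory argument to scan a host, or with no argument to scan the constructed EAR. Two design points matter in practice: identification is by archive contents rather than filename, so a renamed or repackaged log4j-core is still caught, and a present `JndiLookup.class` is only reported as vulnerable when the version is also in the affected range, since the class still exists in 2.16.0 and later. A shaded jar that relocates the `org.apache.logging` package would need an additional class-name heuristic, which this example does not attempt.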