Arctic Wolf Log4Shell Deep Scan

Arctic Wolf's open source Log4Shell Deep Scan enables detection of both CVE-2021-45046 and CVE-2021-44228

How Arctic Wolf Helps Mitigate the Log4j Exploit

A zero-day threat is making bigger waves in the cybersecurity industry than any other in years.

On Thursday, December 9, security researchers published a proof-of-concept exploit code for CVE-2021-44228, a remote code execution vulnerability in Log4j, a Java logging library used in a significant number of internet applications.

In the week since its discovery, businesses worldwide have frantically worked to identify and mitigate the exploit, while security professionals rush to release patches and guide organizations as new information becomes known.

Responding to the Log4j Exploit

Security researchers published a proof-of-concept exploit code for CVE-2021-44228, a remote code execution vulnerability in Log4j, a Java logging library used in a significant number of internet applications.

Multiple campaigns emerged exploiting CVE-2021-44228 against vulnerable public-facing systems to deploy a variety of malware, ranging from crypto miners to Trojan backdoors.

  • PHASE 1:
    Within hours, Arctic Wolf deployed new detections for attempts to exploit the vulnerability. We also released a security bulletin assuring customers that we were actively searching for indicators of compromise in their environments.

    Arctic Wolf completed the first pass investigation on all customers within 1 day.

  • PHASE 2:
    With comprehensive detections for the exploit in place, Arctic Wolf was able to focus on building a new standalone deep analysis tool that would detect this vulnerability at the source, as well as integrating signatures provided by third parties.

    Arctic Wolf developed a deep scan tool with a broad scope, drawing not only on archive metadata but also on the latest research and facts that were still emerging over the weekend.

  • PHASE 3:
    Within 2 days, the scanning tool was deployed and tested in live customer environments to verify effectiveness and consistency.

    This proved successful and Arctic Wolf released it to all customers. Arctic Wolf currently has detections available for both the vulnerability itself and attempts to exploit it.

    After successful deployment to Arctic Wolf’s customer community of more than 2,300 organizations worldwide, today we are making “Log4Shell Deep Scan” publicly available on GitHub.

    Log4Shell Deep Scan enables detection of both CVE-2021-45046 and CVE-2021-44228 within nested JAR files, as well as WAR and EAR files. 

    This script—provided for both Windows and macOS/Linux devices—will conduct a deep scan of a host’s filesystem to identify Java applications and libraries with vulnerable Log4j code. When it identifies the existence of impacted Log4j code, the script will flag it and output its location within the host’s filesystem.  

Access the Arctic Wolf Log4j Deep Scan Script

The Arctic Wolf script is a complement to, not a replacement for, the other detection sources. The script is a deep, cold scan that can detect the Log4j vulnerabilities in applications with higher confidence than the network vulnerability tests (NVTs). The script also detects CVE-2021-44228 inside internal applications that a network scan cannot reach or test. The script is not only deep but application-agnostic.

The script is to be executed on each host. It crawls the entire local filesystem searching for Java applications and libraries that contain the Log4j code. Once it identifies this code, the script flags it and outputs the file path. This enables targeted remediation by exposing exactly which application is affected and where the vulnerability exists.
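The crawl-and-recurse approach described above, written out as an added example; this is not Arctic Wolf's Log4Shell Deep Scan and does not reproduce its signatures. It walks a directory tree, opens every JAR/WAR/EAR, descends into nested archives, and reports each log4j-core copy that still ships `JndiLookup.class` and is older than 2.16.0 (the marker entries and the 2.16.0 threshold are this example's assumptions, chosen to cover both CVE-2021-44228 and CVE-2021-45046).

```python
import io
import os
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Marker entries inside log4j-core (assumed sufficient to identify the library).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 16, 0)  # assumption: 2.16.0 and later treated as closed for both CVEs

def log4j_version(zf):
    """Return (major, minor, patch) from log4j-core's pom.properties, or None."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            parts = line.split("=", 1)[1].strip().split(".")
            nums = [int(p) for p in parts[:3] if p.isdigit()]
            return tuple(nums + [0] * (3 - len(nums)))
    return None

def scan_archive(data, location):
    """Scan one archive given as bytes; recurse into nested JAR/WAR/EAR entries."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a Java archive despite its extension
    with zf:
        names = zf.namelist()
        version = log4j_version(zf)
        # Flag a log4j-core that still ships JndiLookup and is older than FIXED;
        # an unknown version is reported too so shaded copies are not missed.
        if JNDI_CLASS in names and (version is None or version < FIXED):
            findings.append((location, version))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_archive(zf.read(name), f"{location}!/{name}"))
    return findings

def scan_directory(root):
    """Crawl a directory tree; return [(archive path, version)] for each hit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), path))
    return findings
```

Call `scan_directory()` on the root you want to crawl; each result gives the archive path with nested entries separated by `!/`, which is the location you would hand to the application owner for remediation.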

Using Arctic Wolf’s Open Source Log4Shell Detection Script

Join Arctic Wolf Product Marketing Manager Sule Tatar and Arctic Wolf’s Security Services Team to understand:

  1. What CVE-2021-45046 is
  2. Why we developed the Open Source Log4Shell Detection Script
  3. How to run the script in Windows

Arctic Wolf’s Recommendations for Log4j Remediation:

We recommend upgrading to Log4j version 2.17.1 when feasible or during your normal patching cycle. We assess that the newest vulnerability, CVE-2021-44832, does not warrant immediate or out-of-band patching. The latest version can be downloaded here.

Apache released version 2.17.0 on December 18th, 2021. We strongly recommend upgrading all instances of Log4j to version 2.17.0 to remediate both CVE-2021-44228 and CVE-2021-45046. Log4j version 2.17.0 is available here.

If patching is not immediately feasible, do not manually enable %m{lookups}. Configuring Log4j 2.15.0 in this manner introduces CVE-2021-45046 to your network and increases your risk of exploitation.

You can download Log4Shell Deep Scan here.

For more recommendations for Log4j (Log4Shell) Remediation visit: https://arcticwolf.com/resources/blog/log4j

Arctic Wolf offers IVA (Internal Vulnerability Assessment), EVA (External Vulnerability Assessment), and on-host scans for existing customers. Contact your CST at [email protected] and stay up to date by following our Log4j blog here.

STAYING AHEAD OF LOG4J DISRUPTIONS

Log4j underscores the advantage of security operations and Arctic Wolf’s concierge delivery model.

Our teams worked side by side with customers in the immediate wake of the attack to identify known indicators and prioritize mitigation and patching to impacted systems.

With such a broad array of potentially vulnerable apps and services, implementing patches at this scope can be time-consuming and complex for customers—and some security patches may not be automatically applied or immediately available.

In collaboration with our customers, Arctic Wolf continually updated and distributed lists of affected services, identified patches, and worked with customers to design workarounds when upgrading to Log4j 2.15.0 was not immediately feasible. This real-time communication and concierge delivery model enabled Arctic Wolf customers to quickly mitigate the immediate impact of this and other 0-day threats.

Arctic Wolf Security Operations

Built on an open XDR architecture, the Arctic Wolf Platform combines with our Concierge Security Model to work as an extension of your team. We provide 24×7 monitoring, detection, and response, ongoing risk management, and security awareness training to proactively protect your environment while continually strengthening your security posture.
