Log4j Mitigation Tips for Microsoft Security and IT Administrators
Unless you’ve been to a remote island with no internet access, you’ve seen the headlines and articles regarding the vulnerability of the logging software called Log4j. Log4j is a Java-based logging library used in many third-party applications. It is also part of the Apache Logging Services. Large companies that code their own in-house applications likely have coders on staff who know they have used this software and are already taking steps to mitigate it. For internal applications, you must update the Log4j software to the latest versions.
Consultants and small to medium-sized businesses, however, may not be aware that they have installed vulnerable software that is susceptible to this vulnerability. the Hunting team has prepared many resources for consultants and companies that may not have internal teams with the resources to determine if they are vulnerable.
Log4J Vulnerability Testing Tool
Huntress also offers a test tool which allows you to test internal applications if they are vulnerable. They generate a unique string to use for testing your internal applications. You can enter the string in a location that would normally require user input, such as a username or password location. Once you enter the input string, review the resulting test page of the Huntress team site and check if your apps are vulnerable. If there is no evidence of an external “leak”, it is a good sign that your internal applications are safe from this style of attack.
Perform this test only on applications and resources that you own or over which you have contractual control. Testing an application to which you do not have legal rights is a violation of most Internet Service Provider terms and agreements. the Hunter blog points out that attackers are already attempting to use it to gain entry into systems typically using a Lightweight Directory Access Protocol (LDAP) request. Huntress has provided a tool that generates a request which will then be reported to you. Just cut and paste the payload from the Log4Shell site into your application. John Hammond of Huntress also provided a video showing how vulnerability works.
Test applications that include logging first
The CNC group recommended that you examine your software applications and vendors for possible vulnerabilities. Think in terms of applications that include logging and test those applications first, but also think in terms of applications that can rely on LDAP, which runs on a layer above the TCP / IP stack. It provides a mechanism used to connect, search and modify Internet directories. As Microsoft Remarks, “A common model of exploitation risk, for example, is a web application with code designed to process usernames, referrers, or user agent strings in logs. “
Microsoft Log4j Mitigation Tips
Microsoft claims that if you use Microsoft Defender Antivirus on your Windows or Linux devices, it will prevent exploitation. Current exploits have been the insertion of bitcoin mining software into systems as well as Cobalt Strike Beacon loaders. Microsoft also recommends that you review the firewall logs for suspicious commands as well as LDAP queries.
Natively, Windows is not vulnerable to the Log4j exploit, so don’t look for evidence of the attack in your Windows event logs. Instead, look for this in any apps you have purchased or developed, as this is usually where the Log4j logging routines are located.
Microsoft recommends that you activate the attack surface reduction rule to block executable files from running unless they meet a prevalence, age, or trusted list criteria. This will keep you safe while you investigate if your network is in danger.
Monitor outgoing traffic
Review your options and tools that you can use to monitor outgoing traffic. Before the pandemic, most businesses used a traditional network behind a firewall which could then be used to examine outbound risks. We now need cloud-based tools to examine outgoing connections from geographically distributed desktops. You may need to contact your antivirus or monitoring tool vendors and add solutions to allow you to remotely monitor machines on your network.
Check to see if any connections are leaving your domain to websites that have been identified in the ongoing attacks. Ideally, also consider your options for blocking connections from your network to the URLs listed.
the NCC Group identified the domains and IP addresses used in the attacks. Keep an eye on this list as it is sure to increase in the days to come. In addition, contact your firewall providers for their query recommendations so that you can examine your environment for vulnerable systems calling servers. You can view the safety advisories and lists at This site also.
Events like this will happen again. Check whether you have the resources and personnel who can perform analyzes and queries. If you don’t have the staff available to assess whether you have a potential for these types of attacks, consider adding cloud services and monitoring tools that can track outgoing connections and provide you with this information. Small businesses or consultants might consider adding Microsoft Defender for Business, a public preview platform that can monitor such exit attacks, or Microsoft Lighthouse, a console that will allow you to monitor multiple companies for such styles of attacks.
Copyright © 2021 IDG Communications, Inc.