Protect Yourself Against The Apache Log4j Vulnerability

Initially published: 10.12.2021
Last updated: 20.12.2021 01:30 AM PST

What happened?

On December 9^th, an acute remote code execution (RCE) vulnerability was reported  in the Apache logging package Log4j 2 versions 2.14.1 and below (CVE-2021-44228).
Apache Log4j is the most popular java logging library with over 400,000 downloads from its GitHub project. It used by a vast number of companies worldwide, enabling logging in a wide set of popular applications.
Exploiting this vulnerability is simple and allows threat actors to control java-based web servers and launch remote code execution attacks.

The Log4j library is embedded in almost every Internet service or application we are familiar with, including Twitter, Amazon, Microsoft, Minecraft and more.
At present most of the attacks focus on the use of a cryptocurrency mining at the expense of the victims, however under the auspices of the noise more advanced attackers may act aggressively against quality targets.

Since Friday we witnessed what looks like an evolutionary repression, with new variations of the original exploit being introduced rapidly- over 60 in less than 24 hours.
For example, it can be exploited either over HTTP or HTTPS (the encrypted version of browsing). The number of combinations of how to exploit it give the attacker many alternatives to bypass newly introduced protections. It means that one layer of protection is not enough and only multi layered security posture would provide a resilient protection.

Check Point’s Infinity Platform is the only security platform that offered pre-emptive protection for customers against the recent Log4j exploit (Log4Shell). Leveraging contextual AI, the platform provides precise prevention of even the most sophisticated nascent attacks, without generating false positives. Customer web applications remain safe as the security auto updates without the need for human intervention or rule sets, as the app and threat landscape evolve and expands.

What do you need to do in order to remain protected?

Check Point already released a new Quantum Gateway protection powered by Threat Cloud, designed to prevent this attack, and by using it- you’ll stay protected.
If your Quantum gateways are updated with automatic new protections, you are already protected. Otherwise, you need to implement a new protection by following the guidelines here. We urge IT and Security teams to take immediate remediation measures on the matter.

Is Check Point affected by the Log4j vulnerability?

The Check Point Infinity architecture is not impacted by the Log4j.
We thoroughly verified that the vulnerability does not affect our Infinity portfolio including Quantum Gateways, SMART Management, Harmony Endpoint, Harmony Mobile, ThreatCloud and CloudGuard.

What’s next? 

Check Point Research is thoroughly investigating the Log4j vulnerability

Check Point Research (CPR) closely monitors the massive scans and exploit attempts. While the activity as we write these lines is limited to scanners and mostly crypto mining threat actors, it does not mean more advanced threat actors are just sitting back enjoying the noise activity. In fact, they are acting silently behind the scenes.

It is clearly one of the most serious vulnerabilities on the internet in recent years.
When we discussed the Cyber pandemic, this is exactly what we meant – quickly spreading devastating attacks.

The numbers behind CVE-2021-44228

This CVE joins the general atmosphere of cyber pandemic where major vulnerabilities in popular software and services impact enormous number of organizations.

Since we started to implement our protection we prevented over 4,300,000 attempts to allocate the vulnerability, over 46% of those attempts were made by known malicious groups.
We have so far seen an attempted exploit of over 48% of corporate networks globally.

*Updated 20.12.2021 1:30 AM PST

Diagram : Top Impacted Geographies

On Tuesday (12/14/21), we showed how such an attempt resulted in real life attack of a crypto mining group on 5 countries.

Wednesday (12/15/21), we can report that a known Iranian hacking group (commonly associated with the local regime),named “Charming Kitten” or APT 35, is also behind an attempt to exploit the Log4j vulnerability against 7 targets in Israel (from the government and business sector) in the last 24 hours.

We have blocked these attacks, as we witnessed communications between a server used by this group and the targets in Israel.

The scope of this attack was between 6am -4pm PST (1600-0200 TLV time). There’s no evidence for the group’s related activity on targets outside of Israel.

We will continue to investigate attacks related to Log4j. Our reports of the last 48 hours prove that both criminal hacking groups and nation state actors are engaged in the exploration of this vulnerability, and we should all assume more such actors’ operation are to be revealed in the coming days.

Read more about The numbers behind a cyber pandemic – detailed dive

Check Point Software released a Quantum Gateway Protection  against the Apache Log4j Remote Code Execution (CVE-2021-44228) vulnerability. We urge all customers to make sure the protection is set on prevent, to avoid the exploitation of their assets.

Additionally, Apache has provided a patch (Log4j 2.15.0) to mitigate the vulnerability. Users may update their version accordingly.

If not possible, according to Apache advisory, other remediation steps are possible:

• For Log4j 2.10 or higher: add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to the log4j2.component.properties file on the classpath to prevent lookups in log event messages.
• For Log4j 2.7 or higher: specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages.
• Consider blocking LDAP and RMI outbound traffic to the internet from vulnerable servers.

Remove the JndiLookup and JndiManager classes from the log4j-core jar.

Note that removal of the JndiManager causes the JndiContextSelector and JMSAppender not to function.

• CloudGuard AppSec provides zero-day protection from exploiting this vulnerability using Check Point Web Application Best Practice in Prevent mode

In addition all customers that use CloudGuard AppSec IPS, also got an automatic signature update with the relevant CVE number.
Our next generation WAF used for application protection, is utilizing AI based prevention and by that Check Point ensures all your web applications are automatically protected without the need to implement, proactively update or install anything.

How can Check Point continue to help you?

We will continue to update on any new development of this significant security event.
Our technical support teams are available for you 24/7 and we are all at your service to make sure you’ll stay protected.
We invite you to visit our dedicated website to learn more about this vulnerability and how Check Point products ensure you stay protected

Last updated December 20, 2021 01:30 AM PST