Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability – Microsoft

Updates:

[12/22/2021] Added new protections across Microsoft 365 Defender, including Microsoft Defender for Office 365.

[12/21/2021] Added a note on testing services and assumed benign activity and additional guidance to use the Need help? button in the Microsoft 365 Defender portal.

[12/17/2021] New updates to observed activity, including more information about limited ransomware attacks and additional payloads; additional updates to protections from Microsoft 365 Defender and Azure Web Application Firewall (WAF), and new Microsoft Sentinel queries.

[12/16/2021] New Microsoft Sentinel solution and additional Microsoft Defender for Endpoint detections.

[12/15/2021] Details about ransomware attacks on non-Microsoft hosted Minecraft servers, as well as updates to product guidance, including Threat and Vulnerability Management.

[12/14/2021] New insights about multiple threat actors taking advantage of this vulnerability, including nation-state actors and access brokers linked to ransomware.

Microsoft’s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, have been tracking threats taking advantage of CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”.

In this blog:

  1. Remote code execution vulnerability in Log4j 2
  2. Attack vectors and observed activity
  3. Microsoft security solutions help protect against and detect attacks
  4. Indicators of compromise (IoCs)

Remote code execution vulnerability in Log4j 2

The CVE-2021-44228 vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the Microsoft Security Response Center blog.

This week, Apache disclosed another RCE vulnerability, CVE-2021-45046. As we continue to investigate the vulnerabilities affecting Log4j 2, we highly recommend applying security patches and updating affected products and services as soon as possible. For technical information on these vulnerabilities and mitigation recommendations, please read the Microsoft Security Response Center blog.

The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers. An example pattern of attack would appear in a web request log with strings like the following:

An attacker performs an HTTP request against a target system, which generates a log using Log4j 2 that leverages JNDI to perform a request to the attacker-controlled site. The vulnerability then causes the exploited process to reach out to the site and execute the payload. In many observed attacks, the attacker-owned parameter is a DNS logging system, intended to log a request to the site to fingerprint the vulnerable systems.

The specially crafted string that enables execution of this vulnerability can be identified through several components. The string contains “jndi”, which refers to the Java Naming and Directory Interface. Following this, the protocol, such as “ldap”, “ldaps”, “rmi”, “dns”, “iiop”, or “http”, precedes the attacker domain.

As security teams work to detect the exploitation of the vulnerability, attackers have added obfuscation to these requests to evade detections based on request patterns. We’ve seen things like running a lower or upper command within the exploitation string and even more complicated obfuscation attempts, such as the following, that are all trying to bypass string-matching detections:

The vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed. Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives. Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems. 

Attack vectors and observed activity

Microsoft has observed multiple threat actors leveraging the CVE-2021-44228 vulnerability in active attacks. Microsoft will continue to monitor threats taking advantage of this vulnerability and provide updates as they become available. To protect against these threats, we recommend that organizations follow the guidance detailed in succeeding sections.

Exploitation continues on non-Microsoft hosted Minecraft servers

Minecraft customers running their own servers are encouraged to deploy the latest Minecraft server update as soon as possible to protect their users. More information can be found here: https://aka.ms/mclog.

Microsoft can confirm public reports of the Khonsari ransomware family being delivered as payload post-exploitation, as discussed by Bitdefender. In Microsoft Defender Antivirus data we have observed a small number of cases of this being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via the use of a third-party Minecraft mods loader.

In these cases, an adversary sends a malicious in-game message to a vulnerable Minecraft server, which exploits CVE-2021-44228 to retrieve and execute an attacker-hosted payload on both the server and on connected vulnerable clients. We observed exploitation leading to a malicious Java class file that is the Khonsari ransomware, which is then executed in the context of javaw.exe to ransom the device.

While it’s uncommon for Minecraft to be installed in enterprise networks, we have also observed PowerShell-based reverse shells being dropped to Minecraft client systems via the same malicious message technique, giving an actor full access to a compromised system, which they then use to run Mimikatz to steal credentials. These techniques are typically associated with enterprise compromises with the intent of lateral movement. Microsoft has not observed any follow-on activity from this campaign at this time, indicating that the attacker may be gathering access for later use.

Due to the shifts in the threat landscape, Microsoft reiterates the guidance for Minecraft customers running their own servers to deploy the latest Minecraft server update and for players to exercise caution by only connecting to trusted Minecraft servers.

Nation-state activity

MSTIC has also observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.

For example, MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications.

In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.

Access brokers associated with ransomware

MSTIC and the Microsoft 365 Defender team have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks. These access brokers then sell access to these networks to ransomware-as-a-service affiliates. We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms.

Mass scanning activity continues

The vast majority of traffic observed by Microsoft remains mass scanners by both attackers and security researchers. Microsoft has observed rapid uptake of this vulnerability into existing botnets like Mirai, existing campaigns previously targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, and activity deploying the Tsunami backdoor to Linux systems. Many of these campaigns are running concurrent scanning and exploitation activities for both Windows and Linux systems, using Base64 commands included in the JDNI:ldap:// request to launch bash commands on Linux and PowerShell on Windows.

Microsoft has also continued to observe malicious activity performing data leakage via the vulnerability without dropping a payload. This attack scenario could be especially impactful against network devices that have SSL termination, where the actor could leak secrets and data.

Ransomware update

Microsoft has not observed significant spikes in ransomware attacks, whether human-operated or commodity. We have previously reported ransomware delivered via modified Minecraft clients and have seen continued exploitation and payload delivery via this mechanism, but these remain to be a small number of cases. As previously discussed, we continue to observe access brokers who are associated with ransomware-as-a-service affiliates including this vulnerability in their initial access toolkit. We have not seen a human-operated ransomware incident involving this vulnerability in our threat data to date.

What Microsoft has seen are non-human-operated and older ransomware payloads which are in limited use being deployed by security researchers and a small number of attackers. In some instances, they appear to be experimenting with deployments via scanning and modified Minecraft servers. As part of these experiments, some ransomware payloads seem to have been deployed to systems that were previously compromised and were originally dropping coin miner payloads.

Additional RAT payloads

We’ve observed the dropping of additional remote access toolkits and reverse shells via exploitation of CVE-2021-44228, which actors then use for hands-on-keyboard attacks. In addition to the Cobalt Strike and PowerShell reverse shells seen in earlier reports, we’ve also seen Meterpreter, Bladabindi, and HabitsRAT. Follow-on activities from these shells have not been observed at this time, but these tools have the ability to steal passwords and move laterally.

This activity is split between a percentage of small-scale campaigns that may be more targeted or related to testing, and the addition of CVE-2021-44428 to existing campaigns that were exploiting vulnerabilities to drop remote access tools. In the HabitsRAT case, the campaign was seen overlapping with infrastructure used in prior campaigns.

Webtoos

The Webtoos malware has DDoS capabilities and persistence mechanisms that could allow an attacker to perform additional activities. As reported by RiskIQ, Microsoft has seen Webtoos being deployed via the vulnerability. Attackers’ use of this malware or intent is not known at this time, but the campaign and infrastructure have been in use and have been targeting both Linux and Windows systems prior to this vulnerability.

A note on testing services and assumed benign activity

While services such as interact.sh, canarytokens.org, burpsuite, and dnslog.cn may be used by IT organizations to profile their own threat footprints, Microsoft encourages including these services in your hunting queries and validating observations of these in environments to ensure they are intentional and legitimate activity.

Microsoft security solutions help protect against and detect attacks

Microsoft 365 Defender

Microsoft 365 Defender coordinates multiple security solutions that detect components of observed attacks taking advantage of this vulnerability, from exploitation attempts to remote code execution and post-exploitation activity.

Diagram of attack chain of threats taking advantage of the Log4j RCE vulnerabilities

Figure 1. Microsoft 365 Defender solutions protect against related threats

Microsoft 365 Defender customers can click Need help? in the portal to open up a search widget. Customers can key in “Log4j” to search for in-portal resource, check if their network is affected, and work on corresponding actionable items to mitigate them.

Threat and vulnerability management

We have begun rolling out updates to the Threat and Vulnerability Management capabilities in Microsoft Defender for Endpoint to surface Log4j library components that are vulnerable to CVE-2021-44228 or CVE-2021-45046. These capabilities automatically discover vulnerable Log4j libraries in products and services installed on Windows clients and Windows servers.

As of this writing (12/16/2021), discoverability is based on the presence of vulnerable Log4j Java ARchive (JAR) files on Windows 10, Windows 11, and Windows Server 2008, 2012, and 2016. Cases where Log4j is packaged into an Uber-JAR or shaded are currently not discoverable, but coverage for these instances and other packaging methods is in-progress. Support for Linux and macOS is also in-progress and will roll out soon

Discovery results are seamlessly integrated into the existing Threat and Vulnerability Management experience, including a dedicated recommendation with full data about scan findings, providing visibility into all devices and all paths where vulnerable versions of Log4j were identified on the device:

  • Attention required: Devices found with vulnerable Apache Log4j versions

Screenshot of Threat and Vulnerability Management recommendation

Figure 2. Threat and Vulnerability recommendation “Attention required: Devices found with vulnerable Apache Log4j versions”

Screenshot of Threat and Vulnerability Management recommendation Exposed path tab

Figure 3. Threat and Vulnerability Management recommendation provides customers the capability to investigate possibly vulnerable devices via Exposed devices and Exposed paths

Note: Scan results may take some time to reach full coverage, and the number of discovered devices may be low at first but will grow as the scan reaches more devices. Beyond the aforementioned file scanning approach to identify vulnerable JAR files, a regularly updated list of vulnerable products can be viewed in the Microsoft 365 Defender portal with matching recommendations. As Microsoft and the industry develops a more comprehensive understanding of the impact of this vulnerability, we anticipate this list will continue to grow and be continuously reviewed and updated for greater precision and coverage based on new feedback.

Through device discovery, unmanaged devices with products and services this vulnerability are also surfaced so they can be onboarded and secured.

Screenshot of software inventory in Microsoft Defender for Endpoint

Figure 4. Finding vulnerable applications and devices via software inventory

Microsoft Defender Antivirus

Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the majority of new and unknown variants. Microsoft Defender Antivirus detects components and behaviors related to this threat as the following detection names:

On Windows:

On Linux:

Microsoft Defender for Endpoint

Users of Microsoft Defender for Endpoint can turn on the following attack surface reduction rule to block or audit some observed activity associated with this threat.

  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Due to the broad network exploitation nature of vectors through which this vulnerability can be exploited and the fact that applying mitigations holistically across large environments will take time, we encourage defenders to look for signs of post-exploitation rather than fully relying on prevention. Observed post exploitation activity such as coin mining, lateral movement, and Cobalt Strike are detected with behavior-based detections.

Alerts with the following titles in the Security Center can indicate threat activity related to exploitation of CVE-2021-44228 on your network. Alerts that support both Windows and Linux platforms are indicated below:

  • Possible Log4j exploitation (CVE-2021-44228) – detects multiple behaviors, including suspicious command launch post-exploitation
  • Possible exploitation of CVE-2021-44228 (detects coin miners, shells, backdoor, and payloads such as Cobalt Strike used by attackers post-exploitation)
  • Possible Log4j exploitation (detects multiple behaviors, including suspicious command launch post-exploitation)
  • Suspicious script launched

The following alerts may indicate either successful exploitation or testing/scanning activity. Microsoft urges caution and advises customers to investigate:

  • Possible target of Log4j exploitation (CVE-2021-44228) – detects a possible attempt to exploit the CVE-2021-44228 vulnerability in a Log4j component of an Apache server in communication received by this device
  • Possible source of Log4j exploitation (CVE-2021-44228) – detects a possible attempt to exploit the CVE-2021-44228 vulnerability in a Log4j component of an Apache server in communication initiated from this device
  • Possible target of Log4j vulnerability (CVE-2021-44228) scanning – detects a possible attempt to scan for the CVE-2021-44228 vulnerability in a Log4j component of an Apache server in communication received by this device
  • Network connection seen in CVE-2021-44228 exploitation (detects network traffic connecting to an address associated with CVE-2021-44228 scanning or exploitation activity)
  • Log4j exploitation detected – detects known behaviors that attackers perform following successful exploitation of the CVE-2021-44228 vulnerability

Alerts with the following titles in the Security Center can indicate threat activity on your network but may not necessarily be related to exploitation of CVE-2021-44228. We are listing them here as well as these generic behavioral alerts can also trigger in customer environments and it is also highly recommended that they are triaged and remediated immediately:

  • Suspicious remote PowerShell execution
  • Download of file associated with digital currency mining
  • Process associated with digital currency mining
  • Cobalt Strike command and control detected
  • Suspicious network traffic connection to C2 Server
  • Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
  • Suspicious PowerShell command line
  • Suspicious LDAP query

Alerts with the following titles in the Security Center can indicate exploitation attempts against your network that may be successful or not, depending on whether the specially crafted exploit string ends up being processed by a vulnerable Log4j instance in your environment:

  • Exploitation attempt against Log4j (CVE-2021-4428) – This is part of a Microsoft 365 Defender chain event detection triggered in Microsoft Defender for Cloud Apps (formerly Microsoft Cloud Application Security) that detects attempts to exploit the CVE-2021-44228 vulnerability using a specially-crafted JDNI string (such as in the User-Agent) against cloud applications.

Screenshot of Microsoft 365 Defender alert

Figure 5. Microsoft 365 Defender alert “Exploitation attempt against Log4j (CVE-2021-4428)”

Microsoft 365 Defender advanced hunting queries

To locate possible exploitation activity, run the following queries:

Possible Malicious Indicators in Cloud Application Events

This query is designed to flag exploitation attempts for cases where the attacker is sending the crafted exploitation string using vectors such as User-Agent, Application or Account name. The hits returned from this query are most likely unsuccessful attempts, however the results can be useful to identity attackers’ details such as IP address, Payload string, Download URL, etc.

CloudAppEvents
| where Timestamp > datetime("2021-12-09")
| where UserAgent contains "jndi:" or AccountDisplayName contains "jndi:"
or Application contains "jndi:"
or AdditionalFields contains "jndi:"
| project ActionType, ActivityType, Application, AccountDisplayName, IPAddress, UserAgent, AdditionalFields

Possible vulnerable applications via Threat and Vulnerability Management

This query looks for possibly vulnerable applications using the affected Log4j component. Triage the results to determine applications and programs that may need to be patched and updated.

DeviceTvmSoftwareInventory
| where SoftwareName contains "log4j"
| project DeviceName, SoftwareName, SoftwareVersion

Screenshot of Microsoft 365 Defender advanced hunting

Figure 6. Finding vulnerable software via advanced hunting

Microsoft Defender for Office 365

To add a layer of protection against exploits that may be delivered via email, Microsoft Defender for Office 365 flags suspicious emails (e.g., emails with the “jndi” string in email headers or the sender email address field), which are moved to the Junk folder.

We also added the following new alert, which detects attempts to exploit CVE-2021-44228 through email headers:

  • Log4j Exploitation Attempt – Email Headers (CVE-2021-44228)

Figure 7. Sample alert on malicious sender display name found in email correspondence

This detection looks for exploitation attempts in email headers, such as the sender display name, sender, and recipient addresses. The alert covers known obfuscation attempts that have been observed in the wild. If this alert is surfaced, customers are recommended to evaluate the source address, email subject, and file attachments to get more context regarding the authenticity of the email.

Figure 8. Sample email with malicious sender display name

In addition, this email event as can be surfaced via advanced hunting:

Figure 9. Sample email event surfaced via advanced hunting

Microsoft Defender for Cloud

Microsoft Defender for Cloud’s threat detection capabilities have been expanded to surface ensure that exploitation of CVE-2021-44228 in several relevant security alerts:

On Windows:

  • Detected obfuscated command line
  • Suspicious use of PowerShell detected

On Linux:

  • Suspicious file download
  • Possible Cryptocoinminer download detected
  • Process associated with digital currency mining detected
  • Potential crypto coin miner started
  • A history file has been cleared
  • Suspicious Shell Script Detected
  • Suspicious domain name reference
  • Digital currency mining related behavior detected
  • Behavior similar to common Linux bots detected

Organizations using Microsoft Defender for Cloud can use Inventory tools to begin investigations even before there’s a CVE number. With Inventory tools, there are two ways to determine exposure across hybrid and multi-cloud resources:

Screenshot of Microsoft Defender for Cloud inventory tools searching by filters

Figure 10. Searching vulnerability assessment findings CVE identifier

Screenshot of Microsoft Defender for Cloud inventory tools

Figure 11. Searching software inventory by installed applications

Note that this doesn’t replace a search of your codebase. It’s possible that software with integrated Log4j libraries won’t appear in this list, but this is helpful in the initial triage of investigations related to this incident. For more information about how Microsoft Defender for Cloud finds machines affected by CVE-2021-44228, read this tech community post.

Microsoft Defender for IoT

Microsoft Defender for IoT has released a dedicated threat Intelligence update package for detecting Log4j 2 exploit attempts on the network (example below).  

Screenshot of Microsoft Defender for IoT detection for suspicious activity

Figure 12. Microsoft Defender for IoT alert 

The package is available for download from the Microsoft Defender for IoT portal (Click Updates, then Download file (MD5: 4fbc673742b9ca51a9721c682f404c41).  

Screenshot of Microsoft Defender for IoT intelligence udpate

Figure 13. Microsoft Defender for IoT sensor threat intelligence update

Microsoft Defender for IoT now pushes new threat intelligence packages to cloud-connected sensors upon release, click here for more information. Starting with sensor version 10.3, users can automatically receive up-to-date threat intelligence packages through Microsoft Defender for IoT.

Working with automatic updates reduces operational effort and ensures greater security. Enable automatic updating on the Defender for IoT portal by onboarding your cloud-connected sensor with the toggle for Automatic Threat Intelligence Updates turned on. For more information about threat intelligence packages in Defender for IoT, please refer to the documentation.

Microsoft Sentinel

A new Microsoft Sentinel solution has been added to the Content Hub that provides a central place to install Sentinel specific content to monitor, detect, and investigate signals related to exploitation of the CVE-2021-44228 vulnerability.

Screenshot of Log4j vulnerability detection solution in Microsoft Sentinel

Figure 14. Log4j Vulnerability Detection solution in Microsoft Sentinel

To deploy this solution, in the Microsoft Sentinel portal, select Content hub (Preview) under Content Management, then search for Log4j in the search bar. Select the Log4j vulnerability detection solution, and click Install. Learn how to centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions.

Figure 15. Microsoft Sentinel Analytics showing detected Log4j vulnerability

NOTE: We recommend that you check the solution for updates periodically, as new collateral may be added to this solution given the rapidly evolving situation. This can be verified on the main Content hub page.

Microsoft Sentinel queries

Microsoft Sentinel customers can use the following detection queries to look for this activity:

This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache. Attackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component.

This query hunts through EXECVE syslog data generated by AUOMS to find instances of cryptocurrency miners being downloaded. It returns a table of suspicious command lines.

This hunting query looks in Azure Web Application Firewall data to find possible exploitation attempts for CVE-2021-44228 involving Log4j vulnerability.

This hunting query identifies a match across various data feeds for IP IOCs related to the Log4j exploit described in CVE-2021-44228.

This hunting query helps detect post-compromise suspicious shell scripts that attackers use for downloading and executing malicious files. This technique is often used by attackers and was recently used to exploit the vulnerability in Log4j component of Apache to evade detection and stay persistent or for more exploitation in the network.

This query alerts on a positive pattern match by Azure WAF for CVE-2021-44228 Log4j exploitation attempt. If possible, it then decodes the malicious command for further analysis.

This hunting query helps detect suspicious encoded Base64 obfuscated scripts that attackers use to encode payloads for downloading and executing malicious files. This technique is often used by attackers and was recently used to the Log4j vulnerability in order to evade detection and stay persistent in the network.

This query alerts on attempts to terminate processes related to security monitoring. Attackers often try to terminate such processes post-compromise as seen recently to exploit the CVE-2021-44228 vulnerability.

This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to Log4j CVE-2021-44228. 

This query uses syslog data to alert on any suspicious manipulation of firewall to evade defenses. Attackers often perform such operations as seen recently to exploit the CVE-2021-44228 vulnerability for C2 communications or exfiltration.

This query uses various log sources having user agent data to look for CVE-2021-44228 exploitation attempt based on user agent pattern.

This hunting query looks for connection to LDAP port to find possible exploitation attempts for CVE-2021-44228.

This query uses syslog data to alert on any attack toolkits associated with massive scanning or exploitation attempts against a known vulnerability

This query uses syslog data to alert on possible artifacts associated with containers running images related to digital cryptocurrency mining.

This query looks for outbound network connections using the LDAP protocol to external IP addresses, where that IP address has not had an LDAP network connection to it in the 14 days preceding the query timeframe. This could indicate someone exploiting a vulnerability such as CVE-2021-44228 to trigger the connection to a malicious LDAP server.

Microsoft Sentinel also provides a CVE-2021-44228 Log4Shell Research Lab Environment for testing the vulnerability: https://github.com/OTRF/Microsoft-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell

RiskIQ EASM and Threat Intelligence

View Threat Intelligence on this CVE, including mitigation guidance and IOCs, here. Both Community users and enterprise customers can search within the threat intelligence portal for data about potentially vulnerable components exposed to the Internet. For example, it’s possible to surface all observed instances of Apache or Java, including specific versions. Leverage this method of exploration to aid in understanding the larger Internet exposure, while also filtering down to what may impact you. 

For a more automated method, registered users can view their attack surface to understand tailored findings associated with their organization. Note, you must be registered with a corporate email and the automated attack surface will be limited. Digital Footprint customers can immediately understand what may be vulnerable and act swiftly and resolutely using the Attack Surface Intelligence Dashboard Log4J Insights tab. 

Azure Firewall Premium 

Customers using Azure Firewall Premium have enhanced protection from the Log4j RCE CVE-2021-44228 vulnerability and exploit. Azure Firewall premium IDPS (Intrusion Detection and Prevention System) provides IDPS inspection for all east-west traffic and outbound traffic to internet. The vulnerability rulesets are continuously updated and include CVE-2021-44228 vulnerability for different scenarios including UDP, TCP, HTTP/S protocols since December 10th, 2021. Below screenshot shows all the scenarios which are actively mitigated by Azure Firewall Premium.

Recommendation: Customers are recommended to configure Azure Firewall Premium with both IDPS Alert & Deny mode and TLS inspection enabled for proactive protection against CVE-2021-44228 exploit.  

Screenshot of Azure Firewall Premium

Figure 16. Azure Firewall Premium portal

Customers using Azure Firewall Standard can migrate to Premium by following these directions. Customers new to Azure Firewall premium can learn more about Firewall Premium.

Azure Web Application Firewall (WAF)

In response to this threat, Azure Web Application Firewall (WAF) has updated Default Rule Set (DRS) versions 1.0/1.1 available for Azure Front Door global deployments, and OWASP ModSecurity Core Rule Set (CRS) version 3.1 available for Azure Application Gateway V2 regional deployments. We have updated rule 944240 “Remote Command Execution” under Managed Rules to help in detecting and mitigating this vulnerability by inspecting requests’ headers, URI, and body.

This rule is already enabled by default in block mode for all existing WAF Default Rule Set (DRS) 1.0/1.1 or OWASP ModSecurity Core Rule Set (CRS) 3.1 configurations. Customers using WAF Managed Rules would have already received enhanced protection for the Log4j 2 vulnerability (CVE-2021-44228); no additional action is needed.

Recommendation: Customers are recommended to enable WAF policy with Default Rule Set 1.0/1.1 on their Front Door deployments, or with OWASP ModSecurity Core Rule Set (CRS) version 3.1 on Application Gateway V2 to immediately enable protection from this threat, if not already enabled. For customers who have already enabled DRS 1.0/1.1 or CRS 3.1, no action is needed. We will continue to monitor threat patterns and modify the above rule in response to emerging attack patterns as required. 

Screenshot of Managed rules in Azure Web Application Firewall

Figure 17. Remote Code Execution rule for Default Rule Set (DRS) versions 1.0/1.1 

Screenshot of OWASP CRS Managed rules in Azure Web App Firewall

Figure 18. Remote Code Execution rule for OWASP ModSecurity Core Rule Set (CRS) version 3.1

Note: The above protection is also available on Default Rule Set (DRS) version 2.0, and and OWASP ModSecurity Core Rule Set (CRS) version 3.2, which is available under preview on Azure Front Door Premium and Azure Application Gateway V2 respectively. Customers using Azure CDN Standard from Microsoft can also turn on the above protection by enabling DRS 1.0. 

More information about Managed Rules and Default Rule Set (DRS) on Web Application Firewall can be found here. More information about Managed Rules and OWASP ModSecurity Core Rule Set (CRS) on Web Application Firewall can be found here.

Indicators of compromise (IOCs)

Microsoft Threat Intelligence Center (MSTIC) has provided a list of IOCs related to this attack and will update them with new indicators as they are discovered: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample Data/Feeds/Log4j_IOC_List.csv

Microsoft will continue to monitor this dynamic situation and will update this blog as new threat intelligence and detections/mitigations become available.

Total
0
Shares
Leave a Reply

Your email address will not be published.

Previous Post

The difficulties of policing remote work – The Economist

Next Post

Microsoft Edge: 5 Features To Turn Off Right Now – Forbes

Related Posts