Getting Ahead of Log4Shell-enabled Cyberattacks: New Attack Scenarios and Technical Recommendations


Newly developed MITRE ATT&CK-aligned scenarios test your security controls using AttackIQ’s Network Control Validation Module and the AttackIQ Anatomic Engine, emulating the adversary with specificity and realism to validate your compensating controls and improve your overall cybersecurity readiness.

Written by Mark Bagley, VP for Product, and Jonathan Reiber, Senior Director for Cybersecurity Strategy and Policy

Introduction

When a new security vulnerability is discovered, security teams work diligently to understand the risks that it poses and to patch the vulnerability. The problem is exacerbated when the new vulnerability is severe, like the new Log4Shell vulnerability. Discovered on December 9, 2021, Log4Shell has strained normal security operations and teams, and led the U.S. Cybersecurity and Infrastructure Agency (CISA) to release guidance and an emergency directive requiring government agencies to patch the vulnerability and urging the private sector to do the same.

This article focuses on what is known about the vulnerability and outlines specific technical steps that security teams can take now with the MITRE ATT&CK framework and AttackIQ’s Security Optimization Platform and Network Control Validation module to validate that your compensating security controls will perform against the potential attack tactics, techniques, and procedures that intruders might employ using the exploit. Our goal in releasing new content is to help you elevate your defensive performance – your people, processes, and technologies – against the threat behaviours likely to impact your organization.

First, let us start with what we know about the vulnerability.

Log4j and the Log4Shell Vulnerability: What Is It and How Does it Work?

Log4j is an open-source logging framework, created by the Apache Foundation, which has been used in a myriad of software applications and frameworks. As CISA said in its guidance about the vulnerability, “Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.” Written in Java, it is general-purpose software that allows applications to log various data points depending on what function the application performs and what data needs to be captured.

Because of Log4j’s free Apache license and flexibility to run anywhere, it has become ubiquitous. Consequently, the scale of its usage, its trivial remote exploitability, and other factors make its exploitation and potential exploitation deeply impactful. The Log4Shell exploit targets a critical vulnerability in Log4j – CVE-2021-44228 – which, when exploited, allows for unauthenticated remote code execution (RCE) anywhere a vulnerable instance of Log4j is running. Versions from 2.0-beta9 to 2.15.0 are vulnerable.
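An inventory check built on the version range stated above, added here as an example (it is not AttackIQ's or Apache's code): it walks a directory, reads the version from `log4j-core-<version>.jar` file names, including copies bundled inside WAR, EAR, or fat JAR archives, and reports those inside the article's range. The `JndiLookup.class` presence check and the sample archive names are assumptions of this example.

```python
import re
import tempfile
import zipfile
from pathlib import Path

STAGE = {"alpha": 0, "beta": 1, "rc": 2, "": 3}    # pre-releases sort before the release
NAME_RE = re.compile(r"log4j-core-(\d[\w.\-]*?)\.jar$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def version_key(text):
    """'2.0-beta9' -> sortable tuple; None if the text is not a plain version."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text, re.I)
    if m is None:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            STAGE[(stage or "").lower()], int(num or 0))

def in_article_range(text):    # the range this article states: 2.0-beta9 to 2.15.0
    key = version_key(text)
    return key is not None and version_key("2.0-beta9") <= key <= version_key("2.15.0")

def scan(root):
    """Yield (location, version, JndiLookup.class present); None = bundled jar not opened."""
    for path in sorted(Path(root).rglob("*.[jwe]ar")):
        try:
            with zipfile.ZipFile(path) as zf:
                names = zf.namelist()
        except (zipfile.BadZipFile, OSError):
            continue                                   # not a readable archive
        where = path.relative_to(root).as_posix()
        for label, name in [(where, path.name)] + [(f"{where}!{n}", n) for n in names]:
            m = NAME_RE.search(name)
            if m and in_article_range(m.group(1)):
                present = (JNDI_CLASS in names) if label == where else None
                yield (label, m.group(1), present)

def build_sample_tree(root):    # constructed sample input with empty placeholder entries
    layout = {"app.war": ["WEB-INF/lib/log4j-core-2.0-beta9.jar"],      # bundled copy
              "log4j-core-2.12.0.jar": ["META-INF/MANIFEST.MF"],        # lookup class removed
              "log4j-core-2.14.1.jar": [JNDI_CLASS], "log4j-core-2.17.0.jar": [JNDI_CLASS]}
    for name, entries in layout.items():
        with zipfile.ZipFile(Path(root) / name, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan(tmp), sep="\n")
```

Matching is by file name only, so renamed or shaded copies of the library are not found this way.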

How does it work?

The vulnerability is exploited by sending a specific input string, which leads Log4j to perform a lookup and then execute the injected code via the Java Naming and Directory Interface (JNDI). Injected code is provided by a server under control of the adversary running the exploit, thus making this multi-step exploit tremendously flexible. To wit, adversaries have been observed using this exploit to land remote-access trojans (RATs), ransomware, and toolchains such as Cobalt Strike on systems post-exploitation, achieving persistence and the ability to run reconnaissance inside the environment they have exploited.

Using MITRE ATT&CK to Validate Your Security Against Log4Shell

The MITRE ATT&CK matrix and its catalogue of tactics, techniques, and procedures (TTPs) help you reduce complexity in understanding the techniques that an adversary uses in conducting an attack from the exploit, as described in this pictogram:

As the pictogram illustrates:

  • The vulnerability permits a public-facing application to be exploited (ATT&CK T1190).
  • Once the vulnerability has been successfully exploited, it permits reflective code loading – the transfer of the initial remote code execution (ATT&CK T1620).
  • These tactics allow additional adversary payloads to be delivered for persistence and subsequent activities both on target and in the target’s environment (ATT&CK T1105).

For additional technical details, including the formatted string and the format for initial reflective code loading, please review our first blog here. For more on the alignment of MITRE Common Vulnerabilities and Exposures (CVE) catalogue to the MITRE ATT&CK framework, please see the CISO’s Guide to Better Vulnerability Management Using MITRE ATT&CK and the research of MITRE Engenuity’s Center for Threat-Informed Defense, found on its GitHub page, Mapping ATT&CK to CVEs for Impact.

How AttackIQ Can Help with Log4Shell

AttackIQ helps security teams by offering a simple and effective means of evaluating the performance of defensive technologies capable of blocking attempts to exploit the Log4Shell vulnerability. We do this by executing our adversary behaviour content, called “scenarios,” in a variety of testing modalities that emulate the adversary with realism and specificity through two capabilities: the Network Control Validation module and the AttackIQ Anatomic Engine (embedded in the platform).

AttackIQ’s Network Control Validation module, coupled with our scenarios, allows for a single selection to be made in the AttackIQ platform with a realistic emulation of Log4Shell’s full exploitation, even in multi-protocol use-cases across complex Internet-facing topologies. For users who want more control of their emulation, or to drive additional validation by altering the remote code execution phases of the exploit, AttackIQ’s Anatomic Engine can help by stringing tactics and techniques into a chain. By chaining the tactics and techniques together in an attack graph (what some call “attack flows”), you can test your compensating security controls automatically and continuously at scale across your organization to ensure that they perform as intended.

The AttackIQ Anatomic Engine is uniquely suited to executing a multi-stage attack for the purposes of control validation, useful for altering the remote code execution phases of the exploit to incorporate user-observed adversary activity from cyberthreat intelligence sources, and when channels for incursion and exfiltration of data differ, as we have observed in the early days of exploitation in the wild. The AttackIQ Security Optimization Platform performs this testing safely in a production environment to mirror adversary behaviours with realism.

In response to Log4Shell, to date AttackIQ has released a blog and hosted a webinar discussing Log4Shell, and will host a technical demonstration of these capabilities on December 21, 2021, at 10 AM PT / 1 PM ET / 6 PM GMT. In advance of that technical demonstration, the remainder of this paper will discuss the technical content that we have released and describe how you can put it to use.

AttackIQ Scenarios

The first two AttackIQ scenarios relevant for evaluating your compensating security control’s performance are:

  1. Log4Shell (CVE-2021-44228) Signature-Based Web Request
  2. Log4Shell (CVE-2021-44228) Signature-Based Web Requests (multiple payloads)

These scenarios work on the first part of the exploitation process detailed above in the “How does it work?” section by sending the crafted string or strings with benign payloads to validate blocking the crafted web request. This directly corresponds to MITRE ATT&CK technique T1190.

Anatomic Engine

As we discussed above in “How AttackIQ Can Help,” these scenarios can be combined into an attack graph which is executed by the Anatomic Engine. This attack graph combines steps observed by AttackIQ in real-world intrusions with those that have been observed by other organizations in the wild, and addresses ATT&CK techniques T1620 and T1105. For additional context, please see Microsoft’s observations here.

The attack graph example below shows how an attacker can use Log4Shell to place a Cobalt Strike payload on a system, which then launches a cryptominer and takes the additional step of establishing registry persistence. This attack graph is a good jumping-off point for establishing the validation of multiple security technologies behind the Log4Shell method of initial access, uncovering other potential coverage gaps in an organization’s defensive stack. To gain additional insights into your security control technologies’ performance, simply change out the final payload and persistence methods with one of the many already included in the AttackIQ Security Optimization Platform.

[Figure: Log4Shell (CVE-2021-44228) – 2021-12-14 – Post-Compromise Example Attack Graph]

Network Control Validation

As we discussed earlier in “How AttackIQ Can Help,” we have included other scenarios in the AttackIQ Security Optimization platform to offer a one-touch approach for evaluating defensive performance across a full exploitation flow, with the addition of employing a multi-protocol approach to exploiting the vulnerability. Simply select a control technology, your desired test points, and you are ready to test.

Network Control Validation Scenarios

  • PCAP (packet capture) Replay – Log4Shell exploit (CVE-2021-44228)

The above scenario includes the initial web request, followed by an LDAP query, and the insertion of Java code from the adversary’s server-side, which then brings the remote code execution to life. All the previous MITRE ATT&CK TTPs (T1190, T1620, and T1105) are reflected in this scenario.

  • PCAP Replay – Exfiltrate AWS credentials over DNS using Log4Shell (CVE-2021-44228)

This scenario demonstrates the further combination of a DNS exfiltration technique that illustrates how an adversary could exploit the vulnerability to leak environment variables containing AWS credentials and progress through subsequent tactics across the kill-chain in an infrastructure-as-a-service environment. All previously referenced MITRE ATT&CK TTPs (T1190, T1620, and T1105) are reflected in this scenario, as are Automated Collection (T1119) and Automated Exfiltration (T1020).
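A defender-side view of the sequence the first PCAP scenario replays (web request, then an LDAP query from the server, then code delivered from outside), added here as an example rather than AttackIQ's content: it correlates connection records per server and reports where in that sequence an egress control stopped the flow. The record layout, the `service` and `action` fields, the 10.0.0.0/8 internal range, the 10-second window and the modelling of code delivery as an outbound HTTP fetch are assumptions of this example.

```python
import ipaddress
from collections import namedtuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # assumption: the site's internal range
WINDOW = 10                                       # seconds allowed between stages (assumption)
Flow = namedtuple("Flow", "ts src dst service action")

# Constructed connection records (documentation address ranges), not captured traffic.
FLOWS = [
    Flow(100, "203.0.113.7", "10.0.1.20", "http", "allow"),   # inbound web request
    Flow(101, "10.0.1.20", "203.0.113.7", "ldap", "allow"),   # server-initiated LDAP query
    Flow(102, "10.0.1.20", "203.0.113.7", "http", "allow"),   # code retrieved from outside
    Flow(200, "198.51.100.9", "10.0.1.21", "http", "allow"),
    Flow(201, "10.0.1.21", "198.51.100.9", "ldap", "block"),  # egress control stopped it
    Flow(300, "198.51.100.4", "10.0.1.22", "http", "allow"),  # ordinary request
    Flow(400, "10.0.1.20", "10.0.5.5", "ldap", "allow"),      # internal directory lookup
]

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def next_egress(flows, server, service, after):
    """First flow of `service` from `server` to an external host within WINDOW of `after`."""
    for f in flows:
        if (f.src == server and f.service == service and not is_internal(f.dst)
                and after <= f.ts <= after + WINDOW):
            return f
    return None

def trace_chains(flows):
    """Per inbound web request: how far the request -> LDAP -> code retrieval sequence got."""
    flows = sorted(flows, key=lambda f: f.ts)
    results = []
    for req in flows:
        if req.service != "http" or is_internal(req.src) or not is_internal(req.dst):
            continue
        stage = "request-only"
        ldap = next_egress(flows, req.dst, "ldap", req.ts)
        if ldap:
            stage = "ldap-blocked" if ldap.action == "block" else "ldap-egress"
            fetch = ldap.action == "allow" and next_egress(flows, req.dst, "http", ldap.ts)
            if fetch:
                stage = "fetch-blocked" if fetch.action == "block" else "code-fetched"
        results.append((req.dst, req.ts, stage))
    return results

if __name__ == "__main__":
    for row in trace_chains(FLOWS):
        print(row)
```

A `code-fetched` row for a replayed test means no control interrupted the sequence; `ldap-blocked` or `fetch-blocked` shows which stage a compensating control caught.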

Conclusion

The AttackIQ Security Optimization Platform emulates a range of attack patterns and supports multiple testing modalities to validate your security program effectiveness during a dynamic situation. Not only can you use the AttackIQ Security Optimization Platform to test individual compensating controls, but with the Anatomic Engine you can test your security program against a chain of evolving payloads, beginning with the Log4Shell vulnerability. By conducting a comprehensive evaluation, informed by the MITRE ATT&CK framework, you can get ahead of the adversary by testing your program beyond what has already been observed in the wild. In short, you can use the platform to anticipate tactics and techniques and validate your controls in advance of a real-world attack.

AttackIQ’s got your six. To learn more, please join our live demo on December 21, 2021. Register here.