On December 9, 2021, the Apache Log4j vulnerability – which affects the popular Apache Foundation Log4j library – was disclosed to the public over Twitter. In the days following the event, IT and SecOps teams scrambled to patch these vulnerabilities. But log4j is a popular piece of code, which means that patching takes time. That’s why, in this blog, we highlight the ways that Cisco Umbrella can protect uses against attacks leveraging this vulnerability while IT teams patch their infrastructure.
Understanding the Need for Defense
The Apache Log4j vulnerability – tracked as CVE-2021-444228 – received a CVSS severity score of a maximum 10.0. It’s widely believed to be an easy exploit, and the additional vulnerabilities found prompted the release of CVE-2021-45046 and CVE-2021-4104.
Cisco Talos first released updated Snort rules on December 10, 2021. As of the writing of this post, the relevant cumulative list of Snort SIDs is:
- 58722-58744
- 58751
- 58784-58790
- 58795 300055-300058
Cisco Secure customers should continue to check for Snort rule updates out of band via automatic or manual updates as needed. Checking for new Snort SRU/LSP updates at least daily is recommended.
Detecting and Blocking Threats With Cisco Umbrella
Cisco Umbrella Secure Internet Gateway (SIG) is a cloud-delivered security service that blocks users from connecting malicious domains, IPs, and URLs. It protects networks against threat-related activities associated with the Apache Log4j vulnerability in multiple ways, including by:
- Protecting users both on and off the corporate network
- Leveraging the log4j-related rules in cloud-delivered firewall with Snort IPS to detect malicious activity associated with this vulnerability
Additionally, security teams may update the Cisco Umbrella dashboard to provide attribution for the currently known and future IoCs related to the Apache Log4j exploit within Umbrella’s threat reporting.
Want to know what further steps you can take to mitigate the risk of compromise in your organization using Cisco Umbrella? Here’s where you can start:
Use DNS-Layer Security to Block Certain Threats Early
Cisco Umbrella DNS-layer security blocks any requests initiated by malicious domains known to be associated with the Apache Log4j vulnerability. By forwarding your external DNS traffic to Cisco Umbrella, your team can utilize faster, more reliable, and more secure connectivity.
Because DNS is the first step in most internet connections, Cisco Umbrella serves as a first line of defense against many cyber threats. Using Umbrella, your team can:
- See all internet traffic across users
- Block attacks earlier, before they reach endpoints or your organization’s network
- Contain malware that is already in your network by blocking callbacks to attacker infrastructure
- Easily enforce web filtering using 80+ content categories
- Manage and block cloud applications
- Gain context for faster investigations
In short, Cisco Umbrella DNS-layer security allows administrators to block known malware, DNS tunneling, and even newly seen domains.
What does this have to do with the Apache Log4j vulnerability? As of publication, the following related domains have been flagged as malicious by Cisco Talos and are blocked by Cisco Umbrella:
- x41[.]me
- m3[.]wtf
- cuminside[.]club
- abrahackbugs[.]xyz
- pwn[.]af
- rce[.]ee
- psc4fuel[.]com
- rs3c1[.]com
- leakix[.]net
- dnslog[.]cn
- requestbin[.]net
As seen in the figure below, a quick query against the Umbrella Investigate API will show them as malicious or risky.
Cisco Umbrella has many security controls that can be implemented on DNS requests, including those that block requests associated with malware, DNS tunneling, newly seen domains, and more.
Use Cloud-Delivered Firewall and IPS to Prevent Vulnerability Exploits
Cisco Umbrella cloud-delivered firewall layers 3, 4, and 7 (application visibility and control) now include intrusion prevention system (IPS), a powerful added layer of protection that examines network traffic and prevents vulnerability exploits. Cisco Umbrella IPS uses the latest Snort 3 technology, as well as signature-based detection from Cisco Talos (which features 40,000+ signatures). With IPS, your team can create firewall policies that analyze traffic from requests originating in your organization. You can also automate actions to catch and drop dangerous packets before they reach their target.
In the weeks immediately following the announcement of the Apache Log4j vulnerability, Cisco Talos created and updated Snort signatures for the detection and blocking of related malicious traffic. Cisco Umbrella IPS immediately received and enforced protection related to those updates. In the image below, you can see these signatures’ presence in the IPS Signature List under Policy Components:
Utilize Cisco Umbrella Secure Web Gateway on All Web Traffic
Cisco Umbrella Secure Web Gateway (SWG) provides more control, transparency, and protection for web traffic. The SWG functionality provides cloud-native full proxy capabilities to improve performance and reduce risk. It efficiently logs, inspects, and controls web traffic at the URL level.
Cisco Umbrella SWG can block the IPs listed in the threat feeds it consumes. Your team can securely test what is blocked or not within the Umbrella SWG by utilizing the web policy tester available at the top, right-hand side of the Web Policies dashboard (as seen in the figure below).
For example, if you can test Cisco Umbrella against one of the log4j IOC IPs listed by Cisco Talos, like 210.141.105[.]67, and one of their listed IOC URLs, like hxxp[:]//18.288.7[.]109/.l/pty1. When we do this, we can see that Cisco Umbrella effectively blocks HTTP communications, protecting networks from exploitation.
Leverage Threat Intel Provided by Umbrella Investigate
Of course, Cisco Umbrella does more than provide enforcement based on Cisco Talos intel. This cybersecurity solution also provides users with access to that information via the Umbrella Investigate console and API. This allows for better, faster triage.
Umbrella Investigate is designed to:
- Be a single, correlated source with the most complete view of the relationships between (and the evolution of) domains, IPs, autonomous systems (ASNs), and file hashes
- Add the security context a team needs to help uncover and predict threats
- Provide rich intelligence and visibility that enables analysts to better prioritize their incidents and speed up investigations
- Be integrated with existing security data in a SIEM tool
One of the biggest differentiators that sets Umbrella Investigate apart is the fact that it brings together many pieces of information automatically. Without the correlated intelligence of Umbrella Investigate, organizations would need to gather this information from other sources. Not only is this time-consuming, but it only shows one piece of the puzzle. Security teams would have to figure out correlations and connections manually.
When it comes to log4j, the Umbrella Investigate console can help teams examine domains associated with threat actors exploiting the vulnerability. For example, Full DNS View shows the categories associated with the domain zupertech[.]com and provides a full timeline of associated DNS activity:
Not only does Umbrella Investigate have information on domain security and history, but it also has information on malicious file samples associated with the domain.
Use Cisco Umbrella and SecureX to Perform Threat Hunting
While Cisco Umbrella combines robust threat intelligence with the ability to block threats at the DNS or IP layers, what can security teams do if a new threat is announced? Is there a way to see if anything in the organization has been compromised? Well, actually, there is.
When used in tandem with SecureX, Umbrella Investigate API can scan articles in search of the IoCs. Teams can then take those IoCs and cross-reference them against Umbrella Reporting API to see if any device in the environment has had traffic that matches any of the IoCs. This can all be accomplished by leveraging the SecureX Orchestrator capabilities in the platform.
When Cisco Umbrella data is integrated into SecureX, teams can:
- Reduce research and response times with workflows and playbooks that execute at machine speed
- Eliminate repetitive tasks and reduce MTTR to increase productivity and focus on mission-critical projects
- Leverage automation that scales indefinitely and never takes a day off, delivering the same SLA around the clock
Below, we can see an example of workflow automation in SecureX Orchestrator that periodically runs a playbook for querying a blog or feed. As you can see, building the workflow is intuitive:
In the following image, you can see some Threat Response Casebooks created with the observables found:
Ready to Strengthen Your Response to the Apache Log4j Vulnerability?
Request a demo of Cisco Umbrella today to learn how this solution can fit into your cybersecurity stack. Or, start a free trial to experience the threat hunting and remediation capabilities of Umbrella.
Note: The steps and information above show how Cisco Umbrella can provide enhanced visibility into unusual or suspicious activity. The examples are not meant to be all-encompassing for the Apache Log4j vulnerability, as additional attack vectors have recently been identified and will continue to be identified in the coming days. Readers should use the examples above to examine their own environment based on up-to-date threat intelligence.
While information regarding the attack techniques is still evolving, the most common vectors involve a vulnerable server accessing a malicious LDAP server to be full exploited. With this in mind, these are steps that the Cisco Umbrella network and security administrators can take to verify activity and mitigate attacks on their systems.
