<h1>Two CyCognito Log4j2 Testing Modules</h1>

<p>By Jim Wachhaus, CyCognito Blog (Product). Published 2021-12-21, last modified 2024-01-22. Tags: Log4j, Log4Shell.</p>

<p>We here at CyCognito have been talking about the importance of visibility, specifically external visibility into your attack surface and the vulnerabilities and security gaps in that attack surface, for several years now. The <a href="/blog/how-to-improve-security-posture/">SolarWinds</a> and <a href="/blog/accellion-supply-chain-attack/">Accellion</a> attacks, the <a href="/blog/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface/">MS Exchange zero-day</a> and the <a href="/blog/all-organizations-such-as-colonial-pipeline-are-under-threat-of-ransomware/">Colonial Pipeline</a> ransomware, and now the Apache Log4j vulnerabilities (aka Log4Shell) each prove just how important this contextualized visibility really is. When something like Log4j is uncovered, it’s imperative to see your attack surface the way your attackers do and to respond quickly to combat them. To help you understand how we do that, and how we ourselves respond when a critical vulnerability like this is uncovered, here’s a quick timeline of how we responded and a technical walk-through of our Active Detection Module and the other steps we’ve taken to keep our customers and our own infrastructure protected.</p>

<h2 class="wp-block-heading">Query-Based Response</h2>

<p>When news hit of <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a> on Friday, December 10, CyCognito security researchers swung into action building a <a href="/blog/setup-your-log4j-response-plan/">response plan</a>. By Saturday night we had released a <a href="/blog/apache-log4j-vulnerability-cve-2021-44228-aka-log4shell/">post</a> explaining the issues, describing the actions we were taking, and guiding our customers on how to use insights from the CyCognito platform to find and eliminate this issue in their environments before attackers could take advantage of the critical vulnerability in the ubiquitous Apache Log4j open source code. The first part of that response was what we dubbed our “QUERY-BASED RESPONSE”.</p>

<p>While this was happening, CyCognito analysts began compiling a list from GitHub, threat intelligence sources and our own research to determine which enumerated platforms, services, and applications were affected, and that list of <a href="/blog/log4j-risky-business/">Technologies Impacted by Log4j2</a> went live immediately. Next, our developers pushed an in-platform message to users of the CyCognito platform that provides customers with a passive query they can run in the platform to filter on the technologies from the vulnerable products list and see whether those technologies are present in their attack surface. The message includes the ability to automatically search their organization’s attack surface for vulnerable assets, because the CyCognito platform already holds detailed classification and fingerprinting information about all technologies in the customer’s external attack surface.</p>

<p>The underlying query and the list of impacted technologies are continuously updated as new vulnerable technologies are identified. As of December 17, the query looks like this:</p>

<pre><code>service contains_any {logstash, flink, druid, struts, solr, atlassian, jboss, vmware, metabase, cisco:sd-wan_vmanage, cisco:identity_services_engine, cisco:unified_communications_manager, ibm:curam_social_program_management, sysaid, coldfusion, spark, epolicy_orchestrator, tapestry, oracle:e-business_suite, kaseya:virtual_system_administrator, manageengine:adaudit_plus, graylog, ibm:websphere_portal, couchbase:couchbase_server, forcepoint:email_security, github_enterprise, netiq:access_manager, linoma:goanywhere_mft, graylog}</code></pre>

<p>It should also be noted that when news broke that a <em>second</em> related vulnerability (<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046">CVE-2021-45046</a>) affected assets with log4j2 <em>already patched</em> to version 2.15.0, the existing Query-Based Response was already detecting that issue, because it keys on the technologies known to be impacted rather than on a specific Log4j version. And while this post was being written, a third vulnerability (<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105">CVE-2021-45105</a>) was uncovered, affecting patch levels below 2.16.0 with an exploit that uses infinite recursion in lookup evaluation to cause a denial of service (FYI: your current version should now be <a href="https://logging.apache.org/log4j/2.x/security.html">2.17.0</a>). If there is a bright side to this messy situation, with three vulnerabilities and three patches in a week, it is that the two subsequent exploits result in denial of service rather than remote code execution. That is not much of a bright side.</p>

<h2 class="wp-block-heading">Active Detection Module</h2>

<p>CyCognito’s second response was to develop an “ACTIVE DETECTION MODULE” because of shortcomings in the Query-Based Response, notably false positives. While the query is fast and runs against existing data, it cannot distinguish between vulnerable and non-vulnerable systems: it tells you a potentially affected technology is present, not whether that instance is still exploitable. In other words, it was a perfect place to start in self-assessment, tracing, and prioritization of the external attack surface, but it wasn’t accurate enough after vaccines and cures were applied. We needed a 100% accurate test. So we built an LDAP system (Step 0) that could benignly receive responses from vulnerable systems, and we used the CyCognito anonymous botnet to send challenges to all active IP addresses (Steps 1 and 2). Each challenge is sent from the botnet with a unique identifier (UID) that maps to the IP address being challenged (Step 3).</p>

<p>An interesting aspect of this Log4Shell exploit is that the challenge is “contagious.” Systems will pass the logged message on to other systems they are connected to, which means the challenge propagates the way an attack would (Step 4). Perhaps the first implementation of the vulnerability as a contagious inoculation was <a href="https://github.com/Cybereason/Logout4Shell">Cybereason’s LogOut4Shell</a>. The primary difference in the CyCognito approach is that no code is placed on or changed on the vulnerable systems. When they are vulnerable, they contact our LDAP system and tell our platform the UID they are responding to (Step 5). The CyCognito platform then correlates response UIDs with our IP list to report a Log4j vulnerability with 100% confidence (Steps 6 &amp; 7): a system that never calls back is not flagged, and a system that does call back has demonstrated the lookup actually fired.</p>

<p>Thus it’s time to cure, vaccinate, quarantine, or mask those systems that respond, because we are 100% confident they are exploitable.</p>

<p>To help you respond as quickly as possible, the CyCognito platform has tremendously flexible and powerful workflows to assist. As always at CyCognito we are here to help, and if you have any questions please <a href="/contact/">contact us</a>.</p>