Randori Attack Team CVE-2021-44228 Log4j 2 Vulnerability Analysis

December 15, 2021

Using Randori Recon to Understand Your Log4j Exposure

By: Ian Lee

Share on facebook
Share on twitter
Share on linkedin

This is an evolving situation. If you need to understand your exposure, please reach out in the chat below or click here to see if you have Log4j on your external attack surface.

Since news of the Log4j vulnerability broke on Thursday, December 9, Randori has been at the forefront of helping the community understand this bug and why it’s such a big deal. In this blog, I want to focus on what Log4j says about the state of Attack Surface Management (ASM) and how our customers have used Randori to quickly understand if (and how badly) they’re exposed. 

Right now the internet is on fire. Attackers are actively scanning the internet, looking for systems to exploit. At the same time, defenders are hard at work trying to determine their exposure. Our data here at Randori suggests that nearly every medium or large company is impacted.

While Randori customers began receiving notifications of their exposure within hours, it’s clear that many organizations are still struggling to understand what’s running, what’s vulnerable, and what their real-time exposure is to Log4Shell.

 Log4J Discovery & Exploitation Timeline

On average, according to data from ESG, it takes organizations more than 100 hours and data from 10 tools to compile a complete view of their attack surface. For comparison, it took the Randori Attack Team just over 5 hours of research to have a working Log4j exploit developed and landed in customer environments. We don’t expect it took the bad guys any longer. 

This has to change. If Log4Shell has exposed anything about security it’s the the gap between our perception and the hard reality of our situation is bigger than we thought. 

Before the Log4Shell news, 7 in 10 organizations had already admitted to having been compromised via an internet-facing device. When the dust has cleared from Log4Shell, that number is likely to be more like 9 in 10. 

The Case for ASM: Closing the Gap Between Perception & Reality

Right now, security teams are in the early stages of a marathon. The task of identifying and mitigating the risk from Log4j is not going away anytime soon. If Shellshock and Heartbleed have taught us anything, it’s that organizations will be finding vulnerable Log4j systems for years to come. The race is on right now to find those that are internet-facing before attackers do. 

In their latest guidance, CISA has made clear that the first step any organization must take is to close the gap between perception and reality, by enumerating every internet-facing assets using Log4j. 

Unfortunately, this is no easy task. The average enterprise attack surface is made up of more than 65,000 assets. Compiling this data takes the average organization more than 100 hours, but External Attack Surface Management (EASM) solutions can answer the same questions in seconds. 

Being able to quickly understand what’s exposed when critical vulnerabilities break doesn’t only saves security teams time – it can mean the difference between a successful rapid response and security incident. 

In the case of Log4j, hours matter. GreyNoise saw attackers begin to exploit exposed services within hours of release. Within 24 hours, they were seeing signs of widespread exploitation across the internet. More recently, Cloudflare said they were seeing 1,000/exploitation attempts a second.  

Attackers have invested millions in technology to quickly scan the internet and identify vulnerable systems; less than 1 in 3 security teams have the same view for their environment.  

Attack Surface Management solutions like Randori Recon provide organizations with the same visibility. Recon, and tools like it, allow security teams to quickly understand what’s exposed, what’s most exploitable and which assets are most likely to be hit first. 

If you don’t have access to an ASM solution and need to understand your exposure, please reach out. Due to the severity of this issue, Randori is offering any enterprise free access to Randori Recon during this time. 

What Sets Randori Apart: Attacker Insight Into Every Target

Within a matter of hours of hours of learning about the bug on Twitter, the Randori Attack Team were perhaps the first in the world to develop a working exploit and confirm exploitability in real-world environments. 

More importantly, we were the first ASM solution to begin notifying our customers of their exposure to this bug. Randori customers were receiving notifications before a CVE # had even been assigned. This provides our customers not only with technical insight into the bug within hours, but more importantly a specific list of their internet-facing assets we suspected to be impacted. 

To help ensure the security of the broader community, we concurrently published our technical analysis and spent hours throughout the night and following day working with vendors to provide their teams with technical knowledge of how this was exploited to assist their teams in the development of patches & mitigations. 

In comparison, it took some of our ASM competitors more than 96 hours to begin providing customers with similar insights. 

Why? Randori is backed by real attackers. This enables us to not only aggregate existing threat and vulnerability intelligence but also, in the case of Log4j, quickly apply our expertise to validate claims and develop new insights. 

We’ve invested millions in building out the world’s first Hacker Operations Center – staffed 24/7 with some of the world’s foremost experts in offensive security. While every ASM tool provides scan data, when big news breaks only Randori provides the attacker’s perspective. 

How Randori is Helping Organizations Understand Their Log4j Exposure

In the video below, Alon Sadeh, director of sales engineering, demonstrates how Randori customers can use our Recon EASM product to understand their exposure to Log4j. 

How We’re Future Proofing Our Customers for the Next Log4j   

In the 96 hours following the release of this bug, two-thirds of Randori Attack customers were proving to be highly resilient to exploitation. While the vulnerability allowed us to gain a foothold, exfiltrating data or moving laterally was much harder thanks to the proactive investments they had made.

For those asking how could I prevent this next time? Here is the advice we have been giving our customers: 

  1. There will always be another bug. This has always been our reality. It’s our reality today. It will be our reality tomorrow. 
  2. Patching can’t be the only answer. Regarding CVE-2021-44228, the community will be finding new vulnerable apps for months to come — we cannot patch our way out of this one anytime soon. In lieu of a catch-all solution, we need to make our networks resilient to attack.
  3. Exploitation increases after disclosure. The market is in a fever — an exploit has been published, new apps are being targeted, and the countdown is on to news of the first compromise breaking.
  4. You can be resilient in the face of a compromise. It requires investments in the fundamentals, a commitment to proactive testing and a redefinition of success. Success cannot be lack of compromise — you’ll never win. But if you can focus on the fundamentals, respond quickly when compromise occurs and protect what matter’s most under pressure — you can win.

Steps You Can Take Right Now To Reduce Your Log4j risk

  1. Enumerate your internet-facing exposures: If you don’t have access to an ASM solution and need to understand your exposure, please request a free review. Due to the severity of this issue, Randori is offering any enterprise free access to Randori Recon during this time. Request a free report here.
  2. Implement our recommendations and remediation guidance: This situation is evolving quickly, but our team is monitoring the situation closely and will update this blog as new information develops. For the latest updates, follow @RandoriAttack on twitter.
  3. Assume Breach & Look For Signs of Compromise: If you have not yet remediated internet-facings systems, Randori highly encourages organizations adopt an assumed-breach mentality and review logs and alerts for signs of compromise. Both GreyNoise and Cloudflare have observed large scale scanning and exploitation attempts by opportunistic attackers – so it is likely that internet-facing systems have already been compromised.

Understand Your Risk to Log4j

Uncover your true attack surface with the only ASM platform built by attackers. Stay one step ahead of cyber-criminals, hacktivists and nation-state attackers, by seeing your perimeter as they see it.