Arctic Wolf, a leading company in the field of security operations, has made its detection script "Log4Shell Deep Scan" for detecting CVE-2021-45046 and CVE-2021-44228 in JAR, WAR and EAR files publicly available on GitHub. The script has already been used successfully by more than 2,300 Arctic Wolf customers worldwide.
Available for Windows, macOS and Linux devices, the script performs a deep scan of a host's file system to identify Java applications and libraries containing vulnerable Log4j code. If affected Log4j code is found, the script flags it and reports its location within the file system. Companies can thus identify the applications and systems affected by the Log4j vulnerability.
Download "Log4Shell Deep Scan" from GitHub here
For more information, see the relevant readme.txt on GitHub. Arctic Wolf continues to invite the security community to further develop “Log4Shell Deep Scan” for their own use cases. No information is collected by Arctic Wolf or sent to Arctic Wolf.
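To illustrate the kind of deep scan described above, here is an added example that is not Arctic Wolf's script: it walks a directory tree, opens every JAR/WAR/EAR as a ZIP container, recurses into archives nested inside (the WAR-inside-EAR and lib-JAR-inside-WAR cases), and classifies any bundled log4j-core by the version recorded in its Maven pom.properties. The archive member paths are the real Log4j ones; the fixture builder, function names and the placeholder class bytes are constructed for this example.

```python
import io, re, tempfile, zipfile
from pathlib import Path
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class abused by the CVEs
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # carries version
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def parse_version(props_text):
    # (major, minor, patch) from pom.properties; None if absent or e.g. "2.0-beta9"
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)\s*$", props_text, re.M)
    return tuple(map(int, m.groups())) if m else None

def classify(version):
    # Fixed in 2.16.0 (Java 8), 2.12.2 (Java 7), 2.3.1 (Java 6); 2.15.0 closes only CVE-2021-44228
    if version is None:
        return "JndiLookup present, version unknown"
    fixed = {(2, 12): (2, 12, 2), (2, 3): (2, 3, 1)}.get(version[:2], (2, 16, 0))
    if version >= fixed:
        return "fixed for CVE-2021-44228 and CVE-2021-45046"
    return "vulnerable to " + ("CVE-2021-45046" if version == (2, 15, 0) else "CVE-2021-44228 and CVE-2021-45046")

def scan_archive(data, location, findings):
    # Inspect one archive held in memory, then recurse into archives nested inside it
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if JNDI_CLASS in names:  # absent if the class was deleted as a mitigation
                version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else "")
                findings.append((location, version, classify(version)))
            for name in sorted(n for n in names if n.lower().endswith(ARCHIVES)):
                scan_archive(zf.read(name), location + "!" + name, findings)
    except zipfile.BadZipFile:
        pass  # not a ZIP container (e.g. a plain file with a .jar suffix): skip it

def scan_tree(root):
    # Walk the file system; (location, version, status) for every log4j-core found
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in ARCHIVES):
        scan_archive(path.read_bytes(), str(path), findings)
    return findings

def build_sample_war(version="2.14.1", directory=None):
    # Constructed fixture: writes app.war bundling a stub log4j-core JAR; returns the directory
    directory = directory or tempfile.mkdtemp()
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
        zf.writestr(POM_PROPS, f"version={version}\n")
    with zipfile.ZipFile(Path(directory) / "app.war", "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar.getvalue())
    return directory
```

Running `scan_tree` on a real host reports each hit as `<archive path>!<nested member>` so the finding can be traced to the exact library; a hit with an unknown version still warrants manual review.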
Why use Log4Shell Deep Scan?
Identifying every vulnerable instance of Log4j within a company is currently a major challenge for IT and security teams. The severity upgrade of the more recent CVE-2021-45046 means that systems and assets will need to be rescanned and patched.
Log4Shell Deep Scan should be used as a supplement to, not a replacement for, existing network-based vulnerability scanning solutions. Arctic Wolf recommends that companies first run the tool on their most critical and publicly accessible IT systems and then scan all other systems - including those located behind a security perimeter.
By showing which applications are affected and where the individual vulnerable components are located, the tool enables IT and security teams to prioritize quickly and remediate in a targeted manner.
Log4j / Log4Shell vulnerabilities will be exploited for a long time to come
Arctic Wolf has observed a large volume of scanning activity related to the Log4j / Log4Shell vulnerabilities, as well as attacks in which threat actors attempt to deploy crypto-miner malware. Ransomware threat actors have also started to actively use Log4Shell as an entry vector for their attacks.
Arctic Wolf tracks several well-known attacker groups, including ones from China, Iran, North Korea and Turkey, that are exploiting the Log4j vulnerability. These and other threat actors have been active since the week before last, when they became aware of the zero-day vulnerability. As soon as public attention subsides, further attack steps and activity following the initial compromise are to be expected, so constant attention and detailed security monitoring will be necessary in the near future.
What's next for Log4Shell?
Log4Shell has been keeping the IT world in suspense for a week and a half. The situation is constantly evolving, and it is to be expected that this vulnerability and its associated effects will keep companies busy for a long time to come. The security and R&D teams at Arctic Wolf have therefore developed additional detection tools based on the new tactics, techniques and procedures (TTPs) that attackers are very likely to use. This includes detecting variations of the Log4j attack methods and immediately recognizing, containing and eradicating successful exploitation.
It can be assumed that sophisticated threat actors will use the widespread Log4j scanning and commodity attacks as cover to "fly under the radar" while compromising high-value targets. Significantly more ransomware cases monetizing successful Log4j compromises are also to be expected in the near future. More information on the effects of Log4Shell can be found in Arctic Wolf's on-demand webinar.
More at ArcticWolf.com
About Arctic Wolf
Arctic Wolf® is a global market leader in security operations and offers the first cloud-native security operations platform for protecting against cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1.6 trillion security events per week worldwide. It provides business-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf® platform is used by more than 2,000 customers worldwide. It offers automated threat detection and response and enables companies of all sizes to set up first-class security operations at the push of a button.