Log4j is a library used by Java developers to record or log network events. Many developers add this utility to their web applications, web servers and network devices in order to obtain information relating to events that take place within these entities. Various kinds of data such as user logins, user login attempts, session duration, and memory usage are recorded and stored in the system administrator through Log4j. This makes Log4j a valuable tool for the security, diagnostics and management of today’s applications and servers.
A mighty loophole
However, recently it has come to light that Log4j allows for significant security breaches and attacks. On Dec. 9 2021, security researchers found a Log4j vulnerability that could be present in over 100 million instances globally due to the ubiquity of Log4j.[1]
The following week, two more vulnerabilities were found, followed by news on Dec. 20 2021 that Log4j was being exploited to transmit the Dridex malware and Meterpreter attack payload.[2]
Overall, it is expected that the vulnerabilities associated with Log4j will lead to billions of dollars in losses.
These vulnerabilities are present due to Log4j’s capacity to allow custom code. Administrators and developers use custom code to specify their own parameters for logging data in addition to the default parameters that Log4j is built with. For example, thanks to Log4j, on top of the user’s IP address, a developer can insert a custom code that fetches the name of the location associated with that IP address from another server on the network.
Unfortunately, this custom code feature can be exploited by hackers to send queries made of malicious text, which are then processed by Log4j. This exploit, known as Log4Shell, can be used to execute instructions that can corrupt a server’s code and database or cause it to leak critical data over the Internet. It can also be used to manipulate an application or a server to launch attacks on other devices, applications, or servers.
An extra pair of eyes for Log4j
These Log4j vulnerabilities and the fact that most applications may have outdated versions of their library built into their components and sub-components have left many software developers, system administrators and IT engineers, in recent weeks, seeking ways to address the huge risks they pose. Given that patching of Log4j may not be feasible across all scenarios, there is now a need for a more comprehensive approach to securing these assets. A potential solution could be deep packet inspection (DPI), a technology that allows real-time, granular visibility into network traffic, including log4j traffic.
Why DPI?
Advanced DPI engines, such as ipoque's R&S®PACE 2, deliver deep network traffic insights using a regularly updated library of known signatures that are reflective of known protocols, applications and service types. The network visibility provided by DPI software can be used to identify suspicious traffic patterns and to dig deeper into the underlying network event. For example, email messages with unusual queries/parameters may suggest that attackers are trying to target the mail server, instead of the recipients, using instructions tailored for Log4j. Protocol and application classification by R&S®PACE 2 enables network administrators to identify the email application, and repetitive messages carried by a set of replicated packets.
At the same time, R&S®PACE 2’s’s metadata extraction provides additional information in terms of surges in bandwidth or the presence of increased latency or jitter associated with the packets processed by the email server. The IP probes can use the extracted metadata to alert network monitoring systems of any impending maliciousness. More importantly, R&S®PACE 2 is able to identify traffic anomalies, even for encrypted and obfuscated traffic. Network security tools such as firewalls and intrusion prevention systems can use this ability to identify, manage and block threats unleashed by an adversary in control of Log4j.
Enhancing checkpoint security
R&S®PACE 2’s’s role in addressing loopholes in Log4j can be separated broadly into the monitoring of IP traffic heading towards the server, and monitoring of traffic exiting it. The monitoring of incoming IP traffic comes into play when threat actors try to send malicious instructions to Log4j. One way R&S®PACE 2 can monitor incoming traffic is by scrutinizing suspicious host IPs. This information enables security tools to allow or deny these packets before they penetrate further into the network. R&S®PACE 2 can also register the frequency of these instructions to see if the packet rates surpass standard thresholds for a given type of protocol or application. At the same time, it can assess the length of such instructions by looking at the bytes transmitted. Executable instructions are generally longer than regular browser queries.
DPI tools can, in fact, go a step further by inspecting the associated payloads for traffic patterns that may reveal the use of text that are indicative of Log4j instructions instead of regular communications. DPI can identify if these patterns match the use of certain phrases, symbols and rules used for executing server commands. It can also identify the unnatural repetition of such instructions by identifying all similar queries.
Similar visibility is offered into traffic flows precipitated by network events triggered by the execution of unauthorized instructions sent to Log4j. Where the compromised server or application itself is the target, the server or application will display self-sabotaging behavior, e.g. by overloading its own bandwidth usage. Abnormally slow response times for normal queries and unusually frequent delivery of server-down messages can indicate that a server is being harmed in a way that is leading to its own breakdown. Such irregularities are captured by the DPI engine R&S®PACE 2, which offers a high degree of scalability with its unlimited processing capacity which ensures all flows are logged in, in real time.
The compromised application or server in a Log4j exploit can be repositioned as an attack agent or repurposed to execute resource-heavy processing such as crypto coin mining. In this case, R&S®PACE 2 can identify traffic patterns associated with repeated queries to other servers, indicating that the host is now part of a botnet and is partaking in DDoS attacks. Again, surges in bandwidth usage analyzed using packet metadata, can demonstrate that a server is being misused. Last but not the least, R&S®PACE 2 can put together application information with the destination IP address to identify suspicious flows. If these are abnormal, e.g. a cloud-based CRM application querying a known malicious site, a government agency, or a crypto application, it can be used to alert the system of a potential Log4jShell attack.
No stone is left unturned
Not every security vulnerability can be patched in time, especially in environments where such vulnerabilities remain hidden under heaps of codes, plug-ins, modules and APIs in very complex architectures. Application developers and IT engineers will benefit tremendously from including DPI in their network architectures, within or alongside their IP probes and network security tools. Having deep packet inspection in the system safeguards not only against Log4j vulnerabilities but also other similar susceptibilities that could have fallen under the IT department’s monitoring radar. In a world of growing known unknowns such as Log4j and lurking unknown unknowns, R&S®PACE 2 ensures that the network keeps its guard up at all times.
Sources
[1] Log4j Zero-Day Vulnerability Response - Center for Internet Security - 2022 - https://www.cisecurity.org/log4j-zero-day-vulnerability-response/
[2] The Apache Log4j vulnerabilities: A timeline - CSO - 2022 - https://www.csoonline.com/article/3645431/the-apache-log4j-vulnerabilities-a-timeline.html