News

Microsoft Warns Orgs May Already Be Compromised by Log4Shell Attacks

• By Kurt Mackie
• 01/05/2022

Microsoft updated its Dec. 11 Log4j vulnerability tools guidance on Monday, offering advice on detecting and addressing possible "Log4Shell" exploits.

Log4Shell is the name given to an exploit that uses a certain vulnerability in the Log4j Java logging framework, which is widely used in Apache Web servers. Microsoft characterized Log4Shell as based on three vulnerabilities, namely CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832.

The announcement offered some news on the detection capabilities available in Microsoft's multiple software security tools, as earlier reported. On Jan. 3, Microsoft added a new "recap" section to the announcement that included a grim warning to organizations.

'May Already Be Compromised'
Organizations may have been unwittingly compromised by a Log4j exploit, Microsoft suggested:

Organizations may not realize their environments may already be compromised. Microsoft recommends customers to do additional review of devices where vulnerable installations are discovered. At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.

For a long list of software affected by the Log4j vulnerability, see the archive kept by the U.S. Cybersecurity and Infrastructure Security Agency (available via a link at the end of this page).

Microsoft noted that Log4j exploit attempts and probes by security researchers were "high during the last weeks of December." Attackers attempted to drop coin miners or conducted "hands-on-keyboard attacks," the announcement indicated.

Microsoft 365 Defender Improvements
The updated announcement included some news about specific tooling additions for detecting Log4Shell, including Microsoft 365 Defender improvements.

On Dec. 15, Microsoft began issuing Microsoft 365 Defender updates to help detect "vulnerable Log4j library components" and vulnerable installed applications for devices using "Windows 10, Windows 11, and Windows Server 2008, 2012, and 2016."

Microsoft 365 Defender also provides such detections for Linux, provided that the Microsoft Defender for Endpoint Linux client is updated to "version 101.52.57 (30.121092.15257.0) or later."

Microsoft 365 Defender also got a dedicated dashboard for Log4j and new advanced file-level hunting schema. Detections are based on "application CPEs" and "vulnerable Log4j Java Archive (JAR) files" as of Dec. 27, the announcement added.

Microsoft 365 Defender still can't detect vulnerabilities in "Uber-JAR or shaded" packages, but Microsoft is working on that issue. Microsoft is also working to add macOS support.

Microsoft Defender for Containers
A new addition capable of detecting Log4j vulnerabilities is Microsoft Defender for Containers. It automatically scans container images when pushed to, or pulled from, an Azure container registry. It also checks container images on Kubernetes clusters for vulnerabilities.

Microsoft Defender for Containers is a newly renamed product that was formed via the combination of two existing Microsoft products, namely Microsoft Defender for Kubernetes and Microsoft Defender for Container Registries.

Microsoft Defender for Office 365
On Dec. 22, Microsoft Defender for Office 365 was described as getting the ability to detect suspicious e-mails containing a "jndi" string that's used to implement the attacks.

The product also alerts organizations when such exploit strings are detected in e-mail headers.