To work with this script, you'll need a Java project and a user with sudo privileges. That's it. Let's get to work. This script can be used on Linux, macOS and Windows. I'll be demonstrating on Linux (via Ubuntu Server 20.04). How to download and install Log4j DetectThe first thing to be done is the installation of Log4j Detect. To do that, log into your Linux server and download the script by first setting your system architecture as an environment variable with: ARCH=amd64 If your architecture is ARM, that command would be: ARCH=arm64 Next, download the script with: wget "https://github.com/whitesource/log4j-detect-distribution/releases/latest/download/log4j-detect-1.3.0-darwin-$ARCH.tar.gz" Unpack the file with: tar -xzvf log4j-detect-1.3.0-darwin-$ARCH.tar.gz Give the file the proper permissions with: chmod +x log4j-detect Move the file into /usr/local/bin with: sudo mv log4j-detect /usr/local/bin/ How to scan your project with Log4j-detect Now that the installation is complete, let's scan a project for Log4j vulnerabilities. Let's say your project is housed in a directory named JAVAWeb-Project. Change into that directory and issue the command: log4j-detect scan Depending on how large your project is, the scan shouldn't take too long to complete. When it does, it'll report back if there are any issues. Below are the results of a Log4j-detect scan on a random Java project I found on GitHub As you can see, the Java project I tested has Log4j issues that must be addressed. The script will point out the problems as well as how to remediate the issue. Once you've addressed everything, run the script again to see if the vulnerabilities are no longer detected. What?🔗
NTHashes.com provides a free API that allows for querying of more than 850 million passwords which have been exposed via data breaches. The passwords are in NT-Hash format, which is the algorithm used by Microsoft’s Active Directory. Why?🔗 To provide a simple and frictionless means for organisations to audit AD account passwords and determine whether any have been leaked in a data breach. Use of leaked passwords is discouraged as it places accounts at greater risk of credential stuffing. The NIST guidelines also recommend against their use. How?🔗 The API uses the k-Anonymity model to provide a level of privacy. In practice, the individual querying the API provides the first 5 characters of the NT Hash. The API responds with all hashes that begin with the provided characters (omitting the 5 characters provided). On average around 800 hashes will be returned per query. Using this method ensures the service has no means of knowing which actual hash the API consumer is interested in, and whether or not it is present in the compromised passwords list. The user takes the returned hashes and locally compares them to the remainder of the NT Hash that was not sent. If there is a match, the password has been leaked in a data breach and should not be used. API Endpoint🔗 https://api.nthashes.com/search/{first-5-characters-of-nthash} No authentication is required. https://nthashes.com/ 1. Amazon Inspector and AWS: The Amazon Inspector team has created coverage for identifying the existence of this vulnerability in your Amazon EC2 instances and Amazon Elastic Container Registry Images (Amazon ECR), according to Amazon. With the new Amazon Inspector, scanning is automated and continual, the company said. Continual scanning is driven by events such as new software packages, new instances, and new common vulnerability and exposure (CVEs) being published, AWS added.
2. Arctic Wolf made the Log4Shell Deep Scan tool publicly available on GitHub. Log4Shell Deep Scan enables detection of both CVE-2021-45046 and CVE-2021-44228 within nested JAR files, as well as WAR and EAR files. 3. Bi.Zone developed a scanner that uses YARA rules. The tool, deployed now on GitHub, scans the memory of Java processes for Log4j signatures. The scanner functions directly on the host, rather than through the Internet. The scan output is a list of hosts that contain applications with Log4j, which enables MSSPs and users to personally check if the library version is vulnerable. If it does turn out to be vulnerable, the BI.ZONE WAF cloud service will help you protect against external attacks using Log4j. It is not going to eliminate the need to install patches, but it will mitigate the risk of successful Log4Shell exploitation. 4. Binary Defense: Randy Pargman, VP of threat hunting and counterintelligence at Binary Defense, developed this open source tool. Also, Pargman described why he developed the tool in a LinkedIn update. 5. CyberCNS: The company’s vulnerability scanner supports detection of the Log4j vulnerability, according to a CyberCNS home page message. Hundreds of MSPs and MSSPs run the CyberCNS Vulnerability Manager to help small businesses meet regulatory and compliance frameworks, the company says. 6. Datto, the MSP software, backup appliance and technology provider, has created the Log4Shell Enumeration, Mitigation and Attack Detection Tool for Windows and Linux. The tool downloads and executes the latest detection methods published by Florian Roth. 7. Huntress: The MDR provider to MSPs and MSSPs introduced this Log4Shell vulnerability tester. 8. Liongard: The automation software company, focused on MSPs, released a Log4j Audit report within the Liongard platform to make it easy for partners to see how the Log4j vulnerabilities are impacting their customers and their systems, Liongard to MSSP ALert. 9. Microsoft Defender for Endpoint: Microsoft has updated the Threat and Vulnerability Management capabilities in Microsoft Defender for Endpoint to surface Log4j library components that are vulnerable to CVE-2021-44228. These capabilities automatically discover vulnerable Log4j libraries in products and services installed on Windows clients and Windows servers. 10. Qualys is making its Web Application Scanning (WAS) solution available free for 30 days, beginning December 17, 2021. The tool can scan web applications and APIs for the Log4Shell (CVE-2021-44228) vulnerability, Qualys included. 11. Tanium: The software platform allows MSSPs to find and remediate the vulnerability. A free Tanium trial is here, and a quick video overview is here. 12. Tenable: The company has released scan templates for Tenable.io, Tenable.sc, Tenable.io WAS and Nessus Professional which are p”re-configured to allow quick scanning for this vulnerability.” Dashboards are also available in Tenable.io and Tenable.sc. 13. Trend Micro Log4j Vulnerability Tester: This web-based tool can help identify server applications that may be affected by the Log4Shell (CVE-2021-44228, CVE-2021-45046) vulnerability. Bonus – Log4j Guidance From CISA: Here is regularly updated Log4j vulnerability mitigation guidance from the CISA (Cybersecurity and Infrastructure Security Agency). Mandiant is releasing an auditing script, Azure AD Investigator, through its GitHub repository that organizations can use to check their Microsoft 365 tenants for indicators of some of the techniques used by UNC2452. The script will alert administrators and security practitioners to artifacts that may require further review to determine if they are truly malicious or part of legitimate activity.
find it here. |
Author: <see article>
These links serve as tributes to those who have written them. Please find contributor details in the links provided Archives
April 2024
Categories |