By Noa Goldstein, Product Marketing Manager, Shlomi Gvili, Senior Product Manager and Gal Carmeli, Harmony Endpoint R&D Group Manager
On December 9th, a critical remote code execution (RCE) vulnerability was reported in the Apache logging package Log4j 2, versions 2.14.1 and below (CVE-2021-44228).
Apache Log4j is the most popular Java logging library with over 400,000 downloads from its GitHub project. The Log4j library is embedded in almost every Internet service or application we are familiar with, including Twitter, Amazon, Microsoft, Minecraft, and more.
The exploit allows threat actors to take control of Java-based web servers and launch remote code execution attacks. Check Point teams reacted quickly and implemented dedicated detection and prevention enhancements in Harmony Endpoint to ensure full protection.
Prevention of Log4j related attacks
Check Point’s security research team created several detection and prevention signatures to protect your endpoints from the log4j vulnerability. These signatures apply to both Windows and Linux endpoints.
The signatures have been added to the Harmony Endpoint behavioral guard engine.
The engine adds a protection layer against advanced attacks by detecting suspicious operations in the behavior of processes. The engine inspects dozens of features and has multiple updateable rules.
Once Harmony Endpoint detects an exploitation attempt, it kills the relevant process and sends all files to quarantine, thus assuring an uncompromised network.
Check Point constantly develops additional signatures ensuring that Harmony Endpoint can dynamically adapt to attacks trying to exploit the log4j vulnerability.
These signatures are deployed automatically to your endpoints as more information is collected. The process is fully automated and requires no action on your part.
To guarantee full protection, make sure your behavioral guard is set to Prevent mode:
- In Harmony Endpoint, choose Policy
- Click the Behavioral Protection tab
- Open the Anti-Ransomware Mode dropdown menu and click on Prevent
Detection and Investigation of Log4J
Check Point provides two methods to detect the Log4j vulnerability on endpoint devices.
To help you check your endpoints' security posture and determine whether your endpoint devices are vulnerable to the Log4j exploit, our teams have developed investigation scripts for both Windows and Linux.
The scripts can be distributed to all your endpoints using the Push Operations function in the Harmony Endpoint management web portal.
Once the Push Operation is set, the scripts run on all of your endpoints, and you can monitor the results.
If a potential vulnerability is found, we recommend taking immediate action to secure the endpoint, such as upgrading or uninstalling the software containing the vulnerable files.
For further information and step-by-step instructions, refer to sk176951.
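The investigation scripts themselves are distributed through sk176951 and are not reproduced here. As an added example, not Check Point's script, the following Python scanner shows the kind of check such a script performs: it walks a directory tree, identifies Log4j 2 core archives (including JARs bundled inside a WAR), reads the version from the JAR's Maven pom.properties or, failing that, its file name, and flags anything in the range the post names (2.14.1 and below). One assumption goes beyond the post: the scanner also checks for the JndiLookup class and treats a core JAR from which it has been removed as not vulnerable. The sample tree it scans is constructed in a temporary directory from minimal JARs, not taken from real software.

```python
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
# Assumption beyond the post: CVE-2021-44228 is reached through this lookup class,
# so a core JAR from which it has been removed is reported as not vulnerable.
JNDI_LOOKUP_CLASS = LOG4J_CORE_PREFIX + "lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LATEST_AFFECTED = (2, 14, 1)  # "versions 2.14.1 and below", as the post states
FILENAME_VERSION = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

@dataclass
class Finding:
    path: str               # filesystem path; "!" separates nested archive members
    version: Optional[str]  # None when no version metadata could be read
    has_jndi_lookup: bool
    vulnerable: bool

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-rc1' is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split(".") if p.isdigit())

def read_version(zf: zipfile.ZipFile, label: str) -> Optional[str]:
    """Prefer the Maven pom.properties inside the JAR, then fall back to the file name."""
    if POM_PROPERTIES in zf.namelist():
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    m = FILENAME_VERSION.search(label)
    return m.group(1) if m else None

def assess_archive(zf: zipfile.ZipFile, label: str, out: List[Finding]) -> None:
    names = zf.namelist()
    if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
        version = read_version(zf, label)
        has_jndi = JNDI_LOOKUP_CLASS in names
        # An unreadable version with the lookup class present is flagged conservatively.
        affected = version is None or parse_version(version) <= LATEST_AFFECTED
        out.append(Finding(label, version, has_jndi, has_jndi and affected))
    for n in names:  # recurse into bundled archives, e.g. WEB-INF/lib/*.jar in a WAR
        if n.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(n)))
            except zipfile.BadZipFile:
                continue
            with inner:
                assess_archive(inner, f"{label}!{n}", out)

def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, name)
                try:
                    with zipfile.ZipFile(path) as zf:
                        assess_archive(zf, path, findings)
                except zipfile.BadZipFile:
                    continue
    return findings

def scan_report(root: str) -> Dict[str, Finding]:
    """Findings keyed by root-relative path, using '/' and '!' for nested members."""
    report = {}
    for f in scan_tree(root):
        outer, *inner = f.path.split("!")
        report["!".join([os.path.relpath(outer, root).replace(os.sep, "/"), *inner])] = f
    return report

def make_jar(dest, version: Optional[str], with_jndi: bool) -> None:
    """Constructed fixture: a minimal archive holding only the entries the scanner reads."""
    with zipfile.ZipFile(dest, "w") as zf:
        zf.writestr(LOG4J_CORE_PREFIX + "Logger.class", b"")  # marks it as log4j-core
        if version:
            zf.writestr(POM_PROPERTIES, f"version={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")

def demo() -> Dict[str, Finding]:
    """Build a constructed sample tree in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "lib")
        os.makedirs(lib)
        os.makedirs(os.path.join(root, "webapps"))
        make_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)
        make_jar(os.path.join(lib, "log4j-core-2.14.1-nojndi.jar"), "2.14.1", False)
        make_jar(os.path.join(lib, "log4j-core-2.9.0.jar"), None, True)  # version from name
        with zipfile.ZipFile(os.path.join(lib, "commons-io-2.11.0.jar"), "w") as other:
            other.writestr("org/apache/commons/io/IOUtils.class", b"")  # unrelated JAR
        nested = io.BytesIO()
        make_jar(nested, "2.13.3", True)
        with zipfile.ZipFile(os.path.join(root, "webapps", "shop.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", nested.getvalue())
        return scan_report(root)
```

Calling `demo()` returns a report over the constructed tree in which the 2.14.1, 2.9.0 and WAR-nested 2.13.3 cores are flagged, the core with the lookup class removed is not, and the unrelated JAR produces no finding. On a real host, `scan_report("/")` (or a drive root on Windows) performs the same walk; a hit is a starting point for the remediation the post recommends, upgrading or removing the software that ships the vulnerable files.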
A second method of verifying the presence of vulnerable files is Threat Hunting.
The Threat Hunting engine collects all activities from endpoints to allow you to investigate suspicious behavior and uncover advanced stealth attacks. The collected data is enriched with Threat Intelligence information.
As shown in the screenshot below, Check Point has updated the Threat Hunting pre-defined queries with a Log4j vulnerability query. The query lists the machines that contain a vulnerable version of Log4j. It then checks for any recent access to the vulnerable Log4j files and provides the full path, including the application name and the process that called it.