Views:

Protection Against Exploitation

First and foremost, it is always highly recommended that users apply the vendor's patches when they become available.

A new version of Log4j 2 has been released which reportedly resolves the issue:  Version 2.17.1 is now available and is the suggested update.   Users with affected installations should consider updating this library at the earliest possible time.

Note:  due to additional waves of new exploits, the previous manual mitigation steps published have proven not to be sufficient and have been removed.
 

Trend Micro Protection and Investigation

In addition to the vendor patch(s) that should be applied, Trend Micro has released some supplementary rules, filters and detection protection that may help provide additional protection and detection of malicious components associated with this attack servers that have not already been compromised or against further attempted attacks.

The following demo video highlights ways in which Trend Micro can help customers discover, detect and provide protection:  https://www.youtube.com/watch?v=r_IggE3te6s.
 

Using Trend Micro Products for Investigation


Trend Micro Log4j Vulnerability Scanner
 
Trend Micro Research has created a quick web-based scanning tool that can help users and administrators identify server applications that may be affected but the Log4Shell vulnerability.
 
The tool can be found at: https://log4j-tester.trendmicro.com/ and a demo video can be found at: https://youtu.be/7uix6nDoLBs.


Trend Micro Log4Shell Vulnerability Assessment Tool
 
Trend Micro also has created a free assessment tool that can quickly identify endpoints and server applications that may have Log4j using the power of Trend Micro Vision One.
 
This quick and easy self-serve security assessment tool leverages complimentary access to the Trend Micro Vision One threat defense platform, so you can identify endpoints and server applications that may be affected by Log4Shell. The assessment instantly provides a detailed view of your attack surface and shares next steps to mitigate risks.

The free assessment tool can be found at: https://resources.trendmicro.com/Log4Shell-Vulnerability-Assessment.html .

Please note, if you are already a Trend Micro Vision One customer, you do not need to complete the form. Simply log into your console and you will be provided instructions to complete the assessment of your exposure.


Trend Micro Vision One™

Trend Micro Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One. In addition, depending on their data collection time range, Trend Micro Vision One customers may be able to sweep for IOCs retrospectively to identify if there was potential activity in this range to help in investigation.

Vision One Threat Intelligence Sweeping

Indicators for exploits associated with this vulnerability are now included in the Threat Intelligence Sweeping function of Trend Micro Vision One. Customers who have this enabled will now have the presence of the IOCs related to these threats added to their daily telemetry scans.  

The first sweep, "Vulnerable version of log4j...." is slightly different than the others in that instead of specific IOCs, it is looking for specific instances of log4j libraries on systems which can help a customer narrow down or give additional insights on potentially vulnerable systems.

The results of the intelligence scans will populate in the WorkBench section of Vision One (as well as the sweep history of each unfolded threat intelligence report).
 

Module state


Please note that customers may also manually initiate a scan at any time by clicking the 3 dots at the right of a rule and selecting the "Start Sweeping" option.


Vision One Search Queries for Deep Security Deep Packet Inspection

Customers who have Trend Micro Cloud One - Workload Security or Deep Security may utilize the following search query to identify hosts and then additional queries can be made with a narrowed timeframe on those hosts as additional information is learned about exploits.

eventName:DEEP_PACKET_INSPECTION_EVENT AND (ruleId:1008610 OR ruleId:1011242 OR ruleId:1005177) AND ("${" AND ("lower:" OR "upper:" OR "sys:" OR "env:" OR "java:" OR "jndi:"))
 

Module state



Trend Micro Cloud One™ - Conformity

Trend Micro Cloud One - Conformity allows gives customers central visibility and real-time monitoring of their cloud infrastructure by enabling administrators to auto-check against nearly 1000 cloud service configuration best practices across 90+ services and avoid cloud service misconfigurations. 

The following rules are available to all Trend Micro Cloud One - Conformity customers that may help provide more insight to customers looking to isolate affected machines (more information can be found here for rule configuration):
  • Lambda-001 :  identifies all Lambdas that are running Java which may be vulnerable.

Module state


 

Module state

 

Module state


 

Preventative Rules, Filters & Detection


A demo video of how Trend Micro Cloud One can help with this vulnerability can be found at: https://youtu.be/CorEsXv3Trc.


Trend Micro Cloud One - Workload Security and Deep Security IPS Rules
  • Rule 1011242 - Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
This rule is recommended by default, and please note that the port lists may need to be updated for applications running on non-default ports.
 
  • Rule 1005177 - Restrict Java Bytecode File (Jar/Class) Download
  • Rule 1008610 - Block Object-Graph Navigation Language (OGNL) Expressions Initiation In Apache Struts HTTP Request
Rule 1008610 is a SMART rule that can be manually assigned to assist in protection/detection against suspicious activity that may be associated with this threat.  This is not a comprehensive replacement for the vendor's patch.
 
Please also note that rule 1008610 is shipped in DETECT, and must be manually changed to PREVENT if the administrator wishes to apply this.  Also, please be aware that due to the nature of this rule, there may be False Positives in certain environments, so environment-specific testing is recommended. 
  • Rule 1011249 - Apache Log4j Denial of Service Vulnerability (protects against CVE-2021-45105)

Trend Micro Cloud One - Workload Security and Deep Security Log Inspection
  • LI Rule 1011241 - Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
  • A custom LI rule can also be created to detect patterns as discovered in the future.  More information can be found here.

Trend Micro Apex One Integrated Vulnerability Protection (iVP) Rules
  • Rule 1011242 - Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
  • Rule 1011249 - Apache Log4j Denial of Service Vulnerability (protects against CVE-2021-45105)


Trend Micro Deep Discovery Inspector (DDI) Rules
  • Rule 4280:  HTTP_POSSIBLE_USERAGENT_RCE_EXPLOIT_REQUEST
  • Rule 4641 : CVE-2021-44228 - OGNL EXPLOIT - HTTP(REQUEST)
  • Rule 4642 : POSSIBLE HTTP HEADER OGNL EXPRESSION EXPLOIT - HTTP(REQUEST)
  • Rule 4643:  POSSIBLE HTTP BODY OGNL EXPRESSION EXPLOIT - HTTP (REQUEST) - Variant 2

Trend Micro Cloud One - Network Security and TippingPoint Recommended Actions
  • Filter 40627 : HTTP: JNDI Injection in HTTP Header or URI

This was released in Digital Vaccine #9621 and has replaced CSW C1000001 that was previously released.

Trend Micro recommends customers enable this filter in a block and notify posture for optimal coverage. Starting with Digital Vaccines released on 12/21/2021, it will be enabled by default. Since it may not be enabled in your environment, Trend Micro strongly recommends you confirm the filter is enabled in your policy.  

  • Filter 40652: HTTP: Apache Log4j StrSubstitutor Denial-of-Service Vulnerability (ZDI-21-1541)
    • Covers CVE-2021-45105
 


What other controls can be used to disrupt the attack?

This attack is successful when the exploit is used to initiate a transfer of a malicious attack payload.  In addition to the filter above, these techniques can help disrupt that chain:

  • Geolocation filtering can be used to reduce possible attack vectors. Geolocation filtering can block inbound and outbound connections to any specified country, which may limit the ability for attackers to exploit the environment. In cases where a business only operates in certain regions of the globe, proactively blocking other countries may be advisable.
 
  • For TippingPoint IPS, TPS, and vTPS products
    Trend Micro also recommends enabling DNS and URL reputation as a proactive means of securing an environment from this vulnerability. Leveraging Trend Micro's rapidly evolving threat intelligence, TippingPoint appliances can help disrupt the chain of attack destined to known malicious hosts.

    Additionally, Reputation filtering can be leveraged to block Anonymous proxies that are commonly used in exploit attempts. Any inbound or outbound connections to/from an anonymous proxy or anonymizer service can be blocked by configuring a reputation filter with “Reputation DV Exploit Type” set to “Tor Exit” to a Block action.
 
  • For Cloud One – Network Security
    Anonymous proxies are also an independent, configurable "region" that can be selected as part of Geolocation filtering. This will block any inbound or outbound connection to/from an anonymous proxy or anonymizer service, which can be commonly used as part of exploit attempts.

    Domain filtering can also be used to limit the attack vectors and disrupt the attack chain used to exploit this vulnerability. In this case, any outbound connection over TCP is dropped unless the domain being accessed is on a permit list. If the attacker's domain, e.g. http://attacker.com, is not on the permit list, then it would be blocked by default, regardless of IPS filter policy.



Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.)

  • Web Reputation (WRS):  Trend Micro has added over 1700 URLs (and growing) to its WRS database to block that are linked to malicious reporting and communication vectors associated with observed exploits against this vulnerability.
  • Ransomware Detection - there have been observations about a major ransomware campaign (Khonsari) being utilized in attacks and Trend Micro detects components related to this as Ransom.MSIL.KHONSARI.YXBLN.
  • VSAPI (Pattern) Detections:  the following detections have been released in the latest OPR for malicious code associated with exploits -
    • Trojan.Linux.MIRAI.SEMR
    • HS_MIRAI.SMF
    • HS_MIRAI.SME
    • Trojan.SH.CVE20207961.SM
    • Backdoor.Linux.MIRAI.SEMR
    • Trojan.SH.MIRAI.MKF
    • Coinminer.Linux.KINSING.D
    • Trojan.FRS.VSNTLB21
    • Trojan.SH.MALXMR.UWELI
    • Backdoor.SH.KIRABASH.YXBLL
    • Backdoor.Linux.MIRAI.SMMR1
    • Coinminer.SH.MALXMR.UWEKG
    • Coinminer.Linux.MALXMR.SMDSL64
    • Backdoor.Linux.GAFGYT.SMMR3
    • Coinminer.Win64.MALXMR.TIAOODGY
    • Rootkit.Linux.PROCHID.B
    • ELF_SETAG.SM
    • Backdoor.Linux.TSUNAMI.AMZ
    • Coinminer.PS1.MALXMR.PFAIQ
    • Trojan.SH.TSUNAMI.A
    • Trojan.PS1.METERPRETER.E
    • Coinminer.Linux.MALXRMR.PUWENN


Trend Micro Cloud One - Application Security

Trend Micro Cloud One - Application Security can monitor a running application and stop unexpected shell commands from executing.   The product's RCE configuration can be adjusted to help protect against certain exploits associated with this vulnerability using the following steps:
  1. Log into Trend Micro Cloud One and navigate to Application Security.
  2. Select "Group;s Policy" in the left-hand menu and find your application's Group.
  3. Enable "Remote Command Execution" if not already enabled.
  4. Click the hamburger icon for "Configure Policy" and then click the " < INSERT RULE > " icon.
  5. Input (?s).* in the "Enter a pattern to match" field and hit "Submit" and "Save Changes."
  6. Double-check that "Mitigate" is selected in your "Remote Command Execution" line item.

Trend Micro Cloud One - Open Source Security by Snyk

Trend Micro Cloud One - Open Source Security by Snyk can identify vulnerable versions of the log4j library across all organization source code repositories with very little integration effort.  Once installed, it can also monitor progress on updating to non-vulnerable versions.

 

Module state



TXOne Preventative Rules for Edge Series Products

Several rules for the TXOne Edge Series of products can be found here: https://www.txone-networks.com/blog/content/critical-log4shell-vulnerability .


Trend Micro is continuing to actively research the potential exploits and behavior around this vulnerability and is actively looking for malicious code that may be associated with any exploit attempts against the vulnerability and will be adding additional detection and/or protection as they become available.
-

Impact on Trend Micro Products

Trend Micro is currently doing a product/service-wide assessment to see if any products or services may be affected by this vulnerability.  Products will be added to the lists below as they are validated.

Products Confirmed Not Affected (Including SaaS Solutions that have been patched):

 
5G Mobile Network SecurityNot Affected
ActiveUpdateNot Affected
Apex Central (including as a Service)Not Affected
Apex One (all versions including SaaS, Mac, and Edge Relay))Not Affected
Cloud App SecurityResolved / Not Affected
Cloud EdgeNot Affected
Cloud One - Application SecurityNot Affected
Cloud One - Common ServicesNot Affected
Cloud One - ConformityNot Affected
Cloud One - Container SecurityNot Affected
Cloud One - File Storage SecurityNot Affected
Cloud One - Network SecurityNot Affected
Cloud One - Workload SecurityNot Affected
Cloud SandboxNot Affected
Deep Discovery AnalyzerNot Affected
Deep Discovery Email InspectorNot Affected
Deep Discovery InspectorNot Affected
Deep Discovery Web InspectorNot Affected
Deep SecurityNot Affected
Endpoint EncryptionNot Affected
FraudbusterNot Affected
Home Network SecurityNot Affected
HousecallNot Affected
Instant Messaging SecurityNot Affected
Internet Security for Mac (Consumer)Not Affected
Interscan Messaging SecurityNot Affected
Interscan Messaging Security Virtual Appliance (IMSVA)Not Affected
Interscan Web Security SuiteNot Affected
Interscan Web Security Virtual Appliance (IWSVA)Not Affected
Mobile Secuirty for EnterpriseNot Affected
Mobile Security for AndroidNot Affected
Mobile Security for iOSNot Affected
MyAccount (Consumer Sign-on)Not Affected
Network ViruswallNot Affected
OfficeScanNot Affected
Password ManagerNot Affected
Phish InsightNot Affected
Policy ManagerNot Affected
Portable SecurityNot Affected
PortalProtectNot Affected
Public Wifi Protection / VPN Proxy One ProNot Affected
Rescue DiskNot Affected
Rootkit BusterNot Affected
Safe Lock (TXOne Edition)Not Affected
Safe Lock 2.0Not Affected
Sandbox as a ServiceResolved / Not Affected
ScanMail for ExchangeNot Affected
ScanMail for IBM DominoNot Affected
Security for NASNot Affected
ServerProtect (all versions)Not Affected
Smart Home NetworkNot Affected
Smart Protection CompleteNot Affected
Smart Protection for EndpointsNot Affected
Smart Protection Server (SPS)Not Affected
TippingPoint AccessoriesNot Affected
TippingPoint IPS (N-, NX- and S-series)Not Affected
TippingPoint Network Protection (AWS & Azure)Not Affected
TippingPoint SMSNot Affected
TippingPoint Threat Management Center (TMC)Resolved / Not Affected
TippingPoint ThreatDVNot Affected
TippingPoint TPSNot Affected
TippingPoint TX-SeriesNot Affected
TippingPoint Virtual SMSNot Affected
TippingPoint Virtual TPSNot Affected
TMUSBNot Affected
Trend Micro Email Security & HESResolved / Not Affected
Trend Micro Endpoint SensorNot Affected
Trend Micro ID SecurityNot Affected
Trend Micro Remote ManagerNot Affected
Trend Micro Security (Consumer)Not Affected
Trend Micro Virtual Patch for EndpointNot Affected
Trend Micro Web SecurityResolved / Not Affected
TXOne (Edge Series)Not Affected
TXOne (Stellar Series)Not Affected
Vision OneResolved / Not Affected
Worry-Free Business Security (on-prem)Not Affected
Worry-Free Business Security ServicesNot Affected

 

Affected Products:
Deep Discovery DirectorAffectedPlease click here for more info

  

References