As we all know by now, the world was shaken on December 9, 2021, by the public disclosure of a critical vulnerability (CVE-2021-44228) in Apache Log4j, a popular Java logging library in wide use since 2001. Some are calling it “the most significant vulnerability in the last decade.”
The United States’ Cybersecurity & Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, established under Binding Operational Directive 22-01, and issued an urgent alert, as did many other organizations worldwide: Germany’s BSI issued a “red alert” and Australia labeled it “critical.” On Friday, December 17, 2021, CISA issued Emergency Directive 22-02, directing federal civilian executive branch agencies to identify and address all Log4j vulnerabilities, through patching or approved mitigations, by December 23, 2021.
In both the public and private sectors, infosec teams around the world continue to work feverishly to patch vulnerable software and mitigate the tremendous risk that this threat poses to the world.
During the early days of this zero-day threat, the Onapsis Research Labs was also working around the clock to understand the impact of this vulnerability on some of the most widely used SAP products. The Onapsis Research Labs maintains a network of sensors that we call the Onapsis Threat Intelligence Cloud. Back in April 2021, this cloud provided much of the data that fueled our joint threat intelligence report with SAP. Very early on, we observed mass exploitation attempts in which threat actors placed the exploit string in multiple parts of the HTTP request, across our Threat Intelligence Cloud, to see what would stick and what would not.
As of Monday, December 20, 2021, here are some data we can share based on real-life attacks observed from the Onapsis Threat Intelligence Cloud:
- The first attack we saw was logged on December 10, 2021 at 3:44 AM EST (UTC-05:00), under 24 hours after the initial advisory was published. (This is consistent with our prior findings on how quickly threat actors act on new vulnerability information.)
- We’ve seen a total of 3096 attack attempts since that first one.
- We’ve observed more than 50 variants of the attack, with the majority of them being automated attacks and/or from bots.
- There have been over 277 unique hosts attempting to exploit the Log4j vulnerability on our cloud.
- 70 different variants of malware, such as the Mirai botnet and Elknot, have been observed exploiting this vulnerability.
- Threat actors’ attempts to bypass firewalls and WAF rules include base64 encoding, mixed upper- and lowercase variants of the lookup string, and other obfuscation of the `${jndi:` lookup designed to defeat simple string matching.
- Post-exploitation attempts have included installing cryptominers and stealing AWS secrets (i.e., using the exploit to read the environment variables in which AWS credentials are stored, in order to retrieve the access keys and passwords).
While the threat of Log4j is very real and very dangerous, we can offer one potentially positive note: as of the publication of this blog post, the Onapsis Research Labs has not observed any probing or exploitation attempts specific to SAP products. As of December 20, 2021, according to the activity collected and monitored in the Onapsis Threat Intelligence Cloud, we have primarily seen indiscriminate mass scanning that probes any web server in our cloud. This is, arguably, good news for defenders, as it suggests that, at least publicly, there are no widely known ways of exploiting CVE-2021-44228 to compromise SAP systems. By comparison, when the proof of concept for RECON was published on GitHub, the Onapsis Research Labs detected probing and exploitation just hours later.
Luckily, as per SAP Note #3129883, a default installation of SAP NetWeaver Java is NOT affected by CVE-2021-44228; had it been, things would have been significantly worse for SAP security teams.
Onapsis and the Onapsis Research Labs continue to monitor this situation very closely, looking for any and all potential threats that might affect our customers. Defenders should not relax their defenses: keep patching SAP systems as soon as possible and apply the proposed mitigations.
For the most up-to-date information from Onapsis regarding the Log4j vulnerability, please refer to our security advisory which you can find here. We also have a write-up on SAP’s Log4j updates in the most recent Patch Tuesday, which you can find here.
SAP & Onapsis Cyber Tech Talk Series
During this session, Richard Puckett, Chief Information Security Officer at SAP, and Sadik Al-Abdulla, Chief Product Officer at Onapsis, discussed:
- Threat intelligence around the Log4j vulnerability captured by Onapsis Research Labs
- Implications of the vulnerability on SAP applications
- Considerations for building comprehensive vulnerability management for SAP and business critical applications
Watch it here.