Skip to main content

Log4j From the Trenches

Abstract:

As your company winds down for the holiday season, like clockwork, another fresh CVE with publicly available exploit code drops. The Apache Log4j exploit (CVE-2021-44832), also dubbed as Log4Shell, had widespread fallout as a result of the exploit being made publicly available, and organizations are still dealing with the associated problems even months later. This talk will discuss three unique scenarios observed as a result of Log4j being exploited on VMWare Horizon servers and include 1) exploitation for persistent access via a webshell, 2) exploitation leading to a Cobalt Strike beacon, and 3) exploitation leading to a cryptocurrency miner. The talk will demonstrate the exploit chain, artifacts of each investigation, and how you can detect the activity in your network using commercially available tools such as Microsoft Defender ATP, CrowdStrike Falcon, Carbon Black, and FireEye HX. On top of that, sources for threat intelligence pertinent to these types of attacks will also be discussed, as well as prevention mechanisms.