Attention: We will be transitioning to a new AAD or Microsoft Entra ID from the week of May 20, 2024. In case your tenant requires admin consent, please refer to this document located at Overview of user and admin consent - Microsoft Entra ID | Microsoft Learn and grant access to App ID: 6ba09155-cb24-475b-b24f-b4e28fc74365 with graph permissions for Directory.Read.All and User.Read for continued access.
This threat is a Cobalt Strike Beacon payload associated with prior exploitation of the remote code execution (RCE) vulnerability CVE-2021-44228 (also referred to as “Log4Shell”) in the Log4j component of Apache. This vulnerability affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1.
Cyberattackers gain access to the target device and launch arbitrary remote code loaded from LDAP servers, which are logged and launched by the Log4j component. This can allow them to set up a Cobalt Strike Beacon on a target, allowing communication with and persistent access to the device.
Users should take the following steps to mitigate the threat:
Confirm that this server has Apache and the Log4j component installed.
Check for possible post-exploitation activities, such as unusual behavior from users with elevated privileges or suspicious spawned processes.
Stop suspicious processes, isolate affected devices, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates. Update the Log4j component to log4j-2.15.0 or ensure that the device is set to start with log4j2.formatMsgNoLookups set to True.
Contact your incident response team or contact Microsoft support for investigation and remediation services.
Cyberattackers exploit the CVE-2021-44228 vulnerability to gain access to the target device and launch arbitrary remote code loaded from LDAP servers, which are logged and launched by the Log4j component.
Prevention
Apply these mitigations to reduce the impact of this threat.
Vulnerability-specific mitigations
Update all Log4j2 deployments to use log4j-2.15.0 and apply the security updates for CVE-2021-44228. Upgrade all products, applications, and components that use Log4j2. Apply all security updates for Log4J listed in this advisory.
In case the Log4j vulnerable component cannot be updated, configure the parameter log4j2.formatMsgNoLookups to be set to ‘true’ when starting the Java Virtual Machine.
All systems, including those that are not customer facing, are possibly vulnerable to this exploit, so back-end systems and microservices should also be upgraded. For Apache Maven or Gradle projects, update Log4j to 2.15.0 on the dependency tree of the project.
General hardening mitigations that might help detect exploitation and post-exploitation activities
Run the latest version of your operating systems and applications. Turn on automatic updates or deploy the latest security updates as soon as they become available.
Use a supported platform to take advantage of regular security updates.
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block majority of new and unknown variants.
Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
Microsoft Defender Antivirus raises an alert if it detects this threat on your device. Microsoft Defender Antivirus automatically removes threats as they are detected. It quarantines the binary even if the process is running. If this threat is detected in your environment, we recommend that you immediately investigate it.
