Microsoft launches new Defender capabilities for fixing Log4j

Microsoft announced it has rolled out new capabilities in its Defender for Containers and Microsoft 365 Defender offerings for identifying and remediating the widespread vulnerabilities in Apache Log4j.

Defender for Containers debuted December 9, merging the capabilities of the existing Microsoft Defender for Kubernetes and Microsoft Defender for container registries and adding new features such as Kubernetes-native deployment, advanced threat detection, and vulnerability assessment.

On Monday night, Microsoft disclosed it has updated the Defender for Containers solution to enable the discovery of container images that are vulnerable to the flaws in Log4j, a widely used logging software component.

Defender for Containers can now discover images affected by the three vulnerabilities in Log4j that have been disclosed and now patched, starting with the initial report of a remote code execution flaw in Log4j on December 9.

Vulnerability scanning

Container images are scanned automatically for vulnerabilities when they are pushed to an Azure container registry, when pulled from an Azure container registry, and when running on a Kubernetes cluster, Microsoft’s threat intelligence team wrote in an update to its blog post about the Log4j vulnerability.

The capability that enables scanning for vulnerabilities in container images running on a Kubernetes cluster is powered by technology from cyber firm Qualys, Microsoft noted.

“We will continue to follow up on any additional developments and will update our detection capabilities if any additional vulnerabilities are reported,” the team said in the post.

Microsoft Defender for Containers supports any Kubernetes clusters certified by the Cloud Native Computing Foundation. Along with Kubernetes, it has been tested with the Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service on Azure Stack HCI, AKS Engine, Azure Red Hat OpenShift, Red Hat OpenShift (version 4.6 or above), VMware Tanzu Kubernetes Grid, and Rancher Kubernetes Engine.

Microsoft 365 Defender updates

Meanwhile, for Microsoft 365 Defender, the company said it has introduced a consolidated dashboard for managing threats and vulnerabilities related to the Log4j flaws. The dashboard will “help customers identify and remediate files, software, and devices exposed to the Log4j vulnerabilities,” Microsoft’s threat intelligence team tweeted.

These capabilities are supported on Windows and Windows Server, as well as on Linux, Microsoft said. However, for Linux, the capabilities require an update to version 101.52.57 or later of the Microsoft Defender for Endpoint Linux client.

This “dedicated Log4j dashboard” provides a “consolidated view of various findings across vulnerable devices, vulnerable software, and vulnerable files,” the threat intelligence teams said in the blog post.

Additionally, Microsoft said it has launched a new schema in advanced hunting for Microsoft 365 Defender, “which surfaces file-level findings from the disk and provides the ability to correlate them with additional context in advanced hunting.”

“These new capabilities integrate with the existing threat and vulnerability management experience and are gradually rolling out,” Microsoft’s threat intelligence teams said in the post.

The discovery capabilities cover installed application CPEs (Common Platform Enumerations) that are known to have vulnerabilities to the Log4j RCE, along with vulnerable Log4j Java Archive (JAR) files, the post says.

Support coming for macOS

Microsoft said it’s working to add support for the capabilities in Microsoft 365 Defender for Apple’s macOS, and said the capabilities for macOS devices “will roll out soon.”

The new capabilities to protect against the Log4j vulnerability join other capabilities available in Microsoft offerings for addressing the vulnerability, known as Log4Shell. Those other offerings include Microsoft Sentinel, Azure Firewall Premium, Azure Web Application Firewall, RiskIQ EASM and Threat Intelligence, Microsoft Defender Antivirus, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud, and Microsoft Defender for IoT.

Along with providing some of the largest platforms and cloud services used by businesses, Microsoft is a major cybersecurity vendor in its own right with 650,000 security customers.

Microsoft has reported observing activities exploiting Log4Shell such as attempted ransomware deployment, crypto mining, credential theft, lateral movement, and data exfiltration.

The company previously said it has observed activities by multiple cybercriminal groups seeking to establish network access by exploiting the vulnerability in Log4j. These suspected “access brokers” are expected to later sell that access to ransomware operators.

Their arrival suggests that an “increase in human-operated ransomware” may follow against both Windows and Linux systems, the company said.

Widespread vulnerability

Microsoft and cyber firm Mandiant have also said they’ve observed activity from nation-state groups — tied to countries including China and Iran — seeking to exploit the Log4j vulnerability. An Iranian group known as Phosphorus, which has previously deployed ransomware, has been seen “acquiring and making modifications of the Log4j exploit,” Microsoft said.

Additionally, the company previously said it has observed a new family of ransomware, known as Khonsari, used in attacks on non-Microsoft hosted Minecraft servers by exploiting the vulnerability in Apache Log4j.

Many enterprise applications and cloud services written in Java are potentially vulnerable due to the flaws in Log4j prior to version 2.17.1, which was released today. The open source logging library is believed to be used in some form — either directly or indirectly by leveraging a Java framework — by the majority of large organizations.

Version 2.17.1 of Log4j addresses a newly discovered vulnerability (CVE-2021-44832), and is the fourth patch for vulnerabilities in the Log4j software since the initial discovery of the RCE vulnerability.

The newly discovered vulnerability in Log4j “requires a fairly obscure set of conditions to trigger,” said Casey Ellis, founder and chief technology officer at Bugcrowd, in a statement shared with VentureBeat. “So, while it’s important for people to keep an eye out for newly released CVEs for situational awareness, this CVE doesn’t appear to increase the already elevated risk of compromise via Log4j.”

Updated to reference the release of version 2.17.1 of Log4j and add comments from Bugcrowd’s Casey Ellis.