Microsoft Launches New Defender Features To Fix Log4j


Microsoft has announced that it has deployed new features in its Defender for Containers and Microsoft 365 Defender offerings to identify and correct generalized vulnerabilities in Apache Log4j.

Defender for Containers debuted on December 9, merging the capabilities of Microsoft Defender for Kubernetes and Microsoft Defender for container registries and adding new features such as native Kubernetes deployment, advanced threat detection and vulnerability assessment.

On Monday evening, Microsoft revealed that it updated the Defender for Containers solution to enable the discovery of container images vulnerable to flaws in Log4j, a widely used logging software component.

Defender for Containers can now discover images affected by the three Log4j vulnerabilities that had been disclosed and fixed at that point, starting with the initial report of a remote code execution vulnerability in Log4j on December 9.

Vulnerability analysis

Container images are automatically scanned for vulnerabilities when they are pushed to an Azure container registry, when they are pulled from an Azure container registry, and when they run on a Kubernetes cluster, Microsoft’s threat intelligence team wrote in an update to its blog post about the Log4j vulnerability.

The ability to scan container images running on a Kubernetes cluster for vulnerabilities is powered by technology from Qualys, Microsoft noted.

“We will continue to monitor any further development and update our detection capabilities if additional vulnerabilities are reported,” the team said in the post.

Microsoft Defender for Containers supports all Kubernetes clusters certified by the Cloud Native Computing Foundation. It has been tested with Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service on Azure Stack HCI, AKS Engine, Azure Red Hat OpenShift, Red Hat OpenShift (version 4.6 or higher), VMware Tanzu Kubernetes Grid and Rancher Kubernetes Engine.

Microsoft 365 Defender Updates

Meanwhile, for Microsoft 365 Defender, the company said it has introduced a consolidated dashboard for managing threats and vulnerabilities related to Log4j. The dashboard “will help customers identify and remediate files, software and devices exposed to Log4j vulnerabilities,” Microsoft’s threat intelligence team tweeted.

These capabilities are supported on Windows and Windows Server, as well as Linux, Microsoft said. However, for Linux, the features require an update to version 101.52.57 or later of the Microsoft Defender for Endpoint Linux client.

This “dedicated Log4j dashboard” provides a “consolidated view of various findings on vulnerable devices, vulnerable software and vulnerable files,” the threat intelligence team said in the blog post.

Additionally, Microsoft said it has launched a new advanced hunting schema for Microsoft 365 Defender, “which surfaces file-level findings from disk and provides the ability to correlate them with additional context in advanced hunting.”

“These new capabilities build on the existing threat and vulnerability management experience and are being rolled out over time,” Microsoft’s threat intelligence team said in the post.

Discovery covers installed applications, identified by Common Platform Enumeration (CPE), that are known to be affected by the Log4j RCE vulnerability, as well as vulnerable Log4j Java Archive (JAR) files, the post says.
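The file-level discovery described above comes down to locating Log4j JAR files and judging their version. The following Python is an added example, not Microsoft’s code: it inspects a single archive, including log4j-core JARs nested inside a WAR or fat JAR, and reports each one against the 2.17.1 threshold the article cites; the archives it builds for input are constructed in memory.

```python
import io
import re
import zipfile

# 2.17.1 is the release the article cites as fixing the fourth Log4j issue; older builds are flagged.
FIXED_VERSION = (2, 17, 1)
LOG4J_CORE = re.compile(r"log4j-core[^/]*\.jar$")

def parse_version(text):
    """Return (major, minor, patch) from text such as 'log4j-core-2.14.1.jar', or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def manifest_version(zf):
    """Read Implementation-Version from the JAR manifest, or None if it is missing."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version":
            return parse_version(value)
    return None

def find_log4j_core(name, data, depth=0):
    """Yield (path, status) for this archive if it is log4j-core, and for any log4j-core
    JAR nested inside it (fat JARs, WARs, EARs). Depth is capped to bound the work."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not an archive at all
    with zf:
        if LOG4J_CORE.search(name):
            # Prefer the manifest; fall back to the version embedded in the file name.
            version = manifest_version(zf) or parse_version(name.rsplit("/", 1)[-1])
            status = "unknown" if version is None else ("fixed" if version >= FIXED_VERSION else "vulnerable")
            yield name, status
        if depth >= 3:
            return
        for entry in zf.namelist():
            if entry.endswith((".jar", ".war", ".ear")):
                yield from find_log4j_core(f"{name}!/{entry}", zf.read(entry), depth + 1)

def make_jar(entries):
    """Build an in-memory archive from {entry_name: content} (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()
```

Pointing find_log4j_core at every archive under an application directory gives the same per-file list the dashboard summarises, with a version taken from the manifest when the file has been renamed.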

Upcoming support for macOS

Microsoft has said it is working on adding these Microsoft 365 Defender capabilities for Apple’s macOS, and said the capabilities for macOS devices “will be rolled out soon.”

The new Log4j vulnerability protection capabilities join other capabilities available in Microsoft’s offerings to address the vulnerability, known as Log4Shell. These other offerings include Microsoft Sentinel, Azure Firewall Premium, Azure Web Application Firewall, RiskIQ EASM and Threat Intelligence, Microsoft Defender Antivirus, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud, and Microsoft Defender for IoT.

In addition to providing some of the largest cloud platforms and services used by businesses, Microsoft is a leading cybersecurity provider in its own right with 650,000 security customers.

Microsoft has reported observing activity exploiting Log4Shell, such as attempted ransomware deployment, crypto mining, credential theft, lateral movement, and data exfiltration.

The company has previously said that it has observed several cybercriminal groups seeking to establish network access by exploiting the Log4j vulnerability. These suspected “access brokers” are expected to later sell that access to ransomware operators.

Their arrival suggests that an “increase in human-operated ransomware” could follow against Windows and Linux systems, the company said.

Widespread vulnerability

Microsoft and cybersecurity company Mandiant also said they have observed activity by nation-state groups – linked to countries such as China and Iran – seeking to exploit the Log4j vulnerability. An Iranian group known as Phosphorus, which has previously deployed ransomware, has been seen to “acquire and modify the Log4j exploit,” Microsoft said.

Additionally, the company previously said it has observed a new family of ransomware, known as Khonsari, being used in attacks on Minecraft servers not hosted by Microsoft by exploiting the Apache Log4j vulnerability.

Many enterprise applications and cloud services written in Java are potentially vulnerable due to vulnerabilities in Log4j prior to version 2.17.1, released today. The open source logging library is believed to be used in one form or another – directly or indirectly by leveraging a Java framework – by the majority of large organizations.

Log4j version 2.17.1 fixes a newly discovered vulnerability (CVE-2021-44832) and is the fourth patch for vulnerabilities in Log4j software since the initial discovery of the RCE vulnerability.

The newly discovered vulnerability in Log4j “requires a fairly obscure set of conditions to trigger,” said Casey Ellis, founder and chief technology officer at Bugcrowd, in a statement shared with VentureBeat. “So while it’s important for people to keep an eye out for newly released CVEs for situational awareness, this CVE doesn’t appear to increase the already high risk of compromise through Log4j.”

Updated to reference version 2.17.1 of Log4j and add comments from Casey Ellis of Bugcrowd.


Steven L. Nielsen