Tuesday, December 16, 2025

Microsoft launches new Defender capabilities for fixing Log4j



Microsoft announced it has rolled out new capabilities in its Defender for Containers and Microsoft 365 Defender offerings for identifying and remediating the widespread vulnerabilities in Apache Log4j.

Defender for Containers debuted December 9, merging the capabilities of the existing Microsoft Defender for Kubernetes and Microsoft Defender for container registries and adding new features such as Kubernetes-native deployment, advanced threat detection, and vulnerability assessment.

On Monday evening, Microsoft disclosed it has updated the Defender for Containers solution to enable the discovery of container images that are vulnerable to the flaws in Log4j, a widely used logging software component.

Defender for Containers can now discover images affected by the three Log4j vulnerabilities that had been disclosed and patched at the time of Microsoft's update, starting with the initial report of a remote code execution flaw in Log4j on December 9.

Vulnerability scanning

Container images are scanned automatically for vulnerabilities when they are pushed to an Azure container registry, when they are pulled from an Azure container registry, and when they are running on a Kubernetes cluster, Microsoft's threat intelligence team wrote in an update to its blog post about the Log4j vulnerability.

The capability that allows scanning for vulnerabilities in container images running on a Kubernetes cluster is powered by technology from cyber firm Qualys, Microsoft noted.

"We will continue to follow up on any additional developments and will update our detection capabilities if any additional vulnerabilities are reported," the team said in the post.

Microsoft Defender for Containers supports any Kubernetes cluster certified by the Cloud Native Computing Foundation. Besides upstream Kubernetes, it has been tested with Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service on Azure Stack HCI, AKS Engine, Azure Red Hat OpenShift, Red Hat OpenShift (version 4.6 or above), VMware Tanzu Kubernetes Grid, and Rancher Kubernetes Engine.

Microsoft 365 Defender updates

Meanwhile, for Microsoft 365 Defender, the company said it has introduced a consolidated dashboard for managing threats and vulnerabilities related to the Log4j flaws. The dashboard will "help customers identify and remediate files, software, and devices exposed to the Log4j vulnerabilities," Microsoft's threat intelligence team tweeted.

These capabilities are supported on Windows and Windows Server, as well as on Linux, Microsoft said. However, on Linux the capabilities require an update to version 101.52.57 or later of the Microsoft Defender for Endpoint Linux client.

This "dedicated Log4j dashboard" provides a "consolidated view of various findings across vulnerable devices, vulnerable software, and vulnerable files," the threat intelligence team said in the blog post.

Additionally, Microsoft said it has introduced a new schema in advanced hunting for Microsoft 365 Defender, "which surfaces file-level findings from the disk and provides the ability to correlate them with additional context in advanced hunting."

"These new capabilities integrate with the existing threat and vulnerability management experience and are gradually rolling out," Microsoft's threat intelligence team said in the post.

The discovery capabilities cover installed application CPEs (Common Platform Enumerations) that are known to be vulnerable to the Log4j RCE, along with vulnerable Log4j Java Archive (JAR) files found on disk, the post says.

Support coming for macOS

Microsoft said it is working to add support for these Microsoft 365 Defender capabilities on Apple's macOS, and said the capabilities for macOS devices "will roll out soon."

The new capabilities for protecting against the Log4j vulnerability join other capabilities already available in Microsoft offerings for addressing the vulnerability, known as Log4Shell. These other offerings include Microsoft Sentinel, Azure Firewall Premium, Azure Web Application Firewall, RiskIQ EASM and Threat Intelligence, Microsoft Defender Antivirus, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud, and Microsoft Defender for IoT.

Along with providing some of the largest platforms and cloud services used by businesses, Microsoft is a major cybersecurity vendor in its own right, with 650,000 security customers.

Microsoft has reported observing activity exploiting Log4Shell such as attempted ransomware deployment, crypto mining, credential theft, lateral movement, and data exfiltration.

The company previously said it has observed activity by multiple cybercriminal groups seeking to establish network access by exploiting the vulnerability in Log4j. These suspected "access brokers" are expected to later sell that access to ransomware operators.

Their arrival suggests that an "increase in human-operated ransomware" may follow against both Windows and Linux systems, the company said.

Widespread vulnerability

Microsoft and cyber firm Mandiant have also said they have observed activity from nation-state groups, tied to countries including China and Iran, seeking to exploit the Log4j vulnerability. An Iranian group known as Phosphorus, which has previously deployed ransomware, has been seen "acquiring and making modifications of the Log4j exploit," Microsoft said.

Additionally, the company previously said it has observed a new family of ransomware, known as Khonsari, used in attacks on non-Microsoft-hosted Minecraft servers by exploiting the vulnerability in Apache Log4j.

Many enterprise applications and cloud services written in Java are potentially vulnerable because of flaws in Log4j 2 prior to version 2.17.1, which was released today. The open source logging library is believed to be used in some form, either directly or indirectly through a Java framework that depends on it, by the majority of large organizations.

Version 2.17.1 of Log4j addresses a newly discovered vulnerability (CVE-2021-44832) and is the fourth patch for vulnerabilities in the Log4j software since the initial discovery of the RCE vulnerability, following 2.15.0 (CVE-2021-44228), 2.16.0 (CVE-2021-45046), and 2.17.0 (CVE-2021-45105).
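The on-disk discovery described earlier in this article (installed CPEs and vulnerable Log4j JAR files) and the 2.17.1 threshold cited here can be reproduced with a host-side scan. The following script is an added example, not Microsoft's or Apache's code: it walks a directory tree, opens every JAR, WAR, EAR or ZIP it finds (descending into archives nested inside archives, which is where a log4j-core JAR inside a deployed WAR hides), identifies archives that carry log4j-core classes, reads the version from META-INF/MANIFEST.MF with a fallback to the filename, records whether JndiLookup.class is still present, and compares the version against 2.17.1. The build_sample_jar helper constructs fixture archives in memory so the scan runs offline; the file names, manifest contents and the MAX_DEPTH limit are assumptions made for the example.

```python
"""Scan a directory tree for Log4j 2 core JARs (including JARs nested inside
WAR/EAR archives) and report each one's version against 2.17.1.
Added example; not part of the original article or any vendor tooling."""
import io
import re
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 17, 1)  # release the article cites as fixing CVE-2021-44832
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"  # marks an archive as log4j-core
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MANIFEST_VERSION_RE = re.compile(r"^Implementation-Version:\s*([0-9.]+)", re.M)
FILENAME_VERSION_RE = re.compile(r"log4j-core-([0-9.]+)\.jar$")
MAX_DEPTH = 3  # assumption: how deep to follow archive-in-archive nesting


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when the string is not dotted digits."""
    try:
        return tuple(int(p) for p in text.strip().split(".")[:3])
    except ValueError:
        return None


def manifest_version(zf):
    """Version from META-INF/MANIFEST.MF Implementation-Version, or None."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = MANIFEST_VERSION_RE.search(manifest)
    return parse_version(m.group(1)) if m else None


def inspect_archive(data, path, depth=0):
    """Return findings for this archive and for any archive nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP container at all; nothing to inspect
    names = zf.namelist()
    if any(n.startswith(CORE_PREFIX) for n in names):
        version = manifest_version(zf)
        if version is None:  # manifest stripped or repackaged: fall back to filename
            m = FILENAME_VERSION_RE.search(path)
            version = parse_version(m.group(1)) if m else None
        if version is None:
            status = "unknown"
        elif version >= FIXED_VERSION:
            status = "fixed"
        else:
            status = "vulnerable"
        findings.append({
            "path": path,
            "version": version,
            "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
            "status": status,
        })
    if depth < MAX_DEPTH:
        for n in names:
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(n), f"{path}!{n}", depth + 1))
    return findings


def scan_tree(root):
    """Walk `root` and inspect every archive file under it."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_archive(p.read_bytes(), str(p)))
    return findings


def build_sample_jar(version, include_jndi_lookup=True, wrap_in_war=False):
    """Constructed fixture: a minimal log4j-core-like JAR, optionally nested in a WAR.
    Class bodies are placeholder bytes; only names and the manifest matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Title: Apache Log4j Core\n"
                    f"Implementation-Version: {version}\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    jar = buf.getvalue()
    if not wrap_in_war:
        return jar
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar)
    return war.getvalue()


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f["status"], f["version"], "JndiLookup" if f["jndi_lookup_present"] else "-", f["path"])
```

Two caveats a practitioner should keep in mind. A JAR below 2.17.1 whose JndiLookup.class has been deleted is still reported as vulnerable, which is deliberate: removing that class was the documented workaround for the JNDI lookup flaws, but CVE-2021-45105 and CVE-2021-44832 are fixed only by upgrading. Conversely, the single 2.17.1 threshold used here will flag the 2.12.4 (Java 7) and 2.3.2 (Java 6) maintenance releases even though they carry the same fixes for their branches; adjust FIXED_VERSION per branch if those are in use.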

The newly discovered vulnerability in Log4j "requires a fairly obscure set of circumstances to trigger," said Casey Ellis, founder and chief technology officer at Bugcrowd, in a statement shared with VentureBeat. "So, while it's important for people to keep an eye out for newly released CVEs for situational awareness, this CVE doesn't appear to increase the already elevated risk of compromise via Log4j."

Updated to reference the release of version 2.17.1 of Log4j and to add comments from Bugcrowd's Casey Ellis.

VentureBeat



