December 13, 2021
Datto releases Log4Shell RMM component for Datto partners and MSP community
On Friday, December 10, 2021, news broke widely of active exploitation of a critical vulnerability (CVE-2021-44228) in a common component of Java-based software, referred to as Log4j.
More information on the vulnerability and Datto’s initial response can be found in our Datto Response to Log4Shell blog.
The extent to which this software package is integrated into the world's technologies and platforms is still being discovered, and enumeration of vulnerable instances or potential attacks can be difficult at scale.
Today, Datto has released both a Datto RMM component for its partners, and a community script for all MSPs that will help you use the power and reach of your RMM, regardless of vendor, to enumerate systems that are both potentially vulnerable and that have been potentially attacked. The tool can also attempt to protect against subsequent attacks by applying a known workaround.
Datto Partners: RMM Component
The tool is available at no charge to Datto RMM partners via the ComStore.
MSPs can use the tool on protected systems to:
- Scan all JAR files on the system for signs of insecure versions of Log4j
- Search TXT and LOG files on a system for indicators of a potential attack
- Automatically inoculate against future exploit attempts by setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to TRUE.
Should the component identify signs of attack, a report will be produced. A Datto RMM File/Folder Size monitor can be configured to look for this report, the presence of which is an indicator that suspicious activity was detected.
MSP Community: Scripts available on Github
Datto has made the Log4Shell Enumeration, Mitigation and Attack Detection Tool for Windows available on Github that can be used in conjunction with any RMM to help the broader community enumerate vulnerable instances, detect potential attacks, and aid in temporary inoculation.
We also investigated the creation of a linux script, but found that Florian Roth’s Fenrir tool is all that MSPs would need, and there was no value in us repackaging that for them.
- If the tool is unable to download the latest detections then it will default to a cached version. Systems will need access https://www.github.com to access the most up-to-date protection.
- There are a number of pattern-matching evasion techniques that bypass common detection techniques used by the packaged detection rules. As such these tools are augmentative to, and not a replacement for, thorough log review.
- Inoculations may be ineffective on certain systems depending on how the Log4j package is embedded.
- A positive result may not necessarily indicate the presence of exploitable vulnerability. Results should be treated as a prioritised list for your analysis.
If you have an attack detection that you believe to be a true positive, and you are able to confirm that a subsequent outbound connection to a Command and Control (C2) server was made, then we suggest you work with your SIEM, SOC, MDR, MSSP or other Incident Response firm to aid you in conducting an investigation into the potential presence of a threat actor.
Now is a time to remain vigilant and take an active stance on enumerating and patching systems against this emerging threat. We hope this tool provides you the necessary support in that endeavor.