Hello, welcome to the Monday, December 27, 2021 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich. And then I'm recording from Jacksonville, Florida. Let's start out with a quick roundup of log for shell or log for J-related news that sort of broke over the long weekend.

Luckily, there wasn't really all that much new about this vulnerability.

Mick Douglas wrote a little post about how this vulnerability could affect the internal

metadata service on cloud services.

Most notably, if you are using, for example, an AWS virtual machine in EC2, there is a

metadata service exposed on an internal IP address, 169-254, 169-254, and NetHacker could connect to that metadata service via the log for J-warnability

and potentially retrieve allification tokens for other cloud services by the same organization.

This particular exploitation path was, for example, made kind of famous

in the Capital One breach. So certainly these metadata service is something that you need to get a

handle on. Make sure you're configuring them right, meaning for the latest version of the particular

metadata service that you are using.

And yeah, if you don't need them, then turn off the HTTP interface, of course, for these services.

They can be accessed pretty much by any code running within that particular virtual machine.

So this is not something that's specific to log 4J.

Any code execution vulnerability on the virtual machine

could easily be escalated to be sort of an enterprise-wide problem

if you don't have credentials configured correctly

that are being offered by these metadata services.

And as far as exploited hymns go, crypto miners are still at the top of the list.

And Renato wrote up another crypto coin miner that got caught in his honeypots.

You can find more details in Renato's post, including

indicators of compromise. Of course, all the typical indicators of compromise for crypto miners

...