Overview
Recently, a serious vulnerability was found in the popular Log4j logging library which allows an attacker to execute code remotely on a server. The vulnerability, CVE-2021-44228, also known as Log4Shell, does not affect Faddom, but it does affect countless products and is a serious security risk: a vulnerable server that logs an attacker-controlled string containing a JNDI lookup, typically pointing at an LDAP URL, connects out to the attacker's server and loads code from it. For details on the vulnerability, see the NIST entry: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
One of the advantages of having full network visibility with Faddom is that you can identify this type of attack quickly and easily. In this guide, I will show you how you can use Faddom's capabilities to see whether you have been attacked in this way.
Setup
The first stage is to make sure that Faddom is collecting external traffic. To do this, go to Settings -> Discovery Scope. Here, make sure that Collect External Traffic is enabled for every subnet where you have servers running. Once this is set, Faddom will collect traffic going out to the internet from your servers.
Let Faddom run for a while so that it has time to collect this traffic; a server that was exploited before collection started will only show up once it talks to the malicious server again.
Identifying Attacks
Once Faddom is collecting external data, we can use the tools available in Faddom to see if there are any servers that have been attacked.
Since exploitation relies on a vulnerable server making an outbound connection to a malicious LDAP server, usually on the internet, this is the kind of traffic we need to look for. The easiest way to do this is to go to the Map tab and look under Software Components. There you should already have an LDAP component. If you do not, add a new software component for LDAP (the standard LDAP and LDAPS ports, TCP 389 and 636, are the same ports used in the search filter later in this guide).
Now, select the software component and you will see a list of all the LDAP servers being accessed on your network. Ideally, every LDAP server listed is internal to your network, most likely one of your domain controllers. If you see an external server here, it is likely that one of your servers has been exploited through this vulnerability; do first rule out legitimate external directory services your applications may use. Two caveats: the attacker chooses the port in the JNDI URL, so an LDAP server on a non-standard port will not match a filter on ports 389 and 636 (treat any unexpected outbound connection from an application server as suspicious), and JNDI lookups can also use other protocols such as RMI, so outbound LDAP is a strong indicator but not the only one.
If you do see an unrecognized server here, click on Search, which shows a map of all the servers that have accessed the unknown LDAP server, so you know exactly which servers in your environment have been affected.
Receiving Alerts On New Attacks
While the above method is great to see if you have already been attacked, it is even better to know if this happens in real time. Here is a simple method to do this using the existing tools in Faddom:
- Open the Search tab and click “Show advanced panel”
- In the Port field, enter: 389,636
- In the Excluded servers/s field, enter the LDAP servers in your network. These will most likely be your domain controllers
- Click on Search
- The resulting map should be empty; if it is not, investigate the servers it shows before continuing. Click on Save Query and save the query as an application map
- Go to Settings->Notifications to set up email alerts for this application
- If you do not yet have a Notification Channel set up, select the Notification Channels tab and create a new Email notification channel
- In the Notification Subscriptions tab, create a new Subscription
- Give it a name, select the Channel, and under Notification type, select Change detected
- Next, select Specific Application Maps, and select the Application we just created
- In the Target address field, enter the email to which you would like the alerts to be sent
If a server in your environment starts connecting to an LDAP server that is not on the excluded list, Faddom will now send you an email alert in near real time.
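The logic that the saved query and the Change detected notification above encode, written out in Python as an added example, not Faddom code and not using any Faddom API, so you can see exactly what is and is not caught. It runs over constructed connection records; the IP addresses and the allowlist of two domain controllers are assumptions, and in practice the records would come from your own traffic collector or flow export.

```python
"""Network-side Log4Shell check over connection records: flag outbound LDAP
(TCP 389/636) to any server that is not an approved LDAP server, group the
hits by destination so you can see which internal servers talked to it, and
report only what is new since the previous run.

Added example with constructed data; it is not Faddom code and uses no Faddom API.
"""
import ipaddress
from collections import defaultdict

LDAP_PORTS = {389, 636}

# Assumed: the approved LDAP servers in this environment (two domain controllers).
KNOWN_LDAP_SERVERS = {"10.0.0.10", "10.0.0.11"}

# RFC 1918 ranges, used to tell "external" from "internal but not on the list".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample connection records: (source, destination, dest_port, protocol).
SAMPLE_FLOWS = [
    ("10.0.1.21", "10.0.0.10", 389, "tcp"),      # app server -> DC, normal
    ("10.0.1.22", "10.0.0.11", 636, "tcp"),      # app server -> DC over LDAPS, normal
    ("10.0.1.21", "203.0.113.45", 389, "tcp"),   # app server -> internet LDAP: the Log4Shell pattern
    ("10.0.1.23", "203.0.113.45", 1389, "tcp"),  # same host, non-standard port: a port filter misses it
    ("10.0.1.24", "198.51.100.7", 636, "tcp"),   # another external LDAPS destination
    ("10.0.1.25", "10.0.5.9", 389, "tcp"),       # internal, but not an approved LDAP server
    ("10.0.1.21", "192.0.2.80", 443, "tcp"),     # ordinary HTTPS, not LDAP
]


def is_rfc1918(ip: str) -> bool:
    """True for private (RFC 1918) addresses only; documentation ranges count as external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def unknown_ldap_servers(flows, known_servers=KNOWN_LDAP_SERVERS, ports=LDAP_PORTS):
    """Equivalent of the saved query: LDAP ports, approved servers excluded.
    Returns {destination: sorted list of sources that connected to it}."""
    hits = defaultdict(set)
    for src, dst, dport, proto in flows:
        if proto != "tcp" or dport not in ports or dst in known_servers:
            continue
        hits[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


def triage(findings):
    """Label each hit: an external destination is the Log4Shell pattern, an
    RFC 1918 one is more likely an LDAP server missing from the allowlist."""
    return {
        dst: ("internal-unapproved" if is_rfc1918(dst) else "EXTERNAL", srcs)
        for dst, srcs in findings.items()
    }


def new_pairs(previous, current):
    """Equivalent of the 'Change detected' notification: (destination, source)
    pairs present now that were not in the previous run."""
    seen = {(dst, src) for dst, srcs in previous.items() for src in srcs}
    return sorted(
        (dst, src) for dst, srcs in current.items() for src in srcs if (dst, src) not in seen
    )


if __name__ == "__main__":
    findings = unknown_ldap_servers(SAMPLE_FLOWS)
    for dst, (label, srcs) in sorted(triage(findings).items()):
        print(f"{label:20} {dst:15} reached by {', '.join(srcs)}")
    # A second "run" with one extra flow reports only the delta, as the alert would.
    later = SAMPLE_FLOWS + [("10.0.1.30", "203.0.113.45", 389, "tcp")]
    print("new since last run:", new_pairs(findings, unknown_ldap_servers(later)))
```

The record on port 1389 is deliberately left in the sample to show the limit of a port-based filter: the same malicious host is caught through its port 389 connection but would be invisible if the attacker had only used the non-standard port, which is why the saved query should be complemented by reviewing any unexpected outbound connections from application servers.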