Recently, a serious vulnerability was found in the popular Log4J library which allows an attacker to execute code on a server. The vulnerability, CVE-2021-44228, also known as Log4Shell, does not affect VNT, but does affect countless products and can be a serious security risk. To see details on the vulnerability, you can check the NIST website here: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
One of the advantages of having full network visibility with VNT is that you can identify this type of attack quickly and easily. In this guide, I will show you how you can use VNT’s capabilities to see whether you have been attacked in this way.
The first stage is to make sure that VNT is collecting external traffic. In order to do this, go to Settings -> Discovery Scope. Here, make sure that for all the subnets where you have servers running, you set Collect External Traffic to enabled. Once this is set, VNT will collect traffic that is outgoing to the internet from your servers.
Make sure to let VNT run for a bit so that it can collect this traffic.
Once VNT is collecting external data, we can use the tools available in VNT to see if there are any servers that have been attacked.
Since the vulnerability stems from having local servers access malicious LDAP servers over the internet, this is the kind of traffic we need to look for. The easiest way to do this is to go to the Map tab, and look under Software Components. There you should have an LDAP component already. If you do not, you can add a new software component using the following configuration:
Now, select the software component and you will have a list of all the LDAP servers that are being accessed on your network. Hopefully, all the LDAP servers listed are servers that are internal to your network, most likely your domain controllers. If you see an external server here, it is likely that you have been attacked using this vulnerability.
If you do see an unrecognized server here, you can click on search which will show you a map with all the servers that have accessed the unknown LDAP server so that you know exactly which servers in your environment have been affected.
Receiving Alerts On New Attacks
While the above method is great to see if you have already been attacked, it is even better to know if this happens in real time. Here is a simple method to do this using the existing tools in VNT:
- Open the Search tab and click “Show advanced panel”
- In the Port field, enter: 389,636
- In the Excluded servers/s field, enter the LDAP servers in your network. This will most likely consist of your domain controllers
- Click on Search
- You will hopefully have an empty map here. Click on Save Query and save this as an application map
- Go to Settings->Notifications to set up email alerts for this application
- If you do not yet have a Notification Channel set up, select the Notification Channels tab and create a new Email notification channel
- In the Notification Subscriptions tab, create a new Subscription
- Give it a name, select the Channel, and under Notification type, select Change detected
- Next, select Specific Application Maps, and select the Application we just created
- In the Target address field, enter the email to which you would like the alerts to be sent
If there are any new attacks on your servers, you should now receive email alerts from VNT in near-real time.
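The check that both methods above perform in the VNT UI (LDAP traffic on ports 389/636 whose destination is not one of your own LDAP servers, grouped by destination so you can see which internal servers contacted it), written out as an added example. This is not VNT code; the flow record format, the sample records and the list of known LDAP servers are constructed for illustration.

```python
"""Flag LDAP connections to servers that are not known internal LDAP servers.

Added illustration of the search described above, not VNT's own code.
Assumes flow records as 'timestamp src_ip dst_ip dst_port' lines; the
records and the known LDAP server list below are constructed examples.
"""
from collections import defaultdict

LDAP_PORTS = {389, 636}

# Constructed: your domain controllers, the "Excluded servers" of the search.
KNOWN_LDAP_SERVERS = {"10.0.0.10", "10.0.0.11"}

# Constructed flow records: timestamp src_ip dst_ip dst_port
SAMPLE_FLOWS = """\
2021-12-10T14:02:01Z 10.0.1.25 10.0.0.10 389
2021-12-10T14:02:09Z 10.0.1.30 203.0.113.7 389
2021-12-10T14:03:11Z 10.0.1.31 10.0.0.11 636
2021-12-10T14:03:40Z 10.0.1.30 198.51.100.4 636
2021-12-10T14:04:02Z 10.0.1.32 203.0.113.7 389
2021-12-10T14:04:30Z 10.0.1.25 203.0.113.9 443
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((ts, src, dst, int(port)))
    return flows


def suspicious_ldap_flows(flows, known_ldap=KNOWN_LDAP_SERVERS):
    """Flows to an LDAP port whose destination is not a known LDAP server."""
    return [f for f in flows if f[3] in LDAP_PORTS and f[2] not in known_ldap]


def affected_servers_by_destination(flows, known_ldap=KNOWN_LDAP_SERVERS):
    """Map each unknown LDAP destination to the internal servers that reached it."""
    hits = defaultdict(set)
    for _ts, src, dst, _port in suspicious_ldap_flows(flows, known_ldap):
        hits[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


if __name__ == "__main__":
    report = affected_servers_by_destination(parse_flows(SAMPLE_FLOWS))
    for dst, srcs in sorted(report.items()):
        print(f"unknown LDAP server {dst} contacted by: {', '.join(srcs)}")
```

Like the search above, this match is port based, so it covers LDAP on 389 and 636 only; the non-LDAP flow on port 443 is ignored.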