{"id":20247,"date":"2021-12-14T12:00:15","date_gmt":"2021-12-14T12:00:15","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=20247"},"modified":"2023-03-29T19:51:02","modified_gmt":"2023-03-29T19:51:02","slug":"log4shell-exploitation-grows","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/log4shell-exploitation-grows\/","title":{"rendered":"Log4Shell Exploitation Grows as Security Firms Scramble to Contain Log4j Threat"},"content":{"rendered":"

Cybercriminals are quickly ramping up efforts to exploit the critical flaw found in the widely used Log4j<\/a> open-source logging tool, targeting everything from cryptomining<\/a> to data theft to botnets that target Linux systems.<\/p>\n

The cybersecurity community is responding with tools for detecting exploitation of the vulnerability, a remote code execution (RCE) flaw dubbed Log4Shell and tracked as CVE-2021-44228<\/a>\u00a0(Apache Log4j 2.15.0 requires its own fix<\/a>). Efforts include a Log4j emergency patch<\/a> from the Apache Software Foundation (ASF), a \u201cvaccine<\/a>\u201d released by Cybereason, a mitigation<\/a> from NCC Group to stop Log4j from loading classes remotely over LDAP, a Log4j exploit detection tool<\/a> from CrowdSec, and more.<\/p>\n

In addition, the U.S. Cybersecurity Infrastructure and Security Agency (CISA) is continuing to put its weight behind efforts to protect enterprise systems. CISA Director Jen Easterly said in a statement<\/a> over the weekend that the agency has created a Joint Cyber Defense Collaboration senior leadership group to coordinate actions within the government \u2013 including the FBI and National Security Agency (NSA) \u2013 and private sector to manage the risk.<\/p>\n

Easterly urged federal and other government agencies as well as private companies to patch the flaw \u2013 which carries the highest severity rating \u2013 as quickly as possible.\u00a0\u201cThis vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,\u201d she said.<\/p>\n

CISA has offered guidance<\/a> for dealing with Log4j vulnerabilities and added Log4Shell to its list of known exploited vulnerabilities<\/a>. CISA is also compiling a list of vulnerable products, but others have stepped up in the meantime, among them the Dutch National Cyber Security Center<\/a> and researcher Royce Williams<\/a>.<\/p>\n

There has been speculation that the vulnerability was behind a massive ransomware attack<\/a> that could knock Kronos Private Cloud services offline for weeks, although the company hasn’t said that the vulnerability was a factor in the attack.<\/p>\n

Read <\/em>the latest on the Apache Log4Shell vulnerability<\/em><\/a><\/p>\n

A Major Threat<\/strong><\/h2>\n

The Log4Shell flaw \u2013 which Impacts Log4j versions 2.0 through 2.14.1\u00a0and has a CVSS severity score of 10.0 \u2013 carries with it a significant threat given the broad enterprise use of Log4j and the countless number of servers and cloud-based services that could be exposed to the zero-day vulnerability<\/a>. Open-source projects like ElasticSearch and Elastic Logstash also use Log4j, and the vulnerability also could affect default configurations of such Apache frameworks as Apache Struts2, Apache Druid and Apache Flink.<\/p>\n

Adding to the dangerousness of the flaw is the ease with which it can be exploited. Bad actors need only send a string that includes the malicious code, which then gets parsed and logged by Log4j and loaded into a server. From there, hackers can gain control of the system that is running the software, giving them a platform for launching a variety of attacks.<\/p>\n

\u201cBecause of its large attack surface and the innate severity of remote code execution, security researchers are notably calling this a \u2018shellshock\u2019 vulnerability,\u201d John Hammond, senior security researcher at Huntress Labs, wrote in a blog post<\/a>. \u201cAll threat actors need to trigger an attack is one line of text. There\u2019s no obvious target for this vulnerability \u2013 hackers are taking a spray-and-pray approach to wreak havoc.\u201d<\/p>\n

Huntress created a tool<\/a> to help organizations test whether applications are vulnerable to Log4Shell.<\/p>\n

\"How
How the Log4j exploit works<\/figcaption><\/figure>\n

Also read: Top Vulnerability Management Tools<\/a><\/p>\n

Attacks Include Cryptomining, Data Theft<\/strong><\/h2>\n

According to a blog post<\/a> by Microsoft threat researchers, most of the attacks seen were related to mass scanning by bad actors searching for vulnerable servers as well as by security companies and researchers.<\/p>\n

\u201cAt the time of publication [Dec. 11], the vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed,\u201d they wrote. \u201cBased on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives. Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.\u201d<\/p>\n

The Microsoft researchers also have seen efforts by cybercriminals to evade detection. When an attacker performs an HTTP request against a targeted system, it generates a log using Log4j that uses JNDI (Java Naming and Directory Interface) to send a request to an attacker-controlled site that launches the payload. Attackers are running obfuscation efforts around the requests to bypass string-matching detections.<\/p>\n

Botnets Strike<\/strong><\/h2>\n

Researchers with Netlab, a security unit of Chinese tech giant Qihoo 360, wrote<\/a> over the weekend that their Anglerfish and Apacket honeypots<\/a> detected two efforts to leverage Log4Shell to create Muhstik and Mirai<\/a> botnets to attack Linux devices. They also wrote that, given the broad impact of the Log4j vulnerability, they expect more bad actors to try to use it to create botnets.<\/p>\n

Sophos researchers wrote<\/a> that they have detected cryptomining efforts and \u201chundreds of thousands of attempts since December 9 to remotely execute code\u201d using the vulnerability. Other vendors, including Cisco and VMware<\/a>, also have seen Log4Shell being exploited in the wild.<\/p>\n

\"Log4j
Log4j attack traffic<\/figcaption><\/figure>\n

Researchers at Talus, Cisco\u2019s threat intelligence<\/a> business, wrote in a blog post that they detected a lead time between mass scans from bad actors and the callbacks from vulnerable systems.<\/p>\n

\u201cThis may indicate that the exploit is being triggered as it makes its way through an [a]ffected enterprise\u2019s infrastructure and its processed by internal systems \u2026 that may completely separate from the intended target system.\u201d<\/p>\n

They added that vulnerable inspection, event collection or logging systems on the communications path also could trigger the exploit.<\/p>\n

Also read: Best Patch Management Software<\/a><\/p>\n

A Vaccine for Log4Shell<\/strong><\/h2>\n

Cybersecurity firms are trying to stem the rapidly rising tide of attempted exploits of the Log4j vulnerability. Beyond the ASF patch, cybersecurity firm Cybereason on Dec. 10 created a vaccine designed to disable Log4Shell and made freely available on GitHub<\/a>.<\/p>\n

\u201cIn short, the fix uses the vulnerability itself to set the flag that turns it off,\u201d Yonatan Striem-Amit, co-founder and CTO of Cybereason, wrote in a blog post<\/a>. \u201cBecause the vulnerability is so easy to exploit and so ubiquitous \u2013 it\u2019s one of the very few ways to close it in certain scenarios.\u00a0You can permanently close the vulnerability by causing the server to save a configuration file, but that is a more difficult proposition. The simplest solution is to set up a server that will download and then run a class that changes the server’s configuration to not load things anymore.\u201d<\/p>\n

The vendor\u2019s fix \u201cwill disable the vulnerability and allow you to remain protected while you assess and update your servers,\u201d Striem-Amit wrote.<\/p>\n

Casey Ellis, founder and CTO of crowdsourcing security company Bugcrowd, told eSecurity Planet<\/em> that as a first message, companies should be cautious about running Cybereason\u2019s vaccine on someone else\u2019s infrastructure, saying doing so could violate anti-hacking laws.<\/p>\n

\u201cAside from that, I quite like the \u2018chaotic good\u2019 nature of this solution, especially given the chaos organizations are experiencing in finding all of the places that Log4j might exist within their environment,\u201d Ellis said. \u201cThe script basically takes the workaround first flagged by Marcus Hutchins<\/a>, which disables indexing and then uses the vulnerability itself to apply it. The fact that solutions like this are coming out so quickly is telling regarding the ubiquity of this vulnerability, the complexities of applying a proper patch and the sheer number of ways that it can be exploited.\u201d<\/p>\n

Vulnerability Surfaced in Late November<\/strong><\/h2>\n

According to the emerging timeline, the security team at Alibaba Cloud in late November first detected the vulnerability on servers running Minecraft and reported it to the ASF. Apache on Dec. 5 identified the vulnerability in a JIRA issue and the next day released the patch. On Dec. 9, weaponized proof-of-concept (POC) exploits began to appear, fueling a rapid increase of scanning and public exploitation the next day, according to GreyNoise researchers<\/a>.<\/p>\n

Between noon and 2 p.m. ET on Dec. 10, they saw a five-fold increase in the number of hits per sensor related to Log4Shell.<\/p>\n

However, a number of vendors, including Talus and Cloudflare, are reporting that the vulnerability may have been openly exploited more than a week before the first weaponized PoCs were pushed out to the public on Twitter Dec. 9, sparking the scramble of activity.<\/p>\n

The problem likely will only get worse, according to Andrii Bezverkhyi, founder and CEO of threat detection and intelligence company SOC Prime.<\/p>\n

\u201cThe problem with Log4j is that every major tech on our planet that has Java uses it and the exploit has been around since March,\u201d Bezverkhyi told eSecurity Planet<\/em>. \u201cThis is worse than Zerologon; it could get as bad as Wannacry<\/a>.\u201d<\/p>\n

Enterprise security teams need to work on mitigation, hunt<\/a> to understand if they were breached since March, and report the status to their boards of directors for tactical and strategic support, he said.<\/p>\n

Further reading: Best Risk Management Software<\/a><\/p>\n\n\n

\n \n\n \n\n
\n \n <\/path>\n <\/svg>\n <\/div>\n \n
\n
\n

\n Get the Free Cybersecurity Newsletter <\/h3>\n \n \n

\n Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday <\/p>\n <\/div>\n\n

\n
\n \n Email Address\n <\/label>\n \n <\/div>\n\n
\n
\n \n \n By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time. <\/label>\n <\/div>\n <\/div>\n \n