Log4Shell Is Spawning Even Nastier Mutations!

The cyber-security ‘biggie’ of the year – the Apache Log4j logging library exploit – has spun off 60 bigger mutations in less than a day, researchers stated.

The internet has a fast-spreading, malignant element – otherwise known as the Apache Log4j logging library exploit – that has been rapidly mutating & attracting hordes of attackers since it was publicly disclosed last week.

Cryptocurrency

Most of the attacks focus on cryptocurrency mining done on victims’ dimes, as seen by Sophos, Microsoft & other security firms. However, attackers are actively trying to install far more dangerous malware on vulnerable systems as well.

According to Microsoft researchers, beyond coin-miners, they’ve also seen installations of Cobalt Strike, which attackers can use to steal passwords, move further into compromised networks with lateral movement & exfiltrate data.

Less than a Day

Also, it could get a lot worse. Cyber-security researchers at Check Point warned on Mon. that the evolution has already led to more than 60 bigger, nastier mutations, all created in less than a day.

“Since Fri. we witnessed what looks like an evolutionary repression, with new variations of the original exploit being introduced rapidly: over 60 in less than 24 hours,” they suggested.

Remote Code Execution

The flaw, which is ultra-easy to exploit, has been named Log4Shell. It is resident in the ubiquitous Java logging library Apache Log4j & could allow unauthenticated remote code execution (RCE) & complete server takeover.

It 1st turned up on sites that cater to users of the world’s favourite game, Minecraft, last Thur., and was being exploited in the wild within hours of public disclosure.

Slip Past Protections

On Mon., Check Point reported that Log4Shell’s new, nasty spin-off can now be exploited “either over HTTP or HTTPS (the encrypted version of browsing),” they explained.

The more ways to exploit the vulnerability, the more alternatives attackers have to slip past the new protections that have frantically been pumped out since Fri., Check Point stated.

“It means that one layer of protection is not enough, and only multi-layered security postures would provide a resilient protection,” they wrote.

Because of the enormous attack surface it poses, some security experts are calling Log4Shell the biggest cyber-security calamity of the year, putting it on par with the 2014 Shellshock family of security bugs that was exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks & vulnerability scanning within hours of its initial disclosure.

Tactics

Besides variations that can slip past protections, researchers are also seeing new tactics.

Luke Richards, Threat Intelligence Lead at AI cyber-security firm Vectra, explained on Mon. that initial exploit attempts were basic call backs, with the initial exploit attempt coming from TOR nodes.

They mostly pointed back to “bingsearchlib[.]com,” with the exploit being passed into the User Agent or the Uniform Resource Identifier (URI) of the request.

Exploit Attempts

After the initial wave of exploit attempts, Vectra has tracked many changes in tactics by the threat players who are using the vulnerability. Notably, there has been a change in the commands being used, as the threat players have begun disguising their requests.

“This originally included stuffing the User Agent or URI with a base64 string, which when decoded by the vulnerable system caused the host to download a malicious dropper from attacker infrastructure,” Richards explained.

Examples

After this, the attackers started obscuring the Java Naming & Directory Interface (JDNI) string itself, by taking advantage of other translation features of the JDNI process.

He offered these examples:

${jndi:${lower:l}${lower:d}a${lower:p}://world80
${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//
${jndi:dns://

…All of which achieve the same objective: “to download a malicious class file and drop it onto the target system, or to leak credentials of cloud-based systems,” Richards outlined.

Bug Has Been Targeted

Attackers have been looking at the Log4Shell vulnerability since at least Dec. 1, it appears, & as soon as CVE-2021-44228 was publicly disclosed late last week, attackers began to swarm around.

On Sun., Sophos researchers stated that they’d “already detected 100s of 1,000s of attempts since Dec. 9 to remotely execute code using this vulnerability,” noting that log searches by other organisations (including Cloudflare) suggest that the vulnerability may have been openly exploited for weeks.

“Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC,” Cloudflare CEO Matthew Prince tweeted on Sat. “That suggests it was in the wild at least 9 days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.”

On Sun., Cisco Talos came along with a similar timeframe: It 1st saw attacker activity related to CVE-2021-44228 starting on Dec. 2. “It is recommended that organisations expand their hunt for scanning & exploit activity to this date,” it advised.

40% of Corporate Networks

Check Point explained on Mon. that it is thwarted more than 845,000 exploit attempts, with more than 46% of those attempts made by known, malicious groups. In fact, Check Point warned that it is seen more than 100 attempts to exploit the vulnerability per minute.

As of 9 a.m. ET on Mon., its researchers had seen exploits attempted on more than 40% of corporate networks globally.

Hyperbole is not an issue with this flaw. Security experts are rating it as one of the worst vulnerabilities of 2021, if not the most terrible. Dor Dali,

Worst Flaws

Director of Information Security at Vulcan Cyber, classes it in the top 3 worst flaws of the year:

“It wouldn’t be a stretch to say that every enterprise organisation uses Java, & Log4j is 1 of the most-popular logging frameworks for Java,” Dali noted. “Connecting the dots, the impact of this vulnerability has the reach & potential to be substantial if mitigation efforts aren’t taken right away.”

As has been repeatedly stressed since its initial public disclosure, the Log4j vulnerability “is relatively easy to exploit, & we’ve already seen verifiable reports that bad actors are actively running campaigns against some of the largest companies in the world,” Dali reiterated.

Java

“Hopefully, every organisation running Java has the ability to secure, configure & manage it. If Java is being used in production systems IT security teams must prioritise the risk & mitigation campaigns & follow remediation guidelines from the Apache Log4j project as soon as possible.”

This situation is rapidly evolving, so keep an eye out for additional news. Below are some of the related pieces we have seen, along with some of the new protections & detection tools.

Related News

• Linux botnets have already exploited the flaw. NetLab 360 reported on Sat. that 2 of its honeypots have been attacked by the Muhstik & Mirai botnets.
• Following detection of those attacks, the Netlab 360 team found other botnets on the hunt for the Log4Shell vulnerability, including the DDoS family Elknot, the mining family m8220, SitesLoader, xmrig.pe, xmring.ELF, attack tool 1, attack tool 2, plus 1 unknown & a PE family. Bleeping Computer also reports that it’s observed the threat players behind the Kinsing backdoor & crypto mining botnet “heavily abusing the Log4j vulnerability.”
• CISA has added Log4Shell to the Known Exploited Vulnerabilities Catalog.
• Quebec shut down 1,000s of sites after disclosure of the Log4Shell flaw. “”We need to scan all of our systems,” outlined Canadian Minister Responsible for Digital Transformation & Access to Information Eric Caire in a news conference. “We’re kind of looking for a needle in a haystack.”

New Protections, Detection Tools

• On Sat., Huntress Labs released a tool – available here – to help organisations test whether their applications are vulnerable to CVE-2021-44228.
• Cybereason released Logout4Shell, a “vaccine” for the Log4Shell Apache Log4j RCE, that uses the vulnerability itself to set the flag that turns it off.

Growing List of Affected Manufacturers, Components

As of Mon., the internet was still in meltdown drippy mode, with an ever-growing, crowd-sourced list hosted on GitHub that only scratches the surface of the millions of applications & manufacturers that use log4j for logging.

The list indicates whether they are affected by Log4Shell & provides links to evidence if they are.

List

Most are, including:

• Amazon
• Apache Druid
• Apache Solr
• Apache Struts2
• Apple
• Baidu
• CloudFlare
• DIDI
• ElasticSearch
• Google
• JD
• LinkedIn
• NetEase
• Speed camera LOL
• Steam
• Tesla
• Tencent
• Twitter
• VMWare
• VMWarevCenter
• Webex

Other Resources

• Immersive Labs has posted a hands-on lab of the incident.
• Lacework has published a blog post regarding how the news affects security best practices at the developer level.
• NetSPI has published a blog post that includes details on Log4Shell’s impact, guidance to determine whether your organisation is at risk, & mitigation recommendations.