Microsoft says it is only going to get worse: It is seen state-sponsored & cyber-criminal attackers probing systems for the Log4Shell flaw until the end of Dec.
The holidays bought little Log4Shell relief.
Threat players launched exploit attempts & testing during the last weeks of Dec, Microsoft explained on Mon., in the latest update to its landing page & guidance around the flaws in Apache’s Log4j logging library.
Existing Malware Kits
“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits & tactics, from coin miners to hands-on-keyboard attacks,” according to Microsoft.
This comes after news that relentless Log4Shell attacks have come from nation-state players that are both testing & have already implemented the exploit: As of Dec. 15, more than 1.8mi attacks, against half of all corporate networks, using at least 70 distinct malware families, had already been launched to exploit the bugs.
What is Log4Shell?
Within hours of the initial flaw’s public disclosure on Dec. 10, attackers were scanning for vulnerable servers & unleashing quickly evolving attacks to drop coin-miners, Cobalt Strike, the Orcus remote access trojan (RAT), reverse bash shells for future attacks, Mirai & other botnets, & backdoors.
Vast & Severe
The new attack presented by Log4Shell is vast, severe & has much potential for widespread exploitation. The flaw, which is easy to exploit, is resident in the Java logging library Apache Log4j & could allow unauthenticated RCE & complete server takeover.
Within 3 days of the flaw’s disclosure, it was putting out mutations. Within 10 days, the notorious Conti ransomware gang had created a holistic Log4Shell attack chain. As of last week, Dec. 30, the advanced persistent threat (APT) Aquatic Panda was targeting universities with Log4Shell exploit tools in an attempt to steal industrial intelligence & military secrets.
Recently, Microsoft has observed attackers obscuring the HTTP requests made against targeted systems. Those requests generate a log using Log4j 2 that uses Java Naming & Directory Interface (JNDI) to perform a request to the attacker-controlled site.
The vulnerability then causes the exploited process to reach out to the site & execute the code.
Microsoft has observed many attacks in which the attacker-owned parameter is a DNS logging system, intended to log a request to the site to fingerprint the vulnerable systems.
The string that enables Log4Shell exploitation contains “jndi,” following by the protocol – such as “ldap,” “ldaps” “rmi,” “dns,” “iiop,” or “http” & then the attacker domain.
But to avoid detection, attackers are mixing up the request patterns: E.g., Microsoft has seen exploit code written that runs a lower or upper command within the exploitation string. Even more complex attempts are being made to try to bypass string-matching detections.
Minecraft Servers Being Exploited
Exploitation continues on non-Microsoft-hosted Minecraft servers, the company said: as in, the same type of servers where Log4j was 1st discovered.
Microsoft confirmed public reports of Khonsari ransomware being delivered as payload post-exploitation, as Bitdefender has detailed.
Microsoft Defender antivirus data has shown a small number of cases being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via the use of a 3rd-party Minecraft mods loader, the company stated.
“In these cases, an adversary sends a malicious in-game message to a vulnerable Minecraft server, which exploits CVE-2021-44228 to retrieve and execute an attacker-hosted payload on both the server & on connected vulnerable clients,” Microsoft explained.
“We observed exploitation leading to a malicious Java class file that is the Khonsari ransomware, which is then executed in the context of javaw.exe to ransom the device.”
While Minecraft is not commonly installed in enterprise networks, Microsoft has nonetheless also observed PowerShell-based reverse shells being dropped to Minecraft client systems via the same malicious message technique, enabling a player to fully take over a compromised system, which they then use to run Mimikatz to steal credentials.
“These techniques are typically associated with enterprise compromises with the intent of lateral movement,” Microsoft outlined, meaning that the goal in targeting of Minecraft users, who tend to be children, seems unclear. It is early yet in this campaign: There has not yet been detectible follow-on activity yet, “indicating that the attacker may be gathering access for later use.”
Microsoft asked Minecraft customers running their own servers to deploy the latest Minecraft server update & for players to exercise caution by only connecting to trusted Minecraft servers.
Microsoft’s Threat Intelligence Center (MSTIC) has also observed the CVE-2021-44228 defect being used by many tracked nation-state activity groups from China, Iran, N. Korea & Turkey.
The actors are experimenting during development, integrating the vulnerabilities to in-the-wild payload deployment, & sending out exploitations against targets.
An example: MSTIC has observed the ransomware-using, Iranian Phosphorus player – aka Charming Kitten, TA453, APT35, Ajax Security Team, News Beef or Newscaster, etc. – acquiring & making modifications of the Log4j exploit.
“We assess that Phosphorus has operationalised these modifications,” Microsoft observed.
MSTIC has also seen the China-linked Hafnium group using the vulnerability to attack virtualisation infrastructure in order to extend the group’s typical targeting. “In these attacks, Hafnium-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems,” researchers noted.
Microsoft’s “I’m-a-broken-record” advice: Update affected products & services & apply security patches ASAP.
“With nation-state actors testing & implementing the exploit & known ransomware-associated access brokers using it, we highly recommend applying security patches & updating affected products & services as soon as possible,” Microsoft commented.
Microsoft is also seeing additional Remote-Access Toolkits & reverse shells being dropped via exploitation of CVE-2021-44228, which is malware that players use for hands-on-keyboard attacks. Besides the Cobalt Strike beacons & PowerShell reverse shells seen in earlier reports, the company has also seen Meterpreter, Bladabindi & HabitsRAT.
“Follow-on activities from these shells have not been observed at this time, but these tools have the ability to steal passwords & move laterally,” Microsoft noted.
The activity is coming from small-scale, possibly more targeted attacks (possibly related to testing campaigns), the software giant stated. Also, researchers have observed the addition of CVE-2021-44428 to existing campaigns that were exploiting vulnerabilities to drop remote access tools.
Microsoft cautioned that the HabitsRAT campaign overlapped with infrastructure used in prior campaigns.
Other Log4Shell Developments
Microsoft has also seen:
Multiple ransomware access brokers using the vulnerability to gain initial access to target networks – access that they sell to ransomware-as-a-service (RaaS) affiliates.
“We have observed these groups attempting exploitation on both Linux & Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms,” Microsoft suggested.
Mass scanning by both attackers & security researchers. The vulnerability has rapidly been absorbed into existing botnets like Mirai, existing campaigns previously targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, & activity deploying the Tsunami backdoor to Linux systems. “Many of these campaigns are running concurrent scanning & exploitation activities for both Windows & Linux systems, using Base64 commands included in the JDNI:ldap:// request to launch commands on Linux & PowerShell on Windows,” the company explained.
No big increases in ransomware attacks. Ransomware has been delivered via modified Minecraft clients, but so far it has been only a small number of cases. This may change, given that access brokers associated with RaaS affiliates are folding the vulnerability into their initial-access toolkits.
However, Microsoft is also seeing older ransomware payloads in limited use by security researchers & a small number of attackers. “In some instances, they appear to be experimenting with deployments via scanning & modified Minecraft servers,” Microsoft suggested.
“As part of these experiments, some ransomware payloads seem to have been deployed to systems that were previously compromised and were originally dropping coin-miner payloads.”
Webtoos Malware. Webtoos, a malware with distributed denial-of-service (DDoS) capabilities & persistence mechanisms that could allow an attacker to wreak yet more havoc, is also being deployed via the Log4Shell vulnerability.
“Attackers’ use of this malware or intent is not known at this time, but the campaign and infrastructure have been in use and have been targeting both Linux and Windows systems prior to this vulnerability,” Microsoft said.
Microsoft’s post has extensive advice on attack vectors & observed activity, finding & remediating vulnerable apps & systems, detecting & responding to exploitation attempts & other related attacker activity, & indicators of compromise (IoCs).
Just the Start
It is all likely going to get worse, Microsoft warned. Just like Log4j is tucked away into ‘nooks & crannies’, so too are exploits going to get added to yet more attacker toolkits.
“The majority of attacks we have observed so far have been mainly mass scanning, coin-mining, establishing remote shells & red-team activity, but it’s highly likely that attackers will continue adding exploits for these vulnerabilities to their toolkits,” Microsoft outlined.
Where Log4J Is Hiding?
A large part of the Log4Shell nightmare is the fact that it is not always obvious which software is using a vulnerable version of the Log4j library.
While Microsoft has revealed several methods for detecting active exploit attempts using Log4j, identifying the vulnerable version before an attack would be “ideal,” according to Ray Kelly, a fellow at NTT Application Security.
“This will be a continuing battle for both consumers & vendors going forward into 2022 in what will need to be a 2-pronged approach,” Kelly explained.
“Security vendors have been quick on the response for consumers by adding log4j rules that enable DAST [dynamic application security scanning] scanners to detect if a website can be exploited with a malicious log4j web request against a company’s web server.
Simultaneously, vendors must ensure that they are not shipping software with the vulnerable version using tools such as SCA [service component architecture].”
What to Do?
Jake Williams, Co-Founder & CTO at Breach Quest, echoed Microsoft’s assertion that this vulnerability will have an extremely long ‘tail’ for exploitation, considering that many organisations do not even realise they are running vulnerable software.
“Unfortunately (nobody wants to hear this), there’s nothing left to say about remediating log4j that hasn’t already been said 100s of times,” Williams commented.
“Any organisation asking today what they need to do regarding log4j almost certainly has an incident on their hands. Every organisation with a security team knows what needs to be done to hunt down log4j, they just need the resources & political backing to actually get it done.
Being exploited through an internet-facing system running vulnerable log4j at this point is a leadership failure, not a technical one.”