{"id":427204,"date":"2021-12-13T11:15:16","date_gmt":"2021-12-13T09:15:16","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=427204"},"modified":"2021-12-17T14:00:52","modified_gmt":"2021-12-17T12:00:52","slug":"critical-security-flaw-being-exploited-all-over-the-internet","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/427204-critical-security-flaw-being-exploited-all-over-the-internet.html","title":{"rendered":"Critical security flaw being exploited all over the Internet"},"content":{"rendered":"<p>IT security company Sophos <strong><a href=\"https:\/\/news.sophos.com\/en-us\/2021\/12\/12\/log4shell-hell-anatomy-of-an-exploit-outbreak\/\" target=\"_blank\" rel=\"noopener\">has detected<\/a><\/strong> a sharp increase in attacks exploiting the zero-day vulnerability in <strong><a href=\"https:\/\/logging.apache.org\/log4j\/\" target=\"_blank\" rel=\"noopener\">Apache&#8217;s Log4j<\/a><\/strong>.<\/p>\n<p>Vulnerable organisations <strong><a href=\"https:\/\/github.com\/YfryTchsGD\/Log4jAttackSurface\" target=\"_blank\" rel=\"noopener\">include<\/a><\/strong> Apple, Tencent, Valve, Google, Minecraft, Amazon, and Tesla, to name a few.<\/p>\n<p>The vulnerability, dubbed Log4Shell and tracked as CVE-2021-44228, was <strong><a href=\"https:\/\/www.lunasec.io\/docs\/blog\/log4j-zero-day\/\" target=\"_blank\" rel=\"noopener\">initially detected by LunaSec<\/a><\/strong> on 9 December 2021. It allows an attacker to inject log messages or message parameters that cause the logging server to load code from a remote server.<\/p>\n<p>The vulnerable server will then run that code via calls to the Java Naming and Directory Interface (JNDI).<\/p>\n<p>Sophos also expects malicious actors to intensify and diversify their attack methods and possibly introduce malware in the near future.<\/p>\n<p>&#8220;Since Dec. 
9, Sophos has detected hundreds of thousands of attempts to remotely execute code using the Log4Shell vulnerability,&#8221; said Sophos senior threat researcher Sean Gallagher.<\/p>\n<p>Sophos found that crypto mining botnets are some of the earliest to exploit the vulnerability. They tend to focus on Linux server platforms that are vulnerable to the exploit.<\/p>\n<p>&#8220;Initially, these were Proof-of-Concept (PoC) exploit tests by security researchers and potential attackers, among others, as well as many online scans for the vulnerability,&#8221; Gallagher said.<\/p>\n<p>&#8220;This was quickly followed by attempts to install coin miners, including the Kinsing miner botnet.&#8221;<\/p>\n<p>The IT security company&#8217;s investigations also revealed attempts to retrieve information from services, such as Amazon Web Services account information and other private data.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">looked at related network traffic, I am thinking that this is likely from a Find My iPhone related server (iOS sends it an updated device name, it appears).<\/p>\n<p>as of this moment, I am also suddenly no longer able to reproduce this.<\/p>\n<p>\u2014 Will Strafach (@chronic) <a href=\"https:\/\/twitter.com\/chronic\/status\/1469493331050713089?ref_src=twsrc%5Etfw\">December 11, 2021<\/a><\/p><\/blockquote>\n<p>&#8220;The most recent intelligence suggests attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Service accounts,&#8221; Gallagher said.<\/p>\n<p>&#8220;There are also signs of attackers trying to exploit the vulnerability to install remote access tools in victim networks, possibly Cobalt Strike, a key tool in many ransomware attacks.&#8221;<\/p>\n<p>According to Sophos, attempts to exploit network services begin by probing for different service types, of which around 90% are focused on the 
Lightweight Directory Access Protocol (LDAP).<\/p>\n<p>One researcher <strong><a href=\"https:\/\/twitter.com\/chvancooten\/status\/1469340927923826691\" target=\"_blank\" rel=\"noopener\">demonstrated<\/a><\/strong> how the vulnerability could be exploited against Apple&#8217;s servers and promptly informed the company of the issue.<\/p>\n<p>Based on follow-up reports, Apple patched the vulnerability within hours.<\/p>\n<p>Cloudflare CEO Matthew Prince <strong><a href=\"https:\/\/twitter.com\/eastdakota\/status\/1469800951351427073\" target=\"_blank\" rel=\"noopener\">said<\/a><\/strong> that Cloudflare found evidence suggesting that the Log4j exploit was used in the wild as early as 1 December.<\/p>\n<p>&#8220;That suggests it was in the wild at least nine days before publicly disclosed. However, we don&#8217;t see evidence of mass exploitation until after public disclosure,&#8221; Prince stated.<\/p>\n<p>According to a <strong><a href=\"https:\/\/arstechnica.com\/information-technology\/2021\/12\/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug\/\" target=\"_blank\" rel=\"noopener\">report<\/a><\/strong> from ArsTechnica, Log4Shell was first identified through sites catering to Minecraft players.<\/p>\n<p>The sites displayed messages warning that hackers could execute malicious code on servers or clients running Minecraft&#8217;s Java platform by manipulating log messages.<\/p>\n<p>Log4j forms part of many popular frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink.<\/p>\n<p>That means that significant numbers of third-party apps could also be vulnerable to exploits of the same high severity as those threatening Minecraft users.<\/p>\n<div id=\"attachment_427224\" style=\"width: 810px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-427224\" class=\"wp-image-427224 size-full\" 
src=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2021\/12\/Log4J-exploit-800-x-533V.jpg\" alt=\"\" width=\"800\" height=\"533\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2021\/12\/Log4J-exploit-800-x-533V.jpg 800w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2021\/12\/Log4J-exploit-800-x-533V-600x400.jpg 600w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2021\/12\/Log4J-exploit-800-x-533V-640x426.jpg 640w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2021\/12\/Log4J-exploit-800-x-533V-768x512.jpg 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><p id=\"caption-attachment-427224\" class=\"wp-caption-text\">How the Log4J exploit works<\/p><\/div>\n<p>Gallagher outlined the severity of the Log4Shell vulnerability.<\/p>\n<p>&#8220;The Log4Shell vulnerability presents a different kind of challenge for defenders,&#8221; Gallagher said.<\/p>\n<p>&#8220;Many software vulnerabilities are limited to a specific product or platform, such as the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange. Once defenders know what software is vulnerable, they can check for and patch it.&#8221;<\/p>\n<p>&#8220;However, Log4Shell is a library that is used by many products. It can therefore be present in the darkest corners of an organisation&#8217;s infrastructure, for example any software developed in-house. 
Finding all systems that are vulnerable because of Log4Shell should be a priority for IT security,&#8221; he added.<\/p>\n<p>According to ArsTechnica, Log4j will interpret part of a log message as a URL, fetch it, and even execute any executable payload it contains with the full privileges of the main program.<\/p>\n<p>Exploits are triggered by the ${} lookup syntax inside logged text, which allows them to be embedded in browser user agents or other commonly logged attributes.<\/p>\n<p>Gallagher further emphasised the need for Apache Log4j users to update and monitor their network activity.<\/p>\n<p>&#8220;Once an attacker has secured access to a network, then any infection can follow,&#8221; he said.<\/p>\n<p>&#8220;Therefore, alongside the software update already released by Apache in Log4j 2.15.0, IT security teams need to do a thorough review of activity on the network to spot and remove any traces of intruders, even if it just looks like nuisance commodity malware.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A zero-day vulnerability in Apache&#8217;s Log4j called &#8220;Log4Shell&#8221; has made companies such as Apple, Google and Tesla, and services like Steam vulnerable to 
attack.<\/p>\n","protected":false},"author":341076,"featured_media":427234,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[723,24470,75034,75036,75032,46035,605,167,35,75048,75038,75028,75030,75046,18064,75050,765],"class_list":["post-427204","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-amazon","tag-apache","tag-apache-druid","tag-apache-flink","tag-apache-solr","tag-apache-struts","tag-apple","tag-google","tag-headline","tag-java-naming-and-directory-interface-jndi","tag-kinsing","tag-log4j","tag-log4shell","tag-lunasec","tag-minecraft","tag-sean-gallagher","tag-sophos"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/427204"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341076"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=427204"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/427204\/revisions"}],"predecessor-version":[{"id":427232,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/427204\/revisions\/427232"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/427234"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=427204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=427204"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=427204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.or
g\/{rel}","templated":true}]}}