
Log4Shell: Experts warn against Apache Log4J vulnerability

A serious vulnerability in Apache’s Log4J has been discovered.


On December 9 a serious vulnerability in Apache’s Log4J, a widely-used logging system used by web and server developers, was discovered. The flaw has been named Log4Shell.

The vulnerability allows an attacker who can get text into a log message or a log message parameter to make the logging server load code from a remote server. The target then executes that code via calls to the Java Naming and Directory Interface (JNDI). JNDI interfaces with a number of network services, including the Lightweight Directory Access Protocol (LDAP), the Domain Name System (DNS), Java’s Remote Method Invocation (RMI), and the Common Object Request Broker Architecture (CORBA).

Taking control

“Log4J is an open source Java logging library that is widely used in a range of software applications and services around the world. The vulnerability can allow threat actors to take control of any Java-based, internet-facing server and engage in remote code execution (RCE) attacks”, said Yonatan Striem-Amit, CTO and Co-Founder of Cybereason.

“Most login screens in the world typically audit failed login attempts, meaning that virtually every authenticated page using Log4J is vulnerable. Browser search bars are also often logged and expose systems to this flaw,” Striem-Amit said.

The biggest vulnerability in modern history

The Log4Shell vulnerability impacts a number of services and applications, including Minecraft, Steam and Apple iCloud. Exploiting this vulnerability is so straightforward that attackers are actively scanning for and attempting to exploit the flaw.

“The Apache Log4j Remote Code Execution Vulnerability is the single biggest, most critical vulnerability of the last decade. When all of the research is done, we may in fact learn that it is the single biggest vulnerability in the history of modern computing,” said Amit Yoran, CEO, Tenable.

“This kind of vulnerability is a reminder that organisations must develop mature cybersecurity programs to understand cyber risk in a dynamic world. While details are still emerging, we encourage organisations to update their security controls, assume they have been compromised and activate existing incident response plans. The number one priority now is to work with your in-house information security and engineering teams or partner with an organisation that conducts incident response to identify the impact to your organisation.”

New challenges

Sophos has already uncovered attempts to exploit the LDAP, DNS and RMI lookups, using URLs for those services that point to an external server. Alongside this are malicious cryptomining operations, and other reports indicate that several automated botnets have also begun to use the Log4J exploit.

“The Log4Shell vulnerability presents a different kind of challenge for defenders. Many software vulnerabilities are limited to a specific product or platform, such as the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange. Once defenders know what software is vulnerable, they can check for and patch it. However, Log4Shell is a library that is used by many products. It can therefore be present in the darkest corners of an organization’s infrastructure, for example any software developed in-house. Finding all systems that are vulnerable because of Log4Shell should be a priority for IT security,” said Sean Gallagher, senior threat researcher at Sophos.

There is every reason to believe that other types of attacks will emerge as attackers actively scan for vulnerable systems. Sophos has observed that attempts to exploit network services start with attackers probing networks to gain information. Around 90 percent of the probes Sophos detected were focused on LDAP. A smaller number of probes targeted Java’s RMI, and researchers noted that there seems to be a larger variety of unique RMI-related attempts. The company has detected hundreds of thousands of attempted exploits since December 9, and other organisations, including Cloudflare, believe that the exploit may have been in use weeks before it was detected.

“Initially, these were Proof-of-Concept (PoC) exploit tests by security researchers and potential attackers, among others, as well as many online scans for the vulnerability. This was quickly followed by attempts to install coin miners, including the Kinsing miner botnet. The most recent intelligence suggests attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Services accounts. There are also signs of attackers trying to exploit the vulnerability to install remote access tools in victim networks, possibly Cobalt Strike, a key tool in many ransomware attacks,” said Gallagher.

“The Apache Log4J zero-day vulnerability is probably the most critical vulnerability we have seen this year. Log4J2 is a ubiquitous library used by millions of Java applications for logging error messages. This vulnerability is trivial to exploit. Attacks are already happening, and we have seen PoC exploits dropped in the public domain like Twitter, GitHub, et cetera,” said Bharat Jogi, Senior Manager, Vulnerabilities and Signatures, Qualys.

Patch or mitigate

Speaking on the Log4J vulnerability, Paul Ducklin, principal research scientist at Sophos, said, “There are steps that can be taken to help counter the attack, and all operators should update to the patched version of the software. Technologies including IPS, WAF and intelligent network filtering are all helping to bring this global vulnerability under control. But the staggering number of different ways that the Log4Shell ‘trigger text’ can be encoded, the huge number of different places in your network traffic that these strings can appear, and the wide variety of servers and services that could be affected are collectively conspiring against all of us. The very best response is perfectly clear: patch or mitigate your own systems right now.”

More information on the Log4J exploit can be found here.