The severe Log4j vulnerability (dubbed Log4Shell) has been exploited in the wild since at least December 1. Researchers are observing a rapid uptick in attacks exploiting it, and the pace is only expected to intensify.
Exploits for a severe zero-day vulnerability (CVE-2021-44228) in the Log4j Java-based logging library have been shared online. As Check Point researchers pointed out, exploiting the vulnerability is simple and allows threat actors to take control of Java-based web servers and execute code on them remotely.
Sophos principal researcher Sean Gallagher titled his latest post on the anatomy of the exploit outbreak “the Log4Shell Hell”. It definitely was a hell of a weekend for security researchers and organizations, racing to patch the bug and wrap their heads around the problem.
The vulnerability, it seems, was in the wild for at least nine days before the public disclosure. Cloudflare's data suggests that mass exploitation started only after the public disclosure. Many experts predict that the speed at which attackers harness and use the vulnerability will only increase.
"The old saying 'Only when the tide goes out do you discover who's been swimming naked' really applies here. The internet will be dealing with this issue for a long time to come, given how widespread the exposure is. I also think we'll be seeing cybercriminals moving to monetize this fairly quickly over the next few days," Boaz Gelbord, Chief Security Officer at Akamai, a web and internet security company, told CyberNews via email.
Uptick in exploitation
The vulnerability affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1. Log4j 2 is a Java-based logging library with over 400,000 downloads from its GitHub project; it is widely used in business system development and bundled in various open-source libraries.
The Log4j library is embedded in almost every Internet service or application we are familiar with, including Twitter, Amazon, Microsoft, Minecraft, and more.
"The scope of impact has expanded to thousands of products and devices, including Apache products such as Struts 2, Solr, Druid, Flink, and Swift. Because this vulnerability is in a Java library, the cross-platform nature of Java means the vulnerability is exploitable on many platforms, including both Windows and Linux," Microsoft Security Response Team noted in a blog post.
The Apache Software Foundation released a security update patching the vulnerability in Log4j (dubbed Log4Shell or LogJam) last Friday. Organizations have been racing to apply the fix, as the bug could have dire consequences worldwide.
The news about this severe vulnerability broke late last week, and since then, researchers worldwide have been observing an increase in the number of attempts to exploit it. According to Greynoise, a web monitoring service, around 730 malicious IPs are scanning the internet for ways to exploit the vulnerability at the time of publication (compared to 100 last Friday).
"The number of distinct IPs is roughly stable. The increase of malicious requests/IPs can be explained by the fact that IPs are trying different payloads. Attackers are creative, trying to put the payload everywhere, in their user-agent, URL, referrer, headers, etc.," Dr. Antoine Vastel, Engineering Manager, Threat Research, for DataDome, told CyberNews via email on Monday. According to him, attackers encode/modify their payloads to bypass most simple detection techniques.
On Saturday, Jen Easterly, Cybersecurity and Infrastructure Security Agency (CISA) Director, said that this vulnerability is being exploited widely by a growing set of threat actors. CISA has created a webpage, Apache Log4j Vulnerability Guidance, and will actively maintain a community-sourced GitHub repository of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability.
According to the cybersecurity company Sophos, researchers have already detected hundreds of thousands of exploitation attempts so far, and crypto mining botnets are among the earliest "attack" adopters. Botnets focus on Linux server platforms, which are particularly exposed to this vulnerability.
According to the Swiss CERT (Computer Emergency Response Team), the exploitation attempts observed by them so far were used to deploy mass-malware like Mirai, Kinsing, and Tsunami (aka Muhstik). The primary use of these botnets is to launch DDoS attacks (Mirai, Tsunami) or to mine cryptocurrencies (Kinsing).
Cloudflare CEO Matthew Prince tweeted that the earliest evidence they have found so far of the Log4j exploit dates to 2021-12-01.
"Earliest evidence we've found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before [being] publicly disclosed. However, don't see evidence of mass exploitation until after public disclosure," he said.
In fact, there is evidence that the Log4Shell attack vector has been known since 2016. During the Black Hat USA 2016, researchers Alvaro Muñoz and Oleksandr Mirosh listed three main vectors to gain remote code execution via JNDI (the Java Naming and Directory Interface) Injection. Their presentation has now resurfaced on the internet.
The successful exploitation of this vulnerability could have severe consequences, such as organizations being hit by ransomware attacks.
"Since Dec. 9, Sophos has detected hundreds of thousands of attempts to remotely execute code using the Log4Shell vulnerability. Initially, these were Proof-of-Concept (PoC) exploit tests by security researchers and potential attackers, among others, as well as many online scans for the vulnerability. This was quickly followed by attempts to install coin miners, including the Kinsing miner botnet. The most recent intelligence suggests attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Service accounts. There are also signs of attackers trying to exploit the vulnerability to install remote access tools in victim networks, possibly Cobalt Strike, a key tool in many ransomware attacks," Sophos principal researcher Sean Gallagher told CyberNews via email.
“Fukushima moment for cybersecurity”
Amit Yoran, CEO of cybersecurity company Tenable, believes that the Apache Log4j Remote Code Execution Vulnerability is the single biggest, most critical vulnerability of the last decade.
“The discovery of this vulnerability is nothing short of a Fukushima moment for the cybersecurity industry. Ten years ago, an earthquake and subsequent tidal wave triggered the meltdown of the Fukushima nuclear power plant that continues to plague the region today. Similarly, the early exploitation of Log4j, during which attackers will go after the low-hanging fruit exposed by the vulnerability, will evolve over time to take the form of more complex attacks on more sensitive systems that have less exposure to the internet,” he told CyberNews via email.
Paul Laudanski, Head of Threat Intelligence at Tessian, an enterprise email security company, noted bad actors are building an arsenal of tools that they can use across the globe for theft and service disruption, especially ahead of the holiday season.
“DDoS attacks in particular are a top concern, as exploitation could allow bad actors to download, install and then fully control an army of botnets. DDoS operators can then focus on attacks that bring down critical infrastructure – ranging from utilities to power grid – and especially retailers ahead of the holiday season, a time when people are notoriously distracted, tired, and more prone to making security mistakes. Couple that with an increase in moratoriums, when no code is released into production, so emergency patches would require a break of that moratorium,” he said.
Patching is not enough
Microsoft confirmed it observed activities such as installing Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems. Moreover, as security teams work to detect the exploitation of the vulnerability, attackers have added obfuscation to these requests to evade detections based on request patterns.
Moreover, since Friday, Check Point Research witnessed what looks like an evolutionary repression, with new variations of the original exploit being introduced rapidly - over 60 in less than 24 hours.
“For example, it can be exploited either over HTTP or HTTPS (the encrypted version of browsing). The number of combinations of how to exploit it give the attacker many alternatives to bypass newly introduced protections. It means that one layer of protection is not enough and only a multi-layered security posture would provide resilient protection,” the company said.
Companies with servers confirmed to be vulnerable to the Log4Shell attack include Apple, Amazon, Twitter, Steam, Baidu, NetEase, Tencent, Elastic and likely hundreds - if not thousands - more. According to Gallagher, finding all systems that are vulnerable because of Log4Shell should be a priority for IT security.
“The Log4Shell vulnerability presents a different kind of challenge for defenders. Many software vulnerabilities are limited to a specific product or platform, such as the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange. Once defenders know what software is vulnerable, they can check for and patch it. However, Log4Shell is a library that is used by many products. It can therefore be present in the darkest corners of an organization’s infrastructure, for example any software developed in-house,” he said in a written commentary.
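As an added example (not code from the article or from any of the vendors quoted), the following Python scanner does the kind of inventory Gallagher describes: it reads log4j-core's Maven pom.properties inside an archive, descends into jars nested in fat jars and wars, and flags versions 2.0 through 2.14.1; make_jar builds constructed sample archives so it can be exercised offline.

```python
# Added example (not from the article or any vendor tool): scan a Java archive for
# Log4j 2 versions 2.0-2.14.1, recursing into nested jars, via log4j-core's pom.properties.
import io
import re
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")


def parse_version(text):
    """(major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def is_vulnerable(version):
    """2.0 through 2.14.1 are affected; 2.15.0 carries Apache's fix."""
    return (2, 0, 0) <= version <= (2, 14, 1)


def scan_archive(blob, location):
    """Yield (location, version) per log4j-core found, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            if name == POM and (v := parse_version(zf.read(name).decode())):
                yield location, v
            elif name.lower().endswith(ARCHIVES):
                yield from scan_archive(zf.read(name), location + "!" + name)


def vulnerable_copies(blob, location):
    """Return ['app.jar!BOOT-INF/lib/log4j-core.jar=2.14.1', ...] for affected copies."""
    return ["%s=%d.%d.%d" % ((loc,) + v)
            for loc, v in scan_archive(blob, location) if is_vulnerable(v)]


def make_jar(version=None, nested=None):
    """Constructed sample archive: optional log4j-core pom.properties, optional nested jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM, "version=%s\n" % version)
        if nested:
            zf.writestr("BOOT-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()
```

Shaded or relocated copies of the library may carry no pom.properties, so an empty result means "not found", not "not present".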
Sophos expects the speed at which attackers are harnessing and using the vulnerability to intensify and diversify over the coming days and weeks.
“Once an attacker has secured access to a network, then any infection can follow. Therefore, alongside the software update already released by Apache in Log4j 2.15.0, IT security teams need to do a thorough review of activity on the network to spot and remove any traces of intruders, even if it just looks like nuisance commodity malware,” Gallagher concluded.
Ariel Parnes, former Head of the Cyber Department for the Israeli Intelligence Service and current Co-Founder and COO of Mitiga, expressed concern that while there is already a lot of content on the Internet about what needs to be done to prevent environments from being hacked via the Log4j vulnerability, there is not enough about how to check whether an organization was already hacked through it at some point in the past.
“Everyone is busy locking the doors, but the criminals might be already inside,” he told CyberNews via email.
Numerous organizations published advisories on the Log4Shell vulnerability and many experts repeat that the patch is not a permanent solution.
“New vulnerabilities will emerge and hackers will look for new exploitations. Organizations need to evaluate their overall application security strategy and look for ways to automate, using AI, to scale and expand their security operation and diligence,” Oded Gonda, VP of Technology and Innovation at Check Point, told CyberNews.