No surprise here: The holidays bought no Log4Shell relief.
Threat actors vigorously launched exploit attempts and testing during the last weeks of December, Microsoft said on Monday, in the latest update to its landing page and guidance around the flaws in Apache’s Log4j logging library.
“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” according to Microsoft.
This comes on the heels of news that relentless Log4Shell attacks have come from nation-state actors that are both testing and have already implemented the exploit: As of Dec. 15, more than 1.8 million attacks, against half of all corporate networks, using at least 70 distinct malware families, had already been launched to exploit the bugs.
What is Log4Shell?
The remote code execution (RCE) vulnerabilities in Apache Log4j 2 – CVE-2021-44228, CVE-2021-45046, CVE-2021-44832 – are collectively referred to as Log4Shell. Within hours of the initial flaw’s public disclosure on Dec. 10, attackers were scanning for vulnerable servers and unleashing quickly evolving attacks to drop coin-miners, Cobalt Strike, the Orcus remote access trojan (RAT), reverse bash shells for future attacks, Mirai and other botnets, and backdoors.
The new attack vector presented by Log4Shell is vast, severe and has ample potential for widespread exploitation. The flaw, which is uber-easy to exploit, is resident in the ubiquitous Java logging library Apache Log4j and could allow unauthenticated RCE and complete server takeover.
Within three days of the flaw’s disclosure, it was spitting out mutations. Within 10 days, the notorious Conti ransomware gang had created a holistic Log4Shell attack chain. As of last week, Dec. 30, the advanced persistent threat (APT) Aquatic Panda was targeting universities with Log4Shell exploit tools in an attempt to steal industrial intelligence and military secrets.
Obfuscated HTTP Requests
Most recently, Microsoft has observed attackers obfuscating the HTTP requests made against targeted systems. Those requests generate a log using Log4j 2 that leverages Java Naming and Directory Interface (JNDI) to perform a request to the attacker-controlled site. The vulnerability then causes the exploited process to reach out to the site and execute the payload.
Microsoft has observed many attacks in which the attacker-owned parameter is a DNS logging system, intended to log a request to the site to fingerprint the vulnerable systems. The crafted string that enables Log4Shell exploitation contains “jndi,” following by the protocol – such as “ldap,” “ldaps” “rmi,” “dns,” “iiop,” or “http” – and then the attacker domain.
But to evade detection, attackers are mixing up the request patterns: For example, Microsoft has seen exploit code written that runs a lower or upper command within the exploitation string. Even more complicated obfuscation attempts are being made to try to bypass string-matching detections, such as that shown in the string sample below:
Minecraft Servers Still Being Exploited
Exploitation continues on non-Microsoft-hosted Minecraft servers, the company said: as in, the same type of servers where Log4j was first discovered.
Microsoft confirmed public reports of Khonsari ransomware being delivered as payload post-exploitation, as Bitdefender has detailed. Microsoft Defender antivirus data has shown a small number of cases being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via the use of a third-party Minecraft mods loader, the company said.
“In these cases, an adversary sends a malicious in-game message to a vulnerable Minecraft server, which exploits CVE-2021-44228 to retrieve and execute an attacker-hosted payload on both the server and on connected vulnerable clients,” Microsoft said. “We observed exploitation leading to a malicious Java class file that is the Khonsari ransomware, which is then executed in the context of javaw.exe to ransom the device.”
While Minecraft isn’t commonly installed in enterprise networks, Microsoft has nonetheless also observed PowerShell-based reverse shells being dropped to Minecraft client systems via the same malicious message technique, enabling an actor to fully take over a compromised system, which they then use to run Mimikatz to steal credentials.
“These techniques are typically associated with enterprise compromises with the intent of lateral movement,” Microsoft said, meaning that the goal in targeting of Minecraft users, who tend to be children, seems unclear. It’s early yet in this campaign: There hasn’t yet been detectible follow-on activity yet, “indicating that the attacker may be gathering access for later use.”
Microsoft urged Minecraft customers running their own servers to deploy the latest Minecraft server update and for players to exercise caution by only connecting to trusted Minecraft servers.
Microsoft’s Threat Intelligence Center (MSTIC) has also observed the CVE-2021-44228 flaw being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea and Turkey.
The actors are experimenting during development, integrating the vulnerabilities to in-the-wild payload deployment, and sending exploitations against targets.
One example: MSTIC has observed the ransomware-wielding, Iranian Phosphorus actor – aka Charming Kitten, TA453, APT35, Ajax Security Team, NewsBeef or Newscaster, et al. – acquiring and making modifications of the Log4j exploit.
“We assess that Phosphorus has operationalized these modifications,” Microsoft observed.
MSTIC has also seen the China-linked Hafnium group using the vulnerability to attack virtualization infrastructure in order to extend the group’s typical targeting. “In these attacks, Hafnium-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems,” researchers noted.
Microsoft’s “I’m-a-broken-record” advice: Update affected products and services, and apply security patches ASAP.
“With nation-state actors testing and implementing the exploit and known ransomware-associated access brokers using it, we highly recommend applying security patches and updating affected products and services as soon as possible,” Microsoft said.
Microsoft is also seeing additional remote-access toolkits and reverse shells being dropped via exploitation of CVE-2021-44228, which is malware that actors use for hands-on-keyboard attacks. Besides the Cobalt Strike beacons and PowerShell reverse shells seen in earlier reports, the company has also seen Meterpreter, Bladabindi and HabitsRAT.
“Follow-on activities from these shells have not been observed at this time, but these tools have the ability to steal passwords and move laterally,” Microsoft noted.
The activity is coming from small-scale, possibly more targeted attacks (possibly related to testing campaigns), the software giant said. Also, researchers have observed the addition of CVE-2021-44428 to existing campaigns that were exploiting vulnerabilities to drop remote access tools. Microsoft said that the HabitsRAT campaign overlapped with infrastructure used in prior campaigns.
Other Log4Shell Developments
Microsoft has also seen:
Multiple ransomware access brokers using the vulnerability to gain initial access to target networks – access that they sell to ransomware-as-a-service (RaaS) affiliates. “We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms,” Microsoft said.
Mass scanning by both attackers and security researchers. The vulnerability has rapidly gotten sucked up into existing botnets like Mirai, existing campaigns previously targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, and activity deploying the Tsunami backdoor to Linux systems. “Many of these campaigns are running concurrent scanning and exploitation activities for both Windows and Linux systems, using Base64 commands included in the JDNI:ldap:// request to launch bash commands on Linux and PowerShell on Windows,” the company said.
No big spikes in ransomware attacks. True, ransomware has been delivered via modified Minecraft clients, but so far it’s been only a small number of cases. That could change, given that access brokers associated with RaaS affiliates are folding the vulnerability into their initial-access toolkits. But Microsoft is also seeing older ransomware payloads in limited use by security researchers and a small number of attackers. “In some instances, they appear to be experimenting with deployments via scanning and modified Minecraft servers,” Microsoft said. “As part of these experiments, some ransomware payloads seem to have been deployed to systems that were previously compromised and were originally dropping coin-miner payloads.”
Webtoos Malware. Webtoos, a malware with distributed denial-of-service (DDoS) capabilities and persistence mechanisms that could allow an attacker to wreak yet more havoc, is also being deployed via the Log4Shell vulnerability. “Attackers’ use of this malware or intent is not known at this time, but the campaign and infrastructure have been in use and have been targeting both Linux and Windows systems prior to this vulnerability,” Microsoft said.
Microsoft’s post has extensive advice on attack vectors and observed activity, finding and remediating vulnerable apps and systems, detecting and responding to exploitation attempts and other related attacker activity, and indicators of compromise (IoCs).
This Is Just the Start
As if all that weren’t enough, it’s all likely going to get worse, Microsoft said. Just like Log4j is tucked away into nooks and crannies, so too are exploits going to get added to yet more attacker toolkits: “The majority of attacks we have observed so far have been mainly mass scanning, coin-mining, establishing remote shells and red-team activity, but it’s highly likely that attackers will continue adding exploits for these vulnerabilities to their toolkits,” Microsoft said.
How Do You Even Know Where Log4J Is Lurking?
A massive part of the Log4Shell nightmare is the fact that it’s not always obvious which software is using a vulnerable version of the Log4j library.
While Microsoft has laid out several methods for detecting active exploit attempts using Log4j, identifying the vulnerable version before an attack would be “ideal,” according to Ray Kelly, a fellow at NTT Application Security.
“This will be a continuing battle for both consumers and vendors going forward into 2022 in what will need to be a two-pronged approach,” Kelly told Threatpost. “Security vendors have been quick on the response for consumers by adding log4j rules that enable DAST [dynamic application security scanning] scanners to detect if a website can be exploited with a malicious log4j web request against a company’s web server. At the same time, vendors must ensure that they are not shipping software with the vulnerable version using tools such as SCA [service component architecture].”
Asking What to Do? It’s a Little Late for That
Jake Williams, co-founder and CTO at BreachQuest, echoed Microsoft’s assertion that this vulnerability will have an extremely long tail for exploitation, considering that many organizations don’t even realize they’re running vulnerable software.
“Unfortunately (and nobody wants to hear this), there’s nothing left to say about remediating log4j that hasn’t already been said hundreds of times,” Williams told Threatpost. “Any organization asking today what they need to do regarding log4j almost certainly has an incident on their hands. Every organization with a security team knows what needs to be done to hunt down log4j, they just need the resources and political backing to actually get it done. Being exploited through an internet-facing system running vulnerable log4j at this point is a leadership failure, not a technical one.”
Password Reset: On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & stream this FREE session today – sponsored by Specops Software.