
Log4Shell Observations: Threat Actors Weaponize Log4j, New CVEs, Relentless Scanning, Make an Already Bad Situation Worse

This blog provides a follow-up to our blogs from 12/13 and 12/14 detailing early observations and quick steps organizations can take today (and for the future): “How to Virtual Patch LOG4J in AWS, AZURE, GCP, and OCI”, “Log4Shell Observations: Why Protecting Workloads with Native, Layered Defense Is Essential”, and “Log4Shell: Security Vendors Must Move Faster to Provide Updates”.

Overview

It has been less than two weeks since the news of CVE-2021-44228 hit mainstream media, and it doesn’t look good for network defenders moving into the holidays. The vulnerable Java library Log4j is incorporated into the foundations of many software products and services. The embedded nature of these libraries prevents security practitioners from quickly determining whether their organization is impacted.

The breadth of the attack surface is still undetermined as organizations struggle to understand the depth of the problem. With reports of ransomware operators and nation state actors weaponizing the CVE, defense-in-depth is the best mitigation in preventing impact from zero days and targeted attacks.

Four new CVEs related to Log4j have been published. Two of them bypassed the original Log4j 2.15.0 mitigation patch, with patch 2.17.0 now being the latest. One of the CVEs is for Logback, a logging framework pitched as a successor to Log4j1; Logback was susceptible to a Log4Shell-style attack, given adequate privileges. The last new CVE is for the deprecated Log4j1 library, which allowed RCE given adequate privileges. All Log4j1 users are encouraged to update to the latest Log4j2 patch. Below is an overview of all the new CVEs affecting Log4j and Logback:

 

| CVE | Affected Versions | Patch | Description |
|---|---|---|---|
| CVE-2021-44228 | 2.0-beta9 to 2.14.1 | Log4j 2.15.0 (Java 8) | RCE possible from an attacker-controlled LDAP server or abused JNDI endpoint (Log4Shell) |
| CVE-2021-45046 | 2.0-beta9 to 2.15.0 (except 2.12.2) | Log4j 2.16.0 (Java 8) | A non-default pattern layout with a context lookup gives control of the thread context map, allowing for RCE. |
| CVE-2021-45105 | 2.0-beta9 to 2.16.0 | Log4j 2.17.0 (Java 8) | A non-default pattern layout with a context lookup gives control of the thread context map, creating a stack overflow that results in DoS conditions. |
| CVE-2021-4104 | 1.x (deprecated) | Log4j 2.17.0 (Java 8) | With write permissions, an attacker can send untrusted data causing JMSAppender to perform RCE via JNDI requests. |
| CVE-2021-42550 | <=1.2.7 | Logback 1.2.9 | An attacker with edit privileges can create a vulnerable configuration and execute code from an LDAP server. |
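As an added example (not part of the original post), the following Python encodes the affected ranges from the table above so that a log4j-core version string found during triage can be mapped to the CVEs that apply. It also treats 2.12.2 as fixed for CVE-2021-44228, since that release was Apache's Java 7 backport of the 2.15.0 fix, a detail the table does not spell out.

```python
import re
from typing import List, Tuple

# Inclusive ranges from the table above. 2.12.2 is excepted from both
# CVE-2021-44228 and CVE-2021-45046 (Java 7 backport of the fix), which
# goes one step beyond the table's "except 2.12.2" note on 45046 only.
AFFECTED = [
    ("CVE-2021-44228", "2.0-beta9", "2.14.1", ("2.12.2",)),
    ("CVE-2021-45046", "2.0-beta9", "2.15.0", ("2.12.2",)),
    ("CVE-2021-45105", "2.0-beta9", "2.16.0", ()),
]
LATEST_2X_PATCH = "2.17.0"   # latest patch named in the table


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta9' or '2.14.1' into a comparable tuple.

    A pre-release tag sorts below the final release of the same number
    (rank 0 vs 1), so 2.0-beta9 < 2.0 < 2.0.1.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d*))?",
                     v.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch, tag, tagnum = m.groups()
    return (int(major), int(minor), int(patch or 0),
            0 if tag else 1, int(tagnum or 0))


def applicable_cves(version: str) -> List[str]:
    """Return the CVEs from the table that apply to a log4j-core version."""
    v = parse_version(version)
    if v[0] == 1:
        return ["CVE-2021-4104"]   # deprecated 1.x branch (JMSAppender)
    hits = []
    for cve, lo, hi, exceptions in AFFECTED:
        excepted = {parse_version(e) for e in exceptions}
        if parse_version(lo) <= v <= parse_version(hi) and v not in excepted:
            hits.append(cve)
    return hits


def needs_upgrade(version: str) -> bool:
    """True when the version still carries at least one of the table's CVEs."""
    return bool(applicable_cves(version))
```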

CVE-2014-0160, or Heartbleed, impacted the OpenSSL library, which, like Log4j2, was built into many products and services. In 2020, the popular Internet scanner Shodan reported that over 80k Internet-facing devices were still vulnerable to Heartbleed, foreshadowing that Log4j2 may take years to fix. While many individuals and security-focused organizations are aware of the Log4j vulnerabilities, how many IT teams are not? How many don’t have the tools or talent needed to identify vulnerable systems in the first place? Sharing information and educating others about this vulnerability will aid in curbing cybercrime and data breaches.

Active Threats

Ransomware operators have weaponized CVE-2021-44228, with reports of the CONTI, Khonsari, and TellYouThePass groups currently leveraging it in their campaigns. Microsoft has reported that the HAFNIUM Advanced Persistent Threat (APT) group has exploited the vulnerability to gain access to enterprise networks.

Dridex malware has also incorporated the vulnerability into its phishing emails, using Meterpreter to deliver the malicious payload. The tactic aims to exploit unpatched software using Log4j2 on the local network or host. Dridex has been used to deploy BitPaymer and Locky ransomware in the past.

Observations From the Field

Valtix security researchers noted that the number of distinct IP addresses looking for and exploiting vulnerable hosts is slowly decreasing, while the number of probes is rising. The trend lines for malicious events and malicious IP addresses are about to cross, signaling that we will see fewer bad actors and more repetitive scanning. This may indicate that adversary reconnaissance is complete and that repetitive automated attacks launched by botnets are generating most of the events. It may also mean that adversaries are exploring new attack vectors and exploitation techniques.

MITRE ATT&CK Framework
Observed CVE-2021-44228 TTPs

| Tactic | Technique | Technique ID |
|---|---|---|
| Reconnaissance | Active Scanning: Vulnerability Scanning | T1595.002 |
| Initial Access | Exploit Public-Facing Application | T1190 |

The attack surface is continually growing as the exploit gets integrated in various hacking tools and malware campaigns. Cryptomining malware is still prevalent across the threat landscape, with mining software like XMRIG being deployed on vulnerable endpoints.

The use of Virtual Private Server (VPS) providers, The Onion Router (TOR) and paid-for Virtual Private Networks (VPNs) is not specific to CVE-2021-44228. Monitoring and blocking communications to unknown services aids in detecting and preventing compromise. Given their notable use in the exploitation of CVE-2021-44228, organizations can implement strict prevention policies to harden their environment while they continue to triage their exposure to Log4j.

Virtual Private Server (VPS) Providers
Abuse of VPS providers’ infrastructure is a common tactic used by adversaries to perform reconnaissance against target environments; it obfuscates an adversary’s location and may aid in circumventing geo-fence policies deployed by the target. Since 12/10/21, Valtix security researchers have observed the use of dedicated VPS infrastructure scanning for Log4j2 vulnerabilities. Compared with other Internet infrastructure used in cyberattacks, like compromised IoT devices, this purpose-built infrastructure indicates the ease of exploitation and the speed at which threat actors want to exploit it.

MITRE ATT&CK Framework
Observed CVE-2021-44228 TTPs

| Tactic | Technique | Technique ID |
|---|---|---|
| Resource Development | Acquire Infrastructure: Virtual Private Server | T1583.003 |


The Onion Router (TOR) & Privacy Services
TOR is a multi-hop proxy used to obfuscate a user’s location and provide encrypted, censor-proof communication. The top-level domain for TOR websites is “.onion”, and the TOR browser commonly utilizes port 9001 to make outbound communications. 

  • “bvprzqhoz7j2ltin[.]onion[.]ly”
  • “bvprzqhoz7j2ltin[.]onion[.]ws”

Privacy services, like a paid-for VPN, perform a similar function to TOR in that they obfuscate the user’s location from the target and aid in circumventing security controls like geofencing. Please note the distinction: TOR provides anonymity, where everyone can see what you’re doing but they don’t know who you are. A VPN service provides privacy, where the VPN provider knows who you are but they don’t know what you’re doing.

MITRE ATT&CK Framework
Observed CVE-2021-44228 TTPs

| Software | Type | Platform | ID |
|---|---|---|---|
| TOR | Tool | Windows, Linux, macOS | S1083 |

Cryptomining
The first wave of threats leveraging CVE-2021-44228 was botnets deploying cryptominers. In our last blog, we noted that the success of cryptomining malware is derived from its infection rate and the total number of compromised hosts. Remote code execution vulnerabilities that impact a large volume of hosts are therefore a natural financial fit for cryptominers. Kinsing cryptomining malware had previously leveraged CVE-2017-9841, an RCE in the PHPUnit framework, before using CVE-2021-44228.

But what is cryptomining? Cryptomining is the process of using a cryptocurrency’s algorithm to solve a math problem that validates user transactions. Larger cryptocurrency rewards are allocated to miners who solve the most math problems. Because of the financial incentive to increase hashrate and lower electricity costs, malware is used to spread cryptominers without the user’s knowledge. This unauthorized use of malware for mining is called cryptojacking.

The Monero cryptocurrency is commonly used in cryptojacking attacks because its algorithm performs well when mined with a CPU, whereas other cryptocurrencies require less common and more expensive GPUs. JavaScript embedded in a webpage can mine Monero using a visitor’s CPU resources; it can also be mined by installing an application on the host. XMRIG is reportedly being installed on vulnerable hosts post-exploitation of CVE-2021-44228. XMRIG is open-source, cross-platform Monero mining software, available for download on GitHub.

MITRE ATT&CK Framework
Observed CVE-2021-44228 TTPs

| Tactic | Technique | Technique ID |
|---|---|---|
| Impact | Resource Hijacking | T1496 |

Indicators of Compromise & Valtix Labs

Security researchers at Valtix collected publicly available indicators of compromise (IOCs) related to Log4j2 exploitation. Internal teams at Valtix vetted the IOCs, and enriched them to provide additional insight. The research team notes that a majority of the IOCs were related to Alpha Strike Labs GmbH:

 

| Field | Value |
|---|---|
| Organization | Alpha Strike Labs GmbH |
| Country | Germany |
| ASN | AS208843 |
| Prefix | “45.83.64.0/22” |
| Distinct IP Addresses | 1,022 |


Alpha Strike’s website indicates that their activity is for research purposes only. It’s good to know who the bad actors are, and not waste time on the benign scanners.

After removing Alpha Strike from the IOC statistics, Valtix security researchers found that most Log4j reconnaissance activity is coming from the United States, with Digital Ocean being the top organization hosting the infrastructure.
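The two analyses above (dropping a known research scanner before computing IOC statistics, and tracking distinct source IPs against probe volume per day) can be reproduced over honeypot-style records. The following Python is an added example, not Valtix code; the 45.83.64.0/22 prefix is the one the post attributes to Alpha Strike, while the event records, IP addresses and hosting organization names are constructed placeholders.

```python
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Event = Tuple[str, str, str]   # (date, source IP, hosting organization)

# Constructed sample of JNDI-probe events as a honeypot might record them.
# Not real data; org names are placeholders.
EVENTS: List[Event] = [
    ("2021-12-15", "45.83.64.10",  "Alpha Strike Labs GmbH"),
    ("2021-12-15", "45.83.65.77",  "Alpha Strike Labs GmbH"),
    ("2021-12-15", "198.51.100.4", "Example Cloud A"),
    ("2021-12-15", "203.0.113.9",  "Example Cloud B"),
    ("2021-12-16", "45.83.66.3",   "Alpha Strike Labs GmbH"),
    ("2021-12-16", "198.51.100.4", "Example Cloud A"),
    ("2021-12-16", "198.51.100.4", "Example Cloud A"),
    ("2021-12-16", "203.0.113.9",  "Example Cloud B"),
    ("2021-12-17", "198.51.100.4", "Example Cloud A"),
    ("2021-12-17", "198.51.100.4", "Example Cloud A"),
    ("2021-12-17", "198.51.100.4", "Example Cloud A"),
]

# Prefix the post attributes to Alpha Strike's research-only scanning.
RESEARCH_PREFIXES = [ipaddress.ip_network("45.83.64.0/22")]


def is_known_research(ip: str) -> bool:
    """True when the source address falls inside a known research prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESEARCH_PREFIXES)


def filter_events(events: List[Event]) -> List[Event]:
    """Drop benign research scanners before computing IOC statistics."""
    return [e for e in events if not is_known_research(e[1])]


def daily_trend(events: List[Event]) -> Dict[str, Tuple[int, int]]:
    """Per day: (distinct source IPs, total probes), sorted by date."""
    ips, probes = defaultdict(set), Counter()
    for day, ip, _ in events:
        ips[day].add(ip)
        probes[day] += 1
    return {d: (len(ips[d]), probes[d]) for d in sorted(probes)}


def automation_signal(trend: Dict[str, Tuple[int, int]]) -> bool:
    """True when distinct IPs never rise while probe counts never fall,
    the pattern the post reads as botnet-driven repetitive scanning."""
    days = list(trend.values())
    return all(a[0] >= b[0] and a[1] <= b[1] for a, b in zip(days, days[1:]))


def top_orgs(events: List[Event], n: int = 3) -> List[Tuple[str, int]]:
    """Hosting organizations ranked by probe count after filtering."""
    return Counter(org for _, _, org in events).most_common(n)
```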

The Valtix security research team has uploaded the enriched IOCs to our public GitHub account to promote the sharing of data within the security community: Valtix Research: Log4j IOCs

We’ve included data from our internal honeypots, a list of active TOR nodes, and the data we’ve collected via OSINT.

We know you asked for a new Nintendo Switch this year, but we got you a contextualized list of IOCs instead – you’ll understand when you’re older.

Summary

The first Log4j vulnerability has a CVSS (Common Vulnerability Scoring System) score of 10, but it feels like someone turned the volume up to 11 on this one:

  • Zero day exploited in the wild
  • Publicly available PoC
  • Easy to exploit RCE vulnerability
  • Built-in to products and services
  • Rapidly growing attack surface
  • Difficult to determine what’s vulnerable
  • Mitigation patches were quickly bypassed
  • Weaponized by threat actors
  • Enterprise remediation is slow

In a recent blog post, our CEO Douglas Murray noted that organizations need to get ahead of this vulnerability. Slow response times by vendors leave organizations open to a large attack surface they may not be aware of; patching is of the essence. As previously stated, sharing information and educating others about this vulnerability will aid in curbing cybercrime and data breaches.


We’re Here to Help

Because Log4j is turned up to 11, we recommend reviewing how our platform mitigates the exploitation of CVE-2021-44228. Our VP of Products, Jigar Shah, has a great demo showcasing our capabilities. We’ve made threat intelligence available on our public GitHub, and are offering our platform free for 90 days.
