Executive Summary OF LOG4SHELL EXPLOIT
In December 2021, a zero-day critical vulnerability was found in the Apache Log4j2 Java-based logging library. The vulnerability is now known as Log4Shell and is an unauthenticated remote code execution (RCE) flaw that allows for complete system takeover with Log4j2.0-beta9 up to 2.16.1. This means that the flaw could allow attackers to install cryptominers and steal data, as well as credentials. Almost every network security system runs on some kind of logging process and the Log4j2 logging library is extremely popular, given its vast reach. Millions of applications use Log4j2 for logging and if an attacker has the Log4j2 app, he can compromise it by logging a special string of characters.
Although conversation regarding Log4Shell has diminished, the vulnerability is still an issue for organizations and remains a permanent threat. Since the vulnerability was publicized, over 80% of Log4Shell’s exploitation attempts originated within the U.S. Because many systems are still using older versions of Log4j, the problems continue to escalate. Let’s take a look at Log4Shell and why we should continue to remain vigilant with patching devices.
In January 2022, Avertium’s Cyber Threat Intelligence team published a Threat Intelligence Report detailing the Log4Shell (CVE-2021-44228) exploit. Initially seen on sites hosting Minecraft servers, attackers discovered the vulnerability could be triggered by hosting chat messages. The first attacks were observed two weeks before they were publicly disclosed, and mass exploitation began a day after the vulnerability was made public. Those exploits originated from professional crypto-mining and DDoS botnets, like Muhstik and Mirai. Additionally, Microsoft observed Log4Shell being used to deploy webshells with Cobalt Strike beacons, which are backdoors.
Major enterprises like Amazon, Apple, and Tesla were all affected by Log4Shell, and cyber security professionals were in a hurry to come up with a solution to this massive problem. The situation quickly went from bad to worse when it was discovered that the first patch Apache issued for CVE-2021-44228 didn’t exactly fix the problem. Although rated lower in severity, the new exploit (CVE-2021-45046) gave attackers the capability to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DOS) attack. The vulnerability was patched, but it wasn’t long before a third vulnerability reared its head.
CVE-2021-45105 addressed Apache Log4j2 version 2.15.1, which allowed for crafted input that could manipulate Context Lookup functionality that leads to a stack-overflow and crash. Soon after Apache released the patch for CVE-2021-45105, a fourth vulnerability was found, CVE-2021-44832. This vulnerability affected Log4j2 version 2.16.0 which was vulnerable to an RCE attack when a configuration uses JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server.
After the news broke about how easy it was to exploit Log4j2, threat actors made swift moves. Log4Shell resulted in massive world-wide scanning with the payloads running from miners, Unix DDoS malware, and framework stagers pushed to compromised hosts. This kind of mass scanning was expected because as with any exploit, attackers with motives will exploit anything they can in order to receive what they want (money, credentials, sensitive data, etc.). However, since December, the issues surrounding Log4Shell still persist and there is no sign of them disappearing.
In our previous report, we mentioned that several threat actors were taking advantage of the Log4Shell exploit, with one of those threat actors being Conti. Conti was the first sophisticated ransomware group to actively exploit Log4Shell. Within two days of the Log4Shell news, the group figured out a way to use Log4Shell as a new attack vector. They decided on the following attack chain: Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> vCenter ESXi with log4shell scan for vCenter.
Image 1: Conti Attack Vector Timeline
Source: AdvIntel
Chinese and Iranian state threat actors were exploiting Log4Shell as well. The Iranian threat actor, DEV-0270, and Chinese threat actor, APT10, were among the first to aggressively exploit Log4Shell. Mandiant observed reconnaissance activity linked to APT10 and DEV-0270 successfully attacked multiple U.S. companies via ransomware deployments
Now, there is another China based ransomware threat actor (DEV-0401) exploiting Log4Shell. Microsoft observed DEV-0401 targeting internet-facing servers running vulnerable instances of VMware’s, VMware Horizon. According to the U.K. government’s NHS Digital, DEV-0401 was observed trying to establish malicious web shells on Horizon servers. The threat actor was also observed using command and control servers to spoof domains associated with companies such as Trend Micro and Sophos.
In addition to Log4Shell, DEV-0401 has also deployed several ransomware families including: Night Sky, LockFile, Rook, and AtomSilo – while exploiting internet facing systems running Confluence (CVE-2021-26084). Researchers are not sure if DEV-0401 is a ransomware-as-a-service group or a contractor.
In March 2022, researchers at Qihoo 360’s Network Security Research Lab (360 Netlab) published a report about a botnet, which is still under development, that was attempting to use Linux systems to steal sensitive information, create reverse shells, install rootkits, and act as web traffic proxies. The malware behind the botnet was named B1txor20 and focuses its attacks on Linux ARM, X64 CPU architecture devices.
B1txor20 was initially spotted by Qihoo’s research lab in February 2022 and uses Log4Shell to infect new hosts - an appealing attack vector due to dozens of vendors using Apache’s Log4j logging library. The B1txor20 botnet stands out due to its use of DNS tunneling for communication channels with the C2 server. B1torx20 and the C2 communicate with the help of DNS protocol. The C2 sever is encrypted and once the botnet client has decrypted it, a DNS query is used to send its communications to the C2 domain. The communication includes stolen sensitive information and command execution results. This technique may be dated, but threat actors still use it to exploit the DNS protocol to tunnel malware and data via DNS queries.
Qihoo’s research lab stated that B1xtor20 has broad features, but all the features aren’t enabled. The researchers believe it’s a sign that the malware has a few bugs the developers are trying to improve. To decrypt the domain name and RC4 secret key, B1txor20 uses the following code snippet:
Image 2: B1txor20 Flow Chart
Source: Netlab 360
Qualys research lab recently analyzed Log4Shell and found that more than 150 million IT assets across the world had vulnerable application installations, with 80% of them being open-source applications. Of those application installations, 30% of Log4j instances were vulnerable to exploitation. Also, only 70% of the Apache Log4j applications had been patched. This means that developers are still downloading vulnerable versions of Log4j.
Log4j exploits are primarily being used for DDoS botnet attacks and over 80% of cryptomining, ransomware, and DDoS attempts have originated in the U.S. since December 2021. Threat actors like Khonsari and Conti have been successful with exploiting Log4Shell and will continue to exploit it if organizations are not patching their devices. In December 2021, CISA reported that 1,495 products were vulnerable to Log4Shell and Qualys discovered that of those products, 1,065 programs amongst 52 publishers were still in use – with over 80% of those being on Linux.
Other payloads dropped by Log4Shell include:
As you can see, current Log4shell exploits are primarily being used for DDoS botnet attacks. Barracuda researchers observed various payloads targeting vulnerable Log4j deployments with Mirai in the lead. Mirai focuses on publicly exposed network cameras, routers, and other devices and places them into a botnet of remotely controlled bots. As a result, attackers are able to control the botnet and perform DDoS attacks against their target. Take a look at Qualys’ Log4Shell vulnerability impact numbers from March 2022:
If the above information isn’t enough to concern you, then the Federal Trade Commission (FTC) may change your stance. After the Log4Shell incident took over cyber space, the FTC issued a warning to companies who didn’t remediate Log4j security issues. The warning stated that the FTC will use its full legal authority and pursue companies who fail to patch vulnerable devices.
“When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action. According to the complaint in Equifax, a failure to patch a known vulnerability irreversibly exposed the personal information of 147 million consumers. Equifax agreed to pay $700 million to settle actions by the Federal Trade Commission, the Consumer Financial Protection Bureau, and all fifty states. The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” – Federal Trade Commission
Because leaving devices unpatched and vulnerable to attackers can lead to data breaches, it’s no surprise that the FTC issued such a strong warning. In a Threat Intelligence Report published in February 2022, we talked about how difficult it can be for the IT staff at organizations to keep up with patching vulnerable software and systems. However, not patching will ultimately lead to escalation of attacks. The emergence of recent botnets such as B1txor20 and Mirai is a great example of how threat actors continue to escalate months old vulnerabilities.
Also, APT41 (Bronze Atlas) was seen exploiting Log4Shell. The threat actor is based in China and is known for carrying out cyber espionage. They’ve successfully targeted and breached six U.S. state networks, which have not been named. Because of Log4Shell, APT41 was able to breach two U.S. state government networks and other organizations within the insurance and telecommunications industries.
In December 2021, Microsoft speculated that Log4j exploits may exist for many years. With major companies like Apple, Google, CloudFlare, Steam, VMware, Amazon, and IBM using Log4j2 as their logging framework, Log4Shell is an appealing opportunity for threat actors. Although the number of successful attacks remains lower than expected, analysts are certain that Log4Shell will remain a permanent vulnerability if organizations don’t patch.
Open-source software like Apache’s Log4j logging library, is software that is used extensively behind the scenes on the internet but isn’t well-known to the average person. If given access, this kind of software can be like a treasure chest for attackers. However, open-source software has many benefits such as providing people with free accessibility and giving millions of people a useful tool that could foster pioneering technologies.
While the use of open-source software has become an increasing trend, there is a lot of room for improvement when it comes to the security. Cyber security professionals must acknowledge that open-source code comes with security risks, and many open-source components are outdated or have quality control issues. There are also inexperienced developers, and “too busy” developers who are at the helm of many open-source software projects. Despite the challenges, there are ways that you can improve the security of open-source software without jeopardizing the integrity.
All organizations scan for vulnerable applications that use Log4j2 and update them to the latest versions.
B1txor20
Log4Shell (most recent IoCs listed below – previous IoCs can be found IoCs here and here)
https://www.microsoft-updateserver[.cf/]gadfTs55sghsSSS
CVE-2018-13379
6a2c91abf2b805365c847709215375af
624278ed3019a42131a3a3f6e0e2aac8d8c8b438
7feb4d36a33f43d7a1bb254e425ccd458d3ea921
d28e07d2722f771bd31c9ff90b9c64d4a188435a
e76e9237c49e7598f2b3f94a2b52b01002f8e862
7f680efadef8c0b3a192b2814077b7b5d8543d20dd24b1d8939f3fec013059a3
https://webhook[.site/]
google.onedriver-srv[.ml]
www.microsoft-updateserver[.cf]
www.service-management[.tk]
24.39.220[.218]
24.96.94[.11]
37.26.183[.94]
37.71.147[.186]
37.99.163[.162]
37.99.163[.163]
37.99.163[.164]
37.99.163[.165]
37.99.163[.166]
41.142.240[.197]
50.192.49[.210]
50.196.104[.201]
50.243.3[.153]
50.243.3[.154]
50.243.3[.155]
50.243.3[.156]
50.243.3[.157]
50.255.126[.65]
65.183.166[.218]
65.183.166[.219]
65.183.166[.220]
65.183.166[.222]
69.54.25[.34]
70.62.153[.174]
70.89.246[.33]
70.89.246[.34]
70.89.246[.35]
70.89.246[.36]
70.89.246[.37]
70.91.93[.133]
72.68.69[.63]
78.134.89[.167]
79.11.46[.30]
80.118.6[.90]
80.15.113[.188]
80.153.75[.103]
80.155.38.[210]
80.155.38[.211]
80.155.38[.212]
80.155.38[.213]
80.155.3[8.214]
81.4.177[.114]
81.4.177[.115]
81.4.177[.116]
81.4.177[.117]
81.4.177[.118]
82.198.72.[201]
82.62.143.[41]
87.139.213[.76]
87.193.135[.123]
90.63.245[.175]
90.85.224[.121]
90.85.224[.122]
90.85.224[.123]
90.85.224[.124]
90.85.224[.125]
93.51.177[.66]
93.51.177[.67]
93.51.177.68]
93.51.177[.69]
93.51.17[7.70]
96.67.145.115]
96.80.68[.193]
96.80.68[.194]
96.80.68[.195]
96.80.68[.196]
96.80.68[.197]
97.87.91[.211]
97.87.91[.212]
97.87.91[.213]
97.87.91[.214]
97.87.91[.215]
97.87.91[.216]
97.87.91[.217
97.87.91[.218]
97.87.91[.219]
http://2.192.67[.0]
Conti (most recent IoCs – previous IoCs can be found here)
FTC warns companies to remediate Log4j security vulnerability | Federal Trade Commission
6 Tips for Managing Open Source Components Securely | Snyk
CISA Conti Ransomware Potential Targets - AlienVault - Open Threat Exchange
Microsoft: China-based ransomware actor exploiting Log4Shell (techtarget.com)
How To Use Open-Source Software Without Increasing Security Vulnerabilities (forbes.com)
China-backed APT41 compromised 'at least' six US state governments (yahoo.com)
30% of Apache Log4j Security Holes Remain Unpatched – The New Stack
Log4Shell Post-Mortem and What We Learned About Open-Source Security (avertium.com)
Log4shell exploits now used mostly for DDoS botnets, cryptominers (bleepingcomputer.com)
Qualys Study Reveals How Enterprises Responded to Log4Shell | Qualys Security Blog
New Linux botnet exploits Log4J, uses DNS tunneling for comms (bleepingcomputer.com)
New Threat: B1txor20, A Linux Backdoor Using DNS Tunnel (360.com)
New Linux botnet exploits Log4J, uses DNS tunneling for comms (bleepingcomputer.com)
Linux botnet spreads using Log4Shell flaw | IT PRO
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.