Zero-day vulnerability (aka Log4Shell) in Apache Log4j is being actively exploited

Threat Advisory
0
Avatar
Author

INTRODUCTION

Log4Shell vulnerability (CVE-2021-44228) impacts multiple versions of a
widely distributed Java software component, Apache Log4j 2. The vulnerability exists in the way the Java Naming and Directory Interface (JNDI) feature resolves variables and allows a remote attacker to execute arbitrary code on the target system.

Apache Log4j2 <2.15, JNDI enables attackers to call external java libraries
(jndi:ldap, jndi:rmi) which in turn allows the execution of remote commands in the environment.

A remote attacker can send a specially crafted request to the application and execute arbitrary code on the target system. Successful exploitation of this vulnerability may result in the complete compromise of a vulnerable system.

Threat actors have already begin actively exploiting this vulnerability in the
wild.

VULNERABLE PRODUCT

The vulnerability impacts all versions of Apache Log4j2 from 2.0-beta9
to 2.14.1

BUSINESS IMPACT

Successful exploitation of the vulnerability would allow a remote
unauthenticated attacker to execute arbitrary code, a complete takeover of
unpatched devices and deploy further malicious payload to execute
ransomware like disruptive attacks.

REMEDIATION

1. Ensure to patch log4j to 2.15.0 and above.
2. For systems that can’t be updated (or at least not updated immediately)
apply Logout4Shell vaccine to protect against exploits targeting the
Log4Shell flaw.
3. Use commands & YARA rules to search for exploitation attempts
against log4j RCE vulnerability CVE-2021-44228.
4. Test your apps for log4shell vulnerability.

MITIGATIONS

1. In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable
LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
2. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class.
NOTE: Additionally, if the server has Java runtimes >= 8u121, then by default, the settings com.sun.jndi.rmi.object.trustURLCodebase and
com.sun.jndi.cosnaming.object.trustURLCodebase are set to “false”, mitigating this risk.
3. Put a WAF or Proxy in front of the vulnerable Java app and block access toconnections containing “jndi:ldap” and “jndi:dns” in the request or user-agent strings.

DETECTION

1. Search logs for the presence of jndi:ldap, jndi:ldaps: jndi:dns:jndirmi
Log4j RCE CVE-2021-44228 Exploitation Detection · GitHub
2. Logs can be scanned by using GitHub – Neo23x0/log4shell-detector:
Detector for Log4Shell exploitation attempts

HASH (SHA-256)

IP’s

109[.]237[.]96[.]12462[.]102[.]148[.]69185[.]220[.]100[.]244185[.]220[.]101[.]142193[.]189[.]100[.]203147[.]182[.]169[.]254
185[.]100[.]87[.]20272[.]223[.]168[.]73185[.]220[.]100[.]245185[.]220[.]101[.]143193[.]218[.]118[.]231147[.]182[.]219[.]9
213[.]164[.]204[.]14681[.]17[.]18[.]60185[.]220[.]100[.]246185[.]220[.]101[.]145194[.]48[.]199[.]78151[.]115[.]60[.]113
185[.]220[.]101[.]146104[.]244[.]72[.]115185[.]220[.]100[.]247185[.]220[.]101[.]147195[.]176[.]3[.]24159[.]65[.]58[.]66
171[.]25[.]193[.]20104[.]244[.]74[.]57185[.]220[.]100[.]248185[.]220[.]101[.]148195[.]254[.]135[.]76159[.]65[.]155[.]208
178[.]17[.]171[.]102104[.]244[.]74[.]211185[.]220[.]100[.]249185[.]220[.]101[.]149198[.]98[.]51[.]189164[.]90[.]199[.]216
45[.]155[.]205[.]233104[.]244[.]76[.]170185[.]220[.]100[.]252185[.]220[.]101[.]153199[.]195[.]250[.]77167[.]99[.]164[.]201
171[.]25[.]193[.]25107[.]189[.]1[.]160185[.]220[.]100[.]253185[.]220[.]101[.]156204[.]8[.]156[.]142167[.]99[.]172[.]58
171[.]25[.]193[.]77107[.]189[.]1[.]178185[.]220[.]100[.]254185[.]220[.]101[.]157205[.]185[.]117[.]149167[.]99[.]172[.]213
171[.]25[.]193[.]78107[.]189[.]12[.]135185[.]220[.]100[.]255185[.]220[.]101[.]158209[.]127[.]17[.]242185[.]220[.]100[.]241
185[.]220[.]100[.]242107[.]189[.]14[.]98185[.]220[.]101[.]33185[.]220[.]101[.]161209[.]141[.]41[.]103185[.]220[.]101[.]37
185[.]220[.]101[.]39122[.]161[.]50[.]23185[.]220[.]101[.]34185[.]220[.]101[.]16345[.]153[.]160[.]131185[.]220[.]101[.]41
18[.]27[.]197[.]252171[.]25[.]193[.]20185[.]220[.]101[.]35185[.]220[.]101[.]16845[.]153[.]160[.]138185[.]220[.]101[.]57
89[.]234[.]182[.]139171[.]25[.]193[.]25185[.]220[.]101[.]36185[.]220[.]101[.]16962[.]76[.]41[.]46185[.]220[.]101[.]134
104[.]244[.]79[.]6171[.]25[.]193[.]77185[.]220[.]101[.]42185[.]220[.]101[.]17268[.]183[.]44[.]143185[.]220[.]101[.]144
18[.]27[.]197[.]252171[.]25[.]193[.]78185[.]220[.]101[.]43185[.]220[.]101[.]17568[.]183[.]198[.]247185[.]220[.]101[.]154
23[.]129[.]64[.]131178[.]62[.]79[.]49185[.]220[.]101[.]45185[.]220[.]101[.]17788[.]80[.]20[.]86185[.]220[.]101[.]160
23[.]129[.]64[.]141181[.]214[.]39[.]2185[.]220[.]101[.]46185[.]220[.]101[.]179109[.]70[.]100[.]34185[.]220[.]101[.]171
23[.]129[.]64[.]146185[.]38[.]175[.]132185[.]220[.]101[.]49185[.]220[.]101[.]180109[.]237[.]96[.]124185[.]220[.]101[.]186
23[.]129[.]64[.]148185[.]83[.]214[.]69185[.]220[.]101[.]54185[.]220[.]101[.]181116[.]24[.]67[.]213185[.]220[.]102[.]249
45[.]12[.]134[.]108185[.]100[.]87[.]41185[.]220[.]101[.]55185[.]220[.]101[.]182134[.]122[.]34[.]28188[.]166[.]48[.]55
45[.]155[.]205[.]233185[.]100[.]87[.]202185[.]220[.]101[.]56185[.]220[.]101[.]185137[.]184[.]102[.]82188[.]166[.]92[.]228
46[.]166[.]139[.]111185[.]107[.]47[.]171185[.]220[.]101[.]61185[.]220[.]101[.]189137[.]184[.]106[.]119188[.]166[.]122[.]43
46[.]182[.]21[.]248185[.]129[.]61[.]1185[.]220[.]101[.]129185[.]220[.]101[.]191142[.]93[.]34[.]250193[.]189[.]100[.]195
51[.]15[.]43[.]205185[.]220[.]100[.]240185[.]220[.]101[.]138185[.]220[.]102[.]8143[.]198[.]32[.]72193[.]218[.]118[.]183
51[.]255[.]106[.]85185[.]220[.]100[.]242185[.]220[.]101[.]139185[.]220[.]102[.]242143[.]198[.]45[.]117195[.]19[.]192[.]26
54[.]173[.]99[.]121185[.]220[.]100[.]243185[.]220[.]101[.]141193[.]31[.]24[.]154147[.]182[.]167[.]165212[.]193[.]57[.]225

URL’s

http[:]//62.210.130.250/lh.shhttp[:]//18.228.7.109/.log/pty4;
http[:]//62.210.130.250[:]80/web/admin/x86_64http[:]//18.228.7.109/.log/pty5;
http[:]//62.210.130.250[:]80/web/admin/x86http[:]//210.141.105.67[:]80/wpcontent/themes/twentythirteen/m8
http[:]//62.210.130.250[:]80/web/admin/x86_ghttp[:]//159.89.182.117/wp-content/themes/twentyseventeen/ldm
http[:]//45.130.229.168[:]9999/Exploit.classhxxp[:]//45.137.155[.]55/ex[.]sh
http[:]//18.228.7.109/.log/loghxxp[:]//45.137.155[.]55/kinsing
http[:]//18.228.7.109/.log/pty1;hxxp[:]//80.71.158[.]12/libsystem.so
http[:]//18.228.7.109/.log/pty2;hxxp[:]//80.71.158[.]12/kinsing
http[:]//18.228.7.109/.log/pty3;hxxp[:]//80.71.158[.]12/Exploit69ogQNSQYz.class

DOMAINS

nazi[.]uy
log[.]exposedbotnets[.]ru

REFERENCES

New zero-day exploit for Log4j Java library is an enterprise nightmare
Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack
Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild
Log4Shell Explained

Author

Leave a Reply

Your email address will not be published. Required fields are marked *

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

I agree to these terms.