Cybercriminals are actively looking for and exploiting the critical Log4Shell vulnerability ( CVE-2021-44228) in the Java-based Apache Log4j logging platform to install malware. The vulnerability allows attackers to remotely execute code on a vulnerable server simply by searching for or changing the browser user agent to a custom string.
Once the vulnerability was discovered, the attackers exploited the problem to execute shell scripts to download the crypto miner installation. The shell script removes competing malware from the vulnerable device and then downloads and installs the Kinsing malware to mine cryptocurrency.
According to Netlab 360 researchers, hackers are exploiting Log4Shell to install Mirai and Muhstik malware on vulnerable devices. The malware families install crypto miners and enable large-scale DDoS attacks. The attacks recorded by experts were directed at devices running Linux.
According to experts from the Microsoft Threat Intelligence Center, a vulnerability in Log4j was also used to install Cobalt Strike beacons. Hence the deployment of Cobalt Strike beacons indicates upcoming malicious campaigns.
However, the vulnerability is exploited not only to install malware. Attackers and security researchers use an exploit to scan the Web for vulnerable servers and obtain information about them. Affected servers can be forced to access URLs or perform DNS lookups for callback domains. This allows attackers to determine if the server is vulnerable and use it for future attacks, research, or attempts to get paid under the program for discovering vulnerabilities.
You can check our Log4j RCE Exploit, Advisory, and Resource post for information related to the firm advisory or other attack and mitigation techniques.Read:
- Worst Apache Log4j RCE Zero-day Dropped on the Internet
- Log4j RCE - Exploit - Advisory - Resource & Cheat Sheet
- Apache Log4j Vulnerability Details and Mitigation
Another Bad news for log4j users (Log4Shell)
Today, the leader of the knownsec 404 team (ZoomEye & SeeBug) 'Heige' tweeted about the ransomware attack via exploiting the log4j2 RCE vulnerability.
Update: 14.12.2021 (04:00 PM)
As we have already noted that hackers are now exploiting CVE-2021-44228 to deploy ransomware on vulnerable networks. On Monday, cybersecurity firm BitDefender revealed the technical advisory on the exploitation of the Log4Shell vulnerability. On the advisory, BitDefender noted that initially, they had observed the attack targeting the Linux server but the company has also seen attacks against systems running the Windows operating system with a novel ransomware family called Khonsari.
The attackers exploit the Log4Shell RCE vulnerability to download the additional .Net binary file from the remote server. Once the downloaded binary file is executed, the malicious file will list all the drives and encrypt the entire files with the extension ".khonsari" and displays a ransom note that urges the victims to make a Bitcoin payment in exchange for recovering access to the files., except the C:\ drive.
On the C:\ drive, Khonsari will encrypt only the following folders:
Additionally, attackers also tried to download Remote Access Trojan, another new payload name "Orcus" which further downloads shellcode from the attacker server and injects it into the memory of the conhost.exe process. Here, the shellcode decrypts and loads into memory another malicious payload, which appears to be the Orcus Remote Access Trojan (RAT) connecting to the test. verble[.]rocks command and control server.
The user is strongly encouraged to update to the latest version of Log4j in order to fix the vulnerability as soon as possible.
What we can DO Now?
In addition, researchers from cybersecurity firm Cybereason have developed a " vaccine " that can be used to remotely eliminate a critical Log4Shell vulnerability. Although Apache quickly released a patched version of Log4j 2.15.0 to address the vulnerability, the vulnerability is very easy to exploit for cyberattacks.
"Vaccine" disables settings in the remote vulnerable instance of Log4Shell. Essentially, the vaccine removes the vulnerability by exploiting the vulnerable server. A project called Logout4Shell contains a Java payload that disables the trustURLCodebase setting on the remote Log4j server.
Furthermore, today Apache Loh4j team has released another version by removing support for Lookups in messages in version log4j 2.16.0.
Log a message if either the lookup or nolookup option is specified on %m. Remove calls to StrSubstitutor.replace().