Share this page!

Greg Linares Profile picture
Twitter logo
11 Dec, 8 tweets, 3 min read
To add on to what @dildog is referencing with AWS vars and log4j

Here is a list of the AWS envs that I've seen attackers attempt to dump from the target machine

docs.aws.amazon.com/cli/latest/use…
For reference:
So when you see the "You just got RCE and you use it to info dump" people, please kindly remind them that RCE isn't always as fancy as they would love to think
Just want to add that I am now seeing #log4j payloads that will parse AWS credentials and then grab the AWS shared credentials file and upload it back to the attacker
Here are the AWS variables I am seeing being targeted in the wild by #log4j exploits at this time (even without rce):

AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
AWS_SHARED_CREDENTIALS_FILE
AWS_WEB_IDENTITY_TOKEN_FILE
AWS_PROFILE
AWS_CONFIG_FILE
AWS_ACCESS_KEY_ID
After getting these values they are attempting to exfil the AWS_PROFILE, AWS_WEB_IDENTITY_TOKEN_FILE, & AWS_SHARED_CREDENTIALS_FILE via http requests, or cat and copy to webhost or line by line dumping into a var and reading it
Everyone:
I just watched attackers infiltrate a private s3 and AWS instance by exploiting log4j on a seemingly unrelated host

IF YOU HAVE AWS VARS STORED AND YOU HAVE LOG4J VULNERABILITIES PREPARE TO ASSUME THE AWS STORED VARS ARE COMPROMISED: TEAR DOWN, REVOKE, AND REISSUE
Please see this tweet by @steveloughran for updated AWS vars that attackers are implementing

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Greg Linares

Greg Linares Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Laughing_Mantis

Greg Linares Profile picture
13 Dec
#log4j theoretical worm depending on propegation speed might just blend in with the noise for a while.

Ideally right now reducing attack surface should be everyone's top priority

Unfortunately we are dealing with a bug with unprecedented vectors.
Everyone right now shouldn't even focus on worm capabilities because exploitation is so wide spread right now it doesn't even increase your risk level, attackers are doing nearly identical to what worm activity would be like.

Traffic congestion and network bottlenecking tho...
Historically if we look at worm activity it took roughly a week to 14 days for them to be widespread & developed

However those in the past didn't use logic flaws & required memory corruption exploits which are less reliable & complex payloads.

This is much lower skill ceiling
Read 5 tweets
Greg Linares Profile picture
12 Dec
#Log4J based on what I've seen, there is evidence that a worm will be developed for this in the next 24 to 48 hours.

Self propagating with the ability to stand up a self hosted server on compromised endpoints.

In addition to spraying traffic, dropping files, it will have c2c
Biggest hurdle appears to be implementing a JDK gadget to enable code execution on limited env.

That is currently being researched by several groups.
Honestly I'm kinda surprised it isn't finished yet, but I have seen at least 3 groups (Eastern euro, .ru and .cn) that are investigating options to do this.

Goals appear varied: financial gain via extortion as well as selling access to compromised hosts to RaaS groups
Read 7 tweets
Greg Linares Profile picture
12 Dec
#Log4J Data Exfiltration & Env Var List 🧵

I will use this thread to discuss env variables I have seen being used in the wild alongside log4j exploitation from both remote & in local subnets

This isn't a complete list but it will give you an idea what attackers are looking at
In addition to the AWS variables I have discussed earlier I am also seeing these:

For Hadoop I am seeing threat actors attempt to query the following env vars

HADOOP_HOME
HADOOP_CLIENT_OPTS
HADOOP_SHELL_EXECNAME
HADOOP_USER_PARAMS
HADOOP_SECURE_CLASSNAME
HADOOP_SECURE_USER
For postgress I am seeing several attempts:

PGPASSWORD
PGDATABASE
PGPASSFILE
PGHOST
PGSSLKEY
Read 6 tweets
Greg Linares Profile picture
11 Dec
PSA: attackers aren't just using #log4j attacks on internet facing devices.

Groups I'm monitoring are going back to compromised networks and using it on subnets and on internal devices *very* successfully

Insider threat is also an viable avenue of exploitation
Update: here's what vectors internal threat actors are using to gain access via #log4j exploits:

Email/inbox monitoring services
Network inspectors
Internal web servers
SSL inspectors
Couchdb(?) Logging services
Asset management services
XML parsing services
Email: sending log4j in subjects to null addresses or internal

Network: spamming STUN, ARP, UDP, and MDNS traffic with log4j in packets

SSL: setting up malicious SSL servers and waiting for connections

Dropping log4j in xml files that are being referenced or ingested
Read 4 tweets
Greg Linares Profile picture
11 Dec
Can confirm this phase just started
Ransomware groups have started posting successful exploits on a number forums and chats

While they are doing recon they are literally tossing up cryptominers so they maximizing profits.
Many of them are also not deploying RCE as a vector.

Many of them are grabbing server variables in order to maximize effectiveness and efficiency against targets.

Customized exploitation and info stealing are abound.
Read 8 tweets
Greg Linares Profile picture
22 Sep 20
Ever want to test systems & see if your password is ever stored/sent in plaintext?

Make it: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

I am on the phone with a vendor right now because my test account is in an inoperable state.

🧐
Vendors gonna hate me tonight.
When I goto jail from the fallout of this just make sure they don't use my high school photos.

Thanks fam <3
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @Laughing_Mantis has new unrolls!

Check out other threads from @Laughing_Mantis!

Read all threads by @Laughing_Mantis

:(