Apache Log4j – Technical Analysis of Critical Remote Code Execution Vulnerability Tracked as CVE-2021-44228

Apache Log4j – Technical Analysis of Critical Remote Code Execution Vulnerability Tracked as CVE-2021-44228

EXECUTIVE SUMMARY

 

A critical Remote Code Execution Vulnerability tracked as CVE-2021-44228 in Apache Log4j has been found to be exploited in the wild.

Upon analysis of the associated Indicators of Compromise (IOCs), we observed indicators predominantly linked to Russian Threat Actor dubbed Fancy Bear. In addition, some of the indicators were also found associated with several families such as Kinsing, Coinminer, Mirai, Tsunami, Mushtik.

Additionally, and based on campaigns that CYFIRMA is tracking, North Korean threat actor Lazarus Group have been observed in the past, to be associated with some of the indicators.

The primary motive behind abusing the vulnerability appears to be:

  • Gain access of the vulnerable server
  • Install malware
  • Exfiltrate data

CYFIRMA recommends using reported IOC details for measures against this campaign and threat hunting within your environment.

CYFIRMA Risk Rating for this Research is High.

NOTE: The vulnerability has been reported as situational awareness intelligence. CYFIRMA would like to highlight the potential risk and indicators observed which may be leveraged by nation-state threat actors in exploiting the vulnerability to gain a foothold and exfiltrate sensitive information from the target organizations.

 

VULNERABILITY AT A GLANCE

Remote Code Execution Vulnerability in Apache Log4j

CVE-2021-44228

CVSS Score: 10.0

Exploit Details: This vulnerability is being exploited in the wild and could be leveraged by threat actors to gain access into the network of the organizations. Exploit Details: Link1, Link2, Link3

Description:

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From Log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property “log4j2.formatMsgNoLookups” to “true” or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Geography-wise illustration (log4j):

Source: Surface Web

 

Top 10 values for ports (log4j)

Source: Surface Web

 

Impact

Successful exploitation of the vulnerability could allow an attacker to compromise the affected system and gain access to the system and take full control.

Insights

The vulnerability is caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features.

The CWE is CWE-20 (Improper Input Validation), CWE-400 (Uncontrolled Resource Consumption), CWE-502 (Deserialization of Untrusted Data) and the vulnerability has an impact on confidentiality, integrity, and availability.

Affected Version

Please refer to the following link for the affected versions:

Link

Mitigation

Please refer to the following link for the mitigation:

Link

Security Indicators

  1. Is there already an exploit tool to attack this vulnerability? Yes
  2. Has this vulnerability already been used in an attack? Unknown
  3. Are hackers discussing about this vulnerability in the Deep/Dark Web? Yes
  4. What is the attack complexity level? Low

INDICATORS OF COMPROMISE ANALYSIS

Please write to [email protected] for access to IOCs file for attribution to threat actors, campaigns, and malware used. Use the IOCs to exercise controls on your security systems.

 

VULNERABILITY INTELLIGENCE HYPOTHESIS

Based on the target infrastructure observed for this vulnerability, the CYFIRMA Research team identified threat actors who could leverage them to exploit the vulnerability:

  • Russian threat actors: Fancy Bear, and many more.
  • North Korean threat actors: Lazarus Group

By exploiting the vulnerable servers, the suspected threat actors could gain access to the vulnerable server, install malware, and exfiltrate data.

This hypothesis is based on the assessment that the threat actors seem to be using Kinsing, Coinminer, Mirai, Tsunami, Mushtik malware; as observed during the analysis of IOCs.

Based on the MITRE Attack framework, the following are the tactics and techniques observed which could be leveraged by the attackers:

Sr. No Tactics Techniques
1 TA0002: Execution T1059.004: Command and Scripting Interpreter: Unix Shell
2 TA0005: Defense Evasion T1222.002: File and Directory Permissions Modification

 

Following illustrates the infection chain of the log4j JNDI attack:

Source: Surface Web

In addition, the following provides more details on the attacks:

Current Exploitation Endeavors

Ongoing Attack Endeavors

 

Current Protection Against Attack Endeavors

 

Potential Impact

 

ATTRIBUTION WITH CYFIRMA TRACKED CAMPAIGN

CYFIRMA researchers observed some of the indicators were associated with multiple campaigns as given below:

S. No Campaign Name

Associated Threat Actor

1 Beamer-21 Lazarus Group
2 Eliminate#30 Fancy Bear
3 Sandpaper Lazarus Group
4 Oliver Path Fancy Bear
5 20 Yard Fancy Bear
6 UNC020 Fancy Bear

 

INSIGHTS

Whenever such a new threat emerges, organizations and cyber defenders often need to translate vague descriptions and untested research artifacts into actionable intelligence for their particular risk models, which might in turn introduce more anomalies in the landscape.

Organizations are increasingly susceptible to vulnerabilities hosted by complex supply chains that offer potential attackers’ footholds into the organization’s infrastructure /network /applications /database.

Critical learning for organizations from such an incident is the importance of adequate Access Rights Management where access to information systems is identified, tracked, controlled, and managed. Such controls must apply to all information systems throughout the enterprise (hosted, cloud-based, or third-party systems) and extend to all individuals according to their role.

-> If you are using Log4j v2.10 or above, and cannot upgrade, then set the property:

  • formatMsgNoLookups=true

In addition, an environment variable can be set for these same affected versions:

  • LOG4J_FORMAT_MSG_NO_LOOKUPS=true

Or remove the JndiLookup class from the classpath. For example, you can run a command like:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class  to remove the class from the log4j-core

 

-> Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the intelligence provided.

-> Integrate CTI feeds with existing SIEM solutions to allow faster detection and alerting of malicious activities. Enrich threat intelligence by combining local monitoring, internal and external feeds.

-> Apply the Yara rule mentioned in your network to search for evidence of spear phishing being sent to your organization.

-> Configure the provided Sigma rules in your network defence mechanisms to alert attempts of credential theft and to monitor and restrict traffic across the network.

-> Deploy an advanced Endpoint Detection and Response (EDR) engine as part of the organization’s layered security strategy.

-> Patch/upgrade all applications/software regularly with the latest versions when available on priority.

-> Configure network defense systems such as intrusion detection systems (IDS), intrusion prevention systems (IPS) for real-time alerts.

  • Deploy an advanced Endpoint Detection and Response (EDR) engine as part of the organization’s layered security strategy.
  • The use of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is effective against automated bots.
  • Restrict the logins to a specific range of IP Addresses.
  • Implement Multi-Factor Authentication (MFA) to reduce the risk of potential data breaches.
  • Consider moving to a non-standard port for services instead of using the default port.

YARA Rules

The mentioned YARA rules assist in monitoring and identifying new alerts.

Rule 1:

ule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {

meta:

description = “Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228”

score = 60

strings:

$x1 = “${jndi:ldap:/”

$x2 = “${jndi:rmi:/”

$x3 = “${jndi:ldaps:/”

$x4 = “${jndi:dns:/”

condition:

1 of them

}

 

Rule 2:

rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {

meta:

description = “Detects indicators in server logs that indicate the exploitation of CVE-2021-44228”

score = 80

strings:

$x1 = /\$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,42}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/

$fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/

condition:

$x1 and not 1 of ($fp*)

}

 

Rule 3:

rule crime_h2miner_kinsing

{

meta:

description = “Rule to find Kinsing malware”

strings:

$s1 = “-iL $INPUT –rate $RATE -p$PORT -oL $OUTPUT”

$s2 = “libpcap”

$s3 = “main.backconnect”

$s4 = “main.masscan”

$s5 = “main.checkHealth”

$s6 = “main.redisBrute”

$s7 = “ActiveC2CUrl”

$s8 = “main.RC4”

$s9 = “main.runTask”

condition:

(uint32(0) == 0x464C457F) and filesize > 1MB and all of them

}

 

Rule 4:

rule EXPL_Log4j_CallBackDomain_IOCs_Dec21_1 {

meta:

description = “Detects IOCs found in Log4Shell incidents that indicate exploitation attempts of CVE-2021-44228”

strings:

$xr1  = /\b(ldap|rmi):\/\/([a-z0-9\.]{1,16}\.bingsearchlib\.com|[a-z0-9\.]{1,40}\.interact\.sh|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):[0-9]{2,5}\/([aZ]|ua|Exploit|callback|[0-9]{10}|http443useragent|http80useragent)\b/

condition:

1 of them

}

Rule 5:

rule EXPL_JNDI_Exploit_Patterns_Dec21_1 {

meta:

description = “Detects JNDI Exploit Kit patterns in files”

strings:

$ = “/Basic/Command/Base64/”

$ = “/Basic/ReverseShell/”

$ = “/Basic/TomcatMemshell”

$ = “/Basic/JettyMemshell”

$ = “/Basic/WeblogicMemshell”

$ = “/Basic/JBossMemshell”

$ = “/Basic/WebsphereMemshell”

$ = “/Basic/SpringMemshell”

$ = “/Deserialization/URLDNS/”

$ = “/Deserialization/CommonsCollections1/Dnslog/”

 

$ = “/Deserialization/CommonsCollections2/Command/Base64/”

$ = “/Deserialization/CommonsBeanutils1/ReverseShell/”

$ = “/Deserialization/Jre8u20/TomcatMemshell”

$ = “/TomcatBypass/Dnslog/”

$ = “/TomcatBypass/Command/”

$ = “/TomcatBypass/ReverseShell/”

$ = “/TomcatBypass/TomcatMemshell”

$ = “/TomcatBypass/SpringMemshell”

$ = “/GroovyBypass/Command/”

$ = “/WebsphereBypass/Upload/”

condition:

1 of them

}

 

Rule 6:

rule EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1 {

meta:

description = “Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228”

strings:

$xa1 = “header with value of BadAttributeValueException: ”

$sa1 = “.log4j.core.net.JndiManager.lookup(JndiManager”

$sa2 = “Error looking up JNDI resource”

condition:

$xa1 or all of ($sa*)

}

 

Rule 7:

rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {

meta:

description = “Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228”

strings:

$ = “${jndi:ldap:/”

$ = “${jndi:rmi:/”

$ = “${jndi:ldaps:/”

$ = “${jndi:dns:/”

$ = “${jndi:iiop:/”

$ = “${jndi:http:/”

$ = “${jndi:nis:/”

$ = “${jndi:nds:/”

$ = “${jndi:corba:/”

condition:

1 of them

}

 

Rule 8:

rule EXPL_Log4j_CVE_2021_44228_Dec21_OBFUSC {

meta:

description = “Detects obfuscated indicators in server logs that indicate an exploitation attempt of CVE-2021-44228”

strings:

$x1 = “$%7Bjndi:”

$x2 = “%2524%257Bjndi”

$x3 = “%2F%252524%25257Bjndi%3A”

$x4 = “${jndi:${lower:”

$x5 = “${::-j}${”

$x6 = “${${env:BARFOO:-j}”

$x7 = “${::-l}${::-d}${::-a}${::-p}”

$x8 = “${base64:JHtqbmRp”

condition:

1 of them

}

 

Rule 9:

rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {

meta:

description = “Detects indicators in server logs that indicate the exploitation of CVE-2021-44228”

strings:

$x1 = /\$\{jndi:(ldap|ldaps|rmi|dns|iiop|http|nis|nds|corba):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/

$fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/

condition:

$x1 and not 1 of ($fp*)

}

 

Rule 10:

rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {

meta:

description = “Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228”

strings:

/* curl -s  */

$sa1 = “Y3VybCAtcy”

$sa2 = “N1cmwgLXMg”

$sa3 = “jdXJsIC1zI”

/* |wget -q -O-  */

$sb1 = “fHdnZXQgLXEgLU8tI”

$sb2 = “x3Z2V0IC1xIC1PLS”

$sb3 = “8d2dldCAtcSAtTy0g”

condition:

1 of ($sa*) and 1 of ($sb*)

}

 

Rule 11:

rule SUSP_JDNIExploit_Indicators_Dec21 {

meta:

description = “Detects indicators of JDNI usage in log files and other payloads”

strings:

$xr1 = /(ldap|ldaps|rmi|dns|iiop|http|nis|nds|corba):\/\/[a-zA-Z0-9\.]{7,80}:[0-9]{2,5}\/(Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)\//

condition:

filesize < 100MB and $xr1

}

 

Rule 12:

rule SUSP_EXPL_OBFUSC_Dec21_1{

meta:

description = “Detects obfuscation methods used to evade detection in log4j exploitation attempt of CVE-2021-44228”

strings:

/* ${lower:X} – single character match */

$ = { 24 7B 6C 6F 77 65 72 3A ?? 7D }

/* ${upper:X} – single character match */

$ = { 24 7B 75 70 70 65 72 3A ?? 7D }

/* URL encoded lower – obfuscation in URL */

$ = “$%7blower:”

$ = “$%7bupper:”

$ = “%24%7bjndi:”

$ = “$%7Blower:”

$ = “$%7Bupper:”

$ = “%24%7Bjndi:”

condition:

1 of them

}

 

Source: Surface Web

 

Sigma Rules

It is an open-source  YAML-based signature format which assists SOC to explain log events in a flexible and standardized format, helps to create queries in a common language which could possibly be incorporated in SIEM and EDR solutions.

Rule 1:

title: Always Install Elevated Windows Installer

id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770

description: This rule looks for Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege

status: experimental

tags:

– attack.privilege_escalation

– attack.t1548.002

logsource:

product: windows

category: process_creation

detection:

integrity_level:

IntegrityLevel: ‘System’

user:

User|startswith:

– ‘NT AUTHORITY\SYSTEM’

– ‘AUTORITE NT\Sys’ # French language settings

 

 

image_1:

Image|contains|all:

– ‘\Windows\Installer\’

– ‘msi’

Image|endswith:

– ‘tmp’

image_2:

Image|endswith:

– ‘\msiexec.exe’

condition: (image_1 and user) or (image_2 and user and integrity_level)

fields:

– IntegrityLevel

– User

– Image

falsepositives:

– System administrator Usage

– Penetration test

level: medium

 

Rule 2:

title: Non Interactive PowerShell

id: f4bbd493-b796-416e-bbf2-121235348529

description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.

status: experimental

tags:

– attack.execution

– attack.t1086          # an old one

– attack.t1059.001

logsource:

category: process_creation

product: windows

detection:

selection:

Image|endswith: ‘\powershell.exe’

filter:

ParentImage|endswith:

– ‘\explorer.exe’

– ‘\CompatTelRunner.exe’

condition: selection and not filter

falsepositives:

– Legitimate programs executing PowerShell scripts

level: low

 

Rule 3:

title: Net.exe Execution

id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac

status: experimental

tags:

– attack.discovery

– attack.t1049

– attack.t1018

– attack.t1135

– attack.t1201

– attack.t1069.001

– attack.t1069.002

– attack.t1087.001

– attack.t1087.002

– attack.lateral_movement

– attack.t1021.002

– attack.t1077      # an old one

– attack.s0039

logsource:

category: process_creation

product: windows

detection:

selection:

Image|endswith:

– ‘\net.exe’

– ‘\net1.exe’

cmdline:

CommandLine|contains:

– ‘ group’

– ‘ localgroup’

– ‘ user’

– ‘ view’

– ‘ share’

– ‘ accounts’

– ‘ stop ‘

condition: selection and cmdline

fields:

– ComputerName

– User

– CommandLine

– ParentCommandLine

falsepositives:

– Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.

level: low

 

Rule 4:

title: Stop Windows Service

id: eb87818d-db5d-49cc-a987-d5da331fbd90

description: Detects a windows service to be stopped

status: experimental

tags:

– attack.impact

– attack.t1489

logsource:

category: process_creation

product: windows

detection:

selection:

Image|endswith:

– ‘\sc.exe’

– ‘\net.exe’

– ‘\net1.exe’

CommandLine|contains: ‘stop’

condition: selection

fields:

– ComputerName

– User

– CommandLine

falsepositives:

– Administrator shutting down the service due to upgrade or removal purposes

level: low

Source: Surface Web