{"id":2758,"date":"2021-12-21T07:02:53","date_gmt":"2021-12-21T15:02:53","guid":{"rendered":"https:\/\/www.cloudinsidr.com\/content\/?p=2758"},"modified":"2021-12-24T02:53:45","modified_gmt":"2021-12-24T10:53:45","slug":"log4j-rce-in-vivo","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/log4j-rce-in-vivo\/","title":{"rendered":"Log4j RCE and mitigation techniques"},"content":{"rendered":"

For quite some time it seemed as if cyber vulnerabilities in the Java ecosystem would be losing ground. Instead, it was the calm before the storm: a vulnerability in the Log4j<\/a> library threatens web servers and other applications in a variety of ways.<\/p>\n

<\/p>\n

Log4j RCE made its first appearance on December 1st, 2021. That’s how far you need to backdate your analysis, if not more.<\/p>\n

Matthew Prince, the Co-founder & CEO of Cloudflare (NYSE: NET), declared on Twitter<\/a>:<\/p>\n

‘Earliest evidence we\u2019ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed. (…)’. <\/em><\/p>\n

Also, look for signs of malware mining crypto on your systems.<\/p>\n

Log4j RCE out in the wild<\/h3>\n

It’s very hard to avoid using the Log4j library. It is ubiquitous. Talos Intelligence Group<\/a>, a security arm of Cisco, said that it observed a lead time between attackers’ active penetration attempts and callbacks from affected systems, which may indicate lateral movement.\u00a0<\/span><\/p>\n

Log4j is used in software running on a wide variety of systems, not just traditional web servers. Vulnerable systems include SIEMs and log collectors.<\/p>\n

Attackers may use a plethora of protocols, including LDAP(S), RMI, DNS, NIS, IIOP, CORBA, NDS and HTTP, and a variety of obfuscation techniques.<\/p>\n

So far, botnets such as Mirai are having great success taking advantage of this vulnerability. Mirai is a malware that targets smart devices which run on ARC processors, turning them into a network of remotely controlled bots or ‘zombies’. Those networks of bots (a.k.a. ‘botnets’), can be misused to launch DDoS attacks.<\/p>\n

Log4j RCE (also known in the NIST database as CVE-2021-44228<\/a>) scored a maximum of 10.0 points on the CVSS severity scale.<\/p>\n

How dire the situation is show lists of vulnerable products at VMware<\/a> and Cisco<\/a>. (Don’t look. It’s nauseating.)<\/p>\n

There is a perfect storm brewing that will occupy the Java community in the months ahead, maybe even much longer. It is not enough to merely identify affected packages. They need to be patched URGENTLY.<\/p>\n

Here is what happens<\/h3>\n

Here is a quick overview of the attack on the main vector:<\/span><\/p>\n

    \n
  1. \n

    an attacker injects JNDI lookup (JNDI is Java Naming and Directory Interface, a Java API for a directory service that allows Java software clients to discover and look up resources<\/b>) into something that’s going to be logged.<\/p>\n<\/li>\n

  2. \n

    Log4J logs the string, which causes it to query a malicious LDAP server under the attacker’s control<\/p>\n<\/li>\n

  3. \n

    the LDAP server returns malicious code<\/p>\n<\/li>\n

  4. \n

    bad things happen<\/p>\n<\/li>\n<\/ol>\n

    Workarounds for Log4j RCE<\/h3>\n

    What can you do to dodge this rolling calamity? For the time being, your options include:<\/p>\n