Everything About the Catastrophic Zero-Day Log4j Exploit

Zero-day (0day) vulnerabilities certainly are incredible finds, depending on who discovers them first. Simply put, when bugs are first discovered by threat actors, the consequences can be devastating. This is precisely the case here. Think of this as a DEFCON Level 1 cybersecurity alert for all parties affected by this vulnerability.

Apache Log4j is an open-source Java logging library, part of the Apache Logging Services project, that is widely used in enterprise environments to record application events.

The vulnerability has been named Log4Shell (also referred to as LogJam) and is tracked as CVE-2021-44228. Specifically, it affects systems running Log4j versions 2.0-beta9 through 2.14.1.

When exploited, it lets threat actors target unpatched, default-configured Apache Log4j instances and execute arbitrary code, in the form of Remote Code Execution (RCE), that is loaded from a remote server whenever message lookup substitution is enabled.

In practice, attackers only need to control the content of a log message or one of its parameters. By sending a specially crafted string that Log4j ends up logging, they trigger the lookup, and from that point the threat actor can execute arbitrary code to take over the system.

The scope of the vulnerability is unimaginable. Juan Andrés Guerrero-Saade, a chief threat researcher with the cybersecurity firm SentinelOne, described it as "one of those nightmare vulnerabilities that there’s pretty much no way to prepare for."

Escalating Events Follow Disclosure

The vulnerability was discovered and reported to Apache late last month by Chen Zhaojun, a cloud security engineer at Alibaba, a Chinese multinational technology company.

It also became clear that a vast number of software applications built on the framework inherit the vulnerability. What’s more, the vulnerability had been exploited a week before its initial disclosure.

Products and services such as Atlassian, Amazon Web Services, Azure Data Lake Store, Carbon Black, Cisco products, Cloudflare, cPanel, Jenkins plugins, Minecraft, Netflix, VMware, and many others have reportedly been affected by the exploit.

Apache projects running default configurations, such as Struts2, Apache Solr, Apache Druid and Apache Flink, are a few of those susceptible to the new RCE exploit.

The escalation commenced immediately after the initial proof-of-concept exploit was published on GitHub on Thursday, Dec. 9. Knowledge of the exploit was effectively released into the wild by an unidentified Chinese security researcher under the alias p0rz9.

The researcher revealed that CVE-2021-44228 can only be exploited successfully if the log4j2.formatMsgNoLookups option is set to false. Once public, the exploit quickly fell into the hands of cybercriminals, who immediately launched massive scans for systems vulnerable to the security flaw.
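As an added example (not from the article, Apache or any of the vendors mentioned), the following Python helper applies the affected range stated above, 2.0-beta9 through 2.14.1, together with the formatMsgNoLookups flag, to the log4j-core jars found on a classpath; it treats the flag as effective only from Log4j 2.10.0, the release that introduced it, and the jar names it scans are constructed sample data.

```python
import re
from typing import List, Tuple

# Affected range as stated in the article: Log4j 2.0-beta9 through 2.14.1.
# Pre-release tags sort before the final release carrying the same number.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta9', '2.14.1' or '2.15.0' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if m[4]:
        return (major, minor, patch, _PRE_RANK[m[4]], int(m[5]))
    return (major, minor, patch, _FINAL_RANK, 0)

FIRST_AFFECTED = parse_version("2.0-beta9")
LAST_AFFECTED = parse_version("2.14.1")
FLAG_SINCE = parse_version("2.10.0")  # log4j2.formatMsgNoLookups was added in 2.10.0

def triage(version: str, format_msg_no_lookups: bool = False) -> str:
    """Classify one Log4j 2 version given whether the no-lookups flag is set."""
    v = parse_version(version)
    if not (FIRST_AFFECTED <= v <= LAST_AFFECTED):
        return "not in affected range"
    if format_msg_no_lookups and v >= FLAG_SINCE:
        return "affected version, message lookups disabled by flag"
    if format_msg_no_lookups:
        return "affected version, flag has no effect before 2.10.0: upgrade"
    return "VULNERABLE: upgrade or disable message lookups"

# Constructed sample of jar names as seen on a classpath (not taken from a real host).
SAMPLE_JARS = ["log4j-core-2.14.1.jar", "log4j-core-2.0-beta9.jar",
               "log4j-core-2.15.0.jar", "log4j-api-2.14.1.jar"]

def triage_jars(jar_names: List[str], format_msg_no_lookups: bool = False) -> List[Tuple[str, str]]:
    """Pick out log4j-core jars (the module that carries the lookup code) and triage each."""
    results = []
    for name in jar_names:
        m = re.fullmatch(r"log4j-core-(.+)\.jar", name)
        if m:
            results.append((name, triage(m[1], format_msg_no_lookups)))
    return results

if __name__ == "__main__":
    for name, verdict in triage_jars(SAMPLE_JARS):
        print(f"{name}: {verdict}")
```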

Scanning tools also appeared on GitHub, allowing anyone to scan for hosts affected by the Log4j vulnerability.

Apache released a patch that same day, but it has not been enough to contain the surge of cyberattacks that followed the disclosure on GitHub.

“GreyNoise is detecting a sharply increasing number of hosts opportunistically exploiting Apache Log4j CVE-2021-44228. Exploitation occurring from ~100 distinct hosts, almost all of which are Tor exit nodes,”

tweeted GreyNoise, a Washington D.C. cybersecurity company, on Dec. 10.

The most common abuse of the vulnerable servers is threat actors using them to install cryptocurrency mining software and Cobalt Strike beacons, as well as turning the affected hosts into a botnet.

“Some include crypto mining malware, DDoS (Mirai-like) malware, and other remote code execution attempts relating to scanning and activity enumerating vulnerable hosts,”

said Troy Mursch, chief research officer at the security firm Bad Packets.

He also explained that, given how simple the bug is to exploit, he expects this vulnerability to remain of interest to threat actors for quite a while.

CrowdStrike and Mandiant - both US cybersecurity firms - identified sophisticated hacking organizations exploiting the bug and taking over vulnerable systems. In an email to Reuters, Mandiant described the attackers as “Chinese government actors.”

The issue has been so harrowing that the United States Government issued a warning to the private sector about the Log4j vulnerability.

The Apache Software Foundation rated the vulnerability a 10 on a scale from one to 10. According to experts, the bug is extremely easy to exploit, which means any two-bit hacker can gain full access to unpatched systems running this software without a password.

Mitigation Solutions Are Rolling Out

Vulnerable parties are not without solutions to this major security threat. One solution is simply to upgrade to the latest version of Log4j. Additionally, there are automated patches and mitigations provided by Apache that can make the process less cumbersome.

Security vendor Cybereason has also created a “vaccine” that fixes the bug autonomously. Interestingly, it makes use of the vulnerability itself, sending a message that shuts down the attack vector. Cybereason explained:

"In short, the fix uses the vulnerability itself to set the flag that turns it off. Because the vulnerability is so easy to exploit and so ubiquitous - it's one of the very few ways to close it in certain scenarios,"
"You can permanently close the vulnerability by causing the server to save a configuration file, but that is a more difficult proposition. The simplest solution is to set up a server that will download and then run a class that changes the server's configuration to not load things anymore."

According to open-source security vendor LunaSec, companies should refrain from relying on Web Application Firewall (WAF) rules to prevent exploitation, as these are not adequate mitigation against the exploit. Not everyone shares this caution, however. LunaSec has released a command-line tool that can automatically scan for and detect vulnerable Log4j packages.

Cybersecurity companies everywhere are racing to equip customers with the ability to find and patch this gaping security hole. But the sheer scope of the damage that has been done due to the public disclosure cannot yet be ascertained. Only time will tell.

An article by

Jesse McGraw

Edited by

Ana Alexandre
