CISA, FBI and NSA Publish Joint Advisory and Scanner for Log4j Vulnerabilities

 

Description

Cybersecurity agencies from Australia, Canada, New Zealand, the U.K., and the U.S. on Wednesday released a joint advisory in response to widespread exploitation of multiple vulnerabilities in Apache’s Log4j software library by nefarious adversaries.

“These vulnerabilities, especially Log4Shell, are severe,” the intelligence agencies said in the new guidance. “Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. These vulnerabilities are likely to be exploited over an extended period.”

An attacker can exploit Log4Shell (CVE-2021-44228) by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. CVE-2021-45046, on the other hand, allows for remote code execution in certain non-default configurations, while CVE-2021-45105 could be leveraged by a remote attacker to cause a denial-of-service (DoS) condition.

Since the vulnerabilities became public knowledge this month, unpatched servers have come under siege from ransomware groups to nation-state hackers, who have used the attack vector as a conduit to gain access to networks to deploy Cobalt Strike beacons, cryptominers, and botnet malware.

The U.S. Federal Bureau of Investigation’s (FBI) assessment of the attacks has also raised the possibility that threat actors are incorporating the flaws into “existing cyber criminal schemes that are looking to adopt increasingly sophisticated obfuscation techniques.” In light of the severity of the vulnerabilities and likely increased exploitation, organizations are being urged to identify, mitigate, and update affected assets as soon as possible.

To that end, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also released a scanner utility to identify systems vulnerable to the Log4Shell vulnerability, mirroring a similar tool released by the CERT Coordination Center (CERT/CC).

However, Israeli cybersecurity firm Rezilion, in an assessment published this week, found that commercial scanning tools were ill-equipped to detect all formats of the Log4j library in an environment due to the fact that the instances are often deeply nested in other code, revealing the “blindspots” in such utilities and the limitations of static scanning.

“The biggest challenge lies in detecting Log4Shell within packaged software in production environments: Java files (such as Log4j) can be nested a few layers deep into other files — which means that a shallow search for the file won’t find it,” Yotam Perkal, vulnerability research lead at Rezilion, said. “Furthermore, they may be packaged in many different formats which creates a real challenge in digging them inside other Java packages.”

The public disclosure of Log4Shell has also led a number of technology suppliers to deploy patches for software that contain the flaw. The latest companies to issue updates are NVIDIA and HPE, joining a long list of vendors that have published security advisories detailing the products that are affected by the vulnerability.

The latest step taken by the governments arrives as the Apache Software Foundation (ASF) on Monday released updates for Apache HTTP Server to address two flaws — CVE-2021-44790 (CVSS score: 9.8) and CVE-2021-44224 (CVSS score: 8.2) — the former of which could be weaponized by a remote attacker to execute arbitrary code and take control of an affected system.

Read More

Test for Log4Shell With InsightAppSec Using New Functionality

 

Description

We can all agree at this point that the Log4Shell vulnerability (CVE-2021-44228) can rightfully be categorized as a celebrity vulnerability. Security teams have been working around the clock investigating whether they have instances of Log4j in their environment. You are likely very familiar with everything regarding Log4Shell, but if you are looking for more information, you can check out our Everyperson’s Guide to Log4Shell (CVE-2021-44228). In this blog, we will share how Rapid7 customers can test for Log4Shell with InsightAppSec.

Testing for Log4Shell with InsightAppSec

With InsightAppSec, our dynamic application security testing (DAST) solution, customers can assess the risk of their applications. InsightAppSec allows you to configure various attacks of your applications to identify response behaviors that make your applications more vulnerable to attacks. These attacks are run during scans that you can customize based on your needs. In this case, we’ve introduced a new default attack template for Out of Band Injection specific to Log4Shell attacks.

What’s this mean? Customers can now run an Out of Band Attack Injection from our default template, which includes an attack type for Log4Shell. The new default Out of Band attack template in InsightAppSec will perform sophisticated web application attacks that do not rely on traditional HTTP request-response interactions. Our Log4Shell vulnerability detection will simulate an attacker on your website. InsightAppSec will validate the exploitability of the application and the associated risk.

How to run a Log4Shell attack in InsightAppSec

You can scan for this new Out of Band attack using either a new attack template we have created or by creating your own custom attack template and selecting this new attack module. We have added some highlights below, but you can find a detailed guide via our help docs.

Attack templates

Out of Band Injection attack template

Out of band Log4Shell attack module

Run a scan

Scan Config

Depending on the choice of either using the new Out of Band Injection attack template or creating your own custom attack module, you now need to choose this template on your scan config and run a scan against your selected app(s).

Scan results

Now you run your scan, you can review your scan results to see if your app(s) have any findings that could be exposed as per the details in CVE-2021-44228.

What’s next?

Though official mitigation steps are changing as new information arises, we recommend that applications upgrade Log4j to at least version 2.3.1 for Java 6, 2.12.3 for Java 7, or 2.17.0 for Java 8 and later, but preferably the latest version available to fix any new issues as they are discovered. If upgrading Log4j is not an option, the Apache Software Foundation advises that in any release other than 2.16.0, you can remove the JndiLookup class from the log4j-core class path, but we recommend only using this method when upgrading is not possible. If you’re looking to validate any fixes have been implemented, feel free to run a validation scan with InsightAppSec to verify the fixes have been made.

If you’re looking for additional information on how Rapid7 can help support you during this time, check out our Log4j resource hub.

Read More

PYSA Emerges as Top Ransomware Actor in November

 

Description

PYSA, which is also known by Mespinoza, has overtaken Conti as the top ransomware threat group for the month of November. It joined Lockbit, which has dominated the space since August.

According to NCC Group’s November insights on the ransomware sector, PYSA increased its market share with a 50 percent rise in the number of targeted organizations, which includes a 400 percent spike in attacks against government-sector systems.

Double-Extortion and Beyond

PYSA regularly uses double-extortion against its targets, both exfiltrating and encrypting the data, then threatening to publish the data publicly if the victim doesn’t pay the ransom.

Last March, the FBI sent out a special alert about PYSA’s focus on the education sector, warning schools to be on alert for phishing lures and brute-force Remote Desktop Protocol attacks as initial-access techniques.

“In previous incidents, cyber-actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information and other data that could be used to extort victims to pay a ransom,” the FBI warned.

Everest Switches Up Tactics to Sell Initial Access

Russian-language ransomware group Everest is taking its extortion tactics to another level, threatening to sell off access to targeted systems if their demands aren’t met, NCC Group added.

“In November, the group offered paid access to the IT infrastructure of their victims, as well as threatening to release stolen data if the victim refused to pay a ransom,” NCC Group reported. “This included data related to the Argentine government, Peru’s Ministry of Economy and Finance, and the Brazilian Police.”

In some instances, Everest would skip demanding ransom altogether and go straight to selling access, NCC Group reported. The analysts are watching to see if this sparks a new trend among other groups.

“While selling ransomware-as-a-service has seen a surge in popularity over the last year, this is a rare instance of a group forgoing a request for a ransom and offering access to IT infrastructure – but we may see copycat attacks in 2022 and beyond,” the report said.

North America and Europe are the regions with the most attacks, NCC Group added.

Conti on the Comeback

Meanwhile, the prevalence of Russian-language group Conti decreased by 9.1 percent. But that’s likely to get made up in December with the announcement that the threat group was the first professional ransomware attacker to come up with a full weaponized attack chain against the Log4Shell vulnerability.

Conti’s advantage, according to an AdvIntel report from last week, is its size: The group “plays a special role in today’s threat landscape, primarily due to its scale.”

Read More

Critical Apache HTTPD Server Bugs Could Lead to RCE, DoS

 

Description

Don’t duck at the latest mention of Apache: Two critical bugs in its HTTP web server – HTTPD – need to be patched pronto, lest they lead to attackers triggering denial of service (DoS) or bypassing your security policies.

Apache, the open-source software foundation behind the Log4J logging library that’s been making for so many Log4Shell headlines, on Monday put out an update to fix the two bugs in HTTPD, which is a web server that’s right up there with Log4j in its ubiquity.

Both vulnerabilities are found in Apache HTTP Server 2.4.51 and earlier.

The first issue (CVE-2021-44790) is with the function “r:parsebody” of the component “mod_lua Multipart Parser.” As the VulDB vulnerability database describes it, “manipulation with an unknown input leads to a memory-corruption vulnerability” that “is going to have an impact on confidentiality, integrity and availability.”

VulDB also noted that the issue is reportedly easy to exploit: It is possible to launch the attack remotely. The exploitation doesn’t require any form of authentication.”

Although technical details are known, there’s no available exploit – at least, not yet. As of Monday, the vulnerability’s structure had suggested that an exploit would fetch between $5,000 and $25,000, VulDB estimated.

In a Tuesday writeup of the two CVEs, Sophos principal security researcher Paul Ducklin said that the two bugs could leave servers at risk of some serious hurt.

“These bugs might not be exposed in your configuration, because they are part of optional run-time modules that you might not actually be using,” Ducklin noted. “But if you are using these modules, whether you realize it or not, you could be at risk of server crashes, data leakage or even remote code execution.”

On Monday, Apache published these details for the two CVEs in its changelog:

• CVE-2021-44790: Possible buffer overflow when parsing a carefully crafted request in the mod_lua multipart parser of Apache HTTP Server 2.4.51 and earlier. Apache said that its HTTPD team hasn’t seen an exploit, but “it might be possible to craft one.”
• CVE-2021-44224: Possible NULL dereference or Server Side Request Forgery (SSRF) in forward proxy configurations, likewise in Apache HTTP Server 2.4.51 and earlier.

On Tuesday, CERT-FR sent out an alert about the issue.

CERTFR-2021-AVI-972 : Multiples vulnérabilités dans Apache httpd (21 décembre 2021)https://t.co/SB0gpBJcd4

— CERT-FR (@CERT_FR) December 21, 2021

HTTPD: It’s Here, It’s There, It’s Every-Bleeping-Where

Ducklin noted that Apache’s brawny server has “more than 3,000 files totaling close to a million [lines] of source code,” making it not only “a large and capable server,” but one with “myriad combinations of modules and options, making it both powerful and dangerous at the [same] time.”

These bugs shouldn’t get lost amidst the Log4J brouhaha, Ducklin said, given that “you almost certainly have Apache HTTPD in your network somewhere. Just like Log4j, HTTPD has a habit of getting itself quietly included into software projects, for example as part of an internal service that works so well that it rarely draws attention to itself, or as a component built unobtrusively into a product or service you sell that isn’t predominantly thought of as ‘containing a web server.’”

Sean Nikkel, senior cyber-threat intel analyst at Digital Shadows, noted that a quick peek at the Shodan search engine reveals that there more than 3 million public devices running some version of HTTPD as of this writing, meaning there’s a chance that HTTPD is running on some internal or otherwise non-public instances.

That could mean that this vulnerability “may also be just as far-reaching as log4j,” Nikkel said.

The silver lining: “Apache dissuades people from using the mod_lua functionality in several circumstances due to the amount of control it potentially has,” he told Threatpost on Wednesday. In fact, Apache has this cautionary note on its mod_lua site:

This module holds a great deal of power over httpd, which is both a strength and a potential security risk. It is not recommended that you use this module on a server that is shared with users you do not trust, as it can be abused to change the internal workings of httpd.

However, Nikkel said, that doesn’t rule out the human factor: “There’s always the chance a server was misconfigured,” he noted.

Kudos to Patchy Apache

Used to be, the name “Apache” was presumed to be a pun for building “patchy” software, given how the open-source software was built on existing code and a bunch of software patches (but that’s not really how it got its name, according to the project’s official documentation).

Still, kudos to Apache for being extremely patchy of late, security experts said.

“It should be noted that Apache has done an exceptional job addressing the vulnerabilities that have been discovered in their products this year,” Hank Schless, senior manager of security solutions at Lookout, commented to Threatpost via email. “They’re pushing updates as soon as possible, and making it widely known that patches are available for teams. It’s important to keep in mind that software vulnerabilities are inevitable – especially these days when applications are so complex and users expect constant updates from the developers.”

OK, gratitude aside, could we just catch up with all these issues, already? That’s what Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, wants to know. “The integrated IT security industry is not very good at effectively mitigating known vulnerabilities, and Apache vulnerabilities are no exception,” he told Threatpost via email. “Our cyber-debt specific to Apache software was substantial prior to Log4Shell or these new HTTPD web server vulns.”

He pointed to CVE-2020-1938, the so-called “Ghostcat” security bug in the popular Apache Tomcat web server that cropped up in 2020, as an example. The bug led to a working exploit leaking on GitHub that made it a snap to exploit.

That same bug, in the Apache JServ Protocol (AJP), “has been getting a lot of interest on Remedy Cloud almost a full two years after it was disclosed,” Bar-Dayan said.

If Apache were the only software the industry had to worry about securing when vulnerabilities are found, that would be manageable, he said. But no: According to NIST, 2021 will be another record year for new vulnerability disclosures, Bar-Dayan continued.

“We need to do much better as cybersecurity pros to identify the vulnerabilities that matter to our businesses and organizations, by assessing and prioritizing associated risk,” he said. “Then we need to take control and orchestrate the mitigation effort while measuring our ability to drive cyber-hygiene and attain acceptable levels of risk.”

This Is a Priority Patch

Schless urged IT teams to address the CVEs immediately, prioritizing anything that’s publicly accessible or web-facing. “These assets are the ones that attackers will scan for in order to find vulnerable systems and exploit the vulnerability,” he said.

After that, security teams should then move on to assessing and addressing internal servers and applications to which only employees have access, he added.

“The scope of impact is likely more limited than what we’ve seen recently, but that shouldn’t change the urgency with which the CVEs are patched,” Schless recommended. “If attackers aren’t yet in a vulnerable environment, they will be scanning the internet for vulnerable software using HTTPD. However, if the attacker has already made their initial entry and is performing reconnaissance on the environment, they will likely try to locate vulnerable internal assets. This highlights the importance of understanding how every user in your infrastructure accesses and interacts with your apps and the data stored in them.”

Nikkel noted that support teams that might be stressing over yet another patch might wring some solace out of the fact that there are “some conditions and mitigations to this, so it may not apply to all installations.”

Still, given that “these are typical web services deployed facing the internet,” the “patch ASAP” rule yet again applies, he said.

_Image courtesy of Tom Thai. Licensing details. _

Read More

China suspends deal with Alibaba for not sharing Log4j 0-day first with the government

 

Description

China’s internet regulator, the Ministry of Industry and Information Technology (MIIT), has temporarily suspended a partnership with Alibaba Cloud, the cloud computing subsidiary of e-commerce giant Alibaba Group, for six months on account of the fact that it failed to promptly inform the government about a critical security vulnerability affecting the broadly used Log4j logging library.

The development was disclosed by Reuters and South China Morning Post, citing a report from 21st Century Business Herald, a Chinese business-news daily newspaper.

“Alibaba Cloud did not immediately report vulnerabilities in the popular, open-source logging framework Apache Log4j2 to China’s telecommunications regulator,” Reuters said. “In response, MIIT suspended a cooperative partnership with the cloud unit regarding cybersecurity threats and information-sharing platforms.”

Tracked as CVE-2021-44228 (CVSS score: 10.0) and codenamed Log4Shell or LogJam, the catastrophic security shortcoming allows malicious actors to remotely execute arbitrary code by getting a specially crafted string logged by the software.

Log4Shell came to light after Chen Zhaojun of Alibaba cloud security team sent an email alerting the Apache Software Foundation (ASF) on November 24 about the flaw, adding that it “has a major impact.” But just as the fix was being put in place, details of the vulnerability were shared on a Chinese blogging platform by an unidentified actor on December 8, sending the Apache team scrambling to release a patch on December 10.

Post the bug’s public disclosure, Log4Shell has been subjected to widespread exploitation by threat actors to take control of susceptible servers, thanks to the near-ubiquitous use of the library, which can be found in a variety of consumer and enterprise services, websites, and applications — as well as in operational technology products — that rely on it to log security and performance information.

In the ensuing days, further investigation into Log4j by the cybersecurity community has since uncovered three more weaknesses in the Java-based tool, prompting the project maintainers to ship a series of security updates to contain real-world attacks exploiting the flaws.

Israeli security firm Check Point noted that it has blocked over 4.3 million exploitation attempts so far, with 46% of those intrusions made by known malicious groups. “This vulnerability may cause the device to be remotely controlled, which will cause serious hazards such as theft of sensitive information and device service interruption,” the MIIT had previously said in a public statement published on December 17, adding it was only made aware of the flaw on December 9, 15 days after the initial disclosure.

The pushback from MIIT arrives months after the Chinese government issued new stricter vulnerability disclosure regulations that mandate software and networking vendors affected with critical flaws, alongside entities or individuals engaged in network product security vulnerability discovery, to report them first-hand to the government authorities mandatorily within two days.

In September, the government also followed it up by launching “cyberspace security and vulnerability professional databases” for the reporting of security vulnerabilities in networks, mobile apps, industrial control systems, smart cars, IoT devices, and other internet products that could be targeted by threat actors.

Update: After China’s internet security regulator dropped Alibaba Cloud from its cyber threat intelligence partnership for six months, the cloud computing company on Thursday said it would work towards improving its risk management and compliance, according to a new report from the South China Morning Post. Alibaba Cloud also said it did not fully comprehend the severity of the flaw and that it did not share the details with the government in a timely fashion.

Read More

Mitigating Log4Shell and Other Log4j-Related Vulnerabilities

 

Description

CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory in response to multiple vulnerabilities in Apache’s Log4j software library. Malicious cyber actors are actively scanning networks to potentially exploit CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.

This advisory expands on CISA’s previously published guidance, drafted in collaboration with industry members of CISA’s Joint Cyber Defense Collaborative (JCDC), by detailing recommended steps that vendors and organizations with information technology, operational technology/industrial control systems, and cloud assets should take to respond to these vulnerabilities.

CISA, FBI, NSA, the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) assess that exploitation of these vulnerabilities, especially Log4Shell, is likely to increase and continue over an extended period. CISA and its partners strongly urge all organizations to review AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities for detailed mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

Read More

Java Code Repository Riddled with Hidden Log4j Bugs; Here's Where to Look

 

Description

There’s an enormous amount of software vulnerable to the Log4j bug through Java software supply chains — and administrators and security pros likely don’t even know where to look for it.

About 17,000 Java packages in the Maven Central repository, the most significant collection of Java packages available to developers, are vulnerable to Log4j — and it will likely take “years” for it to be fixed across the ecosystem, according to Google security.

Following the CVE update that just Log4j-core was affected, eliminating vulnerable instances of the Log4j-api, Google Security determined that as of Dec. 19, more than 17,000 packages in Maven Central were vulnerable, about 4 percent of the entire repository. Of those, just 25 percent of the packages had updated versions available, Google added.

For comparison, the Google researchers explained in a Tuesday blog post that the average bug affects between 2 percent and less than .01 percent of such packages.

Sonatype, the organization which maintains Maven Central, has a dashboard that’s updated several times a day with the latest on Log4j and reported that since Dec. 10, more than 40 percent of the packages being downloaded were still vulnerable, totaling nearly 5 million downloads.

And those are new downloads that leave apps and projects open to Log4j attacks.

Start At the Deepest Point in Supply Chain and Work Up

Log4j is lurking in “dependencies” on flawed code, both direct and indirect, up and down the supply chain, Google explained.

“The majority of affected artifacts come from indirect dependencies (that is, the dependencies of one’s own dependencies), meaning Log4j is not explicitly defined as a dependency of the artifact, but gets pulled in as a transitive dependency,” the Google team said.

Making these unpatched Log4j versions even sneakier to track down is “how far down the software supply chain it’s typically deployed,” the analysts added.

“For greater than 80 percent of the packages, the vulnerability is more than one level deep, with a majority affected five levels down (and some as many as nine levels down),” the report warned. “These packages will require fixes throughout all parts of the tree, starting from the deepest dependencies first.”

Why Java Is Trickier Than Other Ecosystems

Adding another degree of difficulty to ferreting out the Log4j bugs is Java’s “soft” version requirements, according to Google.

“Propagating a fix often requires explicit action by the maintainers to update the dependency requirements to a patched version,” the Google researchers said. “This practice is in contrast to other ecosystems, such as npm, where it’s common for developers to specify open ranges for dependency requirements.”

In the face of these unique challenges, Google reported open-source maintainers and security teams have already made incredible efforts to patch systems. But there’s still a ton of work left to do before Log4j is in the industry’s rear view for good.

To help out, Google has pulled together a list of the 500 most-used and impacted Java code packages.

“We looked at all publicly disclosed critical advisories affecting Maven packages to get a sense of how quickly other vulnerabilities have been fully addressed,” the team said. “Less than half (48 percent) of the artifacts affected by a vulnerability have been fixed, so we might be in for a long wait, likely years.”

Read More

Two Active Directory Bugs Lead to Easy Windows Domain Takeover

 

Description

A proof-of-concept tool has been published that leverages two Windows Active Directory bugs fixed last month that, when chained, can allow easy Windows domain takeover.

In a Monday alert, Microsoft urged organizations to immediately patch the pair of bugs, tracked as CVE-2021-42287 and CVE-2021-42278, both of which were fixed in its November 2021 Patch Tuesday release.

Both vulnerabilities are described as a “Windows Active Directory domain service privilege-escalation” bugs and are of high severity, with a CVSS criticality score of 7.5 out of 10.

“As always, we strongly advise deploying the latest patches on the domain controllers as soon as possible,” Microsoft advised.

Bugs Give Attackers ‘Straight Path’ to Admin Privileges

The vulnerabilities allow attackers to easily jack up privileges to that of domain admin in unpatched Windows Active Directory domain services after impersonating a regular domain user, according to Microsoft’s advisory.

Domain administrators in Windows are users that can modify the configuration of Active Directory servers and can modify any content stored there. Domain admins can create new users, delete users and change their permissions; and can control authorization and authentication to Windows services.

“​When combining these two vulnerabilities, an attacker can create a straightforward path to a domain admin user in an Active Directory environment that hasn’t applied these new updates,” according to the security alert. “This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain.”

On Dec. 11, a proof-of-concept (PoC) tool to exploit the bugs was publicly released on Twitter and GitHub, just a few weeks after Patch Tuesday November 2021. Multiple security researchers confirmed that it works and that the exploit is easy.

Exploiting CVE-2021-42278 and CVE-2021-42287. From Standard AD User to a Domain Admin! (default configuration)https://t.co/feX2OBe5BJ pic.twitter.com/3tbYtOgEMW

— Hsm (@safe_buffer) December 11, 2021

How to Tell if Systems Have Been Compromised

Microsoft defines the exploit as SAM Name impersonation. Same Account Name (SAM) refers to the sAMAccountName attribute: a logon name used to support clients and servers from previous versions of Windows, such as Windows NT 4.0, Windows 95, Windows 98 and LAN Manager.

Microsoft’s research team published detailed guidance on detecting signs of exploitation and identifying compromised servers with a Defender for Identity advanced hunting query that sniffs out abnormal device name changes: changes that “should happen rarely to begin with,” it said. Defender for Identity is a cloud-based security tool that uses on-premises Active Directory signals to identify, detect and investigate advanced threats, compromised identities and malicious insider actions.

The query compares those name changes with a list of domain controllers in your environment, researchers said. “To investigate if these vulnerabilities might have been exploited in your environment before the hotfixes were deployed, we highly recommend you follow the step-by-step guide,” Microsoft recommended, providing these instructions:

1. The sAMAccountName change is based on event 4662. Please make sure to enable it on the domain controller to catch such activities. Learn more of how to do it here.
2. Open Microsoft 365 Defender and navigate to Advanced Hunting.
3. Copy the following query (which is also available in the Microsoft 365 Defender GitHub Advanced Hunting query):
   IdentityDirectoryEvents | where Timestamp > ago(1d) | where ActionType == “SAM Account Name changed” | extend FROMSAM = parse_json(AdditionalFields)[‘FROM SAM Account Name’] | extend TOSAM = parse_json(AdditionalFields)[‘TO SAM Account Name’] | where (FROMSAM has “$” and TOSAM !has “$”) or TOSAM in (“DC1”, “DC2”, “DC3”, “DC4”) // DC Names in the org | project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields
4. Replace the marked area with the naming convention of your domain controllers
5. Run the query and analyze the results which contains the affected devices. You can use Windows Event 4741 to find the creator of these machines, if they were newly created
6. We recommend investigating these compromised computers and determine that they haven’t been weaponized.
7. Make sure to update the devices with the following KBs: KB5008102, KB5008380, KB5008602.

“Our research team continues its effort in creating more ways to detect these vulnerabilities, either with queries or out-of-the-box detections,” Microsoft said.

Don’t Let the Log4j Noise Drown This One Out

The Log4j Apache logging library misery is sucking all the oxygen out of the room right now, but security experts said that organizations have to find time for dealing with these bugs. Securing Active Directory is crucial, given its pivotal role in account authorization and authentication and the horrific compromise that can result if vulnerabilities like these are exploited.

“Active Directory is typically the keys to the kingdom,” Tyler Shields, CMO at JupiterOne and a former Forrester Research analyst, told Threatpost via email on Tuesday. “Targeting the system that holds account authorization and authentication information can result in massive compromise of an enterprise. It’s one of the most commonly deployed account management systems on the planet and must be kept secure and up to date.”

John Bambenek, principal threat hunter at Netenrich, said that if an attacker gets domain admin privileges, they can “quite literally do almost anything they want to any machine in an organization with impunity.”

Ransomware operators, for example, would find these vulnerabilities interesting if they want to “ransom an entire organization at once,” Bambenek said. Using the PoC to install ransomware on every Windows machine in an organization “would be trivial,” he added.

AD is not only ubiquitous – it’s also constantly under siege by adversaries, noted Tim Wade, technical director, CTO team at AI-based cybersecurity firm Vectra. It’s “the preferred method of progress through an enterprise once an initial foothold has been achieved,” he told Threatpost via email.

A case in point: AD played a part in the SolarWinds attacks, when adversaries hit Active Directory Servers with the FoggyWeb backdoor. AD is, unfortunately, a nightmare to secure, as has been outlined by SpecterOps researchers who’ve tried to get the security community to think about the AD problem in terms of “misconfiguration debt”: as in, incremental misconfigurations that build up over time, such that attackers are virtually guaranteed to find an attack path to their objective on any network.

Don’t let these bugs add to that misconfiguration debt, experts said.

“These two bugs … [are] absolutely worth attention, given the direct line of sight between their presence and full domain compromise” Wade stressed. ” When it rains in information security, it seems to pour – but this isn’t something that network defenders should lose any time patching out of their environment.”

122121 12:54 UPDATE: Added input from Tyler Shields, John Bambenek and Tim Wade.

122121 14:23 UPDATE: Corrected misspelling of John Bambenek’s name.

Read More

Conti Ransomware Gang Has Full Log4Shell Attack Chain

 

Description

The Conti ransomware gang, which last week became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, has now built up a holistic attack chain.

The sophisticated Russia-based Conti group – which Palo Alto Networks has called “one of the most ruthless” of dozens of ransomware groups currently known to be active – was in the right place at the right time with the right tools when Log4Shell hit the scene 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a report shared with Threatpost on Thursday.

As of today, Monday, Dec. 20, the attack chain has taken the following form, AdvIntel’s Yelisey Boguslavskiy told Threatpost: Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> vCenter ESXi with log4shell scan for vCenter.

Attack Chain

Stepping through that attack chain:

1. Emotet is a botnet that resurfaced last month on the back of TrickBot, now with the ability to directly install …
2. Cobalt Strike, the legitimate, commercially available tool used by network penetration testers on infected devices and pervasively adopted by cybercriminals. It gives threat actors direct access to targets and, according to Boguslavskiy, precedes…
3. Human Exploitation, which describes the stage of an attack in which threat actors personally investigate the network, looking for critical data, analyzing the network structure, defining the most important network shares, and looking at ways to elevate privileges, among other things. That poking around is followed by …
4. Missing ADMIN$ share.Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. As Microsoft puts it, “Missing administrative shares typically indicate that the computer in question has been compromised by malicious software.” Next up comes …
5. Kerberoast.Kerberoasting, a common, pervasive attack that exploits a combination of weak encryption and poor service account password hygiene, is a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking. With regards to the final link in the attack chain, the Conti gang last week zeroed in on …
6. VMWare vCenter servers. As of Wednesday, Dec. 15, Conti was looking for vulnerable VMWare networks for initial access and lateral movement. The VMWare servers are on a dismayingly long list of affected components and vendors whose products have been found to be vulnerable to Log4Shell.

Within two days of the public disclosure of the vulnerability in Apache’s Log4j logging library on Dec. 10 – a bug that came under attack within hours – Conti group members were discussing how to exploit it as an initial attack vector, according to AdvIntel.

Apache patched the bug on Dec. 11, but its patch, Log4J2, was found to be incomplete in certain non-default configurations and paved the way for denial-of-service (DoS) attacks in certain scenarios.

As if two bugs aren’t enough, yet another, similar but distinct bug was discovered last week in the Log4J logging library. Apache issued a patch on Friday.

Conti Winds Up Its Exploit Machine

According to the Thursday AdvIntel writeup, from Vitali Kremez and Yelisey Boguslavskiy, multiple Conti group members on Dec. 12 began to chat about exploiting the Log4Shell vulnerability as an initial attack vector. That led to scanning for vulnerable systems that AdvIntel first tracked the next day, on Dec. 13.

“This is the first time this vulnerability entered the radar of a major ransomware group,” according to the writeup. The emphasis is on “major,” given that the first ransomware group to target Log4Shell was a ransomware newcomer named Khonsari. As Microsoft has reported, Khonsari was locking up Minecraft players via unofficial servers. First spotted by Bitdefender in Log4Shell attacks, the ransomware’s demand note lacked a way to contact the operators to pay a ransom. That means that Khonsari is more of a wiper, meant to troll Minecraft users by taking down their servers, rather than ransomware.

Khonsari ransomware was just one malware that’s been thrown at vulnerable servers over the course of the Log4j saga. Within hours of public disclosure of the flaw, attackers were scanning for vulnerable servers and unleashing quickly evolving attacks to drop coin-miners, Cobalt Strike, the Orcus remote access trojan (RAT). reverse bash shells for future attacks, Mirai and other botnets, and backdoors.

A Perfect Storm

Log4Shell has become a focal point for threat actors, including suspected nation state actors who’ve been observed investigating Log4j2, AdvIntel researchers noted. The compressed timeline of the public disclosure followed fast by threat actor interest and exploits exemplifies the accelerated trajectory of threats witnessed since the ProxLogon family of bugs in Exchange Server in March and the subsequent attacks, they said: “if one day a major CVE is spotted by APTs, the next week it is weaponized by ransomware,” according to their writeup.

But out of all the threat actors, Conti “plays a special role in today’s threat landscape, primarily due to its scale,” they explained. It’s a highly sophisticated organization, comprising several teams. AdvIntel estimates that, based on scrutiny of Conti’s logs, the Russian-speaking gang made over $150 million over the past six months.

But still they continue to expand, with Conti continually looking for new attack surfaces and methods.

AdvIntel listed a number of Conti’s innovations since August, including:

• Secret backdoors: Conti’s Atera Agent allows the gang to gain persistence on infected protected environments: especially those equipped with more aggressive machine learning endpoint detention and response anti-virus productions. “The IT management solution enables monitoring, management and automation of hundreds of SMB IT networks from a single console,” AdvIntel described in an August report.
• New backup removal solutions that expanded Conti’s ability to blow up backups.
• An entire operation to revive Emotet, which resurfaced in November.

The writeup shared a timeline of Conti’s search for new attack vectors, shown below.

Timeline of Conti’s search for new attack vectors. Source: AdvIntel.

Keeping Your Head Above the Logjam’s Water

AdvIntel shared these suggested recommendations and mitigations for Log4Shell:

• The Dutch National Cyber Security Center shared a list of the affected software and recommendations linked to each one of them on GitHub.
• Here are VMWare’s workaround instructions to address CVE-2021-44228 in vCenter Server and vCenter Cloud Gateway (87081).

When Will It All End?

Lou Steinberg, former chief technology officer at TD Ameritrade, said it ain’t over til it’s over, “And it’s not over.”

“We don’t know if we patched systems after they were compromised from Log4J, so it may be a while before we know how bad things are,” he said in an article shared with Threatpost on Monday. “This will happen again. Modern software and systems are built from components which aren’t always trustworthy. Worse, bad actors know this and look to subvert the components to create a way into otherwise trusted software.”

122121 10:25 Added more attack chain details provided by AdvIntel.

122121 13:00 Removed brute-force from the attack chain, given that, as AdvIntel explained, the brute-forcing of encrypted hashes carried out in these attacks is a different kind of brute-forcing than the typical definition of trying numerous credentials.

Read More

Third Log4J Bug Can Trigger DoS; Apache Issues Patch

 

Description

No, you’re not seeing triple: On Friday, Apache released yet another patch – version 2.17 – for yet another flaw in the ubiquitous log4j logging library, this time for a DoS bug.

Trouble comes in threes, and this is the third one for log4j. The latest bug isn’t a variant of the Log4Shell remote-code execution (RCE) bug that’s plagued IT teams since Dec. 10, coming under active attack worldwide within hours of its public disclosure, spawning even nastier mutations and leading to the potential for denial-of-service (DoS) in Apache’s initial patch.

It does have similarities, though: The new bug affects the same component as the Log4Shell bug. Both the Log4Shell, tracked as CVE-2021-44228 (criticality rating of CVSS 10.0) and the new bug, tracked as CVE-2021-45105 (CVSS score: 7.5) abuse attacker-controlled lookups in logged data.

The difference: The lookups in the new bug, CVE-2021-45105, are Context Map lookups instead of the Java Naming and Directory Interface (JNDI) lookups to an LDAP server that allow attackers to execute any code that’s returned in the Log4Shell vulnerability.

ContextMapLookup allows applications to store data in the Log4j ThreadContext Map and then retrieve the values in the Log4j configuration: For example, an app would store the current user’s login id in the ThreadContext Map with the key “loginId”.

The weakness has to do with improper input validation and uncontrolled recursion that can lead to DoS.

As explained by Guy Lederfein of the Trend Micro Research Team, “the Apache Log4j API supports variable substitution in lookups. However, a crafted variable can cause the application to crash due to uncontrolled recursive substitutions. An attacker with control over lookup commands (e.g., via the Thread Context Map) can craft a malicious lookup variable, which results in a Denial-of-Service (DoS) attack.”

The new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16, which Apache shipped last week to remediate the second flaw in the trio. That second bug was the RCE flaw CVE-2021-45046, which, in turn, stemmed from Apache’s incomplete fix for CVE-2021-44228, aka the Log4Shell vulnerability.

Lederfein continued: “When a nested variable is substituted by the StrSubstitutor class, it recursively calls the substitute() class. However, when the nested variable references the variable being replaced, the recursion is called with the same string. This leads to an infinite recursion and a DoS condition on the server. As an example, if the Pattern Layout contains a Context Lookup of ${ctx.apiversion}, and its assigned value is ${${ctx.apiversion}}, the variable will be recursively substituted with itself.”

The vulnerability has been tested and confirmed on Log4j versions up to and including 2.16, he said.

Apache has listed mitigating factors, but ZDI recommends upgrading to the latest version to ensure that the bug is completely addressed.

The latest bug and Apache’s new round of fixes are just the latest news in the ongoing, ever-shifting log4j situation. As exploits flood in, new vulnerabilities emerge and patches turn out to need patching, huge tech players such as SAP have been hurrying to hunt down the logging library and to release product patches.

CISA Mandates Immediate Patching

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Log4j vulnerabilities by Thursday, Dec. 23.

The risk presented by the library’s vulnerabilities is sky-high, as multiple threat actors have jumped on the opportunities to exploit vulnerable systems. As Check Point Research (CPR) highlighted last week, real-life attacks have included a crypto-mining group that launched attacks in five countries.

Last week, Microsoft reported that nation-state groups Phosphorus (Iran) and Hafnium (China), as well as unnamed APTs from North Korea and Turkey, are actively exploiting Log4Shell in targeted attacks. Hafnium is known for targeting Exchange servers with the ProxyLogon zero-days back in March, while Phosphorus – aka Charming Kitten, APT35, Ajax Security Team, NewsBeef and Newscaster – made headlines for targeting global summits and conferences in 2020.

CPR said that Charming Kitten had gone after seven Israeli targets as of Wednesday.

Conti Ransomware Gang Is Among the Attackers

The Conti ransomware gang is in on it too: AdvIntel researchers said last week that they’re seen Conti operators going after VMware vCenter.

“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4j 2 exploit,” the researchers said last week. “The criminals pursued targeting specific vulnerable Log4j 2 VMware vCenter [servers] for lateral movement directly from the compromised network resulting in vCenter access affecting U.S. and European victim networks from the pre-existent Cobalt Strike sessions.”

Last week, a ransomware attack that some suspect may be attributable to the Conti gang forced a family-run chain of restaurants, hotels and breweries, McMenamins, to shut down some operations.

The bugs are also being leveraged by botnets, remote access trojans (RATs), initial access brokers, and a new ransomware strain called Khonsari. As of Monday, CPR said that it’s seen more than 4.3 million attempted exploits, more than 46 percent of which were made by “known malicious groups.”

Yet More Sleepless Nights

Trend Micro’s Lederfein noted that the log4j component has had quite a run in the vulnerability spotlight, having received “quite a bit of attention” since the Log4Shell vulnerability was revealed 10 days ago. Expect more of the same, he predicted, as “it would not be a surprise to see further bugs disclosed – with or without a patch.”

Tom Garrubba, CISO with Shared Assessments, concurred: “This vulnerability has been keeping a lot of security professionals up at night,” he told Threatpost. This Javageddon has even percolated up to the C-suite, he said, with the vulnerability “keeping a lot of security professionals up at night.”

“Executives and board members are also gaining interest as to how this will affect them as well,” he said via email. “Log4j is used all throughout the Internet and [affects] multiple applications and systems with deep roots.”

“The best path you can take right now it’s a stay alert of all patches that are coming out to address this vulnerability and put them into place immediately,” Garrubba advised. “Sadly, it appears this is going to affect organization’s continuously into the future as they identify more items that are affected by this vulnerability.”

Read More

CVE-2021-45105

 

Description

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Read More

New Local Attack Vector Expands the Attack Surface of Log4j Vulnerability

 

Description

Cybersecurity researchers have discovered an entirely new attack vector that enables adversaries to exploit the Log4Shell vulnerability on servers locally by using a JavaScript WebSocket connection.

“This newly-discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability,” Matthew Warner, CTO of Blumira, said. “At this point, there is no proof of active exploitation. This vector significantly expands the attack surface and can impact services even running as localhost which were not exposed to any network.”

WebSockets allow for two-way communications between a web browser (or other client application) and a server, unlike HTTP, which is unidirectional where the client sends the request and the server sends the response.

While the issue can be resolved by updating all local development and internet-facing environments to Log4j 2.16.0, Apache on Friday rolled out version 2.17.0, which remediates a denial-of-service (DoS) vulnerability tracked as CVE-2021-45105 (CVSS score: 7.5), making it the third Log 4j2 flaw to come to light after CVE-2021-45046 and CVE-2021-44228.

The complete list of flaws discovered to date in the logging framework after the original Log4Shell remote code execution bug was disclosed is as follows —

• CVE-2021-44228 (CVSS score: 10.0) - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
• CVE-2021-45046 (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
• CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
• CVE-2021-4104 (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.0)

“We shouldn’t be surprised that additional vulnerabilities were discovered in Log4j given the additional specific focus on the library,” Jake Williams, CTO and co-founder of incident response firm BreachQuest, said. “Similar to Log4j, this summer the original PrintNightmare vulnerability disclosure led to the discovery of multiple additional distinct vulnerabilities. The discovery of additional vulnerabilities in Log4j shouldn’t cause concern about the security of log4j itself. If anything, Log4j is more secure because of the additional attention paid by researchers.”

The latest development comes as a number of threat actors have piled on the Log4j flaws to mount a variety of attacks, including ransomware infections involving the Russia-based Conti group and a new ransomware strain named Khonsari. What’s more, the Log4j remote code execution flaw has also opened the door to a third ransomware family known as TellYouThePass that’s being used in attacks against Windows and Linux devices, according to researchers from Sangfor and Curated Intel.

Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway

The easily exploited, ubiquitous vulnerability, aside from spawning as many as 60 variations, has presented a perfect window of opportunity for adversaries, with Romanian cybersecurity firm Bitdefender noting that more than 50% of the attacks are leveraging the Tor anonymity service to mask their true origins.

“In other words, threat actors exploiting Log4j are routing their attacks through machines that are closer to their intended targets and just because we don’t see countries commonly associated with cybersecurity threats at the top of the list does not mean that attacks did not originate there,” Martin Zugec, technical solutions director at Bitdefender, said.

According to telemetry data collected between December 11 and December 15, Germany and the U.S. alone accounted for 60% of all the exploitation attempts. The most common attack targets during the observation period were the U.S., Canada, the U.K., Romania, Germany, Australia, France, the Netherlands, Brazil, and Italy.

Google: Over 35,000 Java Packages Affected by the Log4j Flaw

The development also coincides with an analysis from Google’s Open Source Insights Team, which found that roughly 35,863 Java packages — accounting for over 8% of the Maven Central repository — use vulnerable versions of the Apache Log4j library. Of the affected artifacts, only around 7,000 packages have a direct dependency on Log4j.

“User’s lack of visibility into their dependencies and transitive dependencies has made patching difficult; it has also made it difficult to determine the full blast radius of this vulnerability,” Google’s James Wetter and Nicky Ringland said. But on the positive side of things, 2,620 of the impacted packages have already been fixed less than a week after disclosure.

“There will likely be some time before we understand the full fallout of the log4j vulnerability, but only because it’s embedded in so much software,” Williams said. “This has nothing to do with threat actor malware. It has to do with the difficulty in finding the myriad places the library is embedded. The vulnerability itself will provide initial access for threat actors who will later perform privilege escalation and lateral movement – that’s where the real risk is.”

Read More

Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability

 

Description

The issues with Log4j continued to stack up as the Apache Software Foundation (ASF) on Friday rolled out yet another patch — version 2.17.0 — for the widely used logging library that could be exploited by malicious actors to stage a denial-of-service (DoS) attack.

Tracked as CVE-2021-45105 (CVSS score: 7.5), the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0, which the open-source nonprofit shipped earlier this week to remediate a second flaw that could result in remote code execution (CVE-2021-45046), which, in turn, stemmed from an “incomplete” fix for CVE-2021-44228, otherwise called the Log4Shell vulnerability.

“Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups,” the ASF explained in a revised advisory. “When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process.”

Hideki Okamoto of Akamai Technologies and an anonymous vulnerability researcher have been credited with reporting the flaw. Log4j versions 1.x, however, are not affected by CVE-2021-45105.

It’s worth pointing out that the severity score of CVE-2021-45046, originally classified as a DoS bug, has since been revised from 3.7 to 9.0, to reflect the fact that an attacker could abuse the vulnerability to send a specially crafted string that leads to “information leak and remote code execution in some environments and local code execution in all environments,” corroborating a previous report from security researchers at Praetorian.

The project maintainers also noted that Log4j versions 1.x have reached end of life and are no longer supported, and that security flaws uncovered in the utility after August 2015 will not be fixed, urging users to upgrade to Log4j 2 to get the latest fixes.

The fixes are the latest in what’s a highly dynamic situation as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Apache Log4j vulnerabilities by December 23, 2021, citing that the weaknesses pose an “unacceptable risk.”

The development also comes as the Log4j flaws have emerged as a lucrative attack vector and a focal point for exploitation by multiple threat actors, including nation-backed hackers from the likes of China, Iran, North Korea, and Turkey as well as the Conti ransomware gang, to carry out an array of follow-on malicious activities. This marks the first time the vulnerability has come under the radar of a sophisticated crimeware cartel.

“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4j 2 exploit,” AdvIntel researchers said. “the criminals pursued targeting specific vulnerable Log4j 2 VMware vCenter [servers] for lateral movement directly from the compromised network resulting in vCenter access affecting U.S. and European victim networks from the pre-existent Cobalt Strike sessions.”

Among the others to leverage the bug are cryptocurrency miners, botnets, remote access trojans, initial access brokers, and a new ransomware strain called Khonsari. Israeli security firm Check Point said it recorded over 3.7 million exploitation attempts to date, with 46% of those intrusions made by known malicious groups.

Read More

Metasploit Wrap-Up

 

Description

Log4Shell - Log4j HTTP Scanner

Versions of Apache Log4j impacted by CVE-2021-44228 which allow JNDI features used in configuration, log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints.

This module will scan an HTTP endpoint for the Log4Shell vulnerability by injecting a format message that will trigger an LDAP connection to Metasploit. This module is a generic scanner and is only capable of identifying instances that are vulnerable via one of the pre-determined HTTP request injection points.

This module has been successfully tested with:

• Apache Solr
• Apache Struts2
• Spring Boot

Example usage:

msf6 > use auxiliary/scanner/http/log4shell_scanner 
msf6 auxiliary(scanner/http/log4shell_scanner) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 auxiliary(scanner/http/log4shell_scanner) > set SRVHOST 192.168.159.128
SRVHOST => 192.168.159.128
msf6 auxiliary(scanner/http/log4shell_scanner) > set RPORT 8080
RPORT => 8080
msf6 auxiliary(scanner/http/log4shell_scanner) > set TARGETURI /struts2-showcase/
TARGETURI => /struts2-showcase/
msf6 auxiliary(scanner/http/log4shell_scanner) > run
[*] Started service listener on 192.168.159.128:389 
[+] Log4Shell found via /struts2-showcase/%24%7bjndi%3aldap%3a%24%7b%3a%3a-/%7d/192.168.159.128%3a389/r7yol50kgg7be/%24%7bsys%3ajava.vendor%7d_%24%7bsys%3ajava.version%7d%7d/ (java: BellSoft_11.0.13)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/log4shell_scanner) >

For more details, please see the official Rapid7 Log4Shell CVE-2021-44228 analysis.

New module content (2)

• Log4Shell HTTP Scanner by Spencer McIntyre, which exploits CVE-2021-44228 - This module performs a generic scan of a given target for the Log4Shell vulnerability by injecting it into a series of Header fields as well as the URI path.
• WordPress WPS Hide Login Login Page Revealer by h00die and thalakus, which exploits CVE-2021-24917 - A new PR for CVE-2021-24917 was added, which is an information disclosure bug in WPS Hide Login WordPress plugin before 1.9.1. This vulnerability allows unauthenticated users to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php. Additionally, several WordPress modules were updated to more descriptively report which plugin they found as being vulnerable on a given target.

Enhancements and features

• #15842 from adfoster-r7 - Several libraries within the lib folder have now been updated to declare Meterpreter compatibility requirements, which will allow users to more easily determine when they are using a library that the current session does not support.
• #15936 from cmaruti - The wordlists for Tomcat Manager have been updated with new default usernames and passwords that can be used by various scanner and exploit modules when trying to find and exploit Tomcat Manager installations with default usernames and/or passwords.
• #15944 from sjanusz-r7 - Adds long form option names to the sessions command, for example sessions --upgrade 1
• #15965 from adfoster-r7 - Adds a TCP URI scheme for setting RHOSTS, which allows one to specify the username, password, and the port if it’s specified as a string such as tcp://user:a b c@example.com which would translate into the username user, password a b c, and host example.com on the default port used by the module in question.

Bugs fixed

• #15779 from k0pak4 - The code of lib/msf/core/auxiliary/report.rb has been improved to fix an error whereby the report_vuln() would crash if vuln was nil prior to calling framework.db.report_vuln_attempt(). This has been fixed by checking the value of vuln and raising a ValidationError if it’s set to nil.
• #15945 from zeroSteiner - This change fixes the Meterpreter > ls command, in the case where one of the files or folders within the listed folder was inaccessible.
• #15952 from sjanusz-r7 - This PR adds a fix for the creds -d command which crashed on some NTLM hashes.
• #15957 from sjanusz-r7 - A bug existed whereby a value was not correctly checked to ensure it was not nil prior to being used when saving credentials with Kiwi. This has been addressed by adding improved error checking and handling.
• #15963 from adfoster-r7 - A bug has been fixed that prevented users using Go 1.17 from being able to run Go modules within Metasploit. Additionally the boot process has been altered so that messages about modules not loading are now logged to disk so as to not confuse users about errors in modules that they don’t plan to use.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.19…6.1.20
• Full diff 6.1.19…6.1.20

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Read More

Brand-New Log4Shell Attack Vector Threatens Local Hosts

 

Description

Defenders will once again be busy beavers this weekend: There’s an alternative attack vector for the ubiquitous Log4j vulnerability, which relies on a basic Javascript WebSocket connection to trigger remote code-execution (RCE) on servers locally, via drive-by compromise.

In other words, an exploit can affect services running as localhost in internal systems that are not exposed to any network.

That’s according to researchers at Blumira, who noted that the discovery eviscerates the notion that Log4Shell attacks are limited to exposed vulnerable web servers.

“This newly discovered attack vector means that anyone with a vulnerable Log4j version can be exploited through the path of a listening server on their machine, or local network through browsing to a website, and triggering the vulnerability,” researchers said in a Friday note to Threatpost.

---

Check out all of our Log4Shell coverage:

• Relentless Log4j Attacks Include State Actors, Possible Worm
• What the Log4Shell Bug Means for SMBs: Experts Weigh In
• How to Buy Precious Patching Time as Log4j Exploits Fly (Podcast)
• Apache’s Fix for Log4Shell Can Lead to DoS Attacks
• Where the Latest Log4Shell Attacks Are Coming From
• Log4Shell Is Spawning Even Nastier Mutations
• SAP Kicks Log4Shell Vulnerability Out of 20 Apps
• Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack

---

This means there are several new malicious use cases for an exploit, beyond the now-well-documented ability to open a shell with a single line of code to drop malware on internet-facing web servers.

“[New use cases include everything] from malvertisting to creating watering holes for drive-by attacks,” said Matthew Warner, CTO and co-founder of Blumira, in a technical post.

Using WebSockets for Malicious Gain

WebSockets enables communication between a web browser and web applications, like chats and alerting on websites. They generally allow the browser to quickly send data back and forth to these types of apps, but they’re also used for host-fingerprinting and port-scanning.

Warner explained in his posting that WebSockets is also fraught with security risk.

“WebSockets are not restricted by same-origin policies like a normal cross-domain HTTP request,” he explained. “They expect the server itself to validate the origin of the request. While they are useful, they also introduce a fair amount of risk as they do not include many security controls to limit their utilization.”

In the Log4j case, an attacker would make malicious requests via WebSockets to a potentially vulnerable localhost or local network server. The targets don’t have to be exposed to the internet.

“WebSockets have previously been used for port-scanning internal systems, but this represents one of the first remote code execution exploits being relayed by WebSockets,” said Jake Williams, co-founder and CTO at BreachQuest, via email. “This shouldn’t change anyone’s position on vulnerability management though. Organizations should be pushing to patch quickly and mitigate by preventing outbound connections from potentially vulnerable services where patching is not an option.”

Local Attack Scenario for Log4Shell

Warner offered a detailed breakdown of his proof-of-concept (PoC) for the attack in the posting; below is a truncated explanation.

Step 1:From a watering-hole server with the affected Log4j2 vulnerability installed, an attacker would trigger a file path URL from the browser with a WebSocket connection. Blumira used a basic Javascript WebSocket connection in the PoC, but Warner noted that “this does not necessarily need to be localhost; WebSockets allow for connection to any IP and easily could iterate private IP space.”

Step 2: As the page loads, it will initiate a local WebSocket connection, connect to the vulnerable listening server, and connect out over an identified type of connection based on a Java Naming and Directory Interface (JNDI) connection string – a technique that’s similar to WebSockets’ localhost port-scanning used for fingerprinting hosts.

Step 3: Once the victim’s host connects to an open port to a local service or a service accessible to the host itself, an attacker can then drop an exploit string in path or parameters. “When this happens, the vulnerable host calls out to the exploit server, loads the attacker’s class, and executes it with java.exe as the parent process,” according to Warner.

Detection and Remediation

The bad news is that this also a stealthy approach, according to the analysis: “WebSocket connections within the host can be difficult to gain deep visibility into, which increases the complexity of detection for this attack.” That’s because WebSocket connections silently initiate when a webpage loads, with no direct control by the client itself. However, Warner noted that there are ways to get around this.

To detect a possible attack, Warner recommended looking for instances of “.*/java.exe” being used as the parent process for “cmd.exe/powershell.exe.”

“This is potentially very noisy,” Warner said.

And finally, organizations should also make sure they’re set up to detect the presence of Cobalt Strike, TrickBot and related common attacker tools.

To identify where Log4j is used within local environments, there are publicly available scanning scripts, researchers noted, to identify the libraries used locally. Here are two:

• Windows PoSh – https://github.com/N-able/ScriptsAndAutomationPolicies/blob/master/Vulnerability%20-%20CVE-2021-44228%20(Log4j)/get-log4jrcevulnerability.ps1
• Cross platform – https://github.com/hillu/local-log4j-vuln-scanner/releases

To mitigate the risk completely, organizations should update all local development efforts, internal applications and internet-facing environments to Log4j 2.16 ASAP, including any custom applications.

In the meantime, users can implement egress filtering, which can restrict the callback required for the actual exploit to land, and can use tools like NoScript Java-blocker on untrusted external sites to avoid Javascript triggering WebSocket connections.

“This news does mean that relying on web application firewalls, or other network defenses, is no longer an effective mitigation,” John Bambenek, principal threat hunter at Netenrich, said via email. “Patching remains the single most important step an organization can take.”

Read More