informa
5 min read
article

Attackers Exploit Log4j Flaws in Hands-on-Keyboard Attacks to Drop Reverse Shells

Microsoft says vulnerabilities present a "real and present" danger, citing high volume of scanning and attack activity targeting the widely used Apache logging framework.

Microsoft this week warned organizations about the high potential for threat actors to expand the use of the recently discovered remote code execution (RCE) vulnerabilities in the Apache Log4j logging framework to carry out a variety of attacks.

The company said its security researchers had observed a large amount of scanning activity and exploitation attempts targeting the flaws in the last weeks of December.

Many attack groups — including nation-state actors and ransomware groups—have added exploits for the vulnerabilities to their attack kits and are using them to establish reverse shells, drop remote access toolkits, and carry out hands-on-keyboard attacks on vulnerable systems. Backdoors and reverse shells that Microsoft has observed being deployed via the Log4j flaws include Bladabindi, HabitsRAT, Meterpreter, Cobalt Strike, and PowerShell.

"At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments," Microsoft's security group said Monday in an update to a blog entry the company first posted on Dec. 11. "Organizations may not realize their environments may already be compromised."

Apache Log4j is a widely used open source logging component that is present in almost every environment where a Java app is used. This includes Internet-facing servers, backend systems and network components, third-party applications, services that use those applications, in cloud environments, and in industrial controls systems and SCADA systems.

On Dec. 9, the Apache Software Foundation disclosed a critical RCE (CVE-2021-44228) vulnerability in the component that gave attackers a relatively trivial way to gain complete control of vulnerable systems. The disclosure prompted widespread concern and urgent warnings from security experts about the need for organizations to quickly update their Log4j version because of widespread scanning activity and exploit attempts. Less than a week after the first flaw was disclosed, the Apache Foundation disclosed a second flaw in Log4j (CVE-2021-45046) and then a few days later, a third one (CVE-2021-45105).

The widespread prevalence of the flaw — and the ease with which it can be exploited — has attracted the interest of a broad range of threat actors. In the weeks since the first flaw was disclosed, numerous vendors have reported observing ransomware operators; cryptocurrency miners; nation-state actors from countries including Iran, Turkey, and China; and others attempting to exploit the flaws. 

The advanced persistent threat (APT) actors that have been observed exploiting the flaws include the China-based Hafnium group that was responsible for carrying out zero-day attacks against the so-called ProxyLogon set of Exchange Server flaws last year. Other APT actors exploiting Log4j flaws include Phosphorous, an Iranian ransomware operator, and Aquatic Panda, a China-based actor that CrowdStrike thwarted in the middle of a targeted attack on a large academic organization a few days after the first flaw was disclosed.

In that attack, CrowdStrike's researchers observed, the threat actor attempted to execute Linux commands on the victim organization’s Windows host, says Param Singh, vice president of CrowdStrike's Falcon OverWatch threat-hunting service. When the attempts to execute Linux commands failed, the threat actor quickly shifted to using Windows native services or so-called living-off-the land binaries (LOLBins).

This behavior stood out to the OverWatch threat hunters, Singh says. "The quick maneuver and the change of tactics the threat actor used from Linux commands to leveraging Windows LOLBins is indicative of interactive hands-on-keyboard activity rather than an opportunistic scripted attack."

Widespread Scanning Activity Continues
According to Microsoft, scanning activity accounts for most of the attack traffic that it has observed so far. A lot of the activity appears to be from security researchers and red teams hunting for flaws on their networks. But among those scanning for the flaws are threat actors, including the operators of botnets like Mirai, those targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, and attackers looking to deploy the Tsunami backdoor on Linux systems.

In many of these campaigns, attackers are running concurrent scans for both vulnerable Windows systems and Linux systems. Attackers are using Base 64 commands included in JDNI:ldap:// to launch bash commands on Linux systems and PowerShell on Windows, Microsoft said.

Microsoft and numerous other security experts have urged organizations to deploy scanning tools and scripts to identify Log4j vulnerabilities in their environment. But because of the way Java-packing works, the vulnerability can be buried several layers deep within applications and not easily visible to scanners, security experts have said.

Rezilion, for instance, recently tested multiple open source and commercial scanning tools to see how effective they would be in detecting Java files where Log4j was nested and packed in various formats. Scanning tools that it tested included those from Google, Palantir, Aqua Security, Mergebase, and JFrog. The exercise showed that while some scanners were better than others, not one of them was able to detect Log4j in all the formats.

Since Rezilion's tests, JFrog and Mergebase have updated their tools, says Yotam Perkal, vulnerability research lead at Rezilion. 

"Mergebase added PAR format support, and JFrog added PAR and ZIP support, as well as improved their support for shaded JARs," he notes. "While it's hard to give a precise estimate, nesting/embedding is a common practice among developers and we see nested jars in most production environments, so the likelihood of undetected instances is high."