INTRODUCTION
Log4Shell vulnerability (CVE-2021-44228) impacts multiple versions of a
widely distributed Java software component, Apache Log4j 2. The vulnerability exists in the way the Java Naming and Directory Interface (JNDI) feature resolves variables and allows a remote attacker to execute arbitrary code on the target system.
Apache Log4j2 <2.15, JNDI enables attackers to call external java libraries
(jndi:ldap, jndi:rmi) which in turn allows the execution of remote commands in the environment.
A remote attacker can send a specially crafted request to the application and execute arbitrary code on the target system. Successful exploitation of this vulnerability may result in the complete compromise of a vulnerable system.
Threat actors have already begin actively exploiting this vulnerability in the
wild.
VULNERABLE PRODUCT
The vulnerability impacts all versions of Apache Log4j2 from 2.0-beta9
to 2.14.1
BUSINESS IMPACT
Successful exploitation of the vulnerability would allow a remote
unauthenticated attacker to execute arbitrary code, a complete takeover of
unpatched devices and deploy further malicious payload to execute
ransomware like disruptive attacks.
REMEDIATION
1. Ensure to patch log4j to 2.15.0 and above.
2. For systems that can’t be updated (or at least not updated immediately)
apply Logout4Shell vaccine to protect against exploits targeting the
Log4Shell flaw.
3. Use commands & YARA rules to search for exploitation attempts
against log4j RCE vulnerability CVE-2021-44228.
4. Test your apps for log4shell vulnerability.
MITIGATIONS
1. In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable
LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
2. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class.
NOTE: Additionally, if the server has Java runtimes >= 8u121, then by default, the settings com.sun.jndi.rmi.object.trustURLCodebase and
com.sun.jndi.cosnaming.object.trustURLCodebase are set to “false”, mitigating this risk.
3. Put a WAF or Proxy in front of the vulnerable Java app and block access toconnections containing “jndi:ldap” and “jndi:dns” in the request or user-agent strings.
DETECTION
1. Search logs for the presence of jndi:ldap, jndi:ldaps: jndi:dns:jndirmi
– Log4j RCE CVE-2021-44228 Exploitation Detection · GitHub
2. Logs can be scanned by using GitHub – Neo23x0/log4shell-detector:
Detector for Log4Shell exploitation attempts
HASH (SHA-256)
IP’s
| 109[.]237[.]96[.]124 | 62[.]102[.]148[.]69 | 185[.]220[.]100[.]244 | 185[.]220[.]101[.]142 | 193[.]189[.]100[.]203 | 147[.]182[.]169[.]254 |
| 185[.]100[.]87[.]202 | 72[.]223[.]168[.]73 | 185[.]220[.]100[.]245 | 185[.]220[.]101[.]143 | 193[.]218[.]118[.]231 | 147[.]182[.]219[.]9 |
| 213[.]164[.]204[.]146 | 81[.]17[.]18[.]60 | 185[.]220[.]100[.]246 | 185[.]220[.]101[.]145 | 194[.]48[.]199[.]78 | 151[.]115[.]60[.]113 |
| 185[.]220[.]101[.]146 | 104[.]244[.]72[.]115 | 185[.]220[.]100[.]247 | 185[.]220[.]101[.]147 | 195[.]176[.]3[.]24 | 159[.]65[.]58[.]66 |
| 171[.]25[.]193[.]20 | 104[.]244[.]74[.]57 | 185[.]220[.]100[.]248 | 185[.]220[.]101[.]148 | 195[.]254[.]135[.]76 | 159[.]65[.]155[.]208 |
| 178[.]17[.]171[.]102 | 104[.]244[.]74[.]211 | 185[.]220[.]100[.]249 | 185[.]220[.]101[.]149 | 198[.]98[.]51[.]189 | 164[.]90[.]199[.]216 |
| 45[.]155[.]205[.]233 | 104[.]244[.]76[.]170 | 185[.]220[.]100[.]252 | 185[.]220[.]101[.]153 | 199[.]195[.]250[.]77 | 167[.]99[.]164[.]201 |
| 171[.]25[.]193[.]25 | 107[.]189[.]1[.]160 | 185[.]220[.]100[.]253 | 185[.]220[.]101[.]156 | 204[.]8[.]156[.]142 | 167[.]99[.]172[.]58 |
| 171[.]25[.]193[.]77 | 107[.]189[.]1[.]178 | 185[.]220[.]100[.]254 | 185[.]220[.]101[.]157 | 205[.]185[.]117[.]149 | 167[.]99[.]172[.]213 |
| 171[.]25[.]193[.]78 | 107[.]189[.]12[.]135 | 185[.]220[.]100[.]255 | 185[.]220[.]101[.]158 | 209[.]127[.]17[.]242 | 185[.]220[.]100[.]241 |
| 185[.]220[.]100[.]242 | 107[.]189[.]14[.]98 | 185[.]220[.]101[.]33 | 185[.]220[.]101[.]161 | 209[.]141[.]41[.]103 | 185[.]220[.]101[.]37 |
| 185[.]220[.]101[.]39 | 122[.]161[.]50[.]23 | 185[.]220[.]101[.]34 | 185[.]220[.]101[.]163 | 45[.]153[.]160[.]131 | 185[.]220[.]101[.]41 |
| 18[.]27[.]197[.]252 | 171[.]25[.]193[.]20 | 185[.]220[.]101[.]35 | 185[.]220[.]101[.]168 | 45[.]153[.]160[.]138 | 185[.]220[.]101[.]57 |
| 89[.]234[.]182[.]139 | 171[.]25[.]193[.]25 | 185[.]220[.]101[.]36 | 185[.]220[.]101[.]169 | 62[.]76[.]41[.]46 | 185[.]220[.]101[.]134 |
| 104[.]244[.]79[.]6 | 171[.]25[.]193[.]77 | 185[.]220[.]101[.]42 | 185[.]220[.]101[.]172 | 68[.]183[.]44[.]143 | 185[.]220[.]101[.]144 |
| 18[.]27[.]197[.]252 | 171[.]25[.]193[.]78 | 185[.]220[.]101[.]43 | 185[.]220[.]101[.]175 | 68[.]183[.]198[.]247 | 185[.]220[.]101[.]154 |
| 23[.]129[.]64[.]131 | 178[.]62[.]79[.]49 | 185[.]220[.]101[.]45 | 185[.]220[.]101[.]177 | 88[.]80[.]20[.]86 | 185[.]220[.]101[.]160 |
| 23[.]129[.]64[.]141 | 181[.]214[.]39[.]2 | 185[.]220[.]101[.]46 | 185[.]220[.]101[.]179 | 109[.]70[.]100[.]34 | 185[.]220[.]101[.]171 |
| 23[.]129[.]64[.]146 | 185[.]38[.]175[.]132 | 185[.]220[.]101[.]49 | 185[.]220[.]101[.]180 | 109[.]237[.]96[.]124 | 185[.]220[.]101[.]186 |
| 23[.]129[.]64[.]148 | 185[.]83[.]214[.]69 | 185[.]220[.]101[.]54 | 185[.]220[.]101[.]181 | 116[.]24[.]67[.]213 | 185[.]220[.]102[.]249 |
| 45[.]12[.]134[.]108 | 185[.]100[.]87[.]41 | 185[.]220[.]101[.]55 | 185[.]220[.]101[.]182 | 134[.]122[.]34[.]28 | 188[.]166[.]48[.]55 |
| 45[.]155[.]205[.]233 | 185[.]100[.]87[.]202 | 185[.]220[.]101[.]56 | 185[.]220[.]101[.]185 | 137[.]184[.]102[.]82 | 188[.]166[.]92[.]228 |
| 46[.]166[.]139[.]111 | 185[.]107[.]47[.]171 | 185[.]220[.]101[.]61 | 185[.]220[.]101[.]189 | 137[.]184[.]106[.]119 | 188[.]166[.]122[.]43 |
| 46[.]182[.]21[.]248 | 185[.]129[.]61[.]1 | 185[.]220[.]101[.]129 | 185[.]220[.]101[.]191 | 142[.]93[.]34[.]250 | 193[.]189[.]100[.]195 |
| 51[.]15[.]43[.]205 | 185[.]220[.]100[.]240 | 185[.]220[.]101[.]138 | 185[.]220[.]102[.]8 | 143[.]198[.]32[.]72 | 193[.]218[.]118[.]183 |
| 51[.]255[.]106[.]85 | 185[.]220[.]100[.]242 | 185[.]220[.]101[.]139 | 185[.]220[.]102[.]242 | 143[.]198[.]45[.]117 | 195[.]19[.]192[.]26 |
| 54[.]173[.]99[.]121 | 185[.]220[.]100[.]243 | 185[.]220[.]101[.]141 | 193[.]31[.]24[.]154 | 147[.]182[.]167[.]165 | 212[.]193[.]57[.]225 |
URL’s
| http[:]//62.210.130.250/lh.sh | http[:]//18.228.7.109/.log/pty4; |
| http[:]//62.210.130.250[:]80/web/admin/x86_64 | http[:]//18.228.7.109/.log/pty5; |
| http[:]//62.210.130.250[:]80/web/admin/x86 | http[:]//210.141.105.67[:]80/wpcontent/themes/twentythirteen/m8 |
| http[:]//62.210.130.250[:]80/web/admin/x86_g | http[:]//159.89.182.117/wp-content/themes/twentyseventeen/ldm |
| http[:]//45.130.229.168[:]9999/Exploit.class | hxxp[:]//45.137.155[.]55/ex[.]sh |
| http[:]//18.228.7.109/.log/log | hxxp[:]//45.137.155[.]55/kinsing |
| http[:]//18.228.7.109/.log/pty1; | hxxp[:]//80.71.158[.]12/libsystem.so |
| http[:]//18.228.7.109/.log/pty2; | hxxp[:]//80.71.158[.]12/kinsing |
| http[:]//18.228.7.109/.log/pty3; | hxxp[:]//80.71.158[.]12/Exploit69ogQNSQYz.class |
DOMAINS
nazi[.]uy
log[.]exposedbotnets[.]ru
REFERENCES
• New zero-day exploit for Log4j Java library is an enterprise nightmare
• Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack
• Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild
• Log4Shell Explained
Nandeesha Basavaraj is a key member of the MDR Threat Intelligence team at Network Intelligence. He has experience in both SOC and Threat Intelligence. He is passionate about investigating cyber threats, threat actors’ motives, targets, attack behaviours and does threat hunting in his spare time. Apart from the work field, he enjoys playing cricket and badminton.