Search This Blog

Showing posts with label Log4Shell. Show all posts

Rapid7 Researchers are Closely Monitoring Critical Bug in Apache Commons Text

 

A remote code execution vulnerability in the Apache Commons Text library has sparked comparisons with the ‘Log4Shell’ flaw that surfaced in the widely used open-source component Log4j last year.

Tracked as CVE-2022-42889, the Commons Text bug centers on an unsafe execution of the library’s variable interpolation functionality. The hacker can exploit the bug to trigger code execution when processing malicious input in the library’s default configuration. 

The Rapid7 researchers who discovered and reported the Commons Text flaw in March have downplayed its comparative effect. 

The susceptible StringSubstitutor interpolator is comparatively less utilized than the vulnerable string substitution in Log4j and the nature of such an interpolator means that getting crafted input to the vulnerable object is less likely than merely communicating with such a well-designed string as in Log4Shell. 

“The vulnerability has been compared to Log4Shell since it is an open-source library-level vulnerability that is likely to impact a wide variety of software applications that use the relevant object. However, initial analysis indicates that this is a bad comparison.” reads the technical published by Rapid7 researchers. “The nature of the vulnerability means that, unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input.” 

Apache’s security team also confirmed that the scope of the flaw is not as serious as Log4Shell, explaining that the string interpolation is a documented feature. 

“The vulnerability is indeed very similar. The Apache Commons Text code appears to be based on the Log4j code, as both of them enable interpolation of multiple Lookup sources. Log4j enabled JNDI lookups [while] Apache Commons Text and Apache Commons Configuration allow script lookups – both could lead to RCE. The impact is, therefore, very high," the researchers explained. 

Preventive measures 

The Apache Commons Text versions are 1.5 through 1.9, and all JDK versions, and has been fixed in version 1.10. However, it is still recommended that users should upgrade Apache Commons Text to 1.10.0, which disables the problematic interpolators by default. 

The users should install these patches as soon they become available, and prioritize anywhere the vendor indicates that their implementation may be remotely exploitable.

Cheerscrypt Spyware Attributed to Chinese APT Entity

The Emperor Dragonfly Chinese hacker group, notorious for frequently switching between several ransomware families to avoid detection, has been connected to the Cheerscrypt virus. 

The attacks were linked by the cybersecurity company Sygnia to a threat actor also dubbed Bronze Starlight and DEV-0401. The hacking gang seems to be a ransomware operation, but past research suggests that the Chinese government is interested in many of its victims.

Cheerscrypt is the most recent addition to a long range of ransomware families that the gang has previously used, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0 in a little over a year.

Recently, Sygnia researched a Cheerscrypt ransomware operation that utilized Night Sky ransomware TTPs. The attackers then dropped a Cobalt Strike beacon linked to a C2 address formerly tied to Night Sky operations. 

The code for the Babuk ransomware, which was exposed online in June 2021, was used to develop the Cheerscrypt ransomware family, which Trend Micro first analyzed in May 2022. Cheerscrypt is one of several ransomware families used by the APT organization. The DEV-0401 group, unlike other ransomware gangs, oversees every stage of the assault chain directly, from the first access to the data theft. It does not rely on a system of affiliates.

A significant Log4Shell vulnerability in Apache Log4j was utilized by hackers in January 2022 assaults to acquire initial access to VMware Horizon servers. They subsequently dropped a PowerShell payload that was used to send an encrypted Cobalt Strike beacon. Apart from the beacon, the hackers also sent three Go-based tools: a keylogger that sent keystrokes to Alibaba Cloud, a customized version of the internet proxy tool iox, and the tunneling program NPS.

Trend Micro initially identified Cheerscrypt in May 2022, highlighting its capacity to target VMware ESXi servers as a component of a tried-and-true strategy known as double extortion to force its victims into paying the ransom or risk having their data exposed.

The hackers break into networks, take information, and encrypt devices just like other ransomware groups that target businesses. The victim is then coerced into paying a ransom through double-extortion methods using the data. The stolen data is posted on a data leak website when a ransom is not paid.

A PowerShell payload that can deliver an encrypted Cobalt Strike beacon has been dropped on VMware Horizon servers by infection chains that have exploited the major Log4Shell vulnerability in the Apache Log4j library.

Cheerscrypt and Emperor Dragonfly share initial access vectors, and lateral movement strategies, including the use of DLL side-loading to distribute the encrypted Cobalt Strike beacon. Notably, the ransomware gang is acting as a 'lone wolf' separated from the rest of the cybercrime community rather than as a RaaS (Ransomware-as-a-Service) platform for affiliates.






Iranian Hackers Launch Cyberattack Against US and the UK 

 

Secureworks, a cybersecurity firm, has detected a new attack attributed to the Iranian hacker organization known as APT34 or Oilrig, which utilized custom-crafted tools to target a Jordanian diplomat. APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453 are advanced persistent threat (APT) actors known for targeting activists, government organizations, journalists, and other entities. 

A ransomware gang with an Iranian operational connection has been linked to a succession of file-encrypting malware operations targeting institutions in Israel, the United States, Europe, and Australia.

"Elements of Cobalt Mirage activities have been reported as Phosphorus and TunnelVision," Secureworks, which tracks the cyberespionage group, said today. "The group appears to have switched to financially motivated attacks, including the deployment of ransomware." 

The threat actor used recently obtained access to breach the network of a nonprofit organization in the United States in January 2022, where they built a web shell which was then used to drop further files, according to the researchers. 

The threat actor has seemingly carried out two types of intrusions, one of which involves opportunistic ransomware assaults using genuine tools like BitLocker and DiskCryptor for financial benefit. The second round of attacks is more focused, with the primary purpose of securing access and acquiring intelligence, with some ransomware thrown in for good measure.

Initial access routes are enabled by scanning internet-facing servers for web shells and exploiting them as a route to move laterally and activate the ransomware, which is vulnerable to widely reported holes in Fortinet appliances and Microsoft Exchange Servers. 

The spear-phishing email, which Fortinet discovered, was sent to a Jordanian diplomat and pretended to be from a government colleague, with the email address faked accordingly. The email included a malicious Excel attachment with VBA macro code that creates three files: a malicious binary, a configuration file, and a verified and clean DLL. The macro also adds a scheduled job that runs every four hours to provide the malicious application (update.exe) persistence. 

Another unique discovery concerns two anti-analysis methods used in the macro: the manipulating of sheet visibility in the spreadsheet and a check for the presence of a mouse, both of which may not be available on malware analysis sandbox services.

Secureworks detailed a January 2022 attack on an undisclosed US charity organization but said the exact means by which full volume encryption capability is triggered is unknown. In mid-March 2022, another attack aimed at a US local government network is thought to have used Log4Shell holes in the target's VMware Horizon architecture to perform reconnaissance and network scanning tasks. 

While the group has managed to breach a huge number of targets around the world, the security researchers believe that "their capacity to leverage on that access for financial gain or information collection is limited." Secureworks determines that the group's use of publicly available tools for ransomware activities proves that it is still a threat.

Log4Shell is Employed in 31% of Malware infections, Lacework Labs Identifies

 

In the latest cloud threat report by Lacework, it was disclosed that the infamous Log4Shell vulnerability was exploited as an initial infection vector in 31% of cases identified by Lacework researchers over the past six months. 

The software vendor’s report confirms that the Log4j vulnerability was abused extensively by malicious actors, as cybersecurity researchers had suspected when it emerged in December last year. 

According to Lacework Labs, it initially noticed a flood of requests with malicious payloads immediately after the Log4Shell bug was disclosed, these were the result mainly of researchers searching for the vulnerability. However, these were replaced by malign requests over time, as threat actors adopted publicly available proof-of-concept exploits. 

“Over time, we watched scanning activity evolve into more frequent attacks, including some that deployed crypto-miners and Distributed Denial of Service (DDoS) bots to affected systems,” it explained. In addition to improving their payloads, adversaries continued to adapt their exploitation methods to stay ahead of signature-based detections used by many types of security products.”

In addition to Log4j, multiple threat actors have also employed one backdoor in the ua-parser-js NPM package to secure access to Linux systems and launch the XMRig open-source miner. The original hacking group had managed to exploit the NPM developer’s account to deploy a malicious payload to the package. 

In fact, malicious actors increasingly favor NPM as a vector for attack. A report from Checkmarx this week claimed that attackers have simplified the process of designing new NPM accounts from which to distribute supply chain malware. 

“The attacker has fully automated the process of NPM account creation and has open dedicated accounts, one per package, making his new malicious packages much harder to spot,” it explained. At the time of writing, the threat actor ‘RED-LILI’ is still active at the time of writing and continues to publish malicious packages.” 

The researchers at Lacework Labs also investigated issues around compliance, compromised Docker APIs and malicious containers, and additional bugs within the software supply chain. Based on the findings of this report, researchers advised that defenders should evaluate security infrastructure against the industry's best practices and execute proactive defence and intelligence weapons with active bug monitoring.

Log4Shell Utilized for Crypto Mining and Botnet Creation

 

The serious problem in Apache's widely used Log4j project, known as Log4Shell, hasn't caused the calamity predicted, but it is still being exploited, primarily from cloud servers in the United States. Because it was reasonably straightforward to exploit and since the Java application logging library is implemented in many different services, the Log4Shell vulnerability was brought to attention as it raised concerns for being potentially abused by attackers. 

According to a Barracuda study, the targeting of Log4Shell has fluctuated over the last few months, but the frequency of exploitation attempts has remained pretty stable. Barracuda discovered the majority of exploitation attempts originated in the United States, followed by Japan, Central Europe, and Russia. 

Researchers discovered the Log4j version 2.14.1 in December 2021. Reportedly, all prior versions were vulnerable to CVE-2021-44228, also known as "Log4Shell," a significant zero-day remote code execution bug.

Log4j's creator, Apache, attempted to fix the problem by releasing version 2.15.0. However, the vulnerabilities and security flaws prolonged the patching race until the end of every year, when version 2.17.1 ultimately fixed all issues. 

Mirai malware infiltrates a botnet of remotely managed bots by targeting publicly outed network cameras, routers, and other devices. The threat actor can then use this botnet to launch DDoS assaults on a single target, exhausting its resources and disrupting any online services. The malicious actors behind these operations either rent vast botnet firepower to others or undertake DDoS attacks to extort money from businesses. Other payloads which have been discovered as a result of current Log4j exploitation include: 

  • Malware is known as BillGates (DDoS)
  • Kinsing is a term used to describe the act of (cryptominer) 
  • XMRig XMRig XMRig X (cryptominer) 
  • Muhstik Muhstik Muhstik (DDoS) 

The payloads range from harmless online jokes to crypto-mining software, which utilizes another person's computers to solve equations and earn the attacker cryptocurrency like Monero. 

The simplest method to protect oneself from these attacks is to update Log4j to version 2.17.1 or later, and to maintain all of the web apps up to date. Even if the bulk of threat actors lose interest, some will continue to target insecure Log4j deployments since the numbers are still significant. 

Security updates have been applied to valuable firms which were lucrative targets for ransomware assaults, but neglected systems running earlier versions are good targets for crypto mining and DDoS attacks.

Phishing Attack Emerges as a Primary Threat Vector in X-Force Threat Intelligence Index 2022

 

IBM published its tenth X-Force Threat Intelligence Index last week unveiling phishing attacks as the primary threat vector in the past year, with manufacturing emerging as the most targeted sector. IBM security analysts spotted a 33% surge in attacks caused by vulnerability exploitation of Log4Shell, a point of entry that malicious actors relied on more than any other to launch their assaults in 2021, representing the cause of 44% of ransomware attacks. 

The 2022 Threat Intelligence Index was compiled from billions of data points, ranging from network and endpoint detection devices, incident response engagements, phishing kits, and domain name tracking. It was revealed that threat actors employed phishing in 41% of attacks, surging from 2020 when it was responsible for 33% of attacks. Interestingly, click rates for the average targeted phishing campaign surged nearly three-fold, from 18% to 53% when phone phishing (vishing) was also employed by malicious actors. 

The X-Force report highlights the record-high number of vulnerabilities unearthed in 2021, including a vulnerability in the Kaseya monitoring software that was exploited by REvil in July, and the Log4j (or Log4Shell) vulnerability in Apache’s popular logging library. Cybercriminals from across the globe were so quick to exploit Log4j that it occupied the number two spot on the X-Force top 10 lists of most exploited vulnerabilities in 2021, despite only being discovered in December last year. The top vulnerability was a flaw in Microsoft Exchange that allowed attackers to bypass authentication to impersonate an administrator. 

Additionally in the UK, nearly 80% of users received a malicious call or text last year. To counter the threat, regulator Ofcom published new guidelines this week which will require more proactive work from operators to root out the use of spoofed numbers. 

“X-Force observed actors leveraging multiple known vulnerabilities, such as CVE-2021-35464 (a Java deserialization vulnerability) and CVE-2019-19781 (a Citrix path traversal flaw), to gain initial access to networks of interest. In addition, we observed threat actors leverage zero-day vulnerabilities in major attacks like the Kaseya ransomware attack and Microsoft Exchange Server incidents to access victim networks and devices,” researchers explained. 

To mitigate the risks, researchers advised organizations to update their vulnerability management system, identify security loopholes, and prioritize vulnerabilities based on the likelihood they will be abused.

Log4j Attack Target SolarWinds and ZyXEL

 

According to reports published by Microsoft and Akamai, cybercriminals are targeting SolarWinds devices with the Log4Shell vulnerability, and ZyXEL is known to use the Log4j library in their software.

Attacks have been reported on SolarWinds and ZyXEL devices using the log4j library, according to Microsoft and Akamai reports. CVE-2021-35247 has been assigned to the vulnerability, which has been paired with a zero-day in the SolarWinds Serv-U file-sharing service.

According to Microsoft's Threat Intelligence Center (MSTIC), the SolarWinds vulnerability, dubbed CVE-2021-35247, is a data validation hole that might allow attackers to compose a query based on some data and send it across the network without sanitizing. 

Jonathan Bar-Or, a Microsoft security researcher, is credited with identifying the flaw, which affects Serv-U versions 15.2.5 and earlier. In Serv-U version 15.3, SolarWinds patched the vulnerability. "A closer look helped discover the feed Serv-U data and it generates an LDAP query using the user unsanitized input!" he claimed. Not only might this be included in log4j attacks but it also is used for LDAP injection. 

SolarWinds claimed in its advisory, the Serv-U online log-in screen for LDAP authentication is  permitting symbols that are not appropriately sanitized and it had modified the input method "to do further validation and sanitization." The attacker cannot log in to Serv-U, according to a SolarWinds official, and the Microsoft researcher is referring to failed attempts because Serv-U doesn't use Log4J code. 

The unverified remote code execution (RCE) vulnerability in Log4j – identified as CVE-2021-44228 – has also been repurposed to infect and assist in the dissemination of malware used for the Mirai botnet by targeting Zyxel networking equipment, according to Akamai researchers. When researchers intended to access the Java payload class, the LDAP server in which the exploit was located was no longer active. It's claimed that Zyxel was particularly singled out since published an article claiming to have been hit by the log4j flaw. 

The scenario surrounding the Log4Shell breach has remained unchanged since last month, and threat actors looking to get access to corporate networks continue to target and exploit the vulnerability. Threat actors including ransomware gangs, nation-state cyber-espionage groups, crypto-mining gangs, initial access brokers, and DDoS botnets have all been reported to have exploited the vulnerability in the past. Although the Apache Software Foundation has issued patches for the Log4j library, threats against applications using it are likely to persist because not all of these apps have published a set of security updates, abandoning many systems vulnerable and creating a breeding soil for exploitation that will last for years.

Dridex Banking Malware is Now Being Installed Using a Log4j Vulnerability

 

The Log4j vulnerability is presently being leveraged to infect Windows devices with the Dridex Trojan and Linux devices with Meterpreter, according to Cryptolaemus, a cybersecurity research firm. Dridex, also known as Bugat and Cridex, is a type of malware that specializes in obtaining bank credentials through a system that uses Microsoft Word macros. This malware targets Windows users who open an email attachment in Word or Excel, enabling macros to activate and download Dridex, infecting the computer and potentially exposing the victim to banking theft.

The major objective of this software is to steal banking information from users of infected PCs in order to conduct fraudulent transactions. Bank information is used by the software to install a keyboard listener and conduct injection attacks. The theft perpetrated by this software was estimated to be worth £20 million in the United Kingdom and $10 million in the United States in 2015. Dridex infections have been linked to ransomware assaults carried out by the Evil Corp hacker gang. 

Log4j, an open-source logging library widely used by apps and services on the internet, was revealed to have a vulnerability. Attackers can breach into systems, steal passwords and logins, extract data, and infect networks with harmful software if they are not fixed. Log4j is widely used in software applications and internet services around the world, and exploiting the vulnerability needs no technical knowledge. As a result, Log4shell may be the most serious computer vulnerability in years. 

Threat actors use the Log4j RMI (Remote Method Invocation) exploit version, according to Joseph Roosen, to force vulnerable devices to load and execute a Java class from an attacker-controlled remote server. When the Java class is launched, it will first attempt to download and launch an HTA file from several URLs, which will install the Dridex trojan, according to BleepingComputer. If the Windows instructions cannot be executed, the device will be assumed to be running Linux/Unix and a Python script to install Meterpreter will be downloaded and executed. 

On Windows, the Java class will download and open an HTA file, resulting in the creation of a VBS file in the C:ProgramData folder. This VBS program is the primary downloader for Dridex and has previously been spotted in Dridex email campaigns. When run, the VBS code will examine numerous environment variables to determine whether or not the user is a member of a Windows domain. If the user is a domain member, the VBS code will download and run the Dridex DLL with Rundll32.exe.

Conti Ransomware Exploits Log4j Flaw to Hack VMware vCenter Servers

 

The critical Log4Shell exploit is being used by the Conti ransomware operation to obtain quick access to internal VMware vCenter Server instances and encrypt virtual machines. The group wasted no time in adopting the new attack vector, becoming the first "top-tier" operation to exploit the Log4j flaw. 

On December 9, a proof-of-concept (PoC) exploit for CVE-2021-44228, also known as Log4Shell, was made public. A day later, numerous actors began scanning the internet in search of vulnerable systems. Cryptocurrency miners, botnets, and a new ransomware strain called Khonsari were among the first to leverage the flaw. 

By December 15, state-backed hackers and initial access brokers, who sell network access to ransomware gangs, had joined the list of threat actors using Log4Shell. Conti, one of today's largest and most prolific ransomware groups with tens of full-time members, seems to have developed an early interest in Log4Shell, viewing it as a potential attack channel on Sunday, December 12. 

The group began seeking fresh victims the next day, with the intention of lateral migration to VMware vCenter networks, as per Advanced Intelligence (AdvIntel), a cybercrime and hostile disruption firm. Log4Shell has impacted dozens of vendors, who have rushed to patch their products or provide workarounds and mitigations for customers. VMware is one among them, with 40 products listed as vulnerable. 

While the firm has suggested mitigations or fixes, a patch for the affected vCenter versions has yet to be released. Although vCenter servers are not generally accessible to the internet, there are a few scenarios in which an attacker may exploit the flaw.

“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system and/or perform a denial of service attack” – Vmware 

Log4Shell to move laterally 

"This is the first time this vulnerability entered the radar of a major ransomware group," according to a report shared with BleepingComputer. 

“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J exploit” - AdvIntel 

While most defenders are aimed at stopping Log4Shell attacks on Internet-connected devices, the Conti ransomware operation demonstrates how the vulnerability can be leveraged to attack internal systems that aren't as well-protected. 

Conti ransomware affiliates had already invaded the target networks and exploited vulnerable Log4j machines to obtain access to vCenter servers, according to the researchers. This indicates that Conti ransomware members used a different initial access vector to infect a network (RDP, VPN, email phishing) and are now utilising Log4Shell to move laterally on the network. 

Conti, the successor to the notorious Ryuk ransomware, is a Russian-speaking group that has been in the ransomware business for a long time. Hundreds of attacks have been carried out by the group, with its data leak site alone reporting over 600 victim firms who did not pay a ransom. Other firms who paid the actor to have their data decrypted are also included. The group has extorted more than $150 million from its victims in the last six months, according to AdvIntel.