CTI Report Log4j2 / Log4shell

What is Log4j 2

Log4j2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback’s architecture.[1]

Log4j shell vulnerability; Security Vulnerability CVE-2021–44228

A 0-day exploit was released for log4j, a Java-based logging utility that’s part of the Apache logging services project. Many systems use it worldwide to process logs. [2]

Identified ATT&CK IDs [4] :

T1190 (Ver 2.3) : Exploit Public-Facing Application (technique), Initial access (tactic)

T1496 (Ver 1.2) : Resource Hijacking (technique), Impact (tactic)

T1059 (Ver 2.2): Command and Scripting Interpreter (technique), Execution (tactic)

Indicators of Compromise captured on Windows based system (As of Dec 13, 2021, 4:29:11 PM):

IPv4 addresses [4]:

(45).83.193.150 (LDAP)

(31).220.58.29(172).105.241.146

File Hashes (SHA256) [4] -

4c97321bcd291d2ca82c68b02cde465371083dace28502b7eb3a88558d7e190c *(pty3)

eb76b7fb22dd442ba7d5064dce4cec79e6db745ace7019b6dfe5642782bf8660 **(Exploit.class)

e8b2a8d0c3444c53f143d0b4ba87c23dd1b58b03fd0a6b1bcd6e8358e57807f1 #(xmrig.exe)8

c70e6f8edfca4be3ca0dc2cfac8fddd14804b7e1e3c496214d09c6798b4620c5 ##(s.cmd)

File Hashes (MD5) [4] -

ceb9a55eaa71101f86b14c6b296066c9 *(pty3)

f6e51ea341570c6e9e4c97aee082822b **(Exploit.class)

c717c47941c150f867ce6a62ed0d2d35 #(xmrig.exe) [8]

1718956642fbd382e9cde0c6034f0e21 ##(s.cmd)

*pty3 is mainly used as trojan/bot and in defence evasion, but also has been linked to crypto mining, Ransomware, Phishing, exploitation, spyware, adware, banking trojan.

** Exploit.class is PS — compiled Java class data, version 52.0 (Java 1.8)

#xmrig.exe is a trojan for crypto currency mining. They are deployed in the portable executable format (PEXE) PE32+ executable (console) x86–64 (stripped to external PDB), for Microsoft Windows [6] [8]

##s.cmd is a shell command written in PowerShell, it was used to create an instance of a Microsoft .NET Framework or COM object. (also discovered as output.174578011.txt)

Mitigation [2]

In version 2.12.2, Log4j disables access to JNDI by default. Usage of JNDI in configuration now need to be enabled explicitly. Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java. The message lookups feature has been completely removed.

In version 2.16.0, the message lookups feature has been removed. Lookups in configuration still work. Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly. Also, Log4j now limits the protocols by default to only java, LDAP, and LDAPS and limits the LDAP protocols to only accessing Java primitive objects. Hosts other than the local host need to be explicitly allowed.

Other recommended steps are to patch the vulnerability and check for any existing infection.

Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. [5]

References:

1. https://logging.apache.org/log4j/2.x/

2. danielmiessler.com

3. isc.sans.edu

4. OTX AlienVault

5. nvd.nist.gov

6. joesandbox.com

7. attack.mitre.org

8. virustotal.com

#threathunting #threatintelligence #artificialintelligence #vulnerabilityscanning