Rudi Grace

Deadly Log4j Hole Expands Victim Vulnerability

Beware the Log4j vulnerability! This nasty software bug has much of the world in a panic as it follows us into the New Year.


No doubt, many organisations and SMBs with no IT staff do not even know about its existence. Ignorance of Log4j unfortunately only makes them more susceptible to an attack and they remain defenseless.


Log4j is a very common section of code that helps software applications keep track of their past activities. Code writers rely on this recurring code rather than reinvent the software wheel by creating more logging or record-keeping programs to duplicate the same functions.


Last month, cybersecurity experts found that when Log4j is asked to log a line of malicious code, it executes that code in the process. This lets bad actors take control of servers that are running Log4j.


That revelation put nearly every major software company in crisis mode. They searched their products to see if the Log4j vulnerability affected them and if so, how they could patch the hole.


Log4j has been around for nearly a decade. Think of it as your library of all things loggable. Java developers often use Log4j when they want to log that a person logged in, and may even use it to track access to applications.


Many businesses may not even know if they have used Log4j, which makes knowing the scope of the problem even more difficult. In order for them to find out, they would need a software engineer to go through the various systems to look for the usage and then look at the versions.


Back Door for Hackers

Think of a door lock used in a variety of security hardware installations in millions of locations around the world. Some of the door locks have the same part failure in a tiny sprocket that lets almost any key open the lock. Changing your own lock is an easy fix if you know about the potential failure and have the tools to do the replacement job.


Doing that worldwide is an insurmountable task. That concept is what makes the Log4j debacle so threatening. Software running Log4j code drives enterprise and consumer applications everywhere. Cloud storage companies that provide the digital backbone for millions of other apps also are affected.


Attack Vectors Widening

Hackers are now fully aware of the Log4j vulnerability. Cybersecurity hunters are seeing numerous cases where bad guys are expanding what they can do with their attacks.


The Blumira research team recently discovered an alternative attack vector in the Log4j vulnerability that relies on a basic JavaScript WebSocket connection to trigger the remote code execution (RCE) vulnerability locally via drive-by compromise. That discovery worsens the vulnerability situation.


One early assumption by cybersecurity experts was that the impact of Log4j was limited to exposed vulnerable servers. This newly discovered attack vector means that anyone with a vulnerable Log4j version can be exploited through a listening server on their machine or local network, simply by browsing to a website that triggers the vulnerability.


Organisations should be pushing to patch quickly and mitigate by preventing outbound connections from potentially vulnerable services where patching is not an option.

While this is significant, attackers will likely favor the remote exploit over the local one. That being said, this news does mean that relying on a WAF or other network defenses is no longer an effective mitigation. Patching remains the single most important step an organisation can take.


Log4Shell Vulnerability

The Log4j vulnerability, dubbed Log4Shell, already provides a relatively easy exploit path for threat actors. It does not require authentication to take full control of web servers.


Using this vulnerability, attackers can call external Java libraries and drop shells to deploy the RCE attack without additional effort. This new attack vector expands the attack surface for Log4j even further and can impact even services running on localhost that were not exposed to any network.


Log4j Linked to Dridex, Meterpreter

Log4Shell is yet another infection path that researchers recently discovered being used to install the notorious Dridex banking trojan or Meterpreter on vulnerable devices, according to a Bleeping Computer report.


Dridex malware is a banking trojan first developed to steal online banking credentials. It evolved into a loader that downloads various modules to perform tasks such as installing additional payloads, spreading to other devices, and taking screenshots.

Dridex is primarily used to execute Windows commands; if it lands on a non-Windows machine, it instead downloads and executes a Python script for Linux/Unix to install Meterpreter.


Meterpreter, a Metasploit attack payload, is deployed using in-memory DLL injection, so it resides in memory and writes nothing to disk. It provides an interactive shell an attacker uses to explore the target machine and execute code.


The Log4j vulnerability is the most serious vulnerability in decades, and cybersecurity experts warn that it is the biggest software hole ever in terms of the number of services, sites, and devices exposed.
