Security researchers are seeing widespread scanning for the vulnerability as malicious actors quickly jump on the Apache Log4j attack bandwagon. In response, CISA is on high alert and says it will actively maintain a community-sourced GitHub repository of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability, among other Log4j vulnerability guidance.
Log4j vulnerability explained
CISA said it is responding to active, widespread exploitation of a critical remote code execution (RCE) vulnerability in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as “Log4Shell” and “Logjam.”
Log4j is “very broadly used” in a variety of consumer and enterprise services, websites, and applications, as well as operational technology products, to log security and performance information, CISA said. The vulnerability allows an unauthenticated remote actor to potentially take control of an affected system.
The vulnerability appears in the action the Java Naming and Directory Interface (JNDI) takes to resolve variables, according to CISA. “Affected versions of Log4j contain JNDI features—such as message lookup substitution—that ‘do not protect against adversary-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints,’” according to the CVE-2021-44228 listing.
“An adversary can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity,” CISA said.
Log4j attacks spike quickly
Early reports show attacks spiking quickly. Check Point Research said it saw a “pandemic-like spread since the outbreak on Friday” and attacks rose to over 40,000 Saturday.
Twenty-four hours after the initial outbreak, Check Point recorded almost 200,000 attack attempts globally. As of Tuesday, Check Point recorded over 1,270,000 attempts, with over 46% of those attempts made by known malicious groups.
“We have so far seen an attempted exploit on almost 44% of corporate networks globally,” Check Point said.
CISA Director: one of the most serious ‘in my career’
CISA Director Jen Easterly said in a phone briefing Monday (via Cyberscoop) that the vulnerability “is one of the most serious I’ve seen in my entire career, if not the most serious.”
In response, CISA and its partners, through the Joint Cyber Defense Collaborative, are tracking and responding to active, widespread exploitation of the vulnerability.
CISA urges organizations to review its Apache Log4j Vulnerability Guidance webpage and upgrade to Log4j version 2.15.0, or apply the appropriate vendor recommended mitigations immediately. CISA will continue to update the webpage as additional information becomes available.
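As a starting point for the upgrade CISA urges, the following added example (not part of the original article or of CISA's guidance) checks a list of jar paths against the affected range the article gives, 2.0-beta9 to 2.14.1. It assumes jars keep the conventional log4j-core-<version>.jar file name; the sample paths are constructed.

```python
import re

# Affected range and upgrade target as stated in the article.
FIRST_AFFECTED, LAST_AFFECTED, UPGRADE_TARGET = "2.0-beta9", "2.14.1", "2.15.0"

# Assumption: jars keep the conventional log4j-core-<version>.jar file name.
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+(?:-(?:alpha|beta|rc)\d+)?)\.jar$")

# Pre-release builds sort before the final release with the same number.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3}


def version_key(version):
    """Map '2.0-beta9' to a tuple that compares in release order."""
    numbers, _, qualifier = version.partition("-")
    parts = [int(p) for p in numbers.split(".")]
    parts += [0] * (3 - len(parts))          # treat 2.0 as 2.0.0
    name, seq = re.fullmatch(r"([a-z]*)(\d*)", qualifier).groups()
    return (*parts[:3], QUALIFIER_RANK[name], int(seq or 0))


def is_affected(version):
    """True when version lies inside the affected range, bounds included."""
    return version_key(FIRST_AFFECTED) <= version_key(version) <= version_key(LAST_AFFECTED)


def triage(paths):
    """Return {path: (version, affected)} for every log4j-core jar in paths."""
    report = {}
    for path in paths:
        match = JAR_RE.search(path)
        if match:
            version = match.group(1)
            report[path] = (version, is_affected(version))
    return report


# Constructed sample inventory (for instance, the output of a file search for *.jar).
SAMPLE_PATHS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/srv/legacy/WEB-INF/lib/log4j-core-2.0-beta9.jar",
    "/srv/legacy/WEB-INF/lib/log4j-core-2.0-beta8.jar",
    "/opt/patched/lib/log4j-core-2.15.0.jar",
]

if __name__ == "__main__":
    for path, (version, affected) in triage(SAMPLE_PATHS).items():
        action = f"upgrade to {UPGRADE_TARGET}" if affected else "outside affected range"
        print(f"{path}: {version} -> {action}")
```

A file-name check like this misses copies of the library that are renamed or bundled inside other archives, so treat a clean result as a first pass and still consult the vendor advisories.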
Microsoft describes exploitation risk
A common pattern of exploitation risk is a web application with code designed to process usernames, referrer, or user-agent strings in logs, according to Microsoft. “These strings are provided as external input (e.g., a web app built with Apache Struts). An attacker can send a malformed username or set user-agent with the crafted exploit string hoping that this external input will be processed at some point by the vulnerable Log4j 2 code and trigger code execution,” Microsoft said.
Urgent action needed
CISA said it urges all organizations to review the latest CISA activity alert and upgrade to Log4j version 2.15.0, or apply their appropriate vendor recommended mitigations immediately.
“To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action,” CISA said.
Brute-forcing RDP (Remote Desktop Protocol) is becoming one of the most common attacks. In the past, these attacks were primarily used by sophisticated APT groups, but in 2021 they became much more accessible and are now being utilized by a wide variety of threat actors, including those with limited resources and minimal technical skills. Even script kiddies can use this attack vector.
This trend started before the pandemic but has accelerated significantly with the broad adoption of remote work, and we should expect it to accelerate in 2022 for a variety of reasons:
- An RDP compromise provides any threat actor with an open backdoor for a wide range of exploits, including ransomware attacks
- Misconfigured machines with open external RDP ports continue to be extremely common
- Many machines continue to use weak credentials, which are vulnerable to RDP attacks, and do not include additional security controls
- RDP access continues to be sold on the Dark Web as a commodity, dramatically increasing the pool of actors using these exploits