‘Vaccine’ Released for Exploited Apache Zero-Day

Third Party Risk Management, Application Security, Business Continuity Management / Disaster Recovery

Researchers say Severity 10 vulnerability is exploited by access brokers

Prajeet Nair (@prajeetspeaks) •
December 11, 2021

Urgent application of an interim fix is advised, as advanced persistent threat actors and access brokers are now reported to be mass-scanning for a zero-day vulnerability in the Apache Log4j Java logging library, a flaw that can lead to a complete takeover of the server and leave countless applications exposed.


Cisco Talos researchers say they are seeing active exploitation by APT-level actors in their honeypot network and sensor telemetry, while cybersecurity company GreyNoise says a wide variety of uses for this exploit have already begun to emerge, ranging from mining on Minecraft servers to larger issues potentially affecting Apple iCloud.

However, on Friday night, security firm Cybereason said it had developed and released an urgent “vaccine” for the easily exploitable flaw. The flaw was first detected in the popular game Minecraft, but cloud applications, including widely used enterprise ones, also remain vulnerable, among them software, web applications, and products from Apple, Amazon, Cloudflare, Twitter, and Steam.

The unauthenticated remote code execution vulnerability – classified as severe and tracked as CVE-2021-44228, with a CVSS score of 10 – is actively exploited in the wild, and proof of concept code has been released, according to a New Zealand CERT notice on Friday (see: Critical Apache Log4j vulnerability threatens enterprise applications).

The advisory further stated that systems and services using the Apache Log4j Java logging library between versions 2.0 and 2.14.1 are vulnerable, including many applications and services written in Java.

Temporary Fix

Cybereason experts have released an urgent fix for the vulnerability, available on GitHub. Researchers say that exploiting the flaw is trivial and that an attacker can exploit the vulnerability by sending a malicious code string that is logged by Log4j. At this point, the exploit will allow the attacker to load arbitrary Java code and take control of the server.

The researchers recommend that affected systems apply the patches as soon as possible. However, Cybereason says that for systems that can’t be updated (or at least not immediately updated), they’ve found a way to disable the vulnerability.

“Logout4Shell is a vaccine to protect against exploits targeting the Log4Shell flaw. The patch uses the vulnerability itself to set the flag that disables it. Because the vulnerability is so easy to exploit and so pervasive, that’s one of the very few ways to shut it down in certain scenarios,” Cybereason researchers say. “You can shut down the vulnerability permanently by forcing the server to save a configuration file, but that’s a more difficult proposition. The easiest solution is to set up a server that will download and then run a class that changes the configuration of the server to not load things over.”

However, the researchers recommend that users update to the latest version immediately to permanently fix the vulnerability. This patch simply disables the vulnerability and allows users to stay protected while they assess and update their servers, the researchers said.

Jake Williams, a former member of the United States National Security Agency’s elite hacking team, told Information Security Media Group that this vulnerability is extremely serious: an RCE (remote code execution) vulnerability in a widely used library.

“It is difficult to apply patches, and since many organizations don’t even realize they have the vulnerable library, they might not be thinking about applying a patch. The Cybereason vaccine is pretty neat in that it prevents the exploitation of a vulnerable server until it is restarted by exploiting the vulnerability,” Williams, who is also chief technical officer of cybersecurity company BreachQuest, told ISMG. “The only problem with the vaccine is that some organizations may mistake it for a fix and not realize that they have to reapply it to the service on every reboot. Even in cases where organizations understand the need, they can still leave the vulnerable server exposed for some time between a restart and a new vaccine application.”

Tim Mackey, Senior Security Strategist at the Synopsys Cybersecurity Research Center, describes the implications of Apache Log4j being the way Java applications write their log information: “This means a very large number of applications are potentially impacted by CVE-2021-44228, and we’ve already seen reports of how easy it is to trigger the exploit. This is the worrying aspect of most zero-day vulnerabilities: they are easy to trigger and impact ubiquitous software. In this case, the exploit of CVE-2021-44228 may allow remote code execution, and while this is quite problematic, the reality is that there are likely other potential results of an exploit – we just haven’t seen or heard them reported. This is because vulnerability disclosure is not a one-time activity. Instead, the disclosure serves as a trigger for security researchers and attackers to identify other potential weaknesses in the impacted code.”

Mackey advises, “Protecting against exposure to CVE-2021-44228 begins with a basic piece of software supply chain risk management: Know the code that powers your business. If you are unsure which applications are running Java and have a vulnerable version of Log4j, you cannot guarantee that you have fixed everything. If you are relying on periodic software or configuration scans to determine if you are exposed to anything, then now is the time to start researching ongoing monitoring for software supply chain issues and possibly implementing automated penetration testing capabilities. After all, it’s always possible that a vulnerable version of something that should have been patched could be used elsewhere or by another vendor.”
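Knowing which deployed applications carry a vulnerable Log4j, as Mackey describes, is an inventory problem: the library is usually buried as a jar inside a war or ear rather than installed on its own. The following is an added example, not code from the article, from Cybereason or from any vendor quoted here. It walks a directory, opens every jar/war/ear it finds (recursing into nested archives), reads the Maven `pom.properties` that the `log4j-core` artifact ships, and flags versions in the 2.0 to 2.14.1 range the advisory names. The `pom.properties` path and the `JndiLookup` class name are standard Log4j artifact layout, not something the article states; treating a jar whose `JndiLookup.class` has been removed as mitigated goes beyond the article and reflects Apache's documented manual mitigation. All sample archives the code builds are constructed stand-ins, not the real library.

```python
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Range the advisory quoted in the article names as vulnerable: Log4j 2.0 through 2.14.1.
VULNERABLE_MIN, VULNERABLE_MAX = (2, 0, 0), (2, 14, 1)
# Maven writes this file into every log4j-core jar; its "version=" line gives the version.
POM_NAME = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class implementing the JNDI lookup; Apache's documented mitigation removes it from the jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

@dataclass
class Finding:
    path: str               # archive path; nested entries are joined with "!/"
    version: Optional[str]  # None when no pom.properties was present
    has_jndi_lookup: bool
    vulnerable: bool

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a non-numeric tail such as '-beta9' is dropped."""
    nums = [int(p) for p in re.split(r"[.\-]", text)[:3] if p.isdigit()]
    return tuple(nums + [0] * (3 - len(nums)))

def is_vulnerable_version(version: str) -> bool:
    return VULNERABLE_MIN <= parse_version(version) <= VULNERABLE_MAX

def version_from_pom(data: bytes) -> Optional[str]:
    for line in data.decode("utf-8", errors="replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def inspect_archive(blob: bytes, label: str, depth: int = 0, max_depth: int = 3) -> Iterator[Finding]:
    """Yield a Finding if this archive carries log4j-core, then recurse into archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return
    names = zf.namelist()
    pom = next((n for n in names if n.endswith(POM_NAME)), None)
    version = version_from_pom(zf.read(pom)) if pom else None
    has_jndi = any(n.endswith(JNDI_LOOKUP_CLASS) for n in names)
    if version is not None or has_jndi:
        # In-range version with the JNDI class present is vulnerable; class removed counts as
        # mitigated; an unversioned jar that still ships the class is flagged for manual review.
        vuln = has_jndi and (version is None or is_vulnerable_version(version))
        yield Finding(label, version, has_jndi, vuln)
    if depth < max_depth:
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from inspect_archive(zf.read(name), f"{label}!/{name}", depth + 1, max_depth)

def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree and inspect every archive found under it."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), full))
    return findings

def build_zip(entries: Dict[str, bytes]) -> bytes:
    """In-memory archive from {name: bytes}; constructed test data, not the real library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def sample_core_jar(version: Optional[str], include_jndi: bool) -> bytes:
    """Stand-in for a log4j-core jar holding only the two entries the scanner looks at."""
    entries: Dict[str, bytes] = {}
    if version:
        entries[POM_NAME] = f"artifactId=log4j-core\nversion={version}\n".encode()
    if include_jndi:
        entries[JNDI_LOOKUP_CLASS] = b"\xca\xfe\xba\xbe"  # placeholder bytes, not a real class file
    return build_zip(entries)

def demo() -> List[Finding]:
    """Write constructed archives into a temporary tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "lib"))
        samples = {
            "lib/log4j-core-2.14.1.jar": sample_core_jar("2.14.1", True),   # in range: vulnerable
            "lib/log4j-core-2.15.0.jar": sample_core_jar("2.15.0", True),   # above the range
            "lib/log4j-core-2.14.1-stripped.jar": sample_core_jar("2.14.1", False),  # class removed
            "app.war": build_zip({"WEB-INF/lib/log4j-core.jar": sample_core_jar("2.13.3", True)}),
        }
        for rel, blob in samples.items():
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(blob)
        return sorted(scan_tree(tmp), key=lambda f: f.path)
```

`demo()` exercises the scanner on the constructed tree; against a real host you would call `scan_tree("/opt/tomcat")` or similar and review every `Finding` whose `vulnerable` flag is set. The scanner only sees archives on disk, so a Log4j copy that an application downloads at startup, or one embedded in an unpacked class directory, needs a separate check; that gap is exactly the argument for the ongoing monitoring Mackey recommends rather than a one-off scan.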

Further Exploitation

On December 9, researchers at GreyNoise noticed that weaponized proof-of-concept exploits had begun to appear, leading to a rapid increase in scanning and public exploitation on December 10. Between 1200 EST and 1400 EST on December 10, 2021, GreyNoise observed a 5x increase in the number of hits per sensor related to the Log4Shell event.

Williams says he is not aware of any state actors using the vulnerability, but he says it is certainly being exploited by access brokers, many of whom sell access to ransomware operators. He says he has seen some RATs dropped, which will be used by access brokers, but he thinks it is too early for ransomware to be associated with it.

GreyNoise researchers also maintain an up-to-date list of all IP addresses that opportunistically scan the internet for, or attempt to exploit, CVE-2021-44228, as described in the tag summary in GreyNoise Visualizer.

VMware has also issued a Critical Security Advisory for its multiple products that use the open source Java Log4j logging component. The company has confirmed that attempts at exploitation have taken place in the wild.

So far, the company has published a list of more than 25 products that could be affected by this vulnerability. Products confirmed affected or currently under evaluation include VMware Horizon, VMware vCenter Server, VMware HCX, VMware NSX-T Data Center, Unified Access Gateway, Workspace ONE Access, Identity Manager, vRealize Operations, vRealize Operations Cloud Proxy and vRealize Log Insight, among others.

“A malicious actor with network access to an affected VMware product can exploit this problem to gain full control of the target system,” VMware explains.
