How Log4J Turned Into A Pandemic With Over 840,000 Attacks within 72 hours?

Photo by RoonZ nl on Unsplash

How Log4J Turned Into A Pandemic With Over 840,000 Attacks within 72 hours?

Daniel Kebbe's photo
Daniel Kebbe
·Jan 17, 2022·

10 min read

A vulnerability in Log4J allows an attacker to trigger an arbitrary code execution remotely if he has the ability to submit data to an application that uses the log4j library to log the event.

This attack can be performed without being authenticated, for example by taking advantage of an authentication page that logs authentication errors. Companies specializing in cybersecurity indicate that the number of attacks taking advantage of this flaw is increasing.

Members of the Apache Software Foundation have developed a disaster patch to fix log4j vulnerability , version 2.15.0. Workarounds are also possible to reduce the risks.

What is Apache Log4j? How severe is the flaw?

On December 9, a vulnerability was discovered in the Apache log4j logging library. This library is widely used in Java / J2EE application development projects as well as vendors of off-the-shelf software solutions based on Java / J2EE.

Log4j includes a search mechanism that could be used to perform queries through special syntax in a format string. For example, it can be used to request various parameters like the version of the Java environment via$ {java: version}, etc.

Then specifying the keyjndiin the string, the search mechanism uses the JNDI API. By default, all requests are made using the prefixjava: comp / env /*; however, the authors implemented the option to use a custom prefix using a colon symbol in the key. This is where the vulnerability lies: ifjndi: ldap: //is used as the key, the request goes to the specified LDAP server. Other communication protocols, such as LDAPS, DNS, and RMI, can also be used.

Thus, a remote server controlled by an attacker could send an object back to a vulnerable server, potentially leading to the execution of arbitrary code in the system or the leakage of confidential data. All an attacker has to do is send a special string via the mechanism which writes this string to a log file and is therefore managed by the Log4j library.

This can be done with simple HTTP requests, for example, those sent through web forms, data fields, etc., or with any other type of interactions using server-side logging.

The vulnerability was characterized by Tenable as "the most significant and critical vulnerability of the past decade".

Proof of concept has already been published. This vulnerability is now actively exploited.

The severity of the breach is maximum 10 on the CVSS scale.

Here is the list of affected systems:

Apache Log4j versions 2.0 to 2.14.1
Apache Log4j versions 1.x (obsolete versions) subject to special configuration.
Products using a vulnerable version of Apache Log4j: European national CERTs maintain a complete list of products and their vulnerability status.

CERT-FR recommends performing a thorough analysis of network logs. The following reasons can be used to identify an attempt to exploit this vulnerability when used in URLs or certain HTTP headers as user-agent:


1$ {jndi: 2$% 7Bjndi: (takes into account simple obfuscation)

However, attackers can use obfuscation means to bypass the previous detection patterns. The following reasons allow certain obfuscation methods to be taken into account but can cause false positives:


1$ {$ { 2$ {:: - 3% 24% 7B% 3A% 3A- 4$ {env: 5$ {date: 6$ {lower: 7$ {upper: 8hostName} 9} $ { 10$ {(generates a lot of false positives, but very exhaustive)

In order to determine if an exploit attempt was successful, and in the event that you have logs containing DNS queries, it is recommended that you correlate them with the results of the above reasons. Indeed, if the execution of a query of type$ {jndi: xxx:}worked, then DNS resolution will be performed to resolve the external domain name

The issuance of a DNS query can also be tracked in the application server logs. So, it may be useful to look for the com.sun.jndi.dns.DnsContext @ pattern in these logs. An external domain resolution does not mean that a successful code execution, but rather confirms that the application is vulnerable. It will therefore be necessary to continue analyzing the logs to detect a compromise.

It is strongly recommended to use version 2.15.0 of log4j as soon as possible. However, in case of difficulty migrating to this version, the workarounds below can be applied temporarily:

For applications using versions 2.7.0 and later of the log4j library, it is possible to guard against any attack by modifying the format of the events to be logged with the% m {nolookups} syntax for the data that would be provided by the user. This modification requires modifying the log4j configuration file to produce a new version of the application. This, therefore, requires performing the technical and functional validation steps again before the deployment of this new version.

For applications using versions 2.10.0 and later of the log4j library, it is also possible to guard against any attack by changing the configuration parameter log4j2.formatMsgNoLookups to true, for example when launching the Java virtual machine with the -Dlog4j2.formatMsgNoLookups = true option. Another alternative is to remove the JndiLookup class in the classpath parameter to eliminate the main attack vector (the researchers do not rule out the existence of another attack vector).

More than 840,000 attacks have been launched

According to researchers, hackers, including groups supported by the Chinese state but also by Russia, have launched more than 840,000 attacks against companies around the world since last Friday via this vulnerability.

Cybersecurity group Check Point said attacks related to the vulnerability had accelerated in the 72 hours since Friday, and at times its researchers were seeing more than 100 attacks per minute. The publisher also observed strong creativity in adapting the attack. Sometimes more than 60 new variations appear in less than 24 hours, introducing new obfuscation or coding techniques.

The perpetrators include "Chinese government attackers," according to Charles Carmakal, chief technology officer of cyber company Mandiant.

The Log4J flaw allows attackers to take remote control of computers running Java applications.

Jen Easterly, director of the U.S. Cyber ​​and Infrastructure Security Agency (CISA), told industry executives that the vulnerability was "one of the most severe I've seen in my entire career, if not the most serious ”, according to the American media. Hundreds of millions of devices are likely to be affected, she said.

Check Point said that in many cases hackers take over computers and use them to mine cryptocurrency or be part of botnets, with vast networks of computers that can be used to overwhelm websites. traffic, to send spam or for other illegal purposes.

For Kaspersky, most of the attacks come from Russia.

The UK's CISA and National Cyber ​​Security Center have now issued alerts urging organizations to make upgrades related to the Log4J vulnerability, as experts attempt to assess the fallout. Amazon, Apple, IBM, Microsoft and Cisco are among those rushing to release fixes, but no serious breaches have been publicly reported until

The vulnerability is the latest to hit corporate networks after vulnerabilities emerged over the past year in commonly used software from Microsoft and computer company SolarWinds. Both of these vulnerabilities were reportedly initially exploited by state-backed spy groups from China and Russia respectively.

According to Charles Carmakal, Chief Technology Officer of the cyber company Mandiant, the perpetrators include “Chinese government attackers”.

Almost half of all attacks have been carried out by known cyber attackers, according to Check Point. These included groups using Tsunami and Mirai, malware that turns devices into botnets, or networks used to launch remotely controlled hacks.

Such as denial of service attacks. It also included groups using XMRig, software that exploits the Monero digital currency.

"With this vulnerability, attackers gain almost unlimited power - they can extract sensitive data, upload files to the server, delete data, install ransomware, or pivot to other servers," said Nicholas Sciberras, head of engineering at Acunetix, vulnerability scanner. It was “surprisingly easy” to deploy an attack, he said, adding that the flaw would be “exploited for months to come”.

The source of the vulnerability is faulty code developed by volunteers from the nonprofit Apache Software Foundation, which runs several open-source projects, raising questions about the security of vital parts of the IT infrastructure. Log4J has been downloaded millions of times.

The flaw has gone unnoticed since 2013, experts say. Matthew Prince, CEO of HLC eRates Cloudflare, said she had begun to be actively operated from the 1 st of December, although there was no "evidence of mass exploitation prior to public disclosure" of 'Apache the following week.

For its part, Bitdefender has seen attempts to install ransomware called Khonsari and a backdoor called Orcus, made thanks to Log4Shell:

“While most of the attacks seen so far seem to target Linux servers, we have also seen attacks against systems running the Windows operating system. For these attacks, we detected the attempted deployment of a family of ransomware called Khonsari.

“This attempt to exploit the Log4j vulnerability uses the malicious hxxp: //3.145.115 [.] 94 / Main.class to download additional payload. On Sunday, December 11, Bitdefender observed this payload as a malicious .NET binary file download from hxxp: //3.145.115 [.] 94 / zambo / groenhuyzen.exe. This is a new family of ransomware, called Khonsari after the extension used on encrypted files.

“Once executed, the malicious file will list all drives and fully encrypt them except for the C: \ drive. On the C: \ drive, Khonsari will only encrypt the following folders *:

C: \ Users \ <user> \ Documents
C: \ Users \ <user> \ Videos
C: \ Users \ <user> \ Images
C: \ Users \ <user> \ Downloads
C: \ Users \ <user> \ Desktop

“Files with .ini and .lnk extensions are ignored. The algorithm used for the encryption is AES 128 CBC using PaddingMode.Zeros. After encryption, the .khonsari extension is added to each file”.

How are companies trying to solve the Log4J flaw?

Last week, Minecraft posted a blog post announcing that a vulnerability had been discovered in a version of its game, and quickly posted a fix. Other companies have taken similar steps.

IBM, Oracle, AWS, and Cloudflare have issued advisories to their customers, with some of them releasing security updates or outlining their plans for potential patches.

For the sake of transparency and to help reduce misinformation, CISA said it would create a public website with updates on software products affected by the vulnerability and how hackers exploited them.

The pressure is heavily on companies to act. For now, users should be sure to update their devices, programs, and apps when business advises in the coming days and weeks. The patch that fixes critical Log4J day 0 has its own vulnerability that is being exploited

Open-source developers quickly released an update that fixed the flaw and urged all users to install it immediately.

Now, researchers are reporting that there are at least two vulnerabilities in the patch, released as Log4J 2.15.0, and that attackers are actively exploiting one or both against real-world targets that have already applied the update. The researchers urge organizations to install a new patch, released as version 2.16.0, as soon as possible to correct the vulnerability, which is tracked as CVE-2021-45046.

Researchers said, the above solution was incomplete in certain non-default settings" and made it possible for attackers to perform denial of service attacks, which generally make it easy to completely disconnect vulnerable services until victims reboot. their servers or take other actions.

Researchers at security firm Praetorian said there is a more serious vulnerability in 2.15.0 - an information disclosure flaw that can be used to download data from affected servers.

Researchers at content delivery network Cloudflare, meanwhile, said Wednesday that CVE-2021-45046 is now under active exploitation. The company urged people to update to version 2.16.0 as soon as possible.

The Cloudflare post did not say if attackers are using the vulnerability only to conduct DoS attacks or if they are also exploiting it to steal data. Researchers at Cloudflare were not immediately available to clarify. Praetorian researchers were also not immediately available to say if they are aware of attacks in the wild exploiting the data exfiltration flaw.

They also did not provide additional details about the vulnerability because they did not want to provide information that would make it easier for hackers to exploit it.

A representative from the Apache Foundation, the group that runs Log4J, said they were investigating the Praetorian and Cloudflare reports. This story will be updated if new information is required.

If you need a full-proof solution then consult the WP Hacked Help team for more information.

Share this