EXECUTIVE SUMMARY:

The impact of Log4j is no longer confined to vulnerable, exposed servers. Cyber security researchers have uncovered an alternative attack vector within the Log4j vulnerability.

The vector relies on a basic JavaScript WebSocket connection to trigger the remote code execution locally through drive-by compromise.

In other words, the discovery vastly expands the number of possible cyber attacks that can be conducted in relation to Log4j.

The previous understanding

Previously, experts perceived the impact of Log4j as limited to vulnerable servers. This new attack vector implies that anyone with a vulnerable Log4j version on a system or local private network can visit a website and potentially trigger the vulnerability. At present, malicious use of this capability has not been observed in the wild.

New malicious use cases

However, new malicious use cases may emerge at any moment, beyond the well-documented ability to open a shell via a single string of code in order to leave malware on internet-facing web servers. New use cases range from malvertising to watering holes for drive-by attacks.

Apache’s response

Apache has offered a third update in order to fix bugs in the Java-based logging library for open source applications. The bug is being tracked as CVE-2021-45105.

What to do now

Leaning on web application firewalls and other network-level defenses may not be enough to mitigate Log4j-related threats.

  • Patching is mission-critical.
  • Consider a review, update or new implementation of egress filtering, which can help ensure that callbacks largely aren’t successful.
  • Observe when .*/java.exe serves as the parent process for cmd.exe/powershell.exe.
  • Your host-based detection for Cobalt Strike, Trickbot and related common attacker tools must function well and provide a high degree of visibility.
  • Consider using a scanning script to identify where Log4j is used within environments.
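The parent-process check in the list above, written out as detection logic over constructed process-creation records (an added example, not code from the article; the key=value line format and the field names ParentImage/Image/CommandLine are assumptions modelled loosely on Sysmon Event ID 1, not a real log format):

```python
import re
from dataclasses import dataclass

# java.exe as the parent regardless of install path (the article's ".*/java.exe"),
# case-insensitive, either slash style; "notjava.exe" must not match.
JAVA_PARENT = re.compile(r"(?i)(?:^|[\\/])java\.exe$")
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe"}


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Last path component, normalised to lower case, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_java_spawning_shell(ev: ProcessEvent) -> bool:
    """True when java.exe is the parent of cmd.exe or powershell.exe."""
    return basename(ev.image) in SUSPECT_CHILDREN and bool(JAVA_PARENT.search(ev.parent_image))


def parse_event_line(line: str) -> ProcessEvent:
    # Constructed "Key=Value|Key=Value" record format (assumption, not Sysmon's real output).
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields.get("CommandLine", ""))


# Constructed sample records: two should fire, three should not.
SAMPLE_LOG = [
    r"ParentImage=C:\Program Files\Java\jdk-11\bin\java.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c echo probe",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe",
    r"ParentImage=D:\apps\tomcat\jre\bin\JAVA.EXE|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -NoProfile",
    r"ParentImage=C:\Program Files\Java\jdk-11\bin\java.exe|Image=C:\Program Files\Java\jdk-11\bin\javaw.exe|CommandLine=javaw.exe",
    r"ParentImage=C:\tools\notjava.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe",
]


def find_suspicious(lines):
    """Return the events where a Java process spawned a command shell."""
    return [ev for ev in map(parse_event_line, lines) if is_java_spawning_shell(ev)]


if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: {ev.parent_image} -> {ev.image} ({ev.command_line})")
```

Legitimate Java applications that shell out do exist, so treat a hit as a triage signal to be correlated with the egress-filtering logs from the previous bullet rather than as proof of exploitation.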

“Users’ lack of visibility into their dependencies and transitive dependencies has made patching difficult; it has also made it difficult to determine the full blast radius of this vulnerability,” stated members of Google’s Open Source Insights Team.

Experts contend that the disclosure of additional vulnerabilities connected to Log4j shouldn’t come as a surprise. This past summer, for example, the original PrintNightmare vulnerability resulted in the discovery of a small avalanche of additional distinctive vulnerabilities.

Active exploits

Approximately 50% of attackers weaponizing the Log4j vulnerabilities to conduct attacks disguise their identities via the Tor anonymity service. Initial telemetry data collected across a five-day window indicates that Germany and the US have experienced 60% of all Log4j exploitation attempts.

Last week, Microsoft stated that nation-state groups and unnamed APTs are working to actively exploit Log4Shell in targeted attacks. The majority of the hacks, thus far, have focused on hijacking computers to run bitcoin mining software, which enables hackers to turn a profit. In addition, state-backed actors have used Log4j in attempts to disrupt Israeli government and business targets.

For further information about Log4j, see CyberTalk’s Log4j guide, warning around ransomware and musings on whether or not the internet is on fire.

Lastly, to learn more about pressing issues in the cyber world, please join us at the premiere cyber security event of the year – CPX 360 2022. Register here.