Log4j RCE activity began on December 1 as botnets start using vulnerability
The usage of the nasty vulnerability in the Java logging library Apache Log4j that allowed unauthenticated remote code execution could have kicked off as early as December 1.
“Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC,” Cloudflare CEO Matthew Prince said on Twitter.
“That suggests it was in the wild at least 9 days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.”
Cisco Talos said in a blog post that it observed activity for the vulnerability known as CVE-2021-44228 from December 2, and those looking for indicators of compromise should extend their searches to at least that far back.
Thanks to the ubiquity of the impacted library, Talos said it was seeing lead time from attackers doing mass scanning to callbacks occurring, and could be due to vulnerable but non-targeted systems — such as SIEMs and log collectors — being triggered by the exploit.
It added that the Mirai botnet was starting to use the vulnerability. Researchers at Netlab 360 said they had seen the Log4j vulnerability used to create Muhstik and Mirai botnets that went after Linux devices.
Over the weekend, vendors have been rushing to get patches out and document workarounds for affected products. The end results have been product matrices such as those from VMware and Cisco where some products have patches available, some have workarounds, and others remain vulnerable. Both vendors scored CVE-2021-44228 as a perfect 10.
The suggested workarounds typically either set the log4j2.formatMsgNoLookups flag to true, or remove the JndiLookup class from the classpath used by Java.
A Reddit post from NCC Group is being regularly updated, and shows how the exploit can be used to exfiltrate AWS secrets, as well as all manner of Java system properties.
One security researcher was able to trigger the exploit by going Little Bobby Tables on his iPhone name.
Sophos said it was seeing the vulnerability already being used by cryptominers.
On the more enjoyable front, a Minecraft mod developer was able to use the vulnerability to turn a Minecraft server into one that played Doom instead.
“For some context, this is an entirely vanilla client connecting to a modded server, which, through this exploit, is sending over and executing the code to run doom,” Gegy said.
Microsoft threat analyst Kevin Beaumont said defence in depth was “probably your best option”.
“To give a spoiler for Log4Shell, this is going to take weeks to play out to establish attack surface (it is large) and then maybe a month or more for patches to be made available,” he said.