Already Compromised by Apache Log4j? Check Before You PatchMuhstik, Mirai Botnets Now Exploiting Flaw, Attempts Made to Install Coin Miners
Multiple security researchers have now spotted several instances of threat actors exploiting the Apache Log4j vulnerability by deploying malwares including Muhstik and Mirai botnets or by scanning for vulnerable servers. Responders are advised to check for compromise before they implement fixes.
The vulnerability, tracked as CVE-2021-44228 and detected in the Java logging library Apache Log4j, can result in full server takeover and leaves countless applications vulnerable. The component is used to log events and is part of tens of thousands of deployed applications and cloud-based services. It has a 10 severity rating on a scale of 1 to 10, as attackers can remotely exploit it without any input from the victim, and it requires limited technical ability to deploy.
The Apache Software Foundation issued an emergency patch, Log4j 2.15.0, which is now available, but many experts advise users to upgrade as soon as possible to the latest version.
Malware research organization vx-underground on Monday shared a list of malware abusing the Apache Log4j vulnerability, including -Unknown PS script, Elknot, M8220, SitesLoader, XMRig, Mirai, Kinsing and Muhstik.
We've updated the vx-underground Malware Sample collection. It is, unsurprisingly, more malware abusing the LOG4J exploit.— vx-underground (@vxunderground) December 13, 2021
-Unknown PS script
Download the samples here: https://t.co/xvJa5yJKws pic.twitter.com/ThsmHGNUy3
Security researchers also say there is evidence that a worm will be developed soon that will self-propagate with the ability to stand up a self-hosted server on compromised endpoints. The worm will spray traffic, drop payloads and have a command-and-control center, they say.
#Log4J based on what I've seen, there is evidence that a worm will be developed for this in the next 24 to 48 hours.— Greg Linares (@Laughing_Mantis) December 12, 2021
Self propagating with the ability to stand up a self hosted server on compromised endpoints.
In addition to spraying traffic, dropping files, it will have c2c
"Sophos has detected hundreds of thousands of attempts to remotely execute code using the Log4Shell vulnerability. Initially, these were Proof-of-Concept (PoC) exploit tests by security researchers and potential attackers, among others, as well as many online scans for the vulnerability. This was quickly followed by attempts to install coin miners, including the Kinsing miner botnet," says Sean Gallagher, senior threat researcher at Sophos. "The most recent intelligence suggest attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Service accounts."
Gallagher says that there are also signs of attackers trying to exploit the vulnerability to install remote access tools in victim networks, possibly Cobalt Strike, a key tool in many ransomware attacks.
He says he expects the speed with which attackers are harnessing and using the vulnerability will only intensify and diversify over the coming days and weeks.
"Once an attacker has secured access to a network, then any infection can follow. Therefore, alongside the software update already released by Apache in Log4j 2.15.0, IT security teams need to do a thorough review of activity on the network to spot and remove any traces of intruders, even if it just looks like nuisance commodity malware."
Jake Williams, CTO at BreachQuest, tweeted similar advice: "If you're patching #log4j today on an Internet facing service, you need to be doing an incident response too. The reality is that someone else almost certainly beat you to it. Patching doesn't remove the existing compromise."
Others share Gallagher’s views on the long-term nature of the threat. "It’s difficult to estimate the massive impact Log4Shell will have because historically patches (even for high-severity threats) take time for everyone to apply, if ever. We commonly see attacks successfully executed using fixed vulnerabilities that are two or three years old,” Silviu Stahie, security analyst at Bitdefender, says in a blog post.
Reporting on results seen by Bitdefender’s honeypots, Stahie says, "The number of total scans using Log4Shell has increased three-fold in a single day meaning we most likely are just at the beginning."
Researchers at the security firm Netlab report that their Anglerfish and Apacket honeypots caught two waves of attacks using the Log4j vulnerability to form Muhstik and Mirai botnets, both targeting Linux devices.
During an analysis, the Netlab researchers found a new variant of Mirai, which has made a couple of changes compared to the initial code. The table_init/table_lock_val/table_unlock_val and other mirai-specific configuration management functions have been removed and the attack_init function is also discarded, and the DDoS attack function is called directly by the command processing function, researchers say.
The Netlab researchers say they also spotted a .uy top-level domain for its command-and-control domain name, which they say is rare for Mirai. Whereas Muhstik botnet borrows from the Mirai code.
"The new Muhstik variant adds a backdoor module, ldm, which has the ability to add an SSH backdoor public key with an installed backdoor public key. Once this public key is added to the ~/.ssh/authorized_keys file, the attacker directly log into the remote server without password authentication," the researchers say. "Considering the special vulnerability mechanism of log4j2, Muhstik takes a blunt approach to spread the payload aimlessly knowing that there will be vulnerable machines, and in order to know who has been infected, Muhstik adopts TOR network for its reporting mechanism."
Cisco Talos also confirmed that it saw widespread exploitation activity targeting this vulnerability. "We have begun to observe threats such as Mirai attempting to leverage this vulnerability to automatically infect new systems," its researchers say.
The Cisco Talos researchers say that they have observed several obfuscation techniques as threat actors are attempting to evade pattern-based detection mechanisms, and the techniques may have been used as details of this vulnerability began to emerge.
"Threat actors are using the Log4j vulnerability to install cryptocurrency miners, Cobalt Strike, and create botnets. Threat actor groups and APTs are already scouring the internet for vulnerable hosts. For instance, the Log4j vulnerability was used to form Mirai and Mushtik botnets, which were however, flagged by honeypots around the world," says Anirudh Batra, threat analyst at Indian cybersecurity firm CloudSEK, tells ISMG. "A nonexhaustive search for potentially vulnerable products on Shodan shows that there are at least 1.05 million exposed products that could be vulnerable to this flaw, which also helps us determine the scope of its attack surface."
Microsoft too released a report saying that it has observed activities, including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.
David Kennefick, product architect at cybersecurity firm Edgescan, tells ISMG that the Log4j vulnerability is present in a logging library that is fundamental to how technology works.
"Right now we are only seeing the tip of the wave on the horizon in terms of its effects. I expect that we'll still be talking about this vulnerability in 12 months’ time, and even then the full damage and ramifications may not have been completely understood. It's like finding out that the material used to build every bridge in the world is deficient and could fail at any time," Kennefick says. "This vulnerability will be weaponized for ransomware, cryptoware, botnets and everything in between - it will be stack-agnostic and organizations should work on the assumption that they are hosting vulnerable instances that require remediation."