Recent Log4j attacks use obfuscated LDAP requests to execute malicious scripts, establish persistence, and exfiltrate data. Multiple backdoors and encrypted channels maintain control, emphasizing the ongoing threat of the Log4j vulnerability, initially discovered in November 2021 with a CVSS score of 10.
Log4j Vulnerability Exploited Again
On July 30, 2024, a Confluence honeypot detected an exploitation attempt of the Log4Shell vulnerability originating from a known Tor exit node, 185.220.101.34. This incident marked the start of a new campaign by opportunistic threat actors. Upon deeper investigation, it was uncovered that the attackers were leveraging the Log4Shell vulnerability, a critical flaw in the Apache Log4j library, to deploy XMRig, a popular cryptocurrency mining software.
The Log4Shell vulnerability, initially discovered in November 2021, has a CVSS score of 10, indicating its high severity. It allows attackers to execute arbitrary code remotely, making it a prime target for exploitation. In this case, attackers used the vulnerability to gain unauthorized access to systems, where they then installed XMRig to mine cryptocurrency, effectively hijacking the system’s resources for their gain.
This event underscores the ongoing risk posed by the Log4Shell vulnerability, even years after its discovery.
An attacker exploited a Log4j vulnerability by sending an obfuscated payload with an LDAP URL. This caused the vulnerable Java application to download and run a malicious Java class from a remote server. The class then retrieved another script (“lte”) and executed it with root privileges. While the script’s exact purpose is unclear, its ability to run any command suggests it could be used for more harmful actions.
Additionally, the malicious Java class downloaded a hidden Bash script that scanned the system, installed a cryptocurrency miner, set up persistence through systemd or cron jobs, and created reverse shells for remote access.
The script collects detailed system information like CPU specs, OS version, user data, network connections, running processes, and system uptime, sending this data to a remote server via an HTTP POST request.
To avoid detection, it self-destructs by overwriting the bash history and erasing the current shell’s command history.
Datadog’s investigation into possible Log4Shell exploitation uncovered several indicators of compromise, including the suspicious IP address 185.220.101.34 and domains like superr.buzz and cmpnst.info. They also found suspicious file paths like /tmp/lte, suggesting attempts to exploit the vulnerability for unauthorized access.