A critical zero-day vulnerability in Apache Log4j2, a logging library used by millions of Java applications, was recently discovered and is being actively exploited in the wild; it can allow a threat actor to gain system-level access to vulnerable servers. Tracked as CVE-2021-44228, it has already been spotted in use by adversaries by CERTs from countries including New Zealand, Austria, and Germany.

Apache is aware of the security vulnerability and has already released Apache Log4j v2.15.0 to address the issue.

A working proof of concept of this vulnerability was published on GitHub.

______________________________

A. Nature of the Vulnerabilities

The vulnerability is described as follows:

CVE-2021-44228

A security vulnerability in Apache Log4j versions 2.0-beta9 to 2.14.1 has a CVSS score of 10.0. Logging untrusted or user-controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data included in logged errors such as exception traces, authentication failures, and other unexpected vectors of user-controlled input.

______________________________

B. List of Vulnerable Systems

Vulnerable Windows OS:

  • All Log4J versions prior to v2.15.0 are affected by this specific issue.

______________________________

C. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Test and apply the necessary patches for the packages/applications/systems/devices:
    • Apache Log4j version 2.15.0

Note: For those who cannot upgrade to 2.15.0, in releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
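The last mitigation above (deleting JndiLookup.class from log4j-core) and the upgrade to 2.15.0 both leave a verifiable trace inside the jar. The following check, added here as an example and not part of the CERT-PH advisory, reads the version from the pom.properties that Maven writes into log4j-core jars (path assumed to be META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties) and tests for the JndiLookup entry; the sample jars it builds are constructed fixtures, not real artifacts.

```python
import io
import re
import zipfile

JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; pre-releases sort below the release."""
    base, _, suffix = text.partition("-")
    nums = tuple(int(p) for p in base.split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((0, suffix) if suffix else (1, ""))


FIXED_VERSION = parse_version("2.15.0")  # the fixed release named in the advisory


def assess_log4j_core_jar(jar_file):
    """Classify a log4j-core jar as patched, mitigated (JndiLookup removed) or vulnerable.

    Unknown version plus a present JndiLookup class is treated as vulnerable (conservative).
    """
    with zipfile.ZipFile(jar_file) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPERTIES in names:
            props = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.M)
            if match:
                version = match.group(1).strip()
    jndi_present = JNDI_LOOKUP_ENTRY in names
    if version is not None and parse_version(version) >= FIXED_VERSION:
        status = "patched"
    elif not jndi_present:
        status = "mitigated"
    else:
        status = "vulnerable"
    return {"version": version, "jndi_lookup_present": jndi_present, "status": status}


def build_sample_jar(version, include_jndi_lookup):
    """Constructed fixture: a minimal in-memory jar holding only the entries the check inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for ver, jndi in [("2.14.1", True), ("2.14.1", False), ("2.15.0", True), ("2.0-beta9", True)]:
        print(ver, assess_log4j_core_jar(build_sample_jar(ver, jndi)))
```

To run it against a real file, pass the jar path to assess_log4j_core_jar; nested jars inside fat jars or WAR files must be extracted first, since the check only looks at the top-level archive.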

______________________________

D. Indicators of Compromise (IOC)
