Alternative Attack Vector Discovered for Log4J Vulnerability

An alternative local attack vector has been discovered for the log4j vulnerability, which already is wreaking havoc in the tech industry.

Blumira‘s research team discovered the alternative attack vector. It relies on a basic Javascript WebSocket connection to trigger the remote code execution (RCE) locally via drive-by compromise.

Last week, researchers discovered a zero-day exploit in the popular Java logging library log4j. It results in RCE by logging a certain string.

Expanded Exposure

Previously, it appeared the impact of log4j was limited to exposed vulnerable servers, Blumira said. This newly-discovered attack vector means attackers can exploit anyone with a vulnerable log4j version.

WebSocket connections within the host can be difficult to gain deep visibility into, increasing the complexity of detection for this attack. At this point, there is no proof of active exploitation.

The log4j vulnerability, dubbed Log4Shell, already provides a relatively easy exploit path for threat actors. This new attack vector expands the attack surface for log4j even further.

Matthew Warner is Blumira’s CTO and co-founder.

“When the log4j vulnerability was released, it became quickly apparent that it had the potential to become a larger problem,” he said. “This attack vector opens up a variety of potential malicious use cases, from malvertising to creating watering holes for drive-by attacks. Bringing this information to light ensures that organizations have the opportunity to act quickly and protect themselves against malicious threat actors.”

BreachQuest’s Jake Williams

Jake Williams is co-founder and CTO of BreachQuest.

“This represents one of the first REC exploits being relayed by WebSockets,” he said. “This shouldn’t change anyone’s position on vulnerability management though. Organizations should be pushing to patch quickly and mitigate by preventing outbound connections from potentially vulnerable services where patching is not an option.”

Khonsari Ransomware Gan Exploiting Log4Shell Vulnerability

StrikeReady’s Anurag Gurtu

The Khonsari ransomware gang is currently exploiting the Log4Shell vulnerability, said Anurag Gurtu, StrikeReady‘s chief product officer.

After execution, the malware enumerates all mounted drives (other than C:/) and targets user directories. Those include documents, videos, downloads and desktop. The attacker uses an AES 128 CBC algorithm for encryption.

The Log4Shell vulnerability isn’t slowing down, Gurtu said.

“In the second and third stages, threat actors are aggressively deploying malware families,” he said. “Among them are Kinsing, XMR and Mirai. Additionally, some coin-miners and CobaltStrike beacons have been observed in the wild.”

Researchers have observed nearly 2,000 malicious indicators of compromise (IOCs) so far, Gurtu said. That requires immediate attention.