Overview of Log4Shell Vulnerability
At present, cybersecurity is a widely discussed field, and the most commonly discussed topic within it is the Log4Shell vulnerability (CVE-2021-44228). According to various security professionals, it is the worst exploitable vulnerability, so it is important to understand it in order to plan a solution and an action plan that ensures protection from it.
In December 2021, several researchers worked on a high-impact cybersecurity vulnerability that was later described as dangerous. This vulnerability, in the Apache Log4j Java logging library, turned into an exploit in no time. Although the language has remained insecure for many years, this impact magnified the vulnerability and made it extremely severe (Sommer, 2018) (Tattoli, Cena and Di Vella, 2019).
Before the researchers were aware of it, the vulnerability was already being exploited. Threat actors exploit CVE-2021-44228 to install ransomware, carry out DoS (denial-of-service) attacks, form botnets, and create Cobalt Strike beacons. Log4Shell is a complex issue for organizations around the world because so much software relies on the Apache Log4j logging library. The following entities are among those impacted (Elstub, 2018) (Hamilton, 2015):
- Cloudflare
- Amazon AWS
- Steam, and so on.
Apache released patches for the vulnerability, but as the problems grew, each patch proved incomplete. The IT sector then started racing against time to plug the leaks, which kept surging and made handling more difficult. Patching Log4Shell is difficult, but it must be finished at any cost (Hoog, 2011) (MacRae, Weinberg and Weinberg, 2019).
The argument here concerns which logical mitigation strategy should be used. The aim is therefore to present all the information related to Log4Shell, followed by the strategies used to protect against similar impact from the vulnerability. It is the responsibility of IT teams to patch to the latest Apache Log4j version. When it cannot be updated, the recommendation is to block JNDI.
Log4Shell is a Java JNDI injection vulnerability. The library's older 1.X versions are not vulnerable to this code execution: their logs are encapsulated in a string format and are not parsed. A new JNDI lookup feature in versions 2.0–2.15.0 introduced this vulnerability, which allowed any input to be parsed and interpreted by the application regardless of its origin. It affects the following:
- web applications
- databases
- routers
- IoT devices, particularly those running Java
- email servers
- endpoint agents
- mobile apps
The figure below gives an effective representation of the vulnerability's impact: DNS callbacks are received, via the mobile app, from each of the devices listed below:
- Fitness watch
- Washing machine
- Phone
Figure: Vulnerability’s impact
JNDI (Java Naming and Directory Interface) is an API that allows Java applications to look up objects by their associated names. It supports several directory services, including those listed below:
- RMI
- DNS
- LDAP
- CORBA
The payloads are typically seen to use the protocols listed below to trigger DNS requests:
- LDAP
- DNS
- RMI
For RCE proofs of concept, the attacker needs to set up an LDAP server that the vulnerable application can connect to. Outgoing LDAP connections must therefore be allowed from the targeted application, so that the attacker-controlled server can serve the malicious object.
DNS requests alone are not enough to confirm whether an application is vulnerable to remote code execution, but they still have an impact, because DNS requests can exfiltrate sensitive information/data that assists in compromising the target.
Impact of Log4Shell Vulnerability
The list below shows the vulnerability's key impacts (U, 2018) (Widup, 2014):
- Remote code execution through rogue LDAP servers and malicious Java objects.
- Data exfiltration over DNS.
Generally, the attacker sets up a rogue LDAP server, creates an exploit payload class, and stores it as an LDAP object such as "Log4JPayload.class" for later reference. Next, the attacker includes the crafted JNDI injection in random requests, where it may be logged from request paths such as those shown below (Allen and Tafani-Dereeper, 2022):
- Document/image EXIF
- Filenames
- HTTP headers
- And so on.
When a malicious request is logged, the Log4j library parses the injected input and reaches out to the rogue LDAP server to load the malicious class. The application then runs the referenced class, and the attacker gains remote code execution on the vulnerable application (Casey, 2013) (Cunningham and Pollanen, 2015).
The example below shows the key injection point present in the "request paths":
The next one is present in the HTTP headers. The attacker can inject payloads into any HTTP header, and every single injection point is valid when testing the application (Nikkel, 2016) (Rodríguez Almada and Borches Duhalde, 2021).
It is vital to remember that the exploit often does not give a callback immediately. Sometimes it takes time, which can vary from a few hours to many hours, before a callback is received.
In testing, it took 25 minutes to receive the initial callback. Hence, for black-box testing, give the application sufficient time before judging whether it is actually vulnerable or not.
Several payloads have been posted on Twitter in recent days, and they are interesting, so one should check them. Some of the payloads use obfuscation to bypass popular WAFs such as those listed below:
- Cloudflare
- AWS WAF
- Akamai
The figure below depicts the payloads collected via Twitter.
When the application is not vulnerable to remote code execution, or blocks outgoing LDAP connections, attackers or pen testers can still leverage the vulnerability to try to extract the user's sensitive information, such as secret keys, tokens, application configuration files, and details of the hosted infrastructure. The attacker can then use this information to choose an appropriate attack vector for compromising the targeted application.
Automated checks refer to automated scans. They are useful when a black-box pen test needs cursory checks across many different hosts. The list below gives popular scanning tools:
- Burp Extensions: Log4Shell Scanner
- Nuclei Template for Log4J — id: CVE-2021-44228
- Log4J Scanner by mazen160
- Nmap NSE Script — nse-log4shell
To quickly test an application, use the services listed below, which are effective at creating a DNS token for a payload and thus help assess whether any callbacks have been received:
- Interactsh
- Canary Tokens
- cn
- Burp Collaborator
The Log4j exploit allows threat actors to take over compromised web-facing servers by feeding them malicious text strings. Log4j is an open-source Apache library used in Java-based applications for logging errors and events. It is popular among software developers, who use a third-party logging solution like Log4j to log data in their applications without creating a custom solution. Log4Shell can exploit this type of malicious string in Minecraft, where the malicious string can be entered through the chat box. Another example states that Apple iCloud's web application could be compromised when the malicious string was entered into its username text field.
Mitigation Strategies to Protect Against Log4Shell Vulnerability
Log4Shell is a vulnerability caused when the attacker adds a JNDI lookup, pointing at a malicious server, to a header field. When Log4j logs this string, the server is queried, returns directory information, and the application then downloads and runs a malicious Java class. This gives cybercriminals the capacity to extract private keys. Depending on the level of defence, malware may then be downloaded and executed immediately on the affected servers.
Log4j is a serious threat that should not be taken lightly, because every organization is exposed and must take the necessary steps to protect itself. The vital first step is to identify the threat or vulnerabilities, which the security team appointed by the organization must resolve immediately; this must be given high priority. Then, wherever Log4j is identified, update it to the recently released version, such as the 2.17 patch. To protect against such vulnerabilities, the following steps must be taken:
- Upgrade Log4j to its latest version.
- Set the formatMsgNoLookups property to "true" to disable message lookups.
- Remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- Use a firewall to limit communications to a certain number of allowed hosts, instead of all hosts.
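As an added example (not part of this report or of Apache Log4j), the check a defender would run before and after the class-removal step above: find every log4j-core jar under a directory, read its declared version, report whether JndiLookup.class is still present, and strip it the way the zip -q -d command does. The jar it scans is a constructed stand-in built in a temporary directory, not a real Log4j build.

```python
import io
import os
import re
import tempfile
import zipfile

# Class that the page's zip -q -d step removes, and the manifest that carries the version
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"


def make_sample_jar(directory, version="2.14.1"):
    """Build a constructed stand-in for log4j-core-<version>.jar; not a real Log4j build."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe")  # class-file magic only (constructed)
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return path


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); an unknown version compares as older than anything."""
    return tuple(int(p) for p in re.findall(r"\d+", version or "")[:3])


def inspect_jar(path):
    """Report the declared version and whether JndiLookup.class is still present."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if MANIFEST in names:
            m = re.search(r"^Implementation-Version:\s*(\S+)", jar.read(MANIFEST).decode(), re.M)
            version = m.group(1) if m else None
    return {"path": path, "version": version, "has_jndi_lookup": JNDI_ENTRY in names,
            "older_than_2_17": version_tuple(version) < (2, 17, 0)}


def remove_jndi_lookup(path):
    """Python equivalent of: zip -q -d log4j-core-*.jar org/.../JndiLookup.class"""
    buf = io.BytesIO()
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(buf, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_ENTRY:
                dst.writestr(item, src.read(item.filename))
    with open(path, "wb") as f:
        f.write(buf.getvalue())
    return inspect_jar(path)


def scan_tree(root):
    """Find every log4j-core-*.jar under root and inspect it."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if re.fullmatch(r"log4j-core-.*\.jar", name):
                hits.append(inspect_jar(os.path.join(dirpath, name)))
    return hits


def demo():
    """Scan a temp tree holding the constructed jar, then strip the class from any jar that still has it."""
    with tempfile.TemporaryDirectory() as d:
        make_sample_jar(d)
        before = scan_tree(d)
        after = [remove_jndi_lookup(i["path"]) for i in before if i["has_jndi_lookup"]]
        return before, after
```

Removing the class is the fallback the page describes for jars that cannot be upgraded; the "older_than_2_17" flag in the report is there so upgrading stays the first choice.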
In the next part, the image file seized by officers from the organization will be analyzed. This file was found on the workstation of one of the organization's employees. This employee is believed to have gathered his co-workers' contact details and email IDs in order to send spam and obtain an illegal subscription to IPTV streaming services from the organization's workstation. To confirm this, Autopsy software is used for the forensic investigation, as it provides highly effective analysis results.
In this part, spamming will be determined. To be precise, spamming is the process of posting the same message many times over.
Open the Autopsy software and create a case for the provided image file. Case management in Autopsy is about creating a case (with the investigated case's name) and safely storing its information for easy access in the future. Creating a case requires details such as the case number, time, date, receiver and sender names, the officers handling the case, the type of crime, and a description of the crime.
The following figure shows Autopsy software’s case management, where a case is created (Casey, 2013).
Next, enter the Case Name (here, it is named Log4jshell), choose the base directory as Local Disk (C:), and set the Case Type to Single user. Move on and choose the VM file or disk image as the data source (Apache Log4j (Log4Shell) Vulnerability, 2022) (Log4Shell Vulnerability Test Tool, 2022) (Mao, 2020).
Then open Browse and open the image file named s5437615_win7. Next, go to the Configure Ingest Modules step and check the chosen file so that the data source is included.
The provided image file is thus added to the new case created in the Autopsy tool.
The investigation methodology used in this report is file type identification, which is discussed below:
Java JNDI Injection and Log4Shell Vulnerability
The most complex part of a digital forensic investigation is identifying the evidence once the data has been retrieved. File type detection methods are divided into the extension-based method, the content-based method, and the magic-bytes-based method. Each method has its own pros and cons, so it is difficult to choose just one that meets all the requirements. Of these, the extension-based method is the easiest and fastest way to detect a file type.
To determine the type of a file, the file need not be opened: its extension alone is enough. But crafty attackers change a file's extension, and in such cases the forensic analysis raises an extension-mismatch alert. File type detection is therefore essential in digital forensics and cybersecurity; the type could be a web page, image, email, spreadsheet, executable program, text document, and so on.
As per the file type identification, the image-type evidence can be seen. No images are related to the case.
The overall findings of the investigation are outlined in this part of the report. Three findings were made, as follows:
The first finding relates to email. Digital forensic analysis can track the details of the user from whom emails are sent; for instance, it provides the "from" and "to" fields of the email, which identify the sender and the recipient. The recipient's IP address is stored, and the HTTP server hosting can be investigated, which is mainly useful for tracking the sender of the email. Header analysis is then carried out to identify the sender. This finding indicates that Mr. Sparrow is suspected of sharing the spam with the organization's employees via email.
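An added example (not from this report or from Autopsy) of the extension-mismatch check described above: the extension-based guess is compared with the magic-bytes guess, and a file whose content does not match its name is flagged. The two sample files are constructed in a temporary directory; the signature table holds a few well-known magic values only.

```python
import os
import tempfile

# Leading byte signatures of common evidence types (well-known values, not an exhaustive table)
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",   # also the container for .docx/.xlsx/.jar
    "exe": b"MZ",
}
# Extensions that legitimately map onto one of the signatures above
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "jar": "zip", "dll": "exe"}


def type_from_extension(path):
    """Extension-based method: cheap, needs no file access, trusts the name."""
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    return ALIASES.get(ext, ext) or None


def type_from_magic(head):
    """Magic-bytes method: looks at the first bytes, ignores the name."""
    for kind, signature in MAGIC.items():
        if head.startswith(signature):
            return kind
    return None


def classify(path):
    """Combine both methods and report match / mismatch / unknown for one file."""
    with open(path, "rb") as f:
        head = f.read(16)
    ext_type, magic_type = type_from_extension(path), type_from_magic(head)
    if ext_type == magic_type:
        status = "match"
    elif magic_type is None:
        status = "unknown"        # content not in the table; cannot contradict the name
    else:
        status = "mismatch"       # the name says one thing, the content another
    return {"path": path, "extension": ext_type, "content": magic_type, "status": status}


def demo():
    """Constructed samples: a genuine PNG, and an executable renamed to look like a photo."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "holiday.png")
        renamed = os.path.join(d, "invoice.jpg")
        with open(good, "wb") as f:
            f.write(MAGIC["png"] + b"\x00" * 8)
        with open(renamed, "wb") as f:
            f.write(b"MZ\x90\x00" + b"\x00" * 12)
        return classify(good), classify(renamed)
```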
A message from Mr. Sparrow states that he has attached a pcap file, present on his desktop, which needs to be fixed because it has a problem of freezing every now and then. A request is therefore made to fix this problem.
Now we will analyse the pcap file in Wireshark. Before doing this, export the pcap file as demonstrated below.
Next, we open the exported pcap file in Wireshark as presented below.
Then we look for the SMTP protocol to determine the spam email or subscription email, as demonstrated below.
The given pcap does not contain any SMTP traffic. So we check whether there is network traffic in the given pcap file using the following filter:
tcp.flags.syn==1 and tcp.flags.ack==0
This filter selects TCP SYN packets that do not carry the ACK flag, i.e. connection attempts, which is how a TCP SYN flood attack is identified in the given file.
As per the result, there is no network traffic in the given pcap file. Therefore, there is no streaming problem with the broadband connection.
The image of the email shared below is supporting evidence for the first finding.
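The same two checks applied programmatically, as an added example that is not part of this report and does not use Wireshark: a small pcap reader selects SYN-without-ACK packets exactly as the filter above does, and reports whether any SMTP (port 25) traffic is present. The capture is constructed in memory (one normal handshake plus a burst of bare SYNs from one host); the addresses and ports are made up.

```python
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10


def tcp_frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data, checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def write_pcap(frames):
    """Serialise frames as a classic little-endian pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_tcp(data):
    """Yield (src, dst, sport, dport, flags) for each IPv4/TCP frame in a little-endian pcap."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # not IPv4, or not TCP
            continue
        t = 14 + (frame[14] & 0x0F) * 4                     # skip Ethernet + IP header (with options)
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        yield (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])),
               sport, dport, frame[t + 13])


def syn_only(packets):
    """Same selection as the Wireshark filter tcp.flags.syn==1 and tcp.flags.ack==0."""
    return [p for p in packets if p[4] & SYN and not p[4] & ACK]


def analyse(pcap_bytes):
    packets = list(read_tcp(pcap_bytes))
    syns = syn_only(packets)
    top = Counter(p[0] for p in syns).most_common(1)
    return {"tcp_packets": len(packets),
            "smtp_seen": any(25 in (p[2], p[3]) for p in packets),
            "syn_attempts": len(syns),
            "top_syn_source": top[0] if top else None}


def demo():
    # Constructed capture: one complete handshake to a web server, then 20 bare SYNs from one host
    # (the pattern a SYN flood leaves behind); no SMTP at all, as in the report's pcap.
    frames = [tcp_frame("10.0.0.5", "10.0.0.80", 40000, 80, SYN),
              tcp_frame("10.0.0.80", "10.0.0.5", 80, 40000, SYN | ACK),
              tcp_frame("10.0.0.5", "10.0.0.80", 40000, 80, ACK)]
    frames += [tcp_frame("10.0.0.99", "10.0.0.80", 50000 + i, 80, SYN) for i in range(20)]
    return analyse(write_pcap(frames))
```

A single SYN per client is normal; many SYNs from one source with no completed handshakes is the signal worth chasing, which is why the top SYN source is reported alongside the count.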
Payloads and Obfuscation to Bypass Popular WAFs
The evidence shows copyrighted material shared via the user's broadband connection. This mail was found on Mr. Sparrow's desktop, along with other spam information, such as the email IDs of the co-workers to whom the spam email was sent. The only difference is that the From field shows the name John instead of Mr. Sparrow. This raises the suspicion that he faked his identity as John for spamming. Regarding the cp Broadband service, the spam mail asks users to log in to their portal (i.e., the cp broadband service) using their username and ID. It is suspected to be a fake email designed to gather users' login details by imitating a genuine email from a genuine company.
The image of the email shared below is supporting evidence for the second finding. Copyrighted material is seen in the following image, shared through the user's broadband connection (i.e., on 02/02/19 at 03:02 pm, Brooklyn Nine-Nine was shared over the cp broadband connection, as depicted in the following image).
The other email finding is a normal email exchanged between Mr. Sparrow and emkei.cz regarding a passport application. Details found in the mail state that Mr. Sparrow was charged 2000 USD for creating the passport, and that he shared his photo for the passport (Menashe, Peles and Hollander, 2021) (Wortley, Allison and Thompson, 2021).
Mr. Sparrow also messaged [email protected]. In return, Mr. Sparrow received an envelope from emkei.cz on 27 October 2021, around 1:01 pm. emkei.cz is regarded as a website for sending fake emails, meaning that a user can send a fake, anonymous email to any individual (emkei.org at WI. Emkei.cz – Emkei.org – Fake mailer Working, 2022). This looks suspicious, as the website helps to fill in any required name or ID in the email's "from" field and then delivers the message directly to the recipient's inbox.
Generally, in such an email the attacker poses as a genuine member of staff or a manager (the CP team in our case) and asks the victims (co-workers) to open the attachments or link shared in the mail, which directs them to a website where they fill in their details in a form. This is a serious attack from which victims must be protected, as the form may ask for personal details that can be used to harm them. Moreover, remember that attackers can use the attachments to deliver malicious software to the victim's inbox (Husein, 2020) (Emkei's Anonymous Mailer, 2022).
The image of the email shared below is supporting evidence for the third finding. The details of the envelope received by Mr. Sparrow from emkei.cz are shown as follows:
The last finding from the digital forensic analysis also points suspicion at Mr. Jack Sparrow. No other employee's name was found in this investigation apart from John, who is not an employee of this organization. The suspicion on Mr. Sparrow therefore increases, based on the fake email in his inbox and the fake identity of John.
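An added example (not part of this report) of the header analysis used in the first finding, applied to the spoofed From field described in the third: the visible From domain is compared with the envelope sender (Return-Path), and the earliest Received hop is checked against the organization's known relays. Both messages, all addresses, hosts and IPs, and the trusted-relay list are constructed for the example.

```python
import re
from email.parser import BytesParser

# Constructed samples. SPOOFED shows a co-worker's name in From, but the envelope sender and the
# first relay hop say it came from an anonymous mailer. GENUINE is an ordinary internal message.
SPOOFED = b"""Return-Path: <spammer@anon-mailer.test>
Received: from mail.example-org.test (mail.example-org.test [203.0.113.7])
\tby mx.example-org.test with ESMTP id abc123; Wed, 27 Oct 2021 13:01:02 +0000
Received: from webmailer.anon-mailer.test (webmailer.anon-mailer.test [198.51.100.23])
\tby mail.example-org.test with SMTP; Wed, 27 Oct 2021 13:00:58 +0000
From: John <john@example-org.test>
To: staff@example-org.test
Subject: Please log in to your broadband portal

Log in to the portal with your username and ID.
"""
GENUINE = b"""Return-Path: <jack@example-org.test>
Received: from mail.example-org.test (mail.example-org.test [203.0.113.7])
\tby mx.example-org.test with ESMTP id def456; Wed, 27 Oct 2021 14:00:00 +0000
From: Jack <jack@example-org.test>
To: staff@example-org.test
Subject: Team lunch

See you at noon.
"""
TRUSTED_RELAYS = {"mail.example-org.test", "mx.example-org.test"}   # constructed


def address_domain(value):
    """Domain part of the first address in a header value, lower-cased."""
    m = re.search(r"@([\w.-]+)", value or "")
    return m.group(1).lower() if m else None


def received_hops(msg):
    """Each relay prepends its own Received header, so the last one is the first hop."""
    hops = []
    for h in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", h, re.S)
        hops.append((m.group(1), m.group(2)) if m else (None, None))
    return hops


def analyse_sender(raw, trusted_relays):
    """Flag a message whose From does not agree with the envelope sender or the relay chain."""
    msg = BytesParser().parsebytes(raw)
    from_domain = address_domain(msg["From"])
    envelope_domain = address_domain(msg["Return-Path"])
    hops = received_hops(msg)
    first_host, first_ip = hops[-1] if hops else (None, None)
    reasons = []
    if from_domain != envelope_domain:
        reasons.append("From domain differs from the envelope sender (Return-Path)")
    if first_host and first_host not in trusted_relays:
        reasons.append(f"first hop {first_host} [{first_ip}] is not a known relay")
    return {"from": msg["From"], "from_domain": from_domain, "envelope_domain": envelope_domain,
            "origin": (first_host, first_ip), "suspicious": bool(reasons), "reasons": reasons}
```

The first-hop IP is the value to keep for the investigation record: the display name and From address are free text that any mailer can fill in, while the Received line was written by the receiving relay.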
Conclusion
The summary of the digital forensic investigation is that suspicion falls on only one person in the whole organization: Mr. Jack Sparrow. The digital evidence does not directly prove that he sent the spam emails, but it is clear that his desktop was used to send the spam, using another email ID belonging to a person named Mr. John. The spam is shown to have been sent to all the workers in the organization from an anonymous email ID. No other details were found in this investigation, except that Mr. Sparrow received an envelope from emkei.cz, which is determined to be a website for sending fake emails. Hence suspicion on Mr. Sparrow increases, as it is highly possible that he created these fake mails and sent them to his own inbox. Since his system was used in this spamming process, he can be taken into custody for further questioning related to this case.
It is concluded that there is a high chance that Mr. Jack Sparrow faked his identity as John for spamming and sending links through his emails, all of which was done to obtain an illegal subscription to IPTV streaming services from the organization's workstation. The Autopsy software successfully analyzed the evidence and identified the suspect. This investigation has also brought out an important point about the significance of educating employees on email handling and protecting them from the threat of spam, which can help avoid various serious harms. All organizations should take this suggestion seriously, for their own benefit.
References
Allen, Z. and Tafani-Dereeper, C., 2022. The Log4j Log4Shell vulnerability: Overview, detection, and remediation. [online] datadoghq. Available at: <https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/> [Accessed 28 April 2022].
Casey, E., 2013. Experimental design challenges in digital forensics. Digital Investigation, 9(3-4), pp.167-169.
Casey, E., 2013. New developments in digital & multimedia forensics. Digital Investigation, 10(3), pp.205-206.
Cunningham, K. and Pollanen, M., 2015. Evolution of a Molecular Autopsy Program from within a Death Investigation System. Academic Forensic Pathology, 5(2), pp.211-220.
Elstub, H., 2018. A discussion of decomposition: challenges at autopsy and the utility of forensic investigation. Pathology, 50, p.S23.
Emkei.cz. 2022. Emkei’s Anonymous Mailer. [online] Available at: <https://emkei.cz/> [Accessed 28 April 2022].
Hamilton, L., 2015. Teaching the Forensic Autopsy. Academic Forensic Pathology, 5(2), pp.201-210.
Hoog, A., 2011. Android forensics. Burlington, MA: Syngress.
Husein, 2020. How to Perform a Phishing (whaling) attack via Emkei’s Fake Mailer. [online] zsecurity. Available at: <https://zsecurity.org/how-to-perform-a-phishing-whaling-attack-via-emkeis-fake-mailer/> [Accessed 28 April 2022].
Log4shell.tools. 2022. Log4Shell Vulnerability Test Tool. [online] Available at: <https://log4shell.tools/> [Accessed 28 April 2022].
MacRae, C., Weinberg, S. and Weinberg, M., 2019. Attitudes Towards Forensic Autopsy Standard B3.7 and the Use of Physician Extenders in Select Autopsy Cases. Academic Forensic Pathology, 9(3-4), pp.181-190.
Mao, X., 2020. The Three Faces of Vulnerability. Angelaki, 25(1-2), pp.209-221.
Menashe, S., Peles, O. and Hollander, O., 2021. Log4Shell Zero-Day Vulnerability – CVE-2021-44228. [online] JFrog. Available at: <https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/> [Accessed 28 April 2022].
Nikkel, B., 2016. NVM express drives and digital forensics. Digital Investigation, 16, pp.38-45.
Rodríguez Almada, H. and Borches Duhalde, F., 2021. Historical autopsy: A contribution to the investigation of State terrorism crimes in Uruguay. Forensic Science International: Reports, 4, p.100242.
Sommer, P., 2018. Accrediting digital forensics: What are the choices?. Digital Investigation, 25, pp.116-120.
Tattoli, L., Cena, G. and Di Vella, G., 2019. An unusual work-related fatality: the importance of scene investigation combined with autopsy findings. Forensic Science, Medicine and Pathology, 15(3), pp.513-515.
trendmicro. 2022. Apache Log4j (Log4Shell) Vulnerability. [online] Available at: <https://www.trendmicro.com/en_us/apache-log4j-vulnerability.html> [Accessed 28 April 2022].
U, K., 2018. Autopsy Cases in 2017- A Retrospective Study. Journal of Forensic Sciences & Criminal Investigation, 9(1).
Website.informer.com. 2022. emkei.org at WI. Emkei.cz – Emkei.org – Fake mailer Working. [online] Available at: <https://website.informer.com/emkei.org> [Accessed 28 April 2022].
Widup, S., 2014. Computer forensics and digital investigation with EnCase Forensic v7. New York [u.a.]: McGraw-Hill Education.
Wortley, F., Allison, F. and Thompson, C., 2021. https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/. [online] lunasec.io. Available at: <https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/> [Accessed 28 April 2022].