Security News
Log4j exploitation: Risk and effects of remediation efforts. While cybersecurity vendors continue to flag attacks involving Log4Shell exploitation, "The Board also found that to date, generally speaking, exploitation of Log4j occurred at lower levels than many experts predicted, given the severity of the vulnerability."
Organizations can expect risks associated with Log4j vulnerabilities for "a decade or longer," according to the US Department of Homeland Security. "ICS operators rarely know what software is running on their XIoT devices, let alone know if there are instances of Log4j that can be exploited," Thomas Pace, a former Department of Energy cybersecurity lead and current CEO NetRise, told The Register.
The "Hotpatch" released by Amazon Web Services in response to the Log4Shell vulnerabilities could be leveraged for container escape and privilege escalation, allowing an attacker to seize control of the underlying host. The issues - CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071 - affect the hotfix solutions shipped by AWS, and stem from the fact that they are designed to search for Java processes and patch them against the Log4j flaw on the fly but without ensuring that the new Java processes are run within the restrictions imposed on the container.
Amazon Web Services has updated its Log4j security patches after it was discovered the original fixes made customer deployments vulnerable to container escape and privilege escalation. The vulnerabilities introduced by Amazon's Log4j hotpatch - CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071 - are all high-severity bugs rated 8.8 out of 10 on the CVSS. AWS customers using Java software in their off-prem environments should grab the latest patch set from Amazon and install.
VMware's Horizon virtualization platform has become an ongoing target of attackers exploiting the high-profile Log4j flaw to install backdoors and cryptomining malware. VMware in late December released an updated version of Horizon and continued with patches for Horizon this month for the Log4j flaw - called Log4Shell and tracked as CVE-2021-44228 - but the threat continues.
If you breathed a sigh of relief after dealing with the Log4j vulnerability last year, here's some bad news. There are further equally nasty zero day vulnerabilities to come, so now is not the time to relax.
A new Linux botnet is using the infamous Log4j vulnerability to install rootkits and steal data. Researchers at Chinese internet security company Qihoo's 360's Network Security Research Lab discovered the botnet family, which they dubbed B1txor20, as it was infecting new hosts via the Log4j vulnerability.
First observed propagating through the Log4j vulnerability on February 9, 2022, the malware leverages a technique called DNS tunneling to build communication channels with command-and-control servers by encoding data in DNS queries and responses. B1txor20, while also buggy in some ways, currently supports the ability to obtain a shell, execute arbitrary commands, install a rootkit, open a SOCKS5 proxy, and functions to upload sensitive information back to the C2 server.
The newly found malware, dubbed B1txor20 by researchers at Qihoo 360's Network Security Research Lab, focuses its attacks on Linux ARM, X64 CPU architecture devices. The botnet uses exploits targeting the Log4J vulnerability to infect new hosts, a very appealing attack vector seeing that dozens of vendors use the vulnerable Apache Log4j logging library.
With so many security and developer teams doing post mortems on the Log4j security vulnerability fiasco that unfolded in late 2021, just 10 days before Christmas, the main question is: how do we avoid this type of pain in the future? The answer is it's complicated. On the upside the pain of that experience has triggered a major software supply-chain security rethink from developers and security teams.