Let me remind you that the CVE-2021-44228 vulnerability, also called Log4Shell and LogJam, was discovered in the popular Log4j logging library in early December.

The researchers report that Aquatic Panda uses a modified version of the exploit for a bug in Log4j to gain initial access to the target system and then performs various post-exploitation activities, including exploration and credential collection.

To compromise an unnamed educational institution, the hackers targeted VMware Horizon, which used the vulnerable Log4j library. The exploit used in this attack was published on GitHub on December 13, 2021.

The attackers also conducted reconnaissance efforts to understand privilege levels better and learn more about the domain. Also, they attempted to interrupt a third-party endpoint threat detection and response solution.

After deploying additional scripts, the hackers tried to run PowerShell commands to extract the malware and three VBS files, which appeared to be reverse shells. In addition, Aquatic Panda made several attempts to collect credentials by performing memory dumps and preparing them for theft.

Experts write that the attacked organization was timely warned of suspicious activity and could quickly use the incident response protocol, fixing vulnerable software and preventing further development of the malicious activity.

The Aquatic Panda group has been active since at least May 2020 and typically engages in intelligence gathering and industrial espionage, targeting organizations in the government, telecommunications, and technology sectors. The group’s toolbox includes Cobalt Strike, FishMaster downloader, and njRAT.

Let me also remind you that I wrote that Log4j vulnerability threatens 35,000 Java packages, as well as that Another vulnerability found in Log4j, this time it is a denial of service.

The post Chinese hack group Aquatic Panda exploits Log4Shell to hack educational institutions appeared first on Gridinsoft Blog.

On December 9th the information security ecosystem learned of the vulnerability’s existence that poses great degree of severity and widespread impact. Tens of thousands of software packages (artifacts in the Java ecosystem) and projects use a popular logging tool, log4j that turned out to have the vulnerabilities discussed. As specialists explain these vulnerabilities allow for the remote code execution by exploiting the diffident JNDI lookups feature laid bare by the logging library log4j. In many versions of the library the exploited feature existed by default.

Apache Log4j Vulnerability will take a while to fix

Not long ago disclosed log4j vulnerabilities touched more than 35,000 Java packages, numbering to over 8% of the Maven Central repository. With the repository being the most significant Java package repository it caused an extensive outcome for the software industry. Specialists point out that 8% is a huge result for the ecosystem outcome while the average number for the Maven Central advisories outcome goes with 2% and the median less than 0.1%. Though the numbers mentioned do not enclose all Java packages, for instance directly distributed binaries.

At the time of the post publishing nearly five thousand of the artifacts in question have been fixed. And over 30,000 artifacts, many dependent on another artifact, still wait to be patched. The Team mentions that they counted an artifact as fixed if the artifact had at least one version impacted and has released a greater unimpacted stable version (that’s according to semantic versioning). In the case of log4j an artifact is considered fixed if it has been updated to 2.16.0 or no longer has dependency on log4j.

Two significant problems hinder the fix process

Although the situations in general can be defined as clear, the specialists point out two significant fixing problems. The first objective they define is the fact that many artifacts depend on log4j indirectly. Those of direct dependencies account for around 7,000 of the affected artifacts. In such a case any of its versions depend upon an affected version of log4j-core or log4j-api, described in the CVEs. The indirect dependency or transitive dependency means the dependencies of one’s own dependencies.

All this dependency’s staff creates significant hinders in fixing if to look at it with dependency chains. Here everything stays quite clear: The deeper the vulnerability falls down, the more steps one should go to fix it. According to the Team`s consumers dependency graphs histogram results showed big numbers. In more than 80% of the packages vulnerability is more than one level deep. In majority of which it`s five levels down and in some nine levels down. The process of fixing will require going first to the deepest dependencies first and all tree afterwards.

Open ranges gives the opportunity to select the most recently released version

Another difficulty lies in ecosystem-level choices in the dependency resolution algorithm and requirement specification conventions. The practice differs from those such as npm where they routinely specify open ranges for dependency requirements. Open ranges gives the opportunity to select the most recently released version that satisfies dependency requirements. And it subsequently pulls in new fixes. Users receive a patched version on the next build after the availability of the patch. It generates the dependencies more quickly.

“In the Java ecosystem, it’s common practice to specify “soft” version requirements — exact versions that are used by the resolution algorithm if no other version of the same package appears earlier in the dependency graph. Propagating a fix often requires explicit action by the maintainers to update the dependency requirements to a patched version,” Open Source Insights Team wrote on this second one problem.

With these Team advises the open source community to enable automated dependency updates and add security mitigations. They also provided a list of 500 affected packages with some of the highest transitive usage. In the specialists opinion prioritizing these packages will facilitate fixing efforts and subsequently unblock more of the community. Team thanked those open source maintainers and consumers who have upgraded their versions of log4j.

For the question how long it would take to completely fix everything the Team expressed vague opinion. They say it is hard to know. If it`s all publicly disclosed critical advisories affecting Maven packages then the process might take a while. They say less than half (48%) of the artifacts that a vulnerability impacted have been fixed. But on the log4j front things seem to be promising with about 13% that have been fixed.

The post Apache Log4j Vulnerability explained by Google appeared first on Gridinsoft Blog.

The packages are vulnerable to either the original Log4Shell exploit (CVE-2021-44228) or the second RCE problem discovered after the patch was released (CVE-2021-45046).

This vulnerability has gripped the information security ecosystem since its disclosure on December 10 due to its severity and widespread impact. As a popular logging tool, log4j is used by tens of thousands of software packages (known as artifacts in the Java ecosystem) and projects in the software industry.

Researchers note that usually after the discovery of the next vulnerability, it turns out that it affects only about 2% of the content of Maven Central. However, the 35,000 packages vulnerable to Log4Shell is roughly 8% of all Maven Central content, and experts point out that the percentage is “huge.”

Currently, 4620 developers out of 35,863 packages (13% of the total number of vulnerable packages) have already updated their products. For comparison, the researchers cite similar statistics for past Java vulnerabilities, when about 48% of libraries received patches.

Alas, experts write that the Log4Shell problem is unlikely to be completely fixed in the coming years. The main difficulty is that Log4j is not always a direct dependency and is often a dependency on another dependency. In such situations, developers of vulnerable packages have to wait for other developers to update their applications, which in some cases can take weeks or even months.

For example, according to statistics collected by Google, Log4j is a direct dependency only for 7000 out of 35000 packages, which means that many developers will most likely have to disable indirect dependencies that have not been updated to use safe alternatives.

Let me remind you that we also reported that Experts are already fixing attacks on the Log4Shell vulnerability.

The post Log4j vulnerability threatens 35,000 Java packages appeared first on Gridinsoft Blog.