
New Log4j attack vector is capable of affecting local hosts that are not connected to the internet


The latest bad news for IT professionals battling Log4j security exploits comes from researchers at Blumira. Prior findings indicated that impacted systems required network or internet connectivity, but the security firm now claims that services running on a local host without an external connection can also be exploited. The finding led to the discovery of several additional use cases demonstrating alternative methods for attacking Log4j assets that had not yet been patched.

In a technical blog post, Blumira's Chief Technology Officer, Matthew Warner, describes how a malicious actor can affect vulnerable local machines. According to Warner, WebSockets, which are tools that enable fast, efficient communication between web browsers and web applications, could be used to deliver payloads to vulnerable applications and servers that are not connected to the internet. With this attack vector, vulnerable assets that are not connected to the internet could be compromised simply by an attacker sending a malicious request over an existing WebSocket. In his blog post, Warner describes in detail the steps that a malicious actor would take to launch a WebSocket-based attack.

The newly discovered attack vector will increase the number of vulnerable assets across already-vulnerable industries. According to Check Point Software, the Log4j vulnerability is currently affecting more than half of all government, military, finance, distribution, internet service provider, and educational organizations worldwide.

To identify any existing Log4j vulnerabilities, organizations can employ the following techniques, according to Warner.

  • Run Windows PoSH or cross-platform scripts to determine the locations of Log4j instances in local environments.
  • See if there are any instances of ".*/java.exe" being used as the parent process for "cmd.exe" or "powershell.exe".
  • Determine whether Cobalt Strike, TrickBot, and other commonly used attacker tools are being detected by your organization's security system.

Organizations that are affected by this vulnerability can mitigate the risk by upgrading to Log4j 2.16. This includes any organization that applied the previous remediation, 2.15, which was later discovered to contain a separate set of related vulnerabilities in addition to the ones already identified.
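
A cross-platform way to carry out the first check in the list above and apply the 2.16 threshold, as an added example that is not from Blumira's post or this article: a Python scan that finds log4j-core copies inside JAR/WAR/EAR archives, including nested ones, and flags any below 2.16. The function names, the `outdated` field and the nesting limit are assumptions of this example; archives that contain `JndiLookup.class` but no Maven metadata are reported with version `unknown` and treated as outdated.

```python
import io
import os
import re
import zipfile

FIXED = (2, 16, 0)  # remediation target named in the article
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers are dropped, 'unknown' -> (0, 0, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def inspect_archive(data, label, findings, depth=0):
    """Record log4j-core in one archive, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a real archive despite its extension
    names = set(zf.namelist())
    if POM in names or JNDI in names:  # shaded JARs may lack the Maven metadata
        props = zf.read(POM).decode("utf-8", "replace") if POM in names else ""
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        version = m.group(1).strip() if m else "unknown"
        findings.append({"path": label, "version": version, "has_jndi_lookup": JNDI in names,
                         "outdated": parse_version(version) < FIXED})
    if depth < 3:  # assumed nesting limit; fat JARs and WARs embed other JARs
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                inspect_archive(zf.read(name), f"{label}!{name}", findings, depth + 1)


def scan(root):
    """Added example: walk root, return one finding per log4j-core copy found."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(folder, fname)
                try:
                    with open(path, "rb") as fh:
                        inspect_archive(fh.read(), path, findings)
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
    return findings
```

Call `scan()` on an application or install directory and review every finding where `outdated` is true; a nested copy is reported as `outer.war!WEB-INF/lib/inner.jar`.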
