
Log4j: How hackers are using the flaw to deliver this new 'modular' backdoor

12 January 2022 Hi-network.com

Iran-backed hacking group Phosphorous or APT35 is using the Log4j vulnerability to distribute a new modular PowerShell toolkit, according to security firm Check Point. 

APT35 is one of several state-backed hacking groups known to have been developing tools to exploit public-facing Java applications that use vulnerable versions of the Log4j error-logging component.

Microsoft, which tracks the group as Phosphorous and has called it out for increasingly using ransomware in attacks, found it had operationalized a Log4j exploit for future campaigns less than a week after Log4Shell's December 9 disclosure. 

According to a further analysis by Check Point, APT35's Log4j work was sloppy and "obviously rushed", using a basic publicly available JNDI exploit kit (now removed from GitHub) for attacks that were easy to detect and attribute. 

After exploiting Log4j on public-facing systems, the group uses what Check Point describes as 'a PowerShell-based modular backdoor' for persistence, communication with a command and control (C&C) server, and execution of additional modules.

The main module of the attacker's PowerShell framework validates network connectivity, enumerates characteristics of the compromised system, retrieves the C&C domain from a hardcoded URL, and then fetches, decrypts and executes subsequent modules. After receiving information about a compromised system, the C&C server either issues no command or instructs the main module to execute other modules, which are written as PowerShell scripts or C# code.

Back and forth communication between target and C&C runs continuously to determine what subsequent modules should be submitted to the target, according to Check Point. 

Each of the additional modules is responsible for encrypting data, exfiltrating it via the web or an FTP server, and sending execution logs to a remote server.

But each module has unique capabilities, such as one for listing installed applications, another for taking screenshots, and more for listing running processes, enumeration, and executing predefined commands from the C&C. A final "cleanup module" is dropped at the end of collection activity that removes evidence, such as running processes created by previously used modules.

"The modules sent by the C&C are executed by the main module, with each one reporting data back to the server separately," explains Check Point. 

"This C&C cycle continues indefinitely, which allows the threat actors to gather data on the infected machine, run arbitrary commands and possibly escalate their actions by performing a lateral movement or executing follow-up malware such as ransomware."

On the quality of the group's work, Check Point had few compliments: unlike most advanced persistent threat groups, APT35 doesn't bother changing tools and infrastructure for new attacks and is known for making operational security (OpSec) blunders.

"The group is famous in the cybersecurity community for the number of OpSec mistakes in their previous operations, and they tend not to put too much effort into changing their infrastructure once exposed," Check Point notes. 

The firm says there are similar coding styles between the PowerShell scripts used for Log4Shell and the ones that the group used in Android spyware detailed by Google's Threat Analysis Group in October. 

Despite the US Cybersecurity and Infrastructure Security Agency's (CISA) confirmation that it had seen no major breaches arise from Log4j exploitation, Microsoft assesses the Log4Shell issue as a "high-risk" situation because it is difficult for organizations to know which applications, devices and services are affected. CISA also warned that attackers who have already exploited Log4j may be waiting for alert levels to drop before using new but still undetected footholds in targets.
