야생에서의 Log4Shell 감지 및 대응
In this blog, we’ll take a look at the Log4Shell vulnerability and provide real-world examples of how Darktrace detects and responds to attacks attempting to leverage Log4Shell in the wild.
Log4Shell is now the well-known name for CVE-2021-44228 – a severity 10 zero-day exploiting a well-known Java logging utility known as Log4j. Vulnerabilities are discovered daily, and some are more severe than others, but the fact that this open source utility is nested into nearly everything, including the Mars Ingenuity drone, makes this that much more menacing. Details and further updates about Log4Shell are still emerging at the publication date of this blog.
Typically, zero-days with the power to reach this many systems are held close to the chest and only used by nation states for high value targets or operations. This one, however, was first discovered being used against Minecraft gaming servers, shared in chat amongst gamers.
While all steps should be taken to deploy mitigations to the Log4Shell vulnerability, these can take time. As evidenced here, behavioral detection can be used to look for signs of post-exploitation activity such as scanning, coin mining, lateral movement, and other activities.
Darktrace initially detected the Log4Shell vulnerability targeting one of our customers’ Internet-facing servers, as you will see in detail in an actual anonymized threat investigation below. This was highlighted and reported using Cyber AI Analyst, unpacked here by our SOC team. Please take note that this was using pre-existing algorithms without retraining classifiers or adjusting response mechanisms in reaction to Log4Shell cyber-attacks.
How Log4Shell works
The vulnerability works by taking advantage of improper input validation by the Java Naming and Directory Interface (JNDI). A command comes in from an HTTP user-agent, encrypted HTTPS connection, or even a chat room message, and the JNDI sends that to the target system in which it gets executed. Most libraries and applications have checks and protections in place to prevent this from happening, but as seen here, they get missed at times.
Various threat actors have started to leverage the vulnerability in attacks, ranging from indiscriminate crypto-mining campaigns to targeted, more sophisticated attacks.
Real-world example 1: Log4Shell exploited on CVE ID release date
Darktrace saw this first example on December 10, the same day the CVE ID was released. We often see publicly documented vulnerabilities being weaponized within days by threat actors. This attack hit an Internet-facing device in an organization’s demilitarized zone (DMZ). Darktrace had automatically classified the server as an Internet-facing device based on its behavior.
The organization had deployed Darktrace in the on-prem network as one of many coverage areas that include cloud, email and SaaS. In this deployment, Darktrace had good visibility of the DMZ traffic. Antigena was not active in this environment, and Darktrace was in detection-mode only. Despite this fact, the client in question was able to identify and remediate this incident within hours of the initial alert. The attack was automated and had the goal of deploying a crypto-miner known as Kinsing.
In this attack, the attacker made it harder to detect the compromise by encrypting the initial command injection using HTTPS over the more common HTTP seen in the wild. Despite this method being able to bypass traditional rules and signature-based systems Darktrace was able to spot multiple unusual behaviors seconds after the initial connection.
Initial compromise details
Through peer analysis Darktrace had previously learned what this specific DMZ device and its peer group normally do in the environment. During the initial exploitation, Darktrace detected various subtle anomalies that taken together made the attack obvious.
- 15:45:32 Inbound HTTPS connection to DMZ server from rare Russian IP — 45.155.205[.]233;
- 15:45:38 DMZ 서버가 2가지 새로운 사용자 에이전트를 사용해 위와 동일한 러시아 IP로 새로운 아웃바운드 연결 설정: 평소 패턴으로 보아 HTTP 요청을 처리하는 것이 비정상적인 동작으로 보이는 포트에 있는 Java 사용자 에이전트와 Curl;
- 15:45:39 DMZ 서버가 또다른 새 curl 사용자 에이전트(‘curl/7.47.0’)를 통해 동일한 러시아 IP로 HTTP 연결 사용. 해당 URL에는 DMZ 서버의 정찰 정보가 포함되어 있습니다.
이 모든 활동을 탐지할 수 있었던 것은 Darktrace가 이를 과거에 확인한 적이 있어서가 아니라, 해당 조직에서 사용 중인 이 서버 및 다른 유사한 서버들이 평소 ‘행동 패턴’에서 상당히 벗어나 있었기 때문입니다.
이 서버는 한 번도 사용한 적이 없는 사용자 에이전트를 사용해 사용한 적 없는 프로토콜과 포트로 인터넷에서 보기 드문 IP 주소로 연결한 적이 없었던 것입니다. 각 시점의 이상 징후 자체만 보면 아주 비정상적인 동작이라 할 수는 없었지만, 이 특정 디바이스와 환경이라는 맥락에서 탐지 항목을 종합해 분석해보면 진행 중인 사이버 공격을 알려주는 명백한 단서임을 알 수 있습니다.
Darktrace는 다양한 모델에서 이러한 활동을 탐지했는데, 그 예는 다음과 같습니다.
- Anomalous Connection / New User Agent to IP Without Hostname
- Anomalous Connection / Callback on Web Facing Device
추가 툴링 및 암호화폐 채굴 프로그램 다운로드
최초 보안 침해 후 90분이 채 지나지 않아 감염된 서버가 보기 드문 우크라이나 IP 80.71.158[.]12에서 악성 스크립트와 실행 파일을 다운로드하기 시작했습니다.
The following payloads were subsequently downloaded from the Ukrainian IP in order:
Using no threat intelligence or detections based on static indicators of compromise (IoC) such as IPs, domain names or file hashes, Darktrace detected this next step in the attack in real time.
해당 DMZ 서버는 이처럼 보기 드문 포트로 이 우크라이나 IP 주소와 과거에 통신한 적이 없었습니다. 게다가 이 디바이스와 피어가 이런 방식으로 이런 유형의 외부 대상에서 스크립트나 실행 파일을 다운로드하는 것은 매우 드문 경우였습니다. 다운로드가 시작되자 곧이어 DMZ 서버가 암호화폐 채굴을 시작했습니다.
Darktrace는 다양한 모델에서 이러한 활동을 탐지했는데, 그 예는 다음과 같습니다.
- Anomalous File / Script from Rare External Location
- Anomalous File / Internet Facing System File Download
- Device / Internet Facing System with High Priority Alert
Surfacing the Log4Shell incident immediately
In addition to Darktrace detecting each individual step of this attack in real time, Darktrace Cyber AI Analyst also surfaced the overarching security incident, containing a cohesive narrative for the overall attack, as the most high-priority incident within a week’s worth of incidents and alerts in Darktrace. This means that this incident was the most obvious and immediate item highlighted to human security teams as it unfolded. Darktrace’s Cyber AI Analyst found each stage of this incident and asked the very questions you would expect of your human SOC analysts. From the natural language report generated by the Cyber AI Analyst, a summary of each stage of the incident followed by the vital data points human analysts need, is presented in an easy to digest format. Each tab signifies a different part of this incident outlining the actual steps taken during each investigative process.
The result of this is no sifting through low-level alerts, no need to triage point-in-time detections, no putting the detections into a bigger incident context, no need to write a report. All of this was automatically completed by the AI Analyst saving human teams valuable time.
The below incident report was automatically created and could be downloaded as a PDF in various languages.
Figure 1: Darktrace’s Cyber AI Analyst surfaces multiple stages of the attack and explains its investigation process
Real-world example 2: Responding to a different attack using Log4Shell
On December 12, another organization’s Internet-facing server was initially compromised via Log4Shell. While the details of the compromise are different – other IoCs are involved – Darktrace detected and surfaced the attack similarly to the first example.
Interestingly, this organization had Darktrace Antigena in autonomous mode on their server, meaning the AI can take autonomous actions to respond to ongoing cyber-attacks. These responses can be delivered via a variety of mechanisms, for instance, API interactions with firewalls, other security tools, or native responses issued by Darktrace.
In this attack the rare external IP 164.52.212[.]196 was used for command and control (C2) communication and malware delivery, using HTTP over port 88, which was highly unusual for this device, peer group and organization.
Antigena reacted in real time in this organization, based on the specific context of the attack, without any human in the loop. Antigena interacted with the organization’s firewall in this case to block any connections to or from the malicious IP address – in this case 164.52.212[.]196 – over port 88 for 2 hours with the option of escalating the block and duration if the attack appears to persist. This is seen in the illustration below:
Figure 2: Antigena’s response
Here comes the trick: thanks to Self-Learning AI, Darktrace knows exactly what the Internet-facing server usually does and does not do, down to each individual data point. Based on the various anomalies, Darktrace is certain that this represents a major cyber-attack.
Antigena now steps in and enforces the regular pattern of life for this server in the DMZ. This means the server can continue doing whatever it normally does – but all the highly anomalous actions are interrupted as they occur in real time, such as speaking to a rare external IP over port 88 serving HTTP to download executables.
Of course the human can change or lift the block at any given time. Antigena can also be configured to be in human confirmation mode, having the human in the loop at certain times during the day (e.g. office hours) or at all times, depending on an organization’s needs and requirements.
This blog illustrates further aspects of cyber-attacks leveraging the Log4Shell vulnerability. It also demonstrates how Darktrace detects and responds to zero-day attacks if Darktrace has visibility of the attacked entities.
While Log4Shell is dominating the IT and security news, similar vulnerabilities have surfaced in the past and will appear in the future. We’ve spoken about our approach to detecting and responding to similar vulnerabilities and surrounding cyber-attacks before, for instance:
- the recent Gitlab vulnerability;
- the ProxyShell Exchange Server vulnerabilities when they were still a zero-day;
- and the Citrix Netscaler vulnerability.
As always, companies should aim for a defense-in-depth strategy combining preventative security controls with detection and response mechanisms, as well as strong patch management.
Thanks to Brianna Leddy (Darktrace’s Director of Analysis) for her insights on the above threat find.