Log4Shell exploitation: Which applications may be targeted next?

Spring4Shell (CVE-2022-22965) has dominated the information security news these last six days, but Log4Shell (CVE-2021-44228) continues to demand attention and action from enterprise defenders as diverse vulnerable applications are being targeted in attacks in the wild.

Attackers in the wild exploiting Log4Shell

Log4Shell is widespread because Apache Log4j – the logging library that it affects – is widely used. While its exploitability depends on the Java version, the Log4j version (only Log4j v2 is vulnerable) and how it’s used, the vulnerability is easily triggered with the right exploit.

Since the revelation of its existence, many threat actors have been targeting it to compromise VMware Horizon servers, Ubiquiti UniFi applications, MobileIron mobile device management systems, IoT devices, and other products.

VMware Horizon servers are a particularly popular target and are mostly being compromised to deploy cryptocurrency mining malware, Sophos researchers Gabor Szappanos and Sean Gallagher noted. But some attackers are popping them and deploying backdoors, reverse shells and remote monitoring tools, possibly preparing them for future attacks involving ransomware or corporate espionage.

FortiGuard Labs researchers Rotem Sde-Or and Eliran Voronovitch also recently flagged a campaign by a threat actor they believe to be Deep Panda, a Chinese APT group, exploiting Log4Shell in VMware Horizon servers to deploy a backdoor and a novel kernel rootkit (“Fire Chili”) onto target machines.

Mandiant researchers, on the other hand, have documented several threat actors attempting to exploit MobileIron MDM systems. Some, they believe, have financial motivations, while others are engaged in espionage. They have also been unable to discern the motivation of one particular threat actor.

Which other widespread applications can make good targets?

Log4Shell affects a wide variety of software products, and many organizations will have trouble assessing their exposure and choosing which patches should be prioritized.

Randori’s team of researchers have assessed that VMware Horizon and MobileIron are, indeed, among the top 3 most “attackable” applications using Log4j out there, despite the latter not being among the top 10 most widespread apps using the logging library and being exposed on the internet.

“Attackers cannot afford to be caught or sent on wild goose chases. As such, the most attackable assets are determined based on where the most initial damage (access) would likely occur,” they said, explaining their reasoning.

Solutions that allow attackers privileged access, that don’t have security software on them, and that provide hackers “downstream” access are likely to be the most attractive targets, and this is why Randori’s lists of most widespread and most attackable applications do not match.


“Most of the widespread software are app servers or middleware – cPanel, [Apache] Tomcat, [Eclipse] Jetty, [Eclipse] JSP, Wildfly – which are not 100% confirmed to use a vulnerable version of Log4j, making them a less interesting target to an attacker. These types of services may use optional components that use Log4j, and might come in a variety of configurations which can complicate locating an exploitable mechanism, so an attacker may not want to waste his time (especially if there is an easier target),” the researchers noted.

VMware Horizon is extremely common (10% of large enterprises have an internet-exposed instance) and, if hacked, it gives a hacker downstream access.

Jamf is a configuration automation platform that is known to be vulnerable and exploitable, and a compromised instance would allow attackers to influence any device that is being administered by it, the researchers explained. MobileIron – an MDM solution – offers similar access.

Ping Identity’s PingFederate – an authentication and SSO platform – may be similarly helpful. “If an adversary can control the AUTH server and process, they can likely impact many other services that are serviced by that authentication mechanism. This becomes even more interesting if the way it’s configured enables the attacker to create users in your environment,” they pointed out.

The list continues with Jenkins (automation server vulnerable through plugins that use Log4j), Avaya IP Office (management system is vulnerable) and SAP’s NetWeaver (a Java application server).
