2021-12-15 02:03:16
#news We continue to follow the IB-Hiroshima this year.
⋅ More than 60 new Log4j mutations have appeared in a day, many of which work both against HTTP and in prot. It seems that some of these options manage to bypass the existing defenses. Researchers advise rolling over multiple layers (like patch and vaccine) to be sure.
⋅ The tactics of hackers have changed. The first attacks were quite primitive - the exploit was stuffed into the User-Agent or Uniform Resource Identifier (URI) of the request. Now they put a line encrypted in Base64 there. Having decrypted it, the vulnerable system downloads malware from the hacker's infrastructure. In addition, hackers then began to obfuscate the Java Naming and Directory Interface (JNDI) themselves. Example:
$ {jndi: $ {lower: l} $ {lower: d} a $ {lower: p}: // world80
$ {$ {env: ENV_NAME: -j} n $ {env: ENV_NAME: -d} i $ {env: ENV_NAME: -:} $ {env: ENV_NAME: -l} d $ {env: ENV_NAME: -a} p $ {env: ENV_NAME: -:} //
$ {jndi: dns: //
⋅ The vulnerability will be exploited from the very beginning of December. The first exploits were noticed on the 1st, and since December 9, Sophos researchers have counted hundreds of thousands of exploits. Judging by the analyzed logs, the vulnerability has been used for several weeks.
⋅ Yesterday Check Point said that they prevented more than 845 thousand attempts of the Log4j exploit; there are more than 100 attempts per minute. By 17:00 Monday Moscow time, 40% of all corporate networks in the world have experienced exploit attempts.
@hackthespace
73 viewsedited 23:03
H
