New Log4j attack vector can affect local hosts with no internet access

Jimmy2x

In context: The past week has kept IT organizations scrambling to respond to the Log4j vulnerability impacting systems around the world. As security experts have continued to identify additional bugs in the logging utility, network administrators have worked tirelessly to identify and close off any potential access that may allow the vulnerability to be exploited. Unfortunately, a newly discovered vector has proven that even isolated systems with no internet connectivity may be just as vulnerable, further complicating the already enormous problem.

Researchers at Blumira have more bad news for the IT community battling Log4j security exploits. While previous findings indicated that impacted systems would require some type of network or internet connectivity, the security firm's recent discovery now asserts that services running on localhost with no external connection can also be exploited. The finding pointed researchers to several more use cases outlining alternative approaches to compromise unpatched assets running Log4j.

A technical post by Blumira CTO Matthew Warner outlines how a malicious actor can impact vulnerable local machines. Warner states that WebSockets, which are tools that allow fast, efficient communication between web browsers and web applications, could be used to deliver payloads to vulnerable applications and servers with no internet connectivity. This specific attack vector means the unconnected but vulnerable assets could be compromised simply by an attacker sending a malicious request using an existing WebSocket. Warner's post details the specific steps a malicious actor would take to initiate the WebSocket-based attack.

The newly identified attack vector will result in a greater number of vulnerable assets across already heavily affected industries. According to Check Point Software, over 50% of all government, military, finance, distribution, ISP, and education organizations are currently affected by the Log4j vulnerability.

Warner notes that there are available methods organizations can use to detect any existing Log4j vulnerabilities:

  • Run Windows PowerShell or cross-platform scripts designed to identify where Log4j is used within local environments
  • Look for any instance of “.*/java.exe” being used as the parent process for “cmd.exe/powershell.exe”
  • Ensure your organization is set up to detect the presence of Cobalt Strike, TrickBot, and related common attacker tools
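
The parent-process check from the list above, as an added example (not code from Blumira or from this article). It runs over constructed process-creation records whose field names follow Sysmon Event ID 1; accepting both slash styles in paths is an assumption.

```python
import re

# Parent pattern ".*/java.exe" and children cmd.exe / powershell.exe, per the article.
# Assumption: either slash is accepted, because Windows telemetry records
# backslash paths while the article's pattern is written with "/".
PARENT_RE = re.compile(r".*[\\/]java\.exe$", re.IGNORECASE)
CHILD_RE = re.compile(r"(?:.*[\\/])?(?:cmd|powershell)\.exe$", re.IGNORECASE)

def suspicious_spawns(events):
    """Return the events in which java.exe spawned cmd.exe or powershell.exe."""
    hits = []
    for ev in events:
        # Some sources wrap image paths in quotes or pad them; normalise first.
        parent = ev.get("ParentImage", "").strip().strip('"')
        child = ev.get("Image", "").strip().strip('"')
        if PARENT_RE.match(parent) and CHILD_RE.match(child):
            hits.append(ev)
    return hits

# Constructed records: hosts and paths are made up for this example.
SAMPLE_EVENTS = [
    {"Computer": "app01", "ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "ws03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Computer": "build02", "ParentImage": '"D:/apps/jdk/bin/JAVA.EXE"',
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe"},
    {"Computer": "ws07", "ParentImage": r"C:\tools\notjava.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "app01", "ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "Image": r"C:\Program Files\Java\jre\bin\java.exe"},
]

if __name__ == "__main__":
    for ev in suspicious_spawns(SAMPLE_EVENTS):
        print(ev["Computer"], ev["ParentImage"], "->", ev["Image"])
```

Some legitimate Java software, such as build tools, also launches shells, so hits need to be compared against what each host normally runs.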

Impacted organizations can update their instances of Log4j to version 2.17 to mitigate the tool's vulnerabilities (which keep popping up). This includes any organization that may have applied the previous remediations, versions 2.15 and 2.16, which were later found to include their own set of related vulnerabilities.
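
An inventory check for the two points above (finding where Log4j is used, and confirming it is at 2.17), as an added example that is not code from Blumira or from this article. It reads the version from the `pom.properties` file that log4j-core jars carry and follows archives nested inside WAR/EAR/fat-JAR files; `find_outdated` and `sample_archive` are names made up here.

```python
import io, re, tempfile, zipfile
from pathlib import Path

FIXED = (2, 17, 0)  # the article's remediation target
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_archive(data, label):
    """Yield (location, version) per log4j-core copy, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        for name in zf.namelist():
            if name == POM:
                ver = parse_version(zf.read(name).decode("utf-8", "replace"))
                if ver:
                    yield label, ver
            elif name.lower().endswith(ARCHIVES):
                yield from scan_archive(zf.read(name), f"{label}!{name}")

def find_outdated(root):
    """Return sorted (location, 'x.y.z') for log4j-core copies older than 2.17.0."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            rel = path.relative_to(root).as_posix()
            for loc, ver in scan_archive(path.read_bytes(), rel):
                if ver < FIXED:
                    hits.append((loc, ".".join(map(str, ver))))
    return sorted(hits)

def sample_archive(entries):
    """Build a constructed in-memory archive from {name: content} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample: a WAR bundling 2.16.0
        old = sample_archive({POM: "artifactId=log4j-core\nversion=2.16.0\n"})
        Path(tmp, "app.war").write_bytes(sample_archive({"WEB-INF/lib/log4j-core-2.16.0.jar": old}))
        print(find_outdated(tmp))
```

A copy whose `pom.properties` was stripped during repackaging is not reported, so an empty result is not proof that a host is clean.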

...websockets use a network connection...just because an application is local doesn't mean it's not connected. You are literally describing how websockets send information from a computer to another server. Please correct your article mate, it's misleading and no one needs more misinformation.
 
I noticed back in the late 90's that China was already building DUPLEX RADIO communications circuitry into PC peripheral cards that had no purpose related to wireless communications... Especially in Cheap after-market peripheral cards for various tasks, that were being produced under unidentified labels...

I personally installed a riser card to give more I/O for CD drives on a system I built @ 99... Before adding anything onto the riser card, I installed the drivers for it... Only to discover I was getting clear radio traffic bleed through that was really troublesome... I returned the card, but should have gone to the trouble of getting the transmission frequency and process verified... I was already a disabled Gulf war veteran and had my hands pretty full, just trying to do a build at home... I was pretty "f-ed" up from the first Gulf War... So It never happened... I was just too busy getting things like total hip replacements etc...

So now I see this has become a serious issue, now that cards are populated by solder paste-on silicon chips so small, and unreadable, that the circuit functions can no longer be traced without a literal microscope... Back in the 1990's I could still look at a card and without giving myself an Ocular Hernia, I could still make out the basic Radio Comm. circuitry that was being snuck onto these aftermarket cards... This came to my attention, because I was a U.S.A.F. Microwave technology Engineer and Mechanic for Wide Band, Sat-Com, and Ground Radio Systems... We had a lot of Security Training and were trained into a state of Vigilance in the Communications Technology field... That was the 1990's - 2010's... I ran AN/TRC-170B Wideband, Sat-com, and Ground Radio in a Combined shop... Back then much of the circuitry was still through-the-hole design... One could follow what was being done much of the time... This also applied to much of the standard PC card design of the 90's and early 2000's... Easy to see how hacking, and data-mining, and every manner of Data Theft and compromise has suddenly become a problem, even for isolated rigs... However... Running a System offline, and isolating it and the terminal in a Gauss-Cage should still be secure. As for the Science of Psionics and Remote viewing... Sorry people... your Shoit out -o- Luck on that one ;-P
 