Log4j exploit targets vulnerable Unifi network application (Ubiquiti)

Following on from our previous blog post on VMware Horizon being targeted through the Log4j vulnerability, we have now identified UniFi Network applications similarly targeted multiple times. Based on Morphisec's prevention logs, the first appearance of a successful exploit occurred on January 20, 2022.

What makes this attack notable is that the C2 correlates with a previous SolarWinds attack, as reported by CrowdStrike.

Unsurprisingly, a POC for UniFi Network exploitation was released a month prior (December 24th), so we expected to see this type of targeted exploitation in the wild.

POC for Unifi Network Operation

Technical details

The UniFi vulnerability was first published by @sprocket_ed.

Log4j (Log4Shell) vulnerability on Ubiquiti UniFi


Ubiquiti normal execution command line:

-Dfile.encoding=UTF-8
-Djava.awt.headless=true
-Dapple.awt.UIElement=true
-Dunifi.core.enabled=false
-Xmx1024M
-Xrs
-XX:+ExitOnOutOfMemoryError
-XX:+CrashOnOutOfMemoryError
-XX:ErrorFile=C:\Users\Administrator\Ubiquiti UniFi\logs\hs_err_pid%p.log
-pot
C:\Users\Administrator\Ubiquiti UniFi\lib\ace.jar
start

(We recommend detecting PowerShell execution as a child process of this command line.)
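The detection recommended above, as an added example that is not part of the original post: a small Python routine that scans process-creation events (constructed here in a flattened Sysmon Event ID 1 style, not telemetry from the incident) and flags PowerShell started by the UniFi controller's Java process, identified by ace.jar in the parent command line. The field names, file paths and sample events are assumptions for illustration; the legitimate mongod.exe child is included to show that not every child of ace.jar is suspicious.

```python
import re

# Constructed Windows process-creation events (Sysmon Event ID 1 style, flattened to
# one key="value" line each). Made-up samples, not telemetry from the incident.
SAMPLE_EVENTS = [
    # Legitimate: the UniFi controller (ace.jar) starting its bundled MongoDB.
    'Image="C:\\Users\\Administrator\\Ubiquiti UniFi\\bin\\mongod.exe" '
    'ParentImage="C:\\Program Files\\Java\\bin\\java.exe" '
    'ParentCommandLine="java -Xmx1024M -Xrs C:\\Users\\Administrator\\Ubiquiti UniFi\\lib\\ace.jar start"',
    # Legitimate: an administrator opening PowerShell from the desktop.
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" '
    'ParentCommandLine="C:\\Windows\\Explorer.EXE"',
    # Suspicious: PowerShell spawned by the UniFi controller's Java process.
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell -nop -w hidden" '
    'ParentImage="C:\\Program Files\\Java\\bin\\java.exe" '
    'ParentCommandLine="java -Xmx1024M -Xrs C:\\Users\\Administrator\\Ubiquiti UniFi\\lib\\ace.jar start"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}  # Windows PowerShell and PowerShell Core

def parse_event(line):
    """Turn one key="value" event line into a dict of fields."""
    return dict(FIELD_RE.findall(line))

def basename(path):
    """Last path component, tolerating Windows backslashes on any host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_unifi_controller(cmdline):
    """The UniFi Network application runs as java ... lib\\ace.jar start."""
    return "ace.jar" in cmdline.lower()

def detect_unifi_shell_spawn(lines):
    """Return the events where PowerShell was started by the UniFi controller process."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        child = basename(ev.get("Image", ""))
        parent_cmdline = ev.get("ParentCommandLine", "")
        if child in SHELL_IMAGES and is_unifi_controller(parent_cmdline):
            hits.append({"child": child, "child_cmdline": ev.get("CommandLine", ""),
                         "parent_cmdline": parent_cmdline})
    return hits

if __name__ == "__main__":
    for hit in detect_unifi_shell_spawn(SAMPLE_EVENTS):
        print("ALERT: UniFi controller spawned", hit["child"], "->", hit["child_cmdline"])
```

Only the third sample event is flagged; the same rule maps directly onto an EDR or SIEM query on ParentCommandLine and Image.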

Origin:

https://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/prompt/powershell_reverse_tcp_prompt.ps1

We found that the C2 used in the attack had already been noted as part of the SolarWinds supply chain attack as a Cobalt Strike C2 beacon, and was attributed to TA505 aka GRACEFUL SPIDER, a well-known group of financially motivated threat actors. These attacks are often motivated by opportunities to sell sensitive data or to launch ransomware demands in exchange for not exposing it. TA505, the name given by Proofpoint, has operated in cybercrime for at least five years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, distributed through malicious email campaigns via the Necurs botnet. Other malware associated with TA505 includes the Philadelphia and GlobeImposter ransomware families. Learn more about TA505 here.

These types of attacks show how traditional security solutions fail to detect and prevent newer threats, which have become much more frequent and sophisticated. With an average ransomware attack now occurring every few seconds and ransoms costing organizations millions, security teams must explore ways to augment or replace current solutions that are no longer adequate. Leading analysts, such as Gartner, point to Moving Target Defense as a way to detect and prevent attacks that now bypass next-generation antivirus (NGAV) solutions and endpoint detection and response (EDR) solutions. Organizations should also consider incident response (IR) services, not only to respond to indicators of compromise (IOCs), but also to assess security postures to detect weaknesses and provide recommendations for improving defenses.

Related Tweet on C2:

Indicators of Compromise (IOC)

C2

179.60.150[.]32

Vulnerable jars observed

2275247244f03091373f51d613939f5a96c48481c60832d443c112611142ceba

5e53ee9c3299a60b313bdfa3d8b8aaafae67d70eb565a7999e42139d51614462

cccd16f0c8e1f490f9cf8b0a42d61b52185f0e44e66e098c4f116b3e19f75b1c

079089176ad528393c0641a630d90ca90a353a3c1765fb052e8c43ed45a29506
