Log4j exploit targets vulnerable Unifi network application (Ubiquiti)
Following on from our previous blog post on VMware Horizon being targeted through the Log4j vulnerability, we have now identified UniFi Network applications similarly targeted multiple times. Based on Morphisec's prevention logs, the first appearance of a successful exploit occurred on January 20, 2022.
What makes this attack notable is that the C2 correlates with a previous SolarWinds attack, as reported by CrowdStrike.
Unsurprisingly, a PoC for UniFi Network exploitation was released a month prior (December 24th), so we expected to see this type of targeted exploitation in the wild.
Technical details
The UniFi vulnerability was first published by @sprocket_ed.
Log4j (Log4Shell) vulnerability on Ubiquiti UniFi
Ubiquiti normal execution command line:
-Dfile.encoding=UTF-8 -Djava.awt.headless=true -Dapple.awt.UIElement=true -Dunifi.core.enabled=false -Xmx1024M -Xrs -XX:+ExitOnOutOfMemoryError -XX:+CrashOnOutOfMemoryError -XX:ErrorFile=C:\Users\Administrator\Ubiquiti UniFi\logs\hs_err_pid%p.log -pot C:\Users\Administrator\Ubiquiti UniFi\lib\ace.jar start
(We recommend that you alert on PowerShell execution appearing as a child process of this command line.)
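As an added example (not code from the Morphisec post), the parent/child rule above written as a small Python check over constructed process-creation records: a PowerShell child of the UniFi Java service is flagged, while the service's own MongoDB child and an administrator's PowerShell session are not. The record shape, sample PIDs, paths and command lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Parent command line of the UniFi Network service: java launching lib\ace.jar.
# Install paths vary per host, so match on the jar rather than the full path.
UNIFI_LAUNCHER = re.compile(r"\\ubiquiti unifi\\lib\\ace\.jar\b", re.IGNORECASE)
# PowerShell binaries the UniFi Java process has no legitimate reason to spawn.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

@dataclass
class ProcessCreate:
    """Minimal process-creation record (Sysmon Event ID 1 / EDR telemetry shape; assumed)."""
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_command_line: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_unifi_service(command_line: str) -> bool:
    return UNIFI_LAUNCHER.search(command_line) is not None

def detect_unifi_powershell_children(events: List[ProcessCreate]) -> List[ProcessCreate]:
    """Return events where PowerShell was spawned by the UniFi Java service."""
    return [e for e in events
            if basename(e.image) in POWERSHELL_IMAGES
            and is_unifi_service(e.parent_command_line)]

# Constructed sample telemetry, not real logs.
UNIFI_CMD = ('java -Dfile.encoding=UTF-8 -Djava.awt.headless=true -Xmx1024M -Xrs '
             r'-jar "C:\Users\Administrator\Ubiquiti UniFi\lib\ace.jar" start')
SAMPLE_EVENTS = [
    # Benign: UniFi starts its bundled MongoDB instance.
    ProcessCreate(4102, r"C:\Users\Administrator\Ubiquiti UniFi\bin\mongod.exe",
                  "mongod.exe --dbpath data\\db --port 27117", 3990, UNIFI_CMD),
    # Suspicious: PowerShell spawned by the UniFi service after a Log4Shell trigger.
    ProcessCreate(4415, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "powershell.exe -enc <base64 omitted>", 3990, UNIFI_CMD),
    # Benign: an administrator opening PowerShell from Explorer.
    ProcessCreate(5120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "powershell.exe", 1432, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for hit in detect_unifi_powershell_children(SAMPLE_EVENTS):
        print(f"ALERT pid={hit.pid} parent_pid={hit.parent_pid} cmd={hit.command_line}")
```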
Origin:
We found that the C2 used in the attack had already been noted as part of the SolarWinds supply chain attack, the Cobalt Strike C2 beacon, and was attributed to TA505 aka GRACEFUL SPIDER, a well-known group of financially motivated threat actors. These attacks are often motivated by opportunities to sell sensitive data or to launch ransomware demands in exchange for not exposing it. TA505, the name given by Proofpoint, has operated in cybercrime for at least five years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, distributed through malicious email campaigns via the Necurs botnet. Other malware associated with TA505 includes the Philadelphia and GlobeImposter ransomware families. Learn more about TA505 here.
These types of attacks show how traditional security solutions fail to detect and prevent newer threats, which have become much more frequent and sophisticated. With an average ransomware attack now occurring every few seconds and ransoms costing organizations millions, security teams must explore ways to augment or replace current solutions that are no longer adequate. Leading analysts, such as Gartner, point to Moving Target Defense as a way to detect and prevent attacks that now bypass next-generation antivirus (NGAV) solutions and endpoint detection and response (EDR) solutions. Organizations should also consider incident response (IR) services, not only to respond to indicators of compromise (IOCs), but also to assess security postures to detect weaknesses and provide recommendations for improving defenses.