New Log4j attack allows hacking devices that are not exposed to the internet, via localhost

In recent days, researchers disclosed a new attack vector for exploiting the remote code execution (RCE) vulnerabilities in Log4j, the Java logging library used in millions of deployments. According to the report, the method relies on a JavaScript WebSocket connection, opened during a drive-by compromise, to trigger the flaw locally, resulting in the compromise of deployments that are not exposed to the internet.

The report was published by Blumira researchers, who say that this behavior refutes the assumption that the Log4Shell flaws could only be exploited remotely: “This means that anyone with a vulnerable version of Log4j can be exploited through a listening server path on their machine or on the local network when navigating to a vulnerable website,” the experts point out.

In other words, there is more malicious potential for exploit development and successful attacks: “New attack vectors include everything from malvertising to creating watering holes for drive-by attacks,” says Matthew Warner, a researcher at Blumira.

The WebSocket protocol allows two-way communication between a web browser and web applications, such as chat and notification features on websites. While it lets the browser quickly exchange data with such applications, it can also be abused for fingerprinting system details and port scanning, so it carries a security risk in itself.

Experts note that, in the case of Log4j, threat actors could send malicious requests over WebSockets to localhost or to a vulnerable server on the local network, so attackers do not need to reach a target that is exposed to the internet.

To make matters worse, this attack could be considered even stealthier than its remote counterparts: the researchers note that it is difficult to gain full visibility into WebSocket connections within a host, which makes the attack harder to detect.

To detect a potential attack, Warner recommends looking for instances of “.*/java.exe” as the parent process of “cmd.exe” or “powershell.exe”, which can be considered the most accurate indicators of compromise.
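A defender-side check for that indicator, added here as an example and not taken from the Blumira report or this article: it runs over a few constructed Sysmon-style process-creation records (the `key=value|key=value` line format and the file paths are assumptions) and flags every event in which java.exe is the direct parent of cmd.exe or powershell.exe.

```python
import re
from typing import Iterable

# Constructed sample of process-creation events (Sysmon Event ID 1 style,
# flattened to one line each). Made-up records, not real telemetry.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Java\\jre1.8.0_301\\bin\\java.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c whoami",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe",
    "ParentImage=C:\\apps\\tomcat\\jre\\bin\\JAVA.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -nop -w hidden",
    "ParentImage=C:\\Program Files\\Java\\jre1.8.0_301\\bin\\java.exe"
    "|Image=C:\\Program Files\\Java\\jre1.8.0_301\\bin\\java.exe"
    "|CommandLine=java -jar worker.jar",
]

# The indicator from the article: java.exe as parent of cmd.exe/powershell.exe.
# Match on the file name only, case-insensitively, with either path separator.
PARENT_RE = re.compile(r"(^|[\\/])java\.exe$", re.IGNORECASE)
CHILD_RE = re.compile(r"(^|[\\/])(cmd|powershell)\.exe$", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split one 'key=value|key=value' line into a dict (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_java_spawned_shell(event: dict) -> bool:
    """True when a Java process is the direct parent of cmd.exe or powershell.exe."""
    parent = event.get("ParentImage", "")
    child = event.get("Image", "")
    return bool(PARENT_RE.search(parent) and CHILD_RE.search(child))


def find_java_spawned_shells(lines: Iterable[str]) -> list:
    """Return the parsed events that match the java.exe -> shell indicator."""
    return [ev for ev in map(parse_event, lines) if is_java_spawned_shell(ev)]


if __name__ == "__main__":
    for hit in find_java_spawned_shells(SAMPLE_EVENTS):
        print(f"ALERT: {hit['ParentImage']} spawned {hit['Image']}: {hit['CommandLine']}")
```

A legitimate Java application that shells out (build tools, some installers) will also trigger this, so the child command line should be reviewed before the alert is escalated.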
