Threat actors target Ubiquiti network appliances using Log4Shell exploits

Threat actors are using a customized public exploit for the Log4Shell vulnerability to attack and take over Ubiquiti network appliances running the UniFi software, security firm Morphisec said in a report last week.

  • The first active exploitation was seen on January 20, 2022.
  • The attackers used a proof-of-concept exploit previously shared on GitHub.
  • Developed by Sprocket Security, the PoC adapts the Log4Shell exploit for the Log4j Java library to work against Ubiquiti's UniFi devices, complete with post-exploitation steps.

Developed by Ubiquiti Networks, one of the largest hardware vendors in the world, the UniFi software can be installed on Linux and Windows servers and allows network administrators to manage Ubiquiti wireless and networking equipment from a centralized web-based application.

The application was built in Java and uses the Log4j library for its logging, so it was listed as impacted by Log4Shell and received a patch on December 10, just a day after the Log4Shell news was made public.

While Sprocket Security published its adaptation of the Log4Shell attack for UniFi devices in late December, attacks were not seen in the wild until Morphisec's public report last Friday.

Morphisec said the attackers took over UniFi devices and ran malicious PowerShell code that later downloaded and installed a version of the Cobalt Strike Beacon backdoor.

Researchers noted that this malware communicated with a command-and-control server that had previously been seen attacking SolarWinds Serv-U servers before the Log4Shell attacks.

Log4j attacks ramping up slowly

Immediately after the Log4Shell vulnerability was disclosed, many security experts warned that attacks using this bug would ramp up and lead to some sort of internet catastrophe and a huge hacking spree.

Almost two months later, this has yet to happen, primarily because exploiting Log4Shell turned out not to be that simple. Because each application integrated the library differently, there was no universal exploit code that worked everywhere out of the box and let attackers take over systems indiscriminately.

For each piece of software they wanted to attack, threat actors had to reverse engineer the code and work out how the exploit needed to be adapted, a complex and time-consuming job that threat actors rarely bother with.

Instead, attackers relied on public exploits shared online, and two months later, reports of Log4Shell exploitation have been limited to a handful of products, such as VMware Horizon, VMware vCenter, ZyXEL routers, and SolarWinds Serv-U servers. MobileIron has escaped attacks despite a public PoC, at least for now.


Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.