Oxeye today announced an open source deobfuscation tool, dubbed Ox4Shell, that makes it simpler for cybersecurity teams to uncover hidden payloads that attempt to exploit Log4Shell vulnerabilities.
Many enterprise IT organizations have been roiled by a series of zero-day vulnerabilities discovered in the open source Log4j tool widely used to collect log data from Java applications.
Ron Vider, Oxeye CTO, said Ox4Shell is designed to counter the obfuscation tactics many cybercriminals use to hide payloads that exploit Log4jShell vulnerabilities. Those vulnerabilities enable remote code execution (RCE) attacks that inject text into log messages or log message parameters. That text then finds its way into server logs and can then be uploaded from a remote server for malicious purposes.
Ox4Shell works by exposing obscured payloads so it’s easier to understand what attackers are trying to achieve, which Vider noted makes it easier for cybersecurity teams to determine what vulnerabilities might require their immediate attention.
The Log4j vulnerabilities are especially problematic because the logging tool includes lookup functions that permit users to look up, for example, environment variables and Java process runtime information. Armed with that information, attackers can launch additional attacks against specific servers. The Ox4Shell tool counters that threat by making it possible to comply with such lookup functions by feeding back mock data, added Vider.
As cyberattacks become more sophisticated, it’s apparent cybercriminals are becoming more adept at using a range of obfuscation techniques to embed code within an application environment, said Vider.
In 2021, Oxeye launched a namesake application security testing platform that, in addition to pinpointing issues in code, also provides advice to best remediate the issues it found. It requires developers download an observer tool that scans code for vulnerabilities. Once pinpointed, the Oxeye platform guides developers through the remediation process without requiring them to inject agent software into every application.
The company is now promising to make available a series of open source tools in 2022 that address specific threat classes, such as the Log4jShell vulnerabilities.
RCE attacks, in general, are becoming more prevalent as cybercriminals increasingly target software supply chains. The goal is to compromise software components that are widely used downstream across a wide range of applications. Those attacks have led to increased concerns about open source software projects, especially those that only have a handful of contributors. Those smaller projects are especially vulnerable because there simply isn’t enough security expertise available to ensure the integrity of the code being created.
In fact, it appears the same vulnerabilities found in the Log4j logging tool also affect other projects. Similar vulnerabilities have now been found in an H2 database also written in Java. These exploits collectively impact hundreds of millions of applications and devices.
It’s increasingly clear that cybercriminals are exploiting zero-day vulnerabilities within hours of disclosure. It’s now more important than ever for cybersecurity teams to collaborate with developers to determine how best to respond to those threats before those attacks are launched.