Log4j Exploit Targets Vulnerable Unifi Network Application (Ubiquiti) at Risk

As a continuation of our previously published blog post on VMware Horizon being targeted through the Log4j vulnerability, we have now identified UniFi Network applications being targeted in a similar way on a number of occasions. Based on prevention logs from Morphisec, the first appearance of successful exploitation occurred on January 20, 2022.

What makes this attack distinctive is that the C2 is correlated with a previous SolarWinds attack as reported by CrowdStrike.

Not surprisingly, a PoC for the exploitation of UniFi Network was released a month prior (24 December), and we therefore expected to see this type of targeted exploitation in the wild.

Technical Details

The UniFi vulnerability was first posted by @sprocket_ed.

Log4j Vulnerability (Log4Shell) on Ubiquiti UniFi

Normal UniFi execution command line (java.exe arguments, one per line):

  -Dfile.encoding=UTF-8
  -Djava.awt.headless=true
  -Dapple.awt.UIElement=true
  -Dunifi.core.enabled=false
  -Xmx1024M
  -Xrs
  -XX:+ExitOnOutOfMemoryError
  -XX:+CrashOnOutOfMemoryError
  -XX:ErrorFile=C:\Users\Administrator\Ubiquiti UniFi\logs\hs_err_pid%p.log
  -jar
  C:\Users\Administrator\Ubiquiti UniFi\lib\ace.jar
  start

(We recommend detecting PowerShell execution as a child process of this command line.)
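A minimal implementation of that recommendation, written here as an added example (not Morphisec's code), run over constructed Sysmon-style process-creation records; the field names and sample paths are assumptions.

```python
"""Flag PowerShell (or cmd) spawned by the UniFi Network Application's JVM."""
import re

# The parent must look like the UniFi launcher shown above: java running
# ace.jar with the trailing "start" argument.
UNIFI_PARENT = re.compile(r'ace\.jar"?\s+start\b', re.IGNORECASE)

# Child images that mean the server JVM is executing a script interpreter.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}

UNIFI_CMDLINE = (r'java.exe -Xmx1024M -jar '
                 r'"C:\Users\Administrator\Ubiquiti UniFi\lib\ace.jar" start')

# Constructed sample events (Sysmon Event ID 1 field names), not real telemetry.
SAMPLE_EVENTS = [
    # Benign: the UniFi JVM starting its bundled database helper.
    {"Image": r"C:\Program Files\MongoDB\bin\mongod.exe",
     "ParentImage": r"C:\Program Files\Java\bin\java.exe",
     "ParentCommandLine": UNIFI_CMDLINE},
    # Suspicious: the UniFi JVM spawning PowerShell.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Java\bin\java.exe",
     "ParentCommandLine": UNIFI_CMDLINE},
    # Benign: an administrator opening PowerShell from the desktop.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
]


def is_unifi_parent(event: dict) -> bool:
    """True when the parent is java.exe running ace.jar with 'start'."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    return parent == "java.exe" and bool(UNIFI_PARENT.search(event["ParentCommandLine"]))


def find_suspicious_children(events) -> list:
    """Return the events where a script interpreter was spawned by the UniFi JVM."""
    hits = []
    for ev in events:
        child = ev["Image"].rsplit("\\", 1)[-1].lower()
        if child in SUSPICIOUS_CHILDREN and is_unifi_parent(ev):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_children(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "spawned by", hit["ParentCommandLine"])
```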

Origin of the PowerShell script:

https://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/prompt/powershell_reverse_tcp_prompt.ps1

We found that the C2 used in the attack was previously noted as part of the SolarWinds supply chain attack, as a Cobalt Strike Beacon C2, and was attributed to TA505 aka GRACEFUL.

Read More: https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-application-un