Are you monitoring your enterprise’s messaging app communications? Depending on which industry you are in, there can potentially be a hefty fine if you aren’t monitoring what your employees are saying on these apps. Recently, JPMC paid a $125 million fine for not monitoring business communications by employees on personal devices and applications like WhatsApp.

Logging messages from messaging applications is the most straightforward way to comply with these requirements, but in today’s world it also introduces another threat. The recently discovered vulnerability in Log4j 2, CVE-2021-44228 (Log4shell), has left many servers that use Log4j as a logging framework vulnerable to remote code execution by malicious actors. If your messaging application logging solution uses Log4j 2, it could be exploited with just a simple message.

Analysts from SafeGuard Cyber’s Division Seven (D7) threat intelligence team successfully tested an exploit of a logging server using just messages on a common messaging platform, showing that these messaging applications can be an attack vector for exploiting the recent Log4shell vulnerability. In this instance, the D7 team set up a Slack instance and logging server with the following parameters:

  • A Slack Slash Command to send text to a logging bot
  • A bot to take these messages and send them to the logging server
  • A logging server utilizing a vulnerable version of Log4j 2
    • Vulnerable versions are between 2.0-beta9 and 2.14.1

Once set up, the analysts sent the unaltered Log4shell proof of concept payload through a Slack message with a slash command to log it. The logging bot then took the message and sent it to the logging server. This message was logged and executed on the logging server, exploiting the Log4shell vulnerability. No exploits have been found in the wild at the time of this blog.

While this specific exploitation setup would be hard to execute in the wild (a malicious actor would need access to the target enterprise through Slack Connect and knowledge of the target enterprise’s Slack Slash Commands), it does show that by logging messages from Slack, and potentially other messaging applications, you may be exposed to the Log4shell vulnerability.

The D7 team also noted that several of these logging setups have to be custom-crafted by information technology experts, and as such they may not have the benefit of automatic or notified updates. Additionally, if they were custom-crafted by one or two individuals in a company, they may be overlooked or forgotten, as only a couple of people know about them. This problem could be exacerbated further if the employees who implemented or knew about the logging service are no longer with the company.

These message logging servers also tend to house highly sensitive and potentially damaging information that would appeal to a wide variety of actors.

  • Ideologically motivated actors might target organizations to expose damaging private conversations.
  • Cyber criminals could target financial organizations for insider information that could benefit stock trades.
  • Espionage actors might target competitive companies or government contractors to gain secrets shared in chat for a competitive advantage.

In response to this, the SafeGuard Cyber D7 team stresses the following for enterprises using messaging applications:

  • Review your enterprise messaging applications for any compliance-requested message logging (realizing that this may require more than simply asking).
  • If you find any logging servers, test them with the Log4Shell Vulnerability Tester from Huntress.
  • Isolate and patch any vulnerable logging servers.
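
To support the review step on a logging host you have found, the following added example (not SafeGuard Cyber's tooling and not code from the original post) inventories every copy of log4j-core under a directory, including copies bundled inside other archives, and flags versions in the 2.0-beta9 to 2.14.1 range stated above. The function names are hypothetical, and the script assumes the JAR still carries its Maven `pom.properties` metadata; it applies only the range given in this post, so treat a match as a prompt to check the vendor advisory.

```python
import contextlib, io, os, re, sys, zipfile

# Maven metadata that log4j-core carries inside its JAR; it survives renaming the file.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?")
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # pre-releases sort before the final release

def version_key(version):
    """Turn '2.0-beta9' or '2.14.1' into a tuple that compares in release order."""
    m = _VER.match(version.strip())
    if not m:
        return None
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch or 0), _STAGE[stage], int(n or 0))

LOW, HIGH = version_key("2.0-beta9"), version_key("2.14.1")  # range stated in the post

def in_vulnerable_range(version):
    key = version_key(version)
    return key is not None and LOW <= key <= HIGH

def scan_archive(data, label):
    """Return [(location, version)] per log4j-core found; nested archives are opened,
    unreadable ones are skipped."""
    hits = []
    with contextlib.suppress(zipfile.BadZipFile), zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == POM:
                m = re.search(r"^version=(.+)$", zf.read(name).decode("utf-8", "replace"), re.M)
                if m:
                    hits.append((label, m.group(1).strip()))
            elif name.lower().endswith(ARCHIVES):
                hits += scan_archive(zf.read(name), f"{label}!{name}")
    return hits

def scan_tree(root):
    """Walk a directory and return [(location, version, in_range)] for every log4j-core copy."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in (x for x in files if x.lower().endswith(ARCHIVES)):
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                hits = scan_archive(fh.read(), path)
            findings += [(loc, ver, in_vulnerable_range(ver)) for loc, ver in hits]
    return findings

if __name__ == "__main__":
    for loc, ver, vuln in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'IN RANGE' if vuln else 'ok':<9}{ver:<14}{loc}")
```

Run it with the logging service's install directory as the only argument; it reads files and changes nothing.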

The D7 team utilized public resources provided by Lunasec and Huntress in their testing of the attack method.