Cybercriminals are exploiting a critical vulnerability in Log4j, known as Log4Shell, to spread malware and to find vulnerable servers. The vulnerable library is reported to be used by thousands of applications and websites.

What has happened?

Recently, an exploit was publicly released for the Log4Shell vulnerability (CVE-2021-44228) in the Apache Log4j Java-based logging utility. Soon after, cybercriminals started abusing the flaw to spread malware.
  • The flaw allows attackers to remotely execute commands on an exposed server. To exploit it, they only need to get a specially crafted string into a value the server logs, for example by changing their browser's user agent to that string, or they scan for servers that react to it.
  • Apache has released Log4j 2.15.0 to fix the vulnerability; however, attackers were already scanning for and exploiting vulnerable servers to steal data, install malware, or take over the server.

Abusing the flaw

Just after the exploit for the vulnerability was disclosed, multiple threat actors started exploiting the flaw.
  • Cryptominers: Some groups of attackers are exploiting the vulnerability to execute shell scripts that download and install multiple cryptominers. For example, the Kinsing miner was found exploiting the flaw.
  • Botnets: Two waves of attacks were discovered using the Log4j vulnerability to build botnets. Analysis of the malware samples revealed that they were being used to form Mirai and Muhstik botnets.
  • Cobalt Strike: The Microsoft Threat Intelligence Center observed the Log4j vulnerability being exploited to drop Cobalt Strike beacons.

Concluding notes

The Log4Shell vulnerability is being actively exploited and has been widely adopted by multiple threat actors as an attack vector against enterprise networks. The first and simplest remediation is therefore to install the current version of the Log4j library, 2.15.0. Beyond that, always keep the OS and applications updated with the latest security patches.
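Upgrading to 2.15.0 presumes you know where log4j-core is deployed, and the library is frequently bundled inside application archives rather than installed on its own. The scanner below is an added example (not from the article or the Log4j project) that walks a directory tree, opens every .jar/.war/.ear, reads the Maven pom.properties marker that log4j-core ships with, looks one level into nested jars, and flags any copy older than the 2.15.0 fix named above. The run_demo() function builds constructed fixture jars in a temporary directory so the scanner can be exercised offline.

```python
import io
import os
import tempfile
import zipfile

# Path of the Maven marker that the log4j-core artifact carries in its jar.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # the fixed release named in the article


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); suffixes such as '2.0-beta9' parse as (2, 0, 0)."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def log4j_core_version(jar):
    """Return the log4j-core version found in a jar (path or file-like), else None.

    Looks at the jar itself and then one level into nested .jar members, which is
    where a .war keeps its libraries (WEB-INF/lib/...).
    """
    try:
        with zipfile.ZipFile(jar) as zf:
            names = zf.namelist()
            if POM_PROPERTIES in names:
                for raw in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                    if raw.startswith("version="):
                        return raw.split("=", 1)[1].strip()
            for member in names:
                if member.endswith(".jar"):
                    nested = log4j_core_version(io.BytesIO(zf.read(member)))
                    if nested is not None:
                        return nested
    except zipfile.BadZipFile:
        return None
    return None


def scan_for_vulnerable_log4j(root):
    """Return [(path, version)] for every archive under root holding log4j-core < 2.15.0."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            version = log4j_core_version(path)
            if version is not None and parse_version(version) < FIXED_VERSION:
                findings.append((path, version))
    return findings


def make_sample_jar(path, version, nested_in_war=False):
    """Constructed fixture: a minimal archive containing only the pom.properties marker."""
    props = f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
    if not nested_in_war:
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(POM_PROPERTIES, props)
        return
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPERTIES, props)
    with zipfile.ZipFile(path, "w") as war:
        war.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", inner.getvalue())


def run_demo():
    """Build constructed fixtures, scan them, and return [(file name, version)] flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1")
        make_sample_jar(os.path.join(tmp, "log4j-core-2.15.0.jar"), "2.15.0")
        make_sample_jar(os.path.join(tmp, "app.war"), "2.13.3", nested_in_war=True)
        with zipfile.ZipFile(os.path.join(tmp, "other-lib.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return [(os.path.basename(p), v) for p, v in scan_for_vulnerable_log4j(tmp)]


if __name__ == "__main__":
    for name, version in run_demo():
        print(f"{name}: log4j-core {version} is older than 2.15.0")
```

The marker-file approach finds the artifact as Maven shipped it; a copy that has been repackaged or shaded under another group id will not carry pom.properties at that path, so treat a clean result as a starting point rather than proof, and pair it with the software inventory your build system keeps.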

Cyware Publisher