Skip to main content

Log4Shell attacks are spreading fast after flaw exploited

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

Days after the dangerous Log4Shell zero-day vulnerability was found in the Apache Log4j Java-based logging platform, experts have begun warning that malicious actors are already exploiting the flaw against vulnerable endpoints in various ways.

Microsoft has published a list of ways Log4Shell (tracked as CVE-2021-44228) is being used: to install malware, cryptominers, to add the devices to the Mirai and Muhstik botnets, to drop Cobalt Strike beacons, to scan for information disclosure, or for lateral movement throughout the affected network.

“At the time of publication, the vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed,” the company warned in a blog post. “Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems,” the company said.

Patches and workarounds

Log4Shell is a particularly dangerous type of vulnerability, as it can be used to deploy practically any code on the target device, by virtually all malicious actors, as the threshold to entry is quite low. Given how ubiquitous Apache’s Log4j is in Java applications, the number of vulnerable devices is quite big.

The exploit was first discovered after an unknown hacker published a Proof of Concept on a public GitHub repository. 

The flaw affects versions 2.0, up to 2.141, and although Apache has issued a patch, it’s now up to individual software makers to patch up their versions to make sure their customers remain safe. In the meantime, the vulnerability has already been successfully exploited on some Java 11 runtimes.

Those who are unable to patch up their versions immediately can also deploy a workaround, courtesy of security vendor Cybereason. The company’s tool, which can be found here, disables the vulnerability, giving customers the time needed to update to version 2.15.

Via: Bleeping Computer