December 1, 2023

Log4Shell, the critical unauthenticated remote code execution vulnerability identified in early December 2021 in the Apache Log4j logging utility, hasn’t seen the mass exploitation that many expected, but an exploit for it is now part of the Mirai botnet’s arsenal, researchers warn.

Both cybercriminals and nation-state threat actors have been observed exploiting the security bug – which is tracked as CVE-2021-44228 – in their attacks, including in assaults targeting industrial organizations.

Advertisements

Despite that, no mass exploitation of the vulnerability has been observed to date, most likely because the industry jumped into action and took the necessary steps to address or mitigate Log4Shell and the remaining security issues identified in Log4j over the past two months.

With more threat actors adding exploits to their arsenals, exploitation of the Log4j vulnerabilities is expected to continue.

Recently, even malware spreading the Mirai botnet well known for being used to launch massive, distributed denial of service (DDoS) attacks  was observed packing code designed to exploit Log4Shell (CVE-2021-44228).

An examination of a recently captured ARM binary revealed the adaptation of CVE-2021-44228 to infect and assist in the proliferation of malware used by the Mirai botnet. This vulnerability impacts multiple versions of Log4j and the applications that depend on it. These include Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and many others. The exploit appears designed to specifically target devices from Zyxel, which has already confirmed impact from the vulnerability.

Advertisements

One of the observed samples was designed to scan for many devices vulnerable to remote code execution, while a second one dropped these functions in favour of Log4j exploitation. The standard Mirai attack functions were still present in it.

Indicators of Compromise

  • 3d604ebe8e0f3e65734cd41bb1469cea3727062cffc8705c634558afa1997a7a
  • 02fffc6b4fbb0b7994ae4d5a9010cb93617113dbbef694d873e062476f155520
  • 8d80490b35ebb3f75f568ed4a9e8a7de28254c2f7a6458b4c61888572a64197e
  • 80e89d07d7fd35bda93fd2dc03a93fe2bfb5a3a53ef0ab7c97694cfa935cbb6c
  • 3d604ebe8e0f3e65734cd41bb1469cea3727062cffc8705c634558afa1997a7a
  • 8d80490b35ebb3f75f568ed4a9e8a7de28254c2f7a6458b4c61888572a64197e
  • 212.192.216.46
  • 179.43.175.101
Tags:

Leave a Reply

You may have missed

TheCyberThrone Security Week In Review – November 25, 2023

November 30, 2023

BlueVoyant Acquires Conquest Cyber

November 30, 2023

Google Fixes Sixth Chrome ZeroDay of 2023

November 29, 2023

Ardent Health Services affected by a cyber incident

November 29, 2023

GE and DARPA – Claimed Hack raises concerns

November 28, 2023

POC released for Splunk Enterprise Vulnerability- CVE-2023-46214

November 28, 2023
%d bloggers like this: