April 1, 2023

Log4Shell, the critical unauthenticated remote code execution vulnerability identified in early December 2021 in the Apache Log4j logging utility, hasn’t seen the mass exploitation that many expected, but an exploit for it is now part of the Mirai botnet’s arsenal, researchers warn.

Both cybercriminals and nation-state threat actors have been observed exploiting the security bug – which is tracked as CVE-2021-44228 – in their attacks, including in assaults targeting industrial organizations.

Advertisements

Despite that, no mass exploitation of the vulnerability has been observed to date, most likely because the industry jumped into action and took the necessary steps to address or mitigate Log4Shell and the remaining security issues identified in Log4j over the past two months.

With more threat actors adding exploits to their arsenals, exploitation of the Log4j vulnerabilities is expected to continue.

Recently, even malware spreading the Mirai botnet well known for being used to launch massive, distributed denial of service (DDoS) attacks  was observed packing code designed to exploit Log4Shell (CVE-2021-44228).

An examination of a recently captured ARM binary revealed the adaptation of CVE-2021-44228 to infect and assist in the proliferation of malware used by the Mirai botnet. This vulnerability impacts multiple versions of Log4j and the applications that depend on it. These include Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and many others. The exploit appears designed to specifically target devices from Zyxel, which has already confirmed impact from the vulnerability.

Advertisements

One of the observed samples was designed to scan for many devices vulnerable to remote code execution, while a second one dropped these functions in favour of Log4j exploitation. The standard Mirai attack functions were still present in it.

Indicators of Compromise

  • 3d604ebe8e0f3e65734cd41bb1469cea3727062cffc8705c634558afa1997a7a
  • 02fffc6b4fbb0b7994ae4d5a9010cb93617113dbbef694d873e062476f155520
  • 8d80490b35ebb3f75f568ed4a9e8a7de28254c2f7a6458b4c61888572a64197e
  • 80e89d07d7fd35bda93fd2dc03a93fe2bfb5a3a53ef0ab7c97694cfa935cbb6c
  • 3d604ebe8e0f3e65734cd41bb1469cea3727062cffc8705c634558afa1997a7a
  • 8d80490b35ebb3f75f568ed4a9e8a7de28254c2f7a6458b4c61888572a64197e
  • 212.192.216.46
  • 179.43.175.101
Tags:

Leave a Reply

You may have missed

Cylance Ransomware Dissection

Cylance Ransomware Dissection

April 1, 2023
WordPress Elementor Pro Plugin Vulnerability

WordPress Elementor Pro Plugin Vulnerability

April 1, 2023
QNAP Critical Sudo Vulnerability

QNAP Critical Sudo Vulnerability

March 31, 2023
AlienFox Malware Toolset -SwissArmy Knife

AlienFox Malware Toolset -SwissArmy Knife

March 31, 2023
3CX Application Malvertised

3CX Application Malvertised

March 31, 2023
Microsoft Azure Super FabriXss Bug

Microsoft Azure Super FabriXss Bug

March 31, 2023
%d bloggers like this: