Log4Shell, a zero-day exploit unveiled to the public late last week, is now putting most of the internet on fire. Researchers spotted that several threat actors actively exploit this bug for various reasons.
Few among them are scanning the web for vulnerable servers to exfiltrate data, installing malware for running cryptocurrency miners, and even compromising the IoT devices to pull them into a botnet. A patch is available from the vendor and is recommended to apply immediately.
Log4Shell Exploits in Wild
Like BlueKeep and SolarWinds campaigns, we are now starting to see a big wave of cyberattacks based on the recently unveiled Log4j security vulnerability. Named as the Log4Shell, this was discovered by the Alibaba Cloud Security Team last week with the proof-of-concept exploit published openly.
This led many security researchers and threat actors to jump in with their personal reasons for exploiting. For example, as noted by BleepingComputer, several researchers and threat actors are actively scanning the web for Log4j vulnerable servers and are deploying malware for installing cryptocurrency miners!
They’ve found a Kinsing backdoor and crypto-mining botnet that’s exploiting the Log4j bug with Base64 encoded payloads to execute shell scripts and codes, which remove any existing malware in the system and install their cryptocurrency miner.
Also, there’s a report from Netlab 360 that threat actors exploit vulnerable servers to install Mirai and Muhstik malware, whose job is to compromise and add as many IoT devices and servers to their botnets. These will, in return, be used for deploying cryptominers or conducting large-scale DDoS attacks.
Microsoft’s Threat Intelligence Center too noted attacks against servers with Log4j vulnerabilities, where the threat actors were dumping Cobalt Strike beacons to remote network surveillance and executing further commands.
At last, security researchers are scanning and exploiting vulnerable Log4j bugged servers for bug bounties and exposing the weakness of particular companies. They’re forcing the servers to access URLs or perform DNS requests for callback domains. Some of them include:
interactsh.com
burpcollaborator.net
dnslog.cn
bin${upper:a}ryedge.io
leakix.net
bingsearchlib.com
205.185.115.217:47324
bingsearchlib.com:39356
canarytokens.comApache software foundation, the Log4j Java logging package maker, has recently released a patched version of this software. Yet, many are unaware of the exploitations in the wild and are falling prey to hackers. So it’s strongly recommended to update the systems as soon as possible to remain secure.
