We have learned that the Log4Shell vulnerability in Log4j software is being leveraged by attackers to deploy a variety of malware payloads, including recruiting devices into DDoS botnets and installing crypto-miners.
Although the Log4Shell vulnerabilities have been known for more than two months, Barracuda researchers analyzed the attacks and payloads detected on our systems since December 10, 2021 and found that these vulnerabilities We found that the volume of attacks attempting to exploit has remained relatively constant over the past two months, with some increases and decreases. Given the popularity of the software, the exploitability of the vulnerabilities, and the payoff when a breach occurs, we expect this attack pattern to continue, at least in the short term.
Barracuda reports that while Log4Shell’s targets have changed over the past several months, the volume of attacks has remained relatively constant.
After analyzing these attacks, Barracuda confirmed that most attacks came from U.S.-based IP addresses, followed by Japan, Central Europe, and Russia.
In December 2021, researchers discovered that Log4j version 2.14.1 and all prior versions were vulnerable to a critical zero-day remote code execution flaw called “Log4Shell”, CVE-2021-44228.
Apache, the developer of Log4j, attempted to resolve this issue by releasing version 2.15.0, but subsequent vulnerability discoveries and security gaps prevented patching until the end of the year when version 2.17.1 finally addressed all issues The situation has continued.
Barracuda says, however, that many systems continue to run older versions of common logging frameworks, leaving them vulnerable to exploitation.
Leveraged for DDoS and Mining
Barracuda researchers have discovered a variety of payloads targeting vulnerable Jog4j deployments, but at this time the majority appear to be derivatives of the Mirai botnet.
The Mirai malware targets publicly available network cameras, routers, and other devices and enlists them in a remote control botnet. Threat actors can take control of this botnet and launch DDoS attacks against specific targets, depleting resources and disrupting online services.
As the Barracuda report explains, Mirai is distributed in a variety of forms and from a variety of sources, indicating an attempt to build a massive botnet that will target victims of all sizes in the future.
The attackers behind these operations are either renting the botnet’s firepower to others or launching DDoS attacks themselves to blackmail companies
Other payloads that appear to have been dropped by recent Log4j exploits include
- BillGates malware (DDoS)
- Kinsing (crypto-miner)
- XMRig (crypto-miner)
- Muhstik (DDoS)
- Script to set miners
Barracuda analysts say they have not seen any ransomware groups exploiting publicly available VMWare installations and believe they are being used more as insider threats against already compromised networks.
For example, Conti Ransomware used the Log4j exploit to deploy laterally on a VMware vCenter installation.
The easiest way to protect yourself from this attack is to update Log4j to version 2.17.1 or later and generally keep all your web applications up to date.
Most of the devices targeted by Mirai do not have the ability to update individual packages, so you should check for updated firmware that includes the Log4j fix and apply it if available.
Barracuda reports that Log4Shell attacks have been occurring steadily, but Sophos reports a recent decline. However, all analysts agree that the threat remains.
Even as the interest of the majority of attackers wanes, some threat actors will continue to target vulnerable Log4j deployments because of their sheer numbers.
While organizations sensitive to ransomware attacks are applying security updates, neglected systems running outdated versions are prime targets for crypto-mining and DDoS attacks.