Monday, May 20, 2024

Log4Shell flaw: Still being used for crypto mining, botnet building… and Rickrolls

Log4Shell is still a threat; however, the flaw is currently mostly being used for crypto mining and knocking websites offline.

Nearly three months on, at the time of writing, Log4Shell, the critical bug in Apache’s widely used Log4j project, hasn’t triggered the disaster that was feared, but it is still being exploited, predominantly from cloud-hosted machines in the US.

The Log4Shell vulnerability came to light in December and sparked concern that it would be exploited by attackers because it was relatively easy to do and because the Java application logging library is embedded in many different services.

Microsoft has observed Log4Shell being used by both state-sponsored and criminal attackers, but early on found it was mostly being used for coin mining and ransomware. It advised customers to “assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments.”

The Cybersecurity and Infrastructure Security Agency warned that, while it hadn’t seen any major breach happen due to the flaw, attackers might be waiting to use access gained through Log4Shell until alert levels fall. Oracle, Cisco, IBM and VMware have spent the past two months releasing patches for affected software.

Barracuda Networks, a maker of network security appliances, has now said that Log4Shell attacks are continuing at consistent levels. However, it hasn’t found evidence of an onslaught of attacks.

“The majority of attacks came from IP addresses in the U.S., with half of those IP addresses being associated with AWS, Azure and other data centers. Attacks were also being sent from Japan, Germany, Netherlands, and Russia,” it notes.


It adds that these IP addresses are linked to scans and attempted intrusions, which means the scans could be from either researchers or attackers.

The payloads range from trivial internet memes to the somewhat more serious category of crypto-mining malware, which uses another person’s hardware to perform the computations that earn the attacker cryptocurrency such as Monero.

One, for example, attempts to deliver a “relatively benign (or depending on your viewpoint, very annoying) payload” in the form of a YouTube video that plays Rick Astley’s “Never Gonna Give You Up.”

“I do wonder if anyone was actually Rick-Rolled by this one. It is, as noted earlier, a benign payload in my opinion, but one that will get you patching very quickly!” says Barracuda’s Tushar Richabadas.

Other notable malware it reports being used in connection with Log4Shell includes the distributed denial of service (DDoS) malware called BillGates. It’s an old piece of malware that has no connection with Microsoft’s co-founder and that targets Linux machines. Log4Shell has also been used to deploy the Mirai DDoS malware, which is often used in conflicts between online gamers.

Barracuda has also seen Log4Shell being used to deploy the crypto miners Kinsing and XMRig, as well as the Muhstik DDoS malware.

Overall, Barracuda’s report suggests the threat level from Log4Shell is unchanged from what it was in January.

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher and analyst from Scotland, UK. I've had an avid interest in computers, technology and security since my early teens. 20 years on, and it's a whole lot more complicated... I've assisted governments, individuals and organizations throughout the world, including the US DOJ, NHS UK and GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, you'll also find a variety of write-ups, tutorials and much more!
