Friday, July 19, 2024
EHA

Hackers Exploiting Log4j2 Vulnerability in The Wild To Deploy Ransomware

An emergency security update has been released recently by the Apache Software Foundation to fix a 0-day vulnerability in the popular Log4j logging library.

This 0-day vulnerability in Log4j was exploited by the threat actors to deploy ransomware.

The Log4j is a Java library that is widely used in business systems and web applications. The cybersecurity experts have tracked this 0-day vulnerability as CVE-2021-44228 and with the 2.15.0 release, the patch was released.

Flaw profile

This 0-day vulnerability was named as Log4Shell and achieved a score of 10 out of 10 points on the CVSS vulnerability rating scale.

This 0-day allows attackers to execute arbitrary code remotely since it’s an RCE.

  • CVE ID: CVE-2021-44228
  • Flaw Name: Log4Shell
  • Published Date: 12/10/2021
  • Last Modified: 12/14/2021
  • Source: Apache Software Foundation
  • Severity: Critical
  • Base Score: 10.0

Log4j is a work environment for activity log in Apache that allows monitoring the activity in an application, and here to exploit the 0-day flaw an attacker had to send a piece of malicious code.

It forces Java-based applications and servers that use the Log4j library to log a specific line in their internal systems.

When an application or server processes such logs, a string can cause the vulnerable system to load and run a malicious script from the domain controlled by the attacker.

Affected Products & Projects

This 0-day vulnerability was originally discovered while searching for the bugs on the servers of Minecraft, but Log4j is present in almost all corporate applications and Java servers.

So, here we have mentioned below all the popular affected products and projects:-

  • Apache Struts
  • Apache Flink
  • Apache Druid
  • Apache Flume
  • Apache Solr
  • Apache Flink
  • Apache Kafka
  • Apache Dubbo
  • Redis
  • ElasticSearch
  • Elastic Logstash
  • Ghidra

Attackers Exploiting The Vulnerability

The 0day flaw, CVE-2021-44228 can only be exploited if the log4j2.formatMsgNoLookups parameter is set to false. Bitdefender said.

In Log4j 2.15.0 release this parameter is set to true, primarily to stop such attacks. 

In short, the Log4j users who have already upgraded to version 2.15.0 and then set the flag to false will again become vulnerable to these attacks, the users who have not updated the same will remain safe.

However, here the hackers exploit this 0-day vulnerability by deploying several botnets, miners, malware, and ransomware. That’s why here we have mentioned the deployments used by the hackers:-

  • Muhstik Botnet
  • XMRIG miner
  • Khonsari (New Ransomware family)
  • Orcus (Remote Access Trojan)

Mitigations

Here, the cybersecurity analysts have recommended users to follow some immediate steps to mitigate this 0-day vulnerability, and here they are mentioned below:-

  • To identify all systems that implement the Apache Log4j2 logging framework, conduct a comprehensive infrastructure and software application audit.
  • Make sure to review all your software bills of materials, and software supply chain.
  • Enforce defense-in-depth approach.
  • Actively monitor the infrastructure for potential exploitation attempts.

While apart from this, with this latest update (Apache Log4j 2.16.0 update) no additional risks are posed by this vulnerability to users.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles