Hackers Exploiting Log4j2 Vulnerability in The Wild To Deploy Ransomware

An emergency security update has been released recently by the Apache Software Foundation to fix a 0-day vulnerability in the popular Log4j logging library.

This 0-day vulnerability in Log4j was exploited by the threat actors to deploy ransomware.

The Log4j is a Java library that is widely used in business systems and web applications. The cybersecurity experts have tracked this 0-day vulnerability as CVE-2021-44228 and with the 2.15.0 release, the patch was released.

Flaw profile

This 0-day vulnerability was named as Log4Shell and achieved a score of 10 out of 10 points on the CVSS vulnerability rating scale.

This 0-day allows attackers to execute arbitrary code remotely since it’s an RCE.

• CVE ID: CVE-2021-44228
• Flaw Name: Log4Shell
• Published Date: 12/10/2021
• Last Modified: 12/14/2021
• Source: Apache Software Foundation
• Severity: Critical
• Base Score: 10.0

Log4j is a work environment for activity log in Apache that allows monitoring the activity in an application, and here to exploit the 0-day flaw an attacker had to send a piece of malicious code.

It forces Java-based applications and servers that use the Log4j library to log a specific line in their internal systems.

When an application or server processes such logs, a string can cause the vulnerable system to load and run a malicious script from the domain controlled by the attacker.

Affected Products & Projects

This 0-day vulnerability was originally discovered while searching for the bugs on the servers of Minecraft, but Log4j is present in almost all corporate applications and Java servers.

So, here we have mentioned below all the popular affected products and projects:-

• Apache Struts
• Apache Flink
• Apache Druid
• Apache Flume
• Apache Solr
• Apache Flink
• Apache Kafka
• Apache Dubbo
• Redis
• ElasticSearch
• Elastic Logstash
• Ghidra

Attackers Exploiting The Vulnerability

The 0day flaw, CVE-2021-44228 can only be exploited if the log4j2.formatMsgNoLookups parameter is set to false. Bitdefender said.

In Log4j 2.15.0 release this parameter is set to true, primarily to stop such attacks. 

In short, the Log4j users who have already upgraded to version 2.15.0 and then set the flag to false will again become vulnerable to these attacks, the users who have not updated the same will remain safe.

However, here the hackers exploit this 0-day vulnerability by deploying several botnets, miners, malware, and ransomware. That’s why here we have mentioned the deployments used by the hackers:-

• Muhstik Botnet
• XMRIG miner
• Khonsari (New Ransomware family)
• Orcus (Remote Access Trojan)

Mitigations

Here, the cybersecurity analysts have recommended users to follow some immediate steps to mitigate this 0-day vulnerability, and here they are mentioned below:-

• To identify all systems that implement the Apache Log4j2 logging framework, conduct a comprehensive infrastructure and software application audit.
• Make sure to review all your software bills of materials, and software supply chain.
• Enforce defense-in-depth approach.
• Actively monitor the infrastructure for potential exploitation attempts.

While apart from this, with this latest update (Apache Log4j 2.16.0 update) no additional risks are posed by this vulnerability to users.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.