The trouble and the chaos that the Log4j vulnerability caused keeps going. The flaw emerged, its mitigation guidance shared by CISA. Then a patch was released by Apache which is incomplete. Lastly, Log4j 2.16.0 has been released, disabling features that are the heart of the flaw. Currently, 2.16.0 seems to be safe.
- Related: How to scan your server to detect Log4j (Log4Shell) vulnerability
- You can also check the full list of the affected apps or systems, constantly updating, here.
While the corporations fix their systems, threat actors are exploiting unpatched systems in different ways. Most of the attacks were using the LDAP service to target Log4j. It is now being observed that they have switched from LDAP (Lightweight Directory Access Protocol) callback URLs to RMI (Remote Method Invocation) API. Some of them even used them both in a single request to increase the chance of success. The full documentation that Juniper released can be seen here.
Some of the actors have been detected injecting Monero miner software into the systems. Monero miner uses system resources to “mine” Monero cryptocurrency, which goes into the hijackers’ crypto wallet, later to be exchanged into other currencies. This is considered one of the most innocent outcomes that actors can achieve since it is not going to harm anyone.
The recently released patch for Log4j, 2.16.0 is the only feasible way to defend against the attackers. It is also advised to keep an eye on Apache’s security section and take the needed actions immediately.
- Two new vulnerabilities are found on Log4j, only one of them is fixed yet
- CISA published an emergency directive for Log4j
- Google joining the war against Log4j exploits
- A third, new Apache Log4j vulnerability is discovered
- How to scan your server to detect Log4j (Log4Shell) vulnerability
- The Log4j flaw is patched but it is still vulnerable
- CISA published Log4j vulnerability guidance
- Zero-day Apache Log4j RCE vulnerability (Log4Shell) is being exploited