[MART] - Daily Diary #410 - Log4j's Flaw Activities Spotted Prior To Disclosed Date

CTAS-MAT ctas-mat at appgate.com
Mon Dec 13 19:09:22 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

12/13/2021 - Diary entry #410:

Continuing our last Daily Diary (#409) about the Log4j vulnerability, today we are going to cover threat actors, including two Linux botnets, that already are exploiting the vulnerability in the wild. One of them was exploring it days before public disclosure, starting on December 1st.

The first botnet, disclosed in 2018, called Muhstik, has a backdoor module that adds an SSH public key into the victim's authorized keys. It allows an attacker to directly log into the server, remotely and without authentication. The second botnet is a variant of the well-known threat, Mirai. This variant removed some mirai-specific configuration management functions and used an uncommon ".uy" top-level domain for the C2 infrastructure.

Besides those botnets, other threat actors were spotted scanning the vulnerability before December 10, when it was disclosed publicly. Exploitation and post-exploitation activities were also observed, including the deployment of cryptocurrency miners and Cobalt Strike beacons used to exfiltrate data from compromised systems.

Critical and easy-to-exploit RCE vulnerabilities like Log4j's are widely targeted by threat actors. Although a patch was already released by Apache Foundation, Log4j is widely used by uncounted applications, posing a huge risk since it was being exploited more than a week before public disclosure.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20211213/f9f4ce97/attachment.htm>

More information about the MART mailing list