<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>

</head>

<body dir="ltr">

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

Hello,

<div><br>

</div>

<div>I hope everyone is doing well!</div>

<div><br>

</div>

<div>Below is the entry for today.</div>

<div><br>

</div>

<div>12/13/2021 - Diary entry #410:</div>

<div><br>

</div>

<blockquote style="margin-top:0;margin-bottom:0">

<div>Continuing our last Daily Diary (#409) about the Log4j vulnerability, today we are going to cover threat actors, including two Linux botnets, that already are exploiting the vulnerability in the wild. One of them was exploring it days before public disclosure,

 starting on December 1st.

<div><br>

</div>

<div>The first botnet, disclosed in 2018, called Muhstik, has a backdoor module that adds an SSH public key into the victim's authorized keys. It allows an attacker to directly log into the server, remotely and without authentication. The second botnet is a

 variant of the well-known threat, Mirai. This variant removed some mirai-specific configuration management functions and used an uncommon ".uy" top-level domain for the C2 infrastructure.</div>

<div><br>

</div>

<div>Besides those botnets, other threat actors were spotted scanning the vulnerability before December 10, when it was disclosed publicly. Exploitation and post-exploitation activities were also observed, including the deployment of cryptocurrency miners and

 Cobalt Strike beacons used to exfiltrate data from compromised systems.</div>

<div><br>

</div>

Critical and easy-to-exploit RCE vulnerabilities like Log4j's are widely targeted by threat actors. Although a patch was already released by Apache Foundation, Log4j is widely used by uncounted applications, posing a huge risk since it was being exploited more

 than a week before public disclosure.<br>

</div>

</blockquote>

<div><br>

</div>

Kind Regards,<br>

</div>

<div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

<br>

</div>

<div id="Signature">

<div>

<div></div>

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">

<table style="font-size:medium; font-family:"Times New Roman"">

<tbody>

<tr>

<td style="width:180px" align="left">

<table width="120" align="left">

<tbody>

<tr>

<td colspan="3" align="center"><a href="https://www.appgate.com/" target="_blank" rel="noopener noreferrer" style="margin:0px"><img style="margin:0px" width="120" height="30" src="https://d3aafpijpsak2t.cloudfront.net/images/Signature/logo@2x.png"></a></td>

</tr>

<tr>

<td colspan="3" align="center"> </td>

</tr>

<tr>

<td width="37%" align="center"><a href="https://www.linkedin.com/company/appgate-security/" target="_blank" rel="noopener noreferrer" style="margin:0px"><img style="margin:0px" width="18" height="18" src="https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png"></a></td>

<td width="28%"><a href="https://twitter.com/AppgateSecurity" target="_blank" rel="noopener noreferrer" style="margin:0px"><img style="margin:0px" width="20" height="18" src="https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png"></a></td>

<td width="35%"><a href="https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ" target="_blank" rel="noopener noreferrer" style="margin:0px"><img style="margin:0px" width="26" height="18" src="https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png"></a></td>

</tr>

</tbody>

</table>

<p style="margin-top:0px; margin-bottom:0px"> </p>

</td>

<td colspan="2" rowspan="2" style="width:350px">

<p style="color:rgb(12,12,12); font-size:13px; font-family:Arial,Helvetica,sans-serif; margin-top:0px; margin-bottom:0px">

<strong>Felipe Tarijon de Almeida</strong><br>

Malware Analyst<br>

<strong>Appgate</strong></p>

<p style="color:rgb(12,12,12); font-size:13px; font-family:Arial,Helvetica,sans-serif; margin-top:0px; margin-bottom:0px">

E:<span style="margin:0px"> <a href="mailto:felipe.tarijon@appgate.com" title="mailto:felipe.tarijon@appgate.com">

felipe.tarijon@appgate.com</a></span><br>

O:<span> </span><span style="margin:0px; background-color:white">+55 11 97467 9549</span></p>

</td>

</tr>

</tbody>

</table>

<br>

</div>

</div>

</div>

</div>

</body>

</html>