Security researchers have warned that cyber attackers are attempting over a hundred times per minute to exploit a significant security flaw in the Java logging library Apache Log4j. The Log4j issue (also known as "Log4Shell") is a zero-day vulnerability (CVE-2021-44228) that was discovered on December 9 and has the potential to give attackers unauthorized remote code execution and access to systems.
Log4j is widely used in commercial and open-source software, including cloud platforms, online apps, and email services. This means that attempts to exploit the vulnerability could put a large range of software at risk.
Attackers are already scouring the internet for vulnerable Log4j instances, with Check Point cybersecurity analysts estimating that over 100 attempts to exploit the flaw are made every minute. Meanwhile, Sophos cybersecurity analysts say they’ve seen hundreds of thousands of attempts to remotely execute malware using the Log4j weakness in the days since it was made public, as well as scans looking for the flaw.
There are already active examples of attackers attempting to exploit Log4j vulnerabilities to install cryptocurrency-mining malware, as well as reports of several botnets, including Mirai, Tsunami, and Kinsing, attempting to exploit it.
Microsoft researchers have also issued a warning about attacks aiming to exploit Log4j flaws, including crypto-mining malware and active attempts to install Cobalt Strike on susceptible computers, which might allow attackers to steal usernames and passwords.
Cybercriminals frequently attempt to exploit newly disclosed vulnerabilities to have the best chance of exploiting them before they're remediated. In this case, however, the ubiquity of Log4j, together with the fact that many organizations may be unaware that it's part of their network, means that scanning for access may have a much larger window.
While cybercriminals aiming to exploit Log4j vulnerabilities to install crypto-mining malware may appear to be a low-level threat at first, higher-level, more serious cybercriminals may follow. The most critical action in response to this vulnerability, CVE-2021-44228, is to install the latest patches as quickly as possible, according to a warning from the UK's National Cyber Security Centre (NCSC).
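Patching quickly is only possible once you know where Log4j lives, and the article notes that many organizations do not. The following Python script is an added example (not part of the original article or of the Log4j project) that inventories `log4j-core` JARs on disk, including JARs nested inside WAR/EAR archives, and flags versions affected by CVE-2021-44228. It assumes each JAR carries the standard Maven `pom.properties` for `org.apache.logging.log4j:log4j-core`, and it treats 2.15.0 as the fixing release, with the 2.12.2 (Java 7) and 2.3.1 (Java 6) backports also counted as fixed. The sample archives it scans in `demo()` are constructed in a temporary directory and are not real Log4j builds.

```python
"""Inventory log4j-core JARs and flag versions affected by CVE-2021-44228.

Added example, not code from the original article or the Log4j project.
Assumptions: each JAR declares its version in the standard Maven
pom.properties path below; 2.15.0 is the first fixed release, with
2.12.2 and 2.3.1 as fixed backport releases for older Java runtimes.
"""
import io
import os
import re
import tempfile
import zipfile
from typing import Iterator, List, Tuple

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # first mainline log4j-core release addressing CVE-2021-44228
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable integer tuple."""
    nums = re.findall(r"\d+", text.split("-")[0])
    return tuple(int(n) for n in nums) if nums else ()


def is_affected(version: str) -> bool:
    """True if this log4j-core version is affected by CVE-2021-44228."""
    v = parse_version(version)
    if not v or v[0] != 2:
        return False  # Log4j 1.x is a different artifact and not affected by this CVE
    if v[:2] == (2, 12):
        return v < (2, 12, 2)  # Java 7 backport branch
    if v[:2] == (2, 3):
        return v < (2, 3, 1)  # Java 6 backport branch
    return v < FIXED_VERSION


def log4j_version_from_pom(pom_text: str) -> str:
    """Extract the version= line from a Maven pom.properties file."""
    for line in pom_text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return ""


def scan_archive(data: bytes, label: str) -> Iterator[Tuple[str, str]]:
    """Yield (location, version) for every log4j-core in an archive or its nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a real archive despite the extension
    with zf:
        for name in zf.namelist():
            if name == POM_PATH:
                pom = zf.read(name).decode("utf-8", "replace")
                yield label, log4j_version_from_pom(pom)
            elif name.lower().endswith(ARCHIVE_EXTS):
                # recurse into shaded/embedded archives such as WEB-INF/lib/*.jar
                yield from scan_archive(zf.read(name), f"{label}!{name}")


def scan_tree(root: str) -> List[dict]:
    """Walk a directory tree and return one finding per log4j-core occurrence."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    data = fh.read()
                for loc, version in scan_archive(data, path):
                    findings.append({"location": loc, "version": version,
                                     "affected": is_affected(version)})
    return findings


def build_sample_archive(path: str, version: str, wrap_in_war: bool = False) -> None:
    """Write a constructed sample archive (not a real Log4j build) declaring a version."""
    pom = f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as inner:
        inner.writestr(POM_PATH, pom)
    with zipfile.ZipFile(path, "w") as out:
        if wrap_in_war:
            out.writestr("WEB-INF/lib/log4j-core.jar", buf.getvalue())
        else:
            out.writestr(POM_PATH, pom)


def demo() -> List[dict]:
    """Scan a temporary tree of constructed sample archives and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_archive(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
        build_sample_archive(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0")
        build_sample_archive(os.path.join(root, "app.war"), "2.13.3", wrap_in_war=True)
        return sorted(scan_tree(root), key=lambda f: f["location"])


if __name__ == "__main__":
    for f in demo():
        status = "AFFECTED" if f["affected"] else "ok"
        print(f"{status:8} log4j-core {f['version']}  {f['location']}")
```

Point `scan_tree()` at an application or server directory to produce the inventory; a finding reported as affected is a patch target, and one reported inside a `!`-separated path is a bundled copy that the owning application, not the host package manager, needs to update.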