Home News Hackers Actively Exploit Log4Shell Flaw in Apache Log4j

Hackers Actively Exploit Log4Shell Flaw in Apache Log4j

The remote code execution (RCE) vulnerability ‘Log4Shell’ in the Apache Log4j library allows attackers to execute arbitrary code and take full control of the vulnerable devices.

Log4Shell

Log4Shell, a severe zero-day vulnerability in Apache Log4j library, sheds light on the risky practices of organizations relying on open-source code libraries to build enterprise-scale applications. The remote code execution (RCE) vulnerability CVE-2021-44228 reportedly allows remote hackers to execute arbitrary code and take full control of the vulnerable devices.

Apache Log4j is a popular Java logging library leveraged by numerous organizations worldwide to enable logging in a wide set of popular applications.

Security researchers from Netlab stated that adversaries are actively exploiting vulnerable servers by leveraging Log4Shell to deploy cryptocurrency miners and malware variants like Cobalt Strike.

Botnets to Exploit Log4Shell

The researchers also found threat actors using botnets like Mirai and Muhstik against vulnerable systems to spread malware and orchestrate distributed denial-of-service (DDoS) attacks.

“The Log4j vulnerability that came to light at the end of the year can undoubtedly be considered a major event in the security community. We have been concerned about which botnets would be exploiting this since the vulnerability was made public. Our Anglerfish and Apacket honeypots have caught two waves of attacks using the Log4j vulnerability to form botnets, and a quick sample analysis showed that they were used to form Muhstik and Mirai botnets respectively, both targeting Linux devices,” the researchers said.

Affected Systems Include:

Systems and services that use the Java logging library, Apache Log4j between versions 2.0 and 2.14.1. This includes many applications and services written in Java.

Mitigation

The Apache Foundation recommended that all developers and users update the library to version 2.15.0 using methods described on the Apache Log4j Security Vulnerabilities advisory to avoid hackers exploiting their servers.

If applying the patch is impossible, Apache also provided certain remediation steps in its advisory. These include:

  • For Log4j 2.10 or higher: add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to the log4j2.component.properties file on the classpath to prevent lookups in log event messages.
  • For Log4j 2.7 or higher: specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages.
  • Consider blocking LDAP and RMI outbound traffic to the internet from vulnerable servers.