Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

MobileIron Users Targeted in Log4Shell Attacks as Exploit Activity Surges

Log4Shell Attacks Can Be Launched by Luring Targets to Malicious Website

Log4Shell Attacks Can Be Launched by Luring Targets to Malicious Website

Customers of the MobileIron security and endpoint management product are being targeted in Log4Shell attacks, just as researchers identify new attack vectors and Cloudflare reports a surge in exploit activity.

Ivanti, which owns MobileIron, has informed customers that the MobileIron Core, Sentry and Core Connector products are affected by the recently disclosed Log4j vulnerability tracked as CVE-2021-44228, Log4Shell and LogJam. The vendor provided mitigations and warned that “the risk associated with CVE-2021-44228 is High because these products sit in the DMZ and are vulnerable to a RCE attack due to the CVE.”

The Log4Shell flaw has been exploited by both profit-driven cybercriminals and state-sponsored groups, including ones linked to China, Iran, North Korea and Turkey.

NCC Group’s researchers have seen attacks aimed at MobileIron users — the company had seen 5 instances in its customer base as of December 15. The attacks appear to rely on a Log4Shell payload aimed at MobileIron that was made public this week.

There are more than 4,600 MobileIron instances exposed to the internet, mainly in the United States and Germany.

Cloudflare reported that overall Log4Shell activity surged on December 16, with well over 100,000 attacks per minute at certain times — this includes both actual exploitation attempts and scanning for vulnerable systems.

On the other hand, threat intelligence company GreyNoise reported seeing a drop in the number of unique IP addresses scanning for the Log4j vulnerability. The company has published a graph showing activity by both researchers and other actors.

Log4Shell attack IPs

New attack vectors and shifting focus to other protocols

Exploitation of the Log4Shell vulnerability involves sending a specially crafted request to the targeted system. The request generates a log using Log4j, which leverages the Java Naming and Directory Interface (JNDI) lookup feature to perform a request to an attacker-controlled server, from which a malicious payload is fetched and executed.

Log4j developers have disabled access to JNDI by default in response to the risk posed by this functionality.

In most cases, the vulnerability has been exploited using the Lightweight Directory Access Protocol (LDAP) service, but there are several other protocols that can be — and have been — abused as well.

Fastly has also seen a surge in attacks this week and noted that while attackers still mainly focus on LDAP, a significant percentage leverages Remote Method Invocation (RMI). Juniper Networks reported that attackers had started shifting focus from LDAP to RMI.

Another important finding comes from Blumira, whose researchers have found a way to exploit the Log4Shell vulnerability by getting the target to access a specially crafted website. For the time being, there is no evidence that this method has been used for malicious purposes.

“Previously, we understood that the impact of Log4j was limited to vulnerable servers,” Blumira explained. “This newly-discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability.”

Related: Log4Shell Tools and Resources for Defenders – Continuously Updated

Related: Industry Reactions to Log4Shell Vulnerability (12/15/2021)

Related: Industrial Organizations Targeted in Log4Shell Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.