Russian Cyberspy Groups Start Exploiting Log4Shell Vulnerability

Severity of Second Log4j Vulnerability Increased to Critical 

Russia has been added to the list of nation states targeting the recently disclosed Log4Shell vulnerability, with exploitation attempts linked to several of the country’s cyberespionage groups.

Exploitation of the Log4j vulnerability tracked as CVE-2021-44228, Log4Shell and LogJam started in early December, with initial attack reports describing activity associated with profit-driven cybercriminals delivering cryptocurrency miners, DDoS malware, ransomware and other malicious programs.

Then, on December 14, Mandiant reported seeing Chinese and Iranian state-sponsored threat actors exploiting the Log4Shell flaw. The next day, Microsoft said it had observed activity that it had connected to China, Iran, North Korea and Turkey.

On Friday, cybersecurity rating and risk management company SecurityScorecard reported seeing reconnaissance activity apparently linked to Chinese and Russian APTs. In the case of China, the company named APT10, and in the case of Russia it mentioned APT28, Turla, Ursnif and Grizzly Steppe.

Interestingly, SecurityScorecard’s analysis also showed IP addresses that were previously tied to Drovorub domains. Drovorub is a mysterious piece of malware that U.S. intelligence agencies linked to Russia’s APT28 in the summer of 2020. The NSA and FBI issued a warning at the time, but as of February 2021 none of the major cybersecurity firms contacted by SecurityWeek had found any actual samples of the malware.

In addition to cyberspy groups, Advintel reported that the notorious Conti ransomware group had been leveraging Log4Shell against VMware vCenter servers for lateral movement.

CVE-2021-45046 becomes critical

CVE-2021-44228 was patched on December 6 with the release of Log4j 2.15.0. However, it was soon discovered that the fix was incomplete in certain non-default configurations, and exploitation could still lead to denial-of-service (DoS) attacks “or worse.”

A new CVE identifier, CVE-2021-45046, was assigned to this issue, and another round of updates was released — versions 2.12.2 and 2.16.0 — to patch this vulnerability and disable access to the functionality abused in attacks.

CVE-2021-45046 was initially assigned a CVSS score of 3.7, but after further analysis it has been assigned a CVSS of 9, which makes it “critical severity.” Its severity rating was upgraded after researchers discovered that its exploitation could lead to information leaks, local code execution and remote code execution.

Cloudflare said on Wednesday that it had seen exploitation attempts targeting CVE-2021-45046. SecurityWeek reached out to the company on Friday for more information on these attacks, but the company could not share any data.

On Thursday, Cloudflare reported a surge in Log4Shell attacks, with the company seeing more than 100,000 attempts per minute during certain times of day.

It’s worth noting that log4j 2.16.0 patches both CVE-2021-44228 and CVE-2021-45046 — affected organizations are advised to update the logging utility to this version.
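Since the article's remediation advice comes down to "find every log4j-core and make sure it is 2.16.0, or 2.12.2 on the 2.12 line", the following is an added example (not SecurityWeek's or the Log4j project's code) of how a defender might inventory jars on a host and flag the ones still below those versions. It treats 2.15.0, the first and incomplete fix, as still affected, and reads the version from the jar's Maven `pom.properties` with the file name as a fallback. The directory layout and the sample jars it builds are constructed for the demo.

```python
"""Added example, not SecurityWeek's code: walk a directory tree, find
log4j-core jars, and report which ones are below the versions the article
names as fixed for CVE-2021-44228 and CVE-2021-45046 (2.16.0, or 2.12.2 on
the 2.12 line). Paths and sample jars here are constructed for the demo."""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Iterator, Optional, Tuple

# Fixed versions as stated in the article.
FIXED_MAIN = (2, 16, 0)   # main line
FIXED_2_12 = (2, 12, 2)   # 2.12.x line

# Maven metadata that log4j-core jars carry; the version lives here.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+\.\d+\.\d+)\.jar$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' into (2, 14, 1); raise on anything unexpected."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_fixed(version: str) -> bool:
    """True if this log4j-core 2.x version is at or above the fixed release.
    The 2.12 line is compared against 2.12.2, everything else against 2.16.0,
    so 2.15.0 (the incomplete first fix) is reported as still affected."""
    v = parse_version(version)
    if v[0] != 2:
        return False  # outside 2.x this check cannot vouch for it; report for review
    if v[:2] == (2, 12):
        return v >= FIXED_2_12
    return v >= FIXED_MAIN


def log4j_core_version(jar: Path) -> Optional[str]:
    """Read the log4j-core version from a jar's Maven pom.properties,
    falling back to the file name; None if it isn't a log4j-core jar."""
    try:
        with zipfile.ZipFile(jar) as zf:
            if POM_PROPS in zf.namelist():
                text = zf.read(POM_PROPS).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        return None
    m = NAME_RE.search(jar.name)
    return m.group(1) if m else None


def scan(root: Path) -> Iterator[Tuple[Path, str, bool]]:
    """Yield (jar path, version, fixed?) for every log4j-core jar under root."""
    for jar in sorted(root.rglob("*.jar")):
        version = log4j_core_version(jar)
        if version is not None:
            yield jar, version, is_fixed(version)


def make_sample_jar(directory: Path, version: str, with_metadata: bool = True) -> Path:
    """Constructed stand-in for a real log4j-core jar: a zip carrying only the
    pom.properties, or nothing but the version in its file name."""
    jar = directory / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(jar, "w") as zf:
        if with_metadata:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        else:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return jar


def demo_scan() -> dict:
    """Build a throwaway tree of constructed jars and return {file name: fixed?}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app" / "lib").mkdir(parents=True)
        make_sample_jar(root / "app" / "lib", "2.14.1")        # vulnerable
        make_sample_jar(root / "app" / "lib", "2.15.0")        # incomplete fix
        make_sample_jar(root, "2.16.0")                         # fixed
        make_sample_jar(root, "2.12.2", with_metadata=False)    # fixed, name only
        # An unrelated jar that the scan must ignore.
        with zipfile.ZipFile(root / "other.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return {jar.name: fixed for jar, _, fixed in scan(root)}


if __name__ == "__main__":
    for name, fixed in demo_scan().items():
        print(f"{'OK     ' if fixed else 'UPDATE '} {name}")
```

Run `scan(Path("/opt"))` (or whatever root holds the deployments) on a real host; anything reported as not fixed should be updated to 2.16.0 or, on the 2.12 line, 2.12.2. Note that this only sees jars lying on disk; log4j-core embedded inside fat jars or WAR files would need the same check applied to the nested archives.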

It also came to light recently that the Log4Shell vulnerability can be exploited not only by sending specially crafted requests to vulnerable servers, but also by getting the target to access a malicious website. Currently, however, there is no evidence that this method has been used for malicious purposes.

One week after Log4Shell was disclosed, a scan of enterprise cloud environments conducted by cloud security company Wiz found that only 30% of vulnerable resources had been patched.

Related: Log4Shell Tools and Resources for Defenders – Continuously Updated

Related: Industry Reactions to Log4Shell Vulnerability (12/15/2021)

Related: Industrial Organizations Targeted in Log4Shell Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
