Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Two Years On, Log4Shell Vulnerability Still Being Exploited to Deploy Malware

More than two years after the Log4j crisis, organizations are still being hit by crypto-currency miners and backdoor scripts.

More than two years after the critical Log4j zero-day sparked chaos around the world, organizations are still being hit by exploits pushing crypto-currency miners and malicious backdoor scripts.

According to researchers at Datadog Security Labs, opportunistic cybercriminals are still finding targets for ‘Log4Shell’ exploits that evade detection and plant malware scripts on unpatched corporate systems.

The Datadog discovery highlights the long tail of risk from critical vulnerabilities that remain unpatched years after fixes are available, even for remote code execution issues known to be actively exploited.

The Log4j flaw, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team in November 2021.  Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.

Nation-state APT actors linked to China, Iran, North Korea and Turkey have added exploits for the code-execution flaw into hacking toolkits and malware hunters have also spotted ransomware and botnet gangs launching Log4j malware exploits.

Security experts have warned that eradicating the problem will be a long, laborious process because of software dependencies and so-called “transitive dependencies” that make patching very difficult.

In the latest campaign, Datadog researchers discovered the attackers using obfuscated LDAP requests to evade detection, leading to the execution of malicious scripts on compromised systems.

“On July 30, 2024, one of our Confluence honeypots built with HASH received what appeared to be a traditional Log4Shell exploitation probe at a known Tor exit node. Upon further analysis, we discovered a new opportunistic campaign leading to XMRig deployment for crypto mining,” the company said.

Advertisement. Scroll to continue reading.

The attackers are also planting scripts to establish persistence, exfiltrate data, and maintain control through multiple backdoors and encrypted communication channels. 

Related: Exploits Swirling for Major Security Defect in Apache Log4j

Related: US Gov Warning: Start Hunting for Iranian APTs That Exploited Log4j

Related: Attackers Hitting VMWare Horizon Servers With Log4j Exploits

Related: Google Finds 35,863 Java Packages Using Defective Log4j

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Jill Popelka has been appointed CEO at Darktrace, after serving as COO for three months.

GitHub has appointed Alexis Wales as its new Chief Information Security Officer.

Cybersecurity and intelligence solutions provider Nightwing has appointed Christopher Jones as CTO and CDO.

More People On The Move

Expert Insights