Hackers Are Actively Exploiting Log4Shell Exposed Servers

The Log4j security vulnerability discovered last week is stirring the internet now. Several reports revealed that threat actors are exploiting this bug in the wild, for various malicious purposes.

Also, researchers too are scanning for vulnerable servers to exploit them for checking the strength, and for bug bounties. A patch for this bug is available already and is recommended to apply immediately.

Actively Exploiting of Log4Shell

Hackers Are Actively Exploiting Log4Shell Exposed Servers

On Friday morning last week, a security researcher from the Alibaba Cloud Security team has published a report on a critical zero-day bug available in Log4j – a Java-based logging package made by the Apache software foundation.

This is widely used by many tech companies in their regular operations, thereby exposing all of them to cyberattacks. And it’s happening as expected! As per Netlab 360, threat actors are striking Log4Shell exposed servers to install Mirai and Muhstik malware, which set backdoors in compromised IoT devices and have them included in their botnets.

This in turn will be used for performing DDoS attacks or cryptocurrency mining. In another instance, BleepingComputer noted that Kinsing hackers are setting a backdoor on compromised servers to install their cryptocurrency miners.

They initially do this through Base64 encoded payloads, which execute shell scripts and code that dethrones any existing malware from the servers and install their own miners. And then there’s Microsoft Threat Intelligence Center who discovered another group of threat actors are setting Cobalt Strike beacons in Log4Shell infected severs, for executing more commands and remote network surveillance.

And at last, there are legitimate security researchers who’re scanning the web for vulnerable Log4Shell servers, and exploit the Log4j bug to forcefully make the compromised servers access certain URLs, or perform DNS requests from the below callback domains;

interactsh.com
burpcollaborator.net
dnslog.cn
bin${upper:a}ryedge.io
leakix.net
bingsearchlib.com
205.185.115.217:47324
bingsearchlib.com:39356
canarytokens.com

These domains host next-level payloads for exploiting the server further. Apache software foundation has released a patch for this bug already, with version 2.15, but it’s the job of system admins to update their servers immediately for securing.

Other Trending News:-  News

LEAVE A REPLY

Please enter your comment!
Please enter your name here