Cyber attackers are making over a hundred attempts to exploit a critical security vulnerability in Java logging library Apache Log4j every minute, security researchers have warned.
The Log4j flaw (also now known as “Log4Shell”) is a zero-day vulnerability (CVE-2021-44228) that first came to light on December 9, with warnings that it can allow unauthenticated remote code execution and access to servers.
Log4j is used in many forms of enterprise and open-source software, including cloud platforms, web applications and email services, meaning that there’s a wide range of software that could be at risk from attempts to exploit the vulnerability.
Attackers are already attempting to scan the internet for vulnerable instances of Log4j, with cybersecurity researchers at Check Point warning that there are over 100 attempts to exploit the vulnerability every minute.
Meanwhile, cybersecurity researchers at Sophos have warned that they’ve detected hundreds of thousands of attempts to remotely execute code using the Log4j vulnerability in the days since it was publicly disclosed, along with scans searching for the vulnerability.
There are already active examples of attackers attempting to leverage Log4j vulnerabilities to install cryptocurrency-mining malware, while there also reports of several botnets, including Mirai, Tsunami, and Kinsing, that are making attempts to leverage it.
Researchers at Microsoft have also warned about attacks attempting to take advantage of Log4j vulnerabilities, including a range of cryptomining malware, as well as active attempts to install Cobalt Strike on vulnerable systems, something that could allow attackers to steal usernames and passwords.
It’s common for cyber criminals to make efforts to exploit newly disclosed vulnerabilities in order to have the best chance of taking advantage of them before they’re remediated – but in this case, the ubiquity of Log4j and the way many organisations may be unaware that it’s part of their network, means there could be a much larger window for attempts to scan for access.
And while cyber criminals attempting to leverage Log4j vulnerabilities to install cryptomining malware might initially appear to be a relatively low level threat, it’s likely that higher level, more dangerous cyber attackers will attempt to follow.
“I cannot overstate the seriousness of this threat. On the face of it, this is aimed at cryptominers but we believe this creates just the sort of background noise that serious threat actors will try to exploit in order to attack a whole range of high-value targets such as banks, state security and critical infrastructure,” said Lotem Finkelstein, director of threat intelligence and research for Check Point.
The severity of the vulnerability in such a widely used library means that organisations and technology vendors are being urged to counter the threat as soon as possible.
“In the case of this vulnerability CVE-2021-44228, the most important aspect is to install the latest updates as soon as practicable,” said an alert by the UK’s National Cyber Security Centre (NCSC).
While the Log4j security issue only recently came to light, evidence suggests that attackers have been exploiting the vulnerability for some time before it was publicly disclosed.