Using InsightVM to Find Apache Log4j CVE-2021-44228

 

Description

There are many methods InsightVM can use to identify vulnerable software. Which method is best depends on the software and specific vulnerability in question, not to mention variability that comes into play with differing network topologies and Scan Engine deployment strategies. When it comes to a vulnerability like CVE-2021-44228, affecting a software library (Log4j) that is used to build other software products and may not expose its presence in an obvious way, the situation gets even more complicated. For in-depth analysis on the vulnerability and its attack surface area, see AttackerKB.

The intent of this post is to walk InsightVM and Nexpose users through how to best approach detecting exposure to Log4Shell in your environment, while providing some additional detail about how the various checks work under the hood. This post assumes you already have an operational deployment of InsightVM or Nexpose. For additional documentation on scanning for Log4j CVE-2021-44228, take a look at our docs here.

Before (or while) you scan

Even before a vulnerability check has been made available, it can be possible to get a sense of your exposure using InsightVM features such as Query Builder, or Nexpose’s Dynamic Asset Groups. Because we use generic fingerprinting techniques such as querying Linux package managers and enumerating software found in Windows Registry uninstaller keys, the software inventory for assets may include products that are not explicitly supported. Using the search predicate software.product CONTAINS log4j will show packages on Linux systems that have been installed via package managers such as rpm or dpkg.

An alternative approach to this is using an SQL Query Export using the following query:

SELECT
    da.sites AS "Site_Name",
    da.ip_address AS "IP_Address",
    da.mac_address AS "MAC_Address",
    da.host_name AS "DNS_Hostname",
    ds.vendor AS "Vendor",
    ds.name AS "Software_Name",
    ds.family AS "Software_Family",
    ds.version AS "Software_Version",
    ds.software_class AS "Software_Class"
FROM
    dim_asset_software das
JOIN
    dim_software ds USING(software_id)
JOIN
    dim_asset da ON da.asset_id = das.asset_id
WHERE
    ds.software_class like'%'
  AND
    ds.name ilike '%log4j%'
ORDER BY
    ds.name ASC

Authenticated and agent-based assessments

The most reliable way to find vulnerable instances of CVE-2021-44228 is via our authenticated checks (check IDs: apache-log4j-core-cve-2021-44228, apache-log4j-core-cve-2021-44228-2_16), which perform a complete filesystem search for JAR files matching log4j-core.*.jar. The authenticated checks support both Linux and Windows scanning as of version 6.6.121 released December 17, 2021. Note: Searching entire file systems across Windows assets is an intensive process that may increase scan time and resource utilization. To allow this, you can enable Windows file system searching in the scan template in order to use the authenticated check for Log4j on Windows systems.

In addition to enabling Windows file system search, WMI must be enabled for the authenticated check to run in Windows environments. The check looks for Log4j version information in the JAR filename. On Linux systems, when the unzip command is available, that command is used to extract the version from the JAR’s manifest file. There is also a fallback mechanism that allows the scanner to attempt to extract the version information from the filename. Customers should ensure they are running version 6.6.121 of the Scan Engine and Console.

For the find command to run and locate vulnerable JARs, scans must be configured with root credentials (either directly or via a privilege elevation mechanism) in the Site Configuration interface. On Windows systems, scans should run with local administrator privileges for the most comprehensive results.

Windows scanning functionality requires product version 6.6.121 or later. Insight Agent collection on Windows for Log4j has begun rolling out in version 3.1.2.38 as of December 17, 2021. It will take several days for this roll-out to complete. If you are using the Insight Agent to assess your assets for vulnerabilities and you are not yet on version 3.1.2.38, you can uncheck the “Skip checks performed by the Agent” option in the scan template to ensure that authenticated checks run on Windows systems. Use the Agent Management interface to determine the version of the Agent being used in your environment.

Read more about scanning for Log4Shell here or visit our Customer Resource Center.

Remote scanning

IMPORTANT: For the unauthenticated remote check to correctly identify log4shell occurrences in your environment, target assets must be able to communicate back to your scan engine on port 13456.

A remote (unauthenticated) check for CVE-2021-44228 was published in a content release on December 12 9pm ET with Check ID apache-log4j-core-cve-2021-44228-remote. This check is platform-independent (will work against Linux, Windows, and other operating systems) and works as follows:

• IF any of the following TCP ports are found open: 80, 443, 8080, 8888 — or, alternatively, if: Nmap service fingerprinting detects HTTP or HTTPS running (note that enabling Nmap service fingerprinting may negatively impact scan times)
• THEN the Scan Engine will attempt to exploit the vulnerability and make the scan target open a connection to the Engine on port 13456.
• The Engine does not open a TCP listener but does a packet capture to identify connection attempts against 13456/TCP. If a connection attempt to the Engine is detected, this indicates that the target is vulnerable, and the check will fire accordingly. No data is returned from the scanned asset itself; the Engine is only monitoring for connection attempts, and not any additional data.
• This approach relies on bi-directional networking and requires the scan engine and scan target to be able to “talk” to each other. In some cases, such as scanning through a VPN, NAT, or firewall, that required bi-directional networking is not available.

Further information on enabling bi-directional communication

1. Create a rule in your firewall (or Layer 3 switch) to allow your Windows Asset / Network Segment (so in this case 192.169.1.10) to respond BACK to your Scan Engine (10.10.190.4) on TCP 13456.
   Source 192.168.1.10 Service TCP 13456 Destination 10.10.190.4
2. You should already have a Rule from your Scan Engine to allow scan on ports 80,443,8080 and 8888 to your Windows Asset / Network Segment.
   Source 10.10.190.4 Service 80/443/8080/8888 Destination 192.168.1.255
3. If you are not seeing any response back or seeing that you are finding ZERO vulnerabilities it is very possible that the issue is with the firewall rule (or network configuration). Check your firewall logs for any drops from the Windows Asset on Port 13456 attempting to talk to your Scan Engine. Also make sure that your Scan Engine is allowed to make the request to your Network Segments on ports 80,443,8080,8888 to initialize the trap/attack.

Product-based checks

We know that many downstream vendors will issue security advisories of their own in the coming days and weeks. We continue to monitor several vendors for related security advisories. We will have checks for affected products included in our recurring coverage list as vendors provide details about affected and/or fixed versions. Users can also adapt the Query Builder or SQL Export queries provided above to find products of concern in the meantime, with the caveat that they may not be visible if they use non-standard installation mechanisms.

Specific vulnerability dashboard and Log4j helpful query

Rapid7 released the Specific Vulnerability Dashboard template and the “Log4j by CVE ID” helpful query in the Query Builder on Tuesday, December 13, 2021. Our intent is to allow customers to quickly and easily report on the Log4j vulnerability. More importantly, this gives us a dashboard template that we can leverage in the event of other urgent vulnerability notices.

The Helpful Query searches a customer’s environment for Log4j via the corresponding CVE ID (not paradoxically). Users can apply this query to the Specific Vulnerability dashboard template to create a view into how their environment is being affected.

Follow these steps to create and focus this new dashboard template on Log4j.

• Navigate to the query builder.
  • Click on the add button.
  • Go to the helpful queries section and select the Log4j by CVE ID query.
    
  • Click the Select Query button.
  • Click Save As for the new query.
    • Give the query a name.
• Click the Save button.
• Go to the Dashboards page.
  • Click on the Down Arrow next to the Dashboard name.
  • Select Specific Vulnerability Dashboard.
    
  • Edit the information provided if desired
  • Click the OK button
• To filter the dashboard for Log4j
  • Click the Load Dashboard Filter button
  • Search for your saved Log4j query
  • Click on the name of the query
    

InsightVM users may also create a report that’s based on the Specific Vulnerability dashboard template and have this generated on a recurring basis (N number of days, weeks or months). Follow these steps in order to create this report.

• Navigate to the query builder.
  • Click on the Add button.
  • Go to the helpful queries section and select the Log4j by CVE ID query.
    
  • Once loaded, click the Create Report button.
  • In the report wizard, select Pre-built Reports as the report type.
    
  • From the list that appears, select Specific Vulnerability Dashboard.
    
  • Enter in the relevant information in the Configure selection.
    • Select “I want to schedule and run a recurring report” to have the report generated multiple times.
    • Click the checkbox titled “Permit users who do not have access to console,” and enter an email address or addresses to have this report automatically delivered as it’s generated.
  • Once ready, click the Save and Complete button

We hope these additions will help InsightVM users respond to the threat of Log4Shell and reduce friction in identifying its impact to their environments.

Container security

Customers who are worried about vulnerable images in their container repos have been able to scan for CVE-2021-44228 using InsightVM’s Container Security since December 10 at 2pm ET, thanks to our integration with the Snyk vulnerability database. It is also possible to rerun an assessment on any images that are particularly sensitive to be sure of up-to-date results. Retrieve results via the Container API or the Containers Dashboard:

Read More

CVE-2021-4104

 

Description

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Read More

Hackers Exploit Log4j Vulnerability to Infect Computers with Khonsari Ransomware

 

Description

Romanian cybersecurity technology company Bitdefender on Monday revealed that attempts are being made to target Windows machines with a novel ransomware family called Khonsari as well as a remote access Trojan named Orcus by exploiting the recently disclosed critical Log4j vulnerability.

The attack leverages the remote code execution (RCE) flaw to download an additional payload, a .NET binary, from a remote server that encrypts all the files with the extension “.khonsari” and displays a ransom note that urges the victims to make a Bitcoin payment in exchange for recovering access to the files.

Tracked as CVE-2021-44228, the RCE vulnerability is also known by the monikers “Log4Shell” or “Logjam” and impacts versions 2.0-beta9 to 2.14.1 of the software library. In simple terms, the bug could force an affected system to download malicious software, giving the attackers a digital beachhead on servers located within corporate networks.

Log4j is an open-source Java library maintained by the nonprofit Apache Software Foundation. Amassing about 475,000 downloads from its GitHub project and adopted widely for application event logging, the utility is also a part of other frameworks, such as Elasticsearch, Kafka and Flink, that are used in many popular websites and services.

The disclosure comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) sounded an alarm warning of active, widespread exploitation of the flaw that, if left unaddressed, could grant unfettered access and unleash a new round of cyber attacks, as fallout from the bug has left companies rushing to find and patch vulnerable machines.

“An adversary can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code,” the agency said in guidance issued Monday. “The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity.”

Furthermore, CISA has also added the Log4j vulnerability to its Known Exploited Vulnerabilities Catalog, giving federal agencies a deadline of December 24 to incorporate patches for the flaw. Similar advisories have been previously issued by government agencies in Austria, Canada, New Zealand, and the U.K.

So far, active exploitation attempts recorded in the wild have involved the abuse of the flaw to rope the devices into a botnet, and drop additional payloads such as Cobalt Strike and cryptocurrency miners. Cybersecurity firm Sophos said it also observed attempts to exfiltrate Amazon Web Services (AWS) keys and other private data from compromised systems.

In a sign that the threat is rapidly evolving, Check Point researchers cautioned of 60 new variations of the original Log4j exploit being introduced in less than 24 hours, adding it blocked more than 1,272,000 intrusion attempts, with 46% of the attacks staged by known malicious groups. The Israeli security company dubbed Log4Shell a "true cyber pandemic."

A vast majority of the exploitation attempts against Log4Shell have originated in Russia (4,275), based on telemetry data from Kaspersky, followed by Brazil (2,493), the U.S. (1,746), Germany (1,336), Mexico (1,177), Italy (1,094), France (1,008), and Iran (976). In comparison, only 351 attempts were mounted from China.

The mutating nature of the exploit notwithstanding, the prevalence of the tool across a multitude of sectors has also put industrial control systems and operational technology environments that power critical infrastructure on high alert.

“Log4j is used heavily in external/internet-facing and internal applications which manage and control industrial processes leaving many industrial operations like electric power, water, food and beverage, manufacturing, and others exposed to potential remote exploitation and access,” said Sergio Caltagirone, vice president of threat intelligence at Dragos. “It’s important to prioritize external and internet-facing applications over internal applications due to their internet exposure, although both are vulnerable.”

The development once again highlights how major security vulnerabilities identified in open-source software could spark a serious threat to organizations that include such off-the-shelf dependencies in their IT systems. The broad reach aside, Log4Shell is all the more concerning for its relative ease of exploitation, laying the foundation for future ransomware attacks.

“To be clear, this vulnerability poses a severe risk,” CISA Director Jen Easterly said. “This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates.”

Read More

Update on Log4Shell’s Impact on Rapid7 Solutions and Systems

 

Description

Like the rest of the security community, we have been internally responding to the critical remote code execution vulnerability in Apache’s Log4j Java library (a.k.a. Log4Shell). We have been continuously monitoring for Log4Shell exploit attempts in our environment and have been urgently investigating the implications for our corporate and production systems. Log4Shell has kept the security community extremely busy for the past several days, and we are no exception. At this time, we have not detected any successful Log4Shell exploit attempts in our systems or solutions. We will continue monitoring our environment for new vulnerability instances and exploit attempts and will update this page as we learn more.

Rapid7 solutions

In terms of Rapid7’s solutions, we prioritized remediation efforts on the Insight Platform and other hosted web application products (e.g. non-Insight branded products such as Logentries). We have remediated the Log4Shell vulnerability in our deployed application services’ code.Customers do not need to take action for any of our hosted web solutions.

Update for December 17, 2021: All hosted solutions that were updated to Log4j-core 2.15 have now been updated to Log4j-core 2.16.

Update for December 20, 2021: We are aware of a new denial-of-service (DoS) vulnerability discovered in Log4j-core 2.16 (CVE-2021-45105) and are working on updating our codebases to use Log4j-core 2.17. We will update this blog post once completed.

Customer action required

There is no action for most customers using our solutions. However, for those using on-premise solutions, the following products and product components have been patched but require customers to take action to fully remediate Log4Shell in their environments. We strongly urge all customers using vulnerable versions of these products and product components to apply updates immediatelysince this vulnerability is being actively exploited and could result in highly impactful remote code execution.

Product or Component	Affected Version(s)	Remediation and Mitigation Instructions
InsightOps r7insight_java logging library	Versions <= 3.0.8	Upgrade r7insight_java to 3.0.9
Logentries le_java logging library	All versions: this is a deprecated component	Migrate to version 3.0.9 of r7insight_java
Logentries DataHub	Linux version <= 1.2.0.820

Windows version <= 1.2.0.820 |Linux: Install DataHub_1.2.0.822.deb using the following instructions.

Windows: Run version 1.2.0.822 in a Docker container or as a Java command per these instructions.

You can find more details here.
InsightOps DataHub | InsightOps DataHub <= 2.0 | Upgrade DataHub to version 2.0.1 using the following instructions.

No customer action required

We have confirmed the following on-premise products and product components arenot affected:

• Alcide kArt, kAdvisor, and kAudit
• AppSpider Pro
• AppSpider Enterprise
• Insight Agent
• InsightIDR Honeypots
• InsightIDR Network Sensor
• InsightIDR/InsightOps Collector & Event Sources
• InsightAppSec Scan Engine
• InsightCloudSec/DivvyCloud
• InsightConnect Orchestrator
• InsightOps non-Java logging libraries
• InsightVM Kubernetes Monitor
• InsightVM/Nexpose
• InsightVM/Nexpose Console
  • Installations of the InsightVM/Nexpose have “log4j-over-slf4j-1.7.7.jar” packaged in them. This is a different library than log4j-core and is not vulnerable to Log4Shell.
• InsightVM/Nexpose Engine
  • Installations of the InsightVM/Nexpose have “log4j-over-slf4j-1.7.7.jar” packaged in them. This is a different library than log4j-core and is not vulnerable to Log4Shell.
• IntSights virtual appliance
• Metasploit Pro
  • Metasploit Pro ships with log4j but has specific configurations applied to it that mitigate Log4Shell. A future update will contain a fully patched version of log4j.
  • Update for December 17, 2021: Metasploit Pro version 4.21.0-2021121601 now ships with v2.16 of Log4j.
• Metasploit Framework
• tCell Java Agent
• Velociraptor

Further reading and recommendations

Our Emergent Threat Response team has put together a detailed blog post about general guidance about how to mitigate and remediate Log4Shell. We will continue updating that post as we learn more about Log4Shell and new mitigation strategies and tactics.

Read More

CVE-2021-45046

 

Description

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Notes

Author	Note
amurray	Ubuntu 18.04 LTS is not affected since the JndiLookup.class was removed in the previous update for CVE-2021-44228
ebarretto	above is also true for Ubuntu 16.04 ESM

Read More

Kronos Ransomware Outage Drives Widespread Payroll Chaos

 

Description

Kronos, the workforce management platform, has been hit with a ransomware attack that it says will leave its cloud-based services unavailable for several weeks – and it’s suggesting that customers seek other ways to get payroll and other HR tasks accomplished.

The outage has left cataclysmic issues for customers in its wake.

Kronos offers a range of solutions for employee scheduling, compensation management, payroll and hours worked, benefits administration, time-off management, talent acquisition, onboarding, and more. It counts some of the largest companies in the world as its customers, such as Tesla and Puma, along with various health, public sector and university customers; organizations like the YMCA; and smaller businesses like restaurants and retailers.

In a message to Kronos Private Cloud (KPC) customers late afternoon on Sunday, the company said that several solutions were knocked offline starting Saturday: UKG Workforce Central, UKG TeleStaff, Healthcare Extensions and Banking Scheduling Solutions.

“At this time, we still do not have an estimated restoration time, and it is likely that the issue may require at least several days to resolve,” the company said in the notice – a timeline that it expanded to likely taking several weeks in a Monday update. “We continue to recommend that our impacted customers evaluate alternative plans to process time and attendance data for payroll processing, to manage schedules, and to manage other related operations important to their organization.”

On-premise deployments are not affected, and neither are the UKG Pro, UKG Dimensions or UKG Ready offerings, it added.

“We recognize the importance of these solutions to your organization,” the company said. “We have actively mobilized all resources at our disposal to address this issue.”

Chaos for Customers

Further details over the weekend were not forthcoming, much to the chagrin of customers.

“This tells us nothing,” one comment reads on the notice page. “Is our data still there? What happened? Why the secrecy?”

Nick Tausek, security solutions architect at Swimlane, noted that the initial access vector is also unknown.

“Although Kronos Private Cloud was secured by firewalls, encrypted transmissions and multi-factor authentication, cybercriminals were still able to breach and encrypt its servers,” he said via email. “While it’s unclear exactly how the breach took place, Kronos predicts that their Private Cloud solutions will be unavailable for a number of weeks. This extended shutdown will likely present challenges for many organizations as they seek to roll out bonuses and employees look to request time off ahead of the holidays.”

And indeed, multiple customers left comments that speak to the chaos the outage is creating within their organizations, with some noting that an ongoing, extended disruption of service is unacceptable in their view.

“That simply cannot happen,” wrote Dave from the Tacoma, Wash., Fire Department, expressing disbelief that a company this large doesn’t seem to have contingency plans in place. “We must have access to rosters for today and coming days – now. Any halfway decent IT application hosting company would have disaster recovery plans for any worst-case-scenario. Running fire and police departments, this data can literally be a matter of life and death for the public and for our people. Yes, I am frustrated and angry that we don’t know what is happening.”

Another noted, “We have 50,000 employees and it’s not easy to manage without a timekeeping system. Very disappointed to say the least…This is absurd and we customers should be told what’s happening.”

Yet another: “We need to get this corrected ASAP. We don’t even know who will be working tomorrow and where. Does anyone have a good back up for if this ever happens again?”

And one resorted to dealmaking: “At this point I don’t even care for a task manager, fancy functions, callback list or picklist…Just give me a plain roster view for five days,” the person wrote. “Let me know who’s working and I’ll pick up a phone start crossing out the sick call out and making phone calls to back fill…I believe with this we can manage while you guys figure out the fix…Public safety in many counties and municipals across the U.S. is basically blind right now.”

A Ransomware Incident

Some customers floated the possibility that Kronos’ data centers are compromised by the Log4Shell vulnerability that’s wreaking havoc across the internet, but Bob Hughes, executive vice president at Kronos, clarified in a Monday update that the issue is a “ransomware incident” and that it was still assessing the scope of the damage and what impact the cyberattack had on its systems and data.

“Given that it may take up to several weeks to restore system availability, we strongly recommend that you evaluate and implement alternative business-continuity protocols related to the affected UKG solutions,” he added.

Erich Kron, security awareness advocate at KnowBe4, noted that the timing of this attack, at the close of the year while organizations are managing not only basic payroll, but also bonuses and other annual calculations that need to take place, is no coincidence.

“Ransomware gangs often time attacks to take place when organizations are short-staffed due to holidays, or when they are extremely busy, with the hope that the attack will take longer to spot and response times will be much slower,” he said via email. “In addition, the pressure to service customers during these crucial times can be very high, making it more likely that the victim will pay the ransom in an effort to get operations back up and running quickly.”

Customers again reacted with concern.

“We are blocking/disabling all ADFS and LDAP connections to UKG/Kronos Cloud until they have a better handle on what they have,” said one. “At this point they are an untrusted entity and will be treated as such. There is no good they can do us at this time.”

Several expressed worries as to the safety of their data housed in the Kronos cloud, and at least one customer has questions about the company’s backups.

“Where are the backups, can’t the backups be restored?” the person said. “Are the backups stored in the same ‘cloud/space’ as production, that doesn’t make sense?”

The situation shows that organizations must actively prepare for ransomware, Kron said.

“This attack drives home the need to not only have, but also to practice, disaster-recovery and continuity-of-operations plans that can be enacted quickly and efficiently,” he said. “The more heavily reliant organizations are on technical services, even those in the cloud, the more important it becomes to have a plan to operate without these services, even for a short time.”

He added, “Unfortunately, the Grinch has impacted Christmas for a lot of people using the KPC services. Hopefully, this does not result in a subscription to the ‘Jelly of the Month Club’ in lieu of the annual bonuses.”

There’s a sea of unstructured data on the internet relating to the latest security threats. ****REGISTER TODAY****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This LIVE, interactive Threatpost Town Hall, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._

Read More

Where the Latest Log4Shell Attacks Are Coming From

 

Description

Cybersecurity professionals across the world have been scrambling to shore up their systems against a critical remote code-execution (RCE) flaw (CVE-2021-44228) in the Apache Log4j tool, discovered just days ago.

Now under active exploit, the “Log4Shell” bug allows complete server takeover. Researchers have started to fill in the details on the latest Log4Shell attacks, and they reported finding at least 10 specific Linux botnets leading the charge.

First, analysts at NetLab 360 detected two waves of Log4Shell attacks on their honeypots, from the Muhstik and Mirai botnets.

Mirai Tweaked to Troll for Log4Shell Vulnerability

The analysts at Netlab 360 said this is a new variant of Mirai with a few specific innovations. First, they pointed out the code piece “table_init/table_lock_val/table_unlock_val and other Mirai-specific configuration management functions have been removed.”

Secondly, they added, “The attack_init function is also discarded, and the DDoS attack function is called directly by the command-processing function.”

Finally, they found this iteration of the Mirai botnet uses a two-level domain for its command-and-control (C2) mechanis, which the team at Netlab 360 said was “rare.”

Muhstik Variant Attacks Log4Shell

The other Linux botnet launched to take advantage of the Apache 4j Library flaw is Muhstik, a Mirai variant.

“In this captured sample, we note that the new Muhstik variant adds a backdoor module, ldm, which has the ability to add an SSH backdoor public key with the following installed backdoor public key,” Netlab 360 reported.

Once added, the public key lets a threat actor log onto the server without so much as a password, they explained.

“Muhstik takes a blunt approach to spread the payload aimlessly, knowing that there will be vulnerable machines, and in order to know who has been infected, Muhstik adopts TOR network for its reporting mechanism,” the Netlab 360 team said.

Following detection of those attacks, the Netlab 360 team found other botnets on the hunt for the Log4Shell vulnerability including: DDoS family Elknot; mining family m8220; SitesLoader; xmrig.pe; xmring.ELF; attack tool 1; attack tool 2; plus one unknown and a PE family.

Geography of Log4Shell Attacks

The majority of exploitation attempts against Log4Shell originate in Russia, according to Kaspersky researchers who found 4,275 attacks launched from Russia, by far the most of any other region. By comparison, 351 attempts were launched from China and 1,746 from the U.S.

So far, the Apache Log4j logging library exploit has spun off 60 mutations — and it only took less than a day.

This story is developing, so stay tuned to Threatpost for additional coverage.

There’s a sea of unstructured data on the internet relating to the latest security threats. REGISTER TODAY_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This_ LIVE, interactive Threatpost Town Hall_, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.

Read More