Log4Shell flaw: Still being used for crypto mining, botnet building... and Rickrolls

Log4Shell is still a threat but it's mostly being used for crypto mining and knocking out websites.
Written by Liam Tung, Contributing Writer

Log4Shell, the critical bug in Apache's widely used Log4j project, hasn't triggered the disaster that was feared, but it's still being exploited and predominantly from cloud computers in the US. 

The Log4Shell vulnerability came to light in December and sparked concern that it would be exploited by attackers because it was relatively easy to do and because the Java application logging library is embedded in many different services.

Microsoft has observed Log4Shell being used by state-sponsored and criminal attacks but early on found it was mostly being used for coin mining and ransomware. It advised customers to "assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments."

SEE: Linux malware attacks are on the rise, and businesses aren't ready for it

The Cybersecurity and Infrastructure Security Agency warned that, while it hadn't seen any major breach happen due to the flow, attackers might be waiting to use access gained through Log4Shell until alert levels fall. Oracle, Cisco, IBM and VMware have spent the past two months releasing patches for affected software. 

Barracuda Networks, a maker of network security appliances, has now said that Log4Shell attacks are happening at consistent levels. However, it hasn't found evidence of an onslaught of attacks. 

"The majority of attacks came from IP addresses in the U.S., with half of those IP addresses being associated with AWS, Azure and other data centers. Attacks were also being sent from Japan, Germany, Netherlands, and Russia," it notes

It adds that these IP addresses are linked to scans and attempted intrusions, which mean the scans could be from researchers or attackers. 

The payloads range from trivial internet memes to the somewhat more serious category of crypto-mining malware that uses another person's hardware to solve equations that earn the attacker crypto such as Monero. 

One, for example, attempts to delivery a "relatively benign (or depending on your viewpoint, very annoying) payload" in the form of a a YouTube video that plays Rick Astley's "Never Gonna Give You Up." 

"I do wonder if anyone was actually Rick-Rolled by this one. It is, as noted earlier, a benign payload in my opinion, but one that will get you patching very quickly!" says Baracuda's Tushar Richabadas.

Other notable malware it reports being used in connection with Log4Shell include the distributed denial of service (DDoS) malware called BillGates. It's an old piece of malware that has no connection with Microsoft's co-founder and that targets Linux machines. Log4Shell has also been used to deploy Mirai DDoS malware, which is often used in conflicts between online gamers.  

Barracuda has seen also seen Log4Shell being used to deploy cypto miners Kinsing and XMRig, as well as the Muhstik DDoS malware. 

Overall, Barracuda's report suggests there is no change in the threat level from Log4Shell than was the case in January. 

Editorial standards