Cybersecurity experts believe CVE-2021-44228, a remote code execution flaw in Log4j, will take months, if not years, to address due its ubiquity and ease of exploitation.
Steve Povolny, head of advanced threat research for McAfee Enterprise and FireEye, said Log4Shell now firmly belongs in the same conversation as Shellshock, Heartbleed, and EternalBlue.
Attackers began by almost immediately leveraging the bug for illegal crypto mining, or using legitimate computing resources on the Internet to generate cryptocurrency for financial profit… Further exploitation appears to have pivoted towards theft of private information, Povolny told ZDNet.
We fully expect to see an evolution of attacks.