Some threat actors exploiting the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI or even used both in a single request for maximum chances of success.
This shift is a notable development in the ongoing attack and one that defenders need to be aware of when trying to secure all potential vectors.
For now, this trend was observed by threat actors looking to hijack resources for Monero mining, but others could adopt it at any time.
From LDAP to RMI
Most attacks targeting the Log4j “Log4Shell” vulnerability have been through the LDAP (Lightweight Directory Access Protocol) service.
The switch to RMI (Remote Method Invocation) API seems counter-intuitive at first, considering that this mechanism is subject to additional checks and constraints, but that’s not always the case.
Some JVM (Java Virtual Machine) versions do not feature stringent policies, and as such, RMI can sometimes be a more effortless channel to achieving RCE (remote code execution) than LDAP.
Moreover, LDAP requests are now solidified as part of the infection chain and are more tightly monitored by defenders.
For example, many IDS/IPS tools are currently filtering requests with JNDI and LDAP, so there’s a chance that RMI may be ignored at this point.