Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Two Linux botnets already exploit Log4Shell flaw in Log4j

Immediately after the disclosure of the Log4Shell flaw in Log4j library threat actors started including the exploit code in Linux botnets. Researchers at NetLab 360 reported that their Anglerfish and Apacket honeypots were already hit by attacks attempting to trigger the Log4Shell flaw in the Log4j library. The attempts were carried out by Muhstik and […]

Log4j CVE-2021-44832

Immediately after the disclosure of the Log4Shell flaw in Log4j library threat actors started including the exploit code in Linux botnets.

Researchers at NetLab 360 reported that their Anglerfish and Apacket honeypots were already hit by attacks attempting to trigger the Log4Shell flaw in the Log4j library. The attempts were carried out by Muhstik and Mirai botnets in attacks aimed at Linux devices.

The Mirai variant behind the attacks spotted by NetLab 360 includes the following changes compared to the initial code:

  1. table_init/table_lock_val/table_unlock_val and other mirai-specific configuration management functions have been removed.
  2. The attack_init function is also discarded, and the ddos attack function is called directly by the command processing function.

The attackers used a uy top-level domain for the C2 infrastructure, which is uncommon.

The Muhstik variant used in the attacks includes a backdoor module, ldm, which adds an SSH backdoor public key to allow remote connections to the server.

After the public key is added to the ~/.ssh/authorized_keys file, the attacker can directly log into the remote server without password authentication.

Experts pointed out that Muhstik uses the TOR network for its reporting mechanism.

“Before accessing the TOR network, Muhstik queries relay.l33t-ppl.inf through some publicly available DoH services. During this process, a number of DNS requests are generated.” reads the post published by NetLab 360.

Experts could check for connections to a list of DoH service providers to determine possible infections in case they do not use DoH on their network.

The analysis of the ELF sample revealed that it supports DDoS and backdoor commands.

“Considering the huge impact of the Log4j vulnerability, we expect more botnets to support it to spread. We will keep an eye on this and will share new observations here.” concludes Netlab 360.

The report also includes IOCs for these attacks.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

[adrotate banner=”5″]

[adrotate banner=”13″]