Security News > 2021 > December > Log4j attackers switch to injecting Monero miners via RMI
Some threat actors exploiting the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI or even used both in a single request for maximum chances of success.
From LDAP to RMI. Most attacks targeting the Log4j "Log4Shell" vulnerability have been through the LDAP service.
The switch to RMI API seems counter-intuitive at first, considering that this mechanism is subject to additional checks and constraints, but that's not always the case.
Some JVM versions do not feature stringent policies, and as such, RMI can sometimes be a more effortless channel to achieving RCE than LDAP. Moreover, LDAP requests are now solidified as part of the infection chain and are more tightly monitored by defenders.
Many IDS/IPS tools are currently filtering requests with JNDI and LDAP, so there's a chance that RMI may be ignored at this point.
In some cases, Juniper saw both RMI and LDAP services in the same HTTP POST request.