
Log4Shell exploitation: Which applications may be targeted next?
2022-04-05 09:07

Spring4Shell has dominated the information security news these last six days, but Log4Shell continues to demand attention and action from enterprise defenders as diverse vulnerable applications are being targeted in attacks in the wild.

Some attackers are compromising these vulnerable applications and deploying backdoors, reverse shells and remote monitoring tools, possibly staging the compromised systems for future attacks involving ransomware or corporate espionage.

Fortiguard Labs researchers Rotem Sde-Or and Eliran Voronovitch also recently flagged a campaign by a threat actor they believe to be Deep Panda, a Chinese APT group, exploiting Log4Shell in VMware Horizon servers to deploy a backdoor and a novel kernel rootkit onto target machines.

"Attackers cannot afford to be caught or sent on wild goose chases. As such, the most attackable assets are determined based on where the most initial damage would likely occur," they wrote, explaining their reasoning.

"Most of the widespread software are app servers or middleware - cPanel, [Apache] Tomcat, [Eclipse] Jetty, [Eclipse] JSP, Wildfly - which are not 100% confirmed to use a vulnerable version of Log4j, making them a less interesting target to an attacker. These types of services may use optional components that use Log4j, and might come in a variety of configurations which can complicate locating an exploitable mechanism, so an attacker may not want to waste his time," the researchers noted.

Jamf is a configuration automation platform that is known to be vulnerable and exploitable, and a compromised instance would allow attackers to influence any device that is being administered by it, the researchers explained.


News URL

https://www.helpnetsecurity.com/2022/04/05/log4shell-applications-targeted/