Image: Kevin Beaumont
The usage of the nasty vulnerability in the Java logging library Apache Log4j that allowed unauthenticated remote code execution could have kicked off as early as December 1.
“Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC,” Cloudflare CEO Matthew Prince said on Twitter.
“That suggests it was in the wild at least 9 days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.”
Cisco Talos said in a blog post that it observed activity for the vulnerability known as CVE-2021-44228 from December 2, and those looking for indicators of compromise should extend their searches to at least that far back.
Thanks to the ubiquity of the impacted library, Talos said it was seeing lead time from attackers doing mass scanning to callbacks occurring, and could be due to vulnerable but non-targeted systems — such as SIEMs and log collectors — being triggered by the exploit.
It added that the Mirai botnet was starting to use the vulnerability. Researchers at Netlab 360 said they had seen the Log4j vulnerability used to create Muhstik and Mirai botnets that went after Linux devices.
Over the weekend, vendors have been rushing