Where the Latest Log4Shell Attacks Are Coming From

Analysts find at least 10 Linux botnets actively exploiting Log4Shell flaw.

Cybersecurity professionals across the world have been scrambling to shore up their systems against a critical remote code-execution (RCE) flaw (CVE-2021-44228) in the Apache Log4j tool, discovered just days ago.

Now under active exploit, the “Log4Shell” bug allows complete server takeover. Researchers have started to fill in the details on the latest Log4Shell attacks, and they reported finding at least 10 specific Linux botnets leading the charge.

First, analysts at NetLab 360 detected two waves of Log4Shell attacks on their honeypots, from the Muhstik and Mirai botnets.

Mirai Tweaked to Troll for Log4Shell Vulnerability 

The analysts at Netlab 360 said this is a new variant of Mirai with a few specific innovations. First, they pointed out the code piece “table_init/table_lock_val/table_unlock_val and other Mirai-specific configuration management functions have been removed.”

Secondly, they added, “The attack_init function is also discarded, and the DDoS attack function is called directly by the command-processing function.”

Finally, they found this iteration of the Mirai botnet uses a two-level domain for its command-and-control (C2) mechanis,, which the team at Netlab 360 said was “rare.”

Muhstik Variant Attacks Log4Shell


Read More: https://threatpost.com/log4shell-attacks-origin-botnet/176977/