Hackers have switched methods for exploiting so-called Apache Log4j vulnerabilities. Just after a security patch was developed, hackers switched to a new method. Instead of the Lightweight Directory Access Protocol (LDAP), they now use Remote Method Invocation (RMI).
LDAP is a network protocol that describes how to access certain data. RMI is an Application Programming interface to allow Java objects to communicate with each other. RMI is currently used only by hackers who want to use your computer to the cryptocurrency to mine Monero. However, others may soon follow. This is reported by researchers from the software company Juniper.
An illogical method
The switch from LDAP to RMI seems illogical for advanced users. To use RMI, as a rule, means that you first have to circumvent more security checks and restrictions. However, that is not always the case. Some versions of Java do not have all this extra security. Or it is not set correctly. In that case, RMI is an easier method to access a system remotely than LDAP.
In addition, LDAP applications are better monitored now that people are aware of the vulnerability. The Apache security patch also addressed these flaws. Hacks that use RMI have not been taken into account.
The goal remains the same
For all hackers who exploit the Log4Shell vulnerability, the ultimate goal remains the same. They want to run their code on the Log4j server. This code allows the criminals to infiltrate the system.
In the specific investigation by Juniper Labs, the cybercriminals wanted to mine Monero through the infected servers. In addition, they only focused on Linux systems. However, the researchers caution that this method is likely to expand for other purposes and operating systems.
Log4Shell last week
The serious vulnerability in Log4j came to light last Friday. The Java log tool that keeps track of which users login is exploited to run code remotely.
Last week, many systems were scanned for the occurrence of Log4j vulnerabilities. Apache has also released updates to fix them. However, these immediately showed holes in its security and even led to new exploits.
The National Cyber Security Center (NCSC) in the Netherlands is also closely following the process. For example, it already reported on Wednesday about a new Denial-of-Service (DoS) vulnerability in patch version 2.15. This has also been fixed in version 2.16, according to Apache itself.
Catch up on more articles here
Follow us on Twitter here