New Log4j attacks target SolarWinds, ZyXEL devices
Image: Possessed Photography // Unsplash
Catalin Cimpanu January 20, 2022

New Log4j attacks target SolarWinds, ZyXEL devices

New Log4j attacks target SolarWinds, ZyXEL devices

Cybercriminals looking to capitalize on the Log4Shell vulnerability are attacking devices from SolarWinds and ZyXEL that are known to have used the Log4j library inside their software, according to two reports published on Wednesday by Microsoft and Akamai.

The most urgent of these attacks are those spotted by Microsoft, which said it discovered a threat actor abusing Log4Shell in combination with a zero-day vulnerability in the SolarWinds Serv-U file-sharing server.

Tracked as CVE-2021-35247, Microsoft said it reported the issue to SolarWinds, which has released a fix on Tuesday.

Described as an input validation issue in the Serv-U web login screen, Microsoft said the attackers were using the zero-day to bypass input validation on the login process using non-standard characters and then using the Log4Shell exploit to take over Serv-U servers.

In addition to these attacks, Akamai security researcher Larry Cashdollar also reported spotting a Mirai DDoS botnet going after ZyXEL networking devices.

“It could be that Zyxel was specifically targeted since they published a blog stating they were impacted by the log4j vulnerability,” Cashdollar said in a blog post on Wednesday.

While news cycles move fast from topic to topic, the situation around the Log4Shell exploit has not changed since last month, and the vulnerability is still heavily targeted and abused by threat actors seeking to enter corporate networks.

At the time of writing, there have been reports about threat actors such as ransomware gangs, nation-state cyber-espionage groups, crypto-mining gangs, initial access brokers, and DDoS botnets, all of which have used the vulnerability in past operations.

Although the Apache Software Foundation has released patches for the Log4j library, attacks against applications that use the library are likely to continue because not all of these apps have released their own set of security updates, leaving many networks exposed to attacks and creating a fertile ground for exploitation that is bound to last for years.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.