Although the proof-of-concept code was released last Thursday, there is evidence that attackers were already exploiting the Log4Shell vulnerability two weeks ago. According to data from Cloudflare and Cisco Talos, the first attacks were observed on December 1 and December 2.

While large-scale exploitation began over the weekend, the revelation means that security teams need to widen the scope of their incident response investigations, checking for signs of exploitation dating back to early November to be on the safe side. For now, attacks that abuse the Log4Shell vulnerability are still tame, if the term can even be used to describe abuse of security vulnerabilities.
A large number of attacks come from professional cryptocurrency-mining and DDoS botnets such as Mirai, Muhstik, and Kinsing, which are often the first to exploit any meaningful enterprise vulnerability before everyone else. But in a blog post over the weekend, Microsoft said it had begun observing the first instances of Log4Shell being used to deploy web shells and Cobalt Strike beacons (backdoors).
CISA, the NSA, and some cybersecurity companies have repeatedly warned over the past year that the combination of a web shell and a Cobalt Strike beacon is often the first tooling deployed by nation-state groups and ransomware gangs in attacks. So, while unconfirmed, don't be surprised if we see the first ransomware group abuse Log4Shell before the end of today.
Scanning for internet-connected systems vulnerable to Log4Shell is now absolutely through the roof. Security firm Kryptos Logic said Sunday it detected more than 10,000 different IP addresses probing the internet, 100 times the number of systems probing for Log4Shell on Friday.
Not all of this traffic is bad, as there are also white hat security researchers and security companies looking for vulnerable systems, but the big picture is that threat actors have smelled blood and IT administrators should check whether their Java-based systems are vulnerable to Log4Shell attacks.