SolarWinds and ZyXEL devices running the log4j library are being hit with attacks according to reports by Microsoft and Akamai. The issue is tracked as CVE-2021-35247 and has been combined with a zero-day in the SolarWinds Serv-U file-sharing server. According to Akamai, ZyXEL networking devices have been attacked as well. A researcher spotted a Mirai botnet targeting these vulnerable devices. According to security researcher Larry Cashdollar “It could be that Zyxel was specifically targeted since they published a blog stating they were impacted by the log4j vulnerability.” CVE-2021-35247 is an input validation vulnerability in SolarWinds Serv-U that could allow attackers to build a query given some input and send that query over the network without sanitation. Microsoft discovered attackers exploiting Serv-U servers using this vulnerability to carry out attacks against other systems with log4j vulnerabilities. SolarWinds customers should apply the updates recommended by SolarWinds to correct this vulnerability: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247
Analyst Notes
News of Log4j attacks seem to be flooding in and may be overwhelming, but it is important to pay attention to security news to avoid surprises. Binary Defense researchers suggest employing a strong threat-informed defense posture, with defenders proactively searching for machines running software that may include vulnerable Log4j code. Unfortunately, such simple to exploit vulnerabilities pick up popularity as time moves on and attackers have a chance to study possible attack vectors. Binary Defense offers expert threat researchers on the Threat Hunt team that stand ready to assist security teams with threats beyond Log4j, which can help to ease the burden on security teams and allow focus on other important threats.
https://therecord.media/new-log4j-attacks-target-solarwinds-zyxel-devices/
https://www.zyxel.com/us/en/support/Zyxel_security_advisory_for_Apache_Log4j_RCE_vulnerability.shtml
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35247
