#Log4J Based on what I've seen, there is evidence that a worm will be developed for this in the next 24 to 48 hours.

Self-propagating, with the ability to stand up a self-hosted server on compromised endpoints.

In addition to spraying traffic and dropping files, it will have c2c.
The biggest hurdle appears to be implementing a JDK gadget to enable code execution in a limited env.

That is currently being researched by several groups.
Honestly, I'm kinda surprised it isn't finished yet, but I have seen at least 3 groups (Eastern euro, .ru and .cn) that are investigating options to do this.

Goals appear varied: financial gain via extortion, as well as selling access to compromised hosts to RaaS groups.
I'll prob burn my access to this info, but what is already done is as follows:

- network scanner, random up and crawler
- host var brute force
- self uploading as a Java payload or win32 bin
- ability to lock host down (self patch?)
- subnet scan
- HTTP all-headers brute force

There are some ARM packages as well, but I'm suspecting those will be Mirai or coin-miner payloads that can optionally be deployed as well.

Big concerns post-worm-release would be vendors getting patches out, or even confirming vulnerability, ASAP:

@VMware
@cisco
@splunk
@Atlassian
@IBM
@Siemens
Update for this:
One group is currently attempting to outsource this to other contacts. I am unsure if it's to finish development or for distribution.

If it is for distribution, my guess would be that it would be pushed to compromised hosts from another group to prevent attribution.
You can follow @Laughing_Mantis.