Attackers scanned VDategames’ subnet and found an unpatched instance of Apache Log4j (CVE-2021-44228), a vulnerability the company reportedly missed despite patches being available for three years.