A collection of intelligence about Log4Shell and its exploitation activity

Related tags

Security related resources java ioc log4j mirai cybersecurity threatintel cti log4j2 cobalt-strike ttp threatintelligence cve-2021-44228 log4shell kinsing m8220 swrort muhstik khonsari kirabash sitesloader
Overview

Log4Shell-IOCs

Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell exploit targeting CVE-2021-44228 in Log4j. (Blog | Twitter | LinkedIn)

Analyst Comments:

  • 2021-12-13
    • IOCs shared by these feeds are LOW-TO-MEDIUM CONFIDENCE we strongly recommend NOT adding them to a blocklist
    • These could potentially be used for THREAT HUNTING and could be added to a WATCHLIST
    • Curated Intel members at various organisations recommend to FOCUS ON POST-EXPLOITATION ACTIVITY by threats leveraging Log4Shell (ex. threat actors, botnets)
    • IOCs include JNDI requests (LDAP, but also DNS and RMI), cryptominers, DDoS bots, as well as Meterpreter or Cobalt Strike
    • Critical IOCs to monitor also include attacks using DNS-based exfiltration of environment variables (e.g. keys or tokens), a Curated Intel member shared an example
  • 2021-12-14
  • 2021-12-15
  • 2021-12-16
  • 2021-12-17
  • 2021-12-20
    • ETAC has added MITRE ATT&CK TTPs of Threat Actors leveraging Log4Shell
    • Curated Intel members parsed ALIENVAULT OTX MENTIONS to be MISP COMPATIBLE with the help of the KPMG-Egyde CTI Team
  • 2021-12-21

Indicators of Compromise (IOCs)

Source URL
GreyNoise (1) https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
Malwar3Ninja's GitHub https://github.com/Malwar3Ninja/Exploitation-of-Log4j2-CVE-2021-44228/blob/main/Threatview.io-log4j2-IOC-list
Tweetfeed.live by @0xDanielLopez https://twitter.com/0xdaniellopez/status/1470029308152487940?s=21
Azure Sentinel https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv
URLhaus https://urlhaus.abuse.ch/browse/tag/log4j/
Malware Bazaar https://bazaar.abuse.ch/browse/tag/log4j/
ThreatFox https://threatfox.abuse.ch/browse/tag/log4j/
Cronup https://github.com/CronUp/Malware-IOCs/blob/main/2021-12-11_Log4Shell_Botnets
RedDrip7 https://github.com/RedDrip7/Log4Shell_CVE-2021-44228_related_attacks_IOCs
AbuseIPDB Google/Bing Dorks site:abuseipdb.com "log4j", site:abuseipdb.com "log4shell", site:abuseipdb.com "jndi"
CrowdSec https://gist.github.com/blotus/f87ed46718bfdc634c9081110d243166
Andrew Grealy, CTCI https://docs.google.com/spreadsheets/d/e/2PACX-1vT1hFu_VlZazvc_xsNvXK2GJbPBCDvhgjfCTbNHJoP6ySFu05sIN09neV73tr-oYm8lo42qI_Y0whNB/pubhtml#
Bad Packets https://twitter.com/bad_packets/status/1469225135504650240
NCSC-NL https://github.com/NCSC-NL/log4shell/tree/main/iocs
Costin Raiu, Kaspersky https://twitter.com/craiu/status/1470341085734051840?s=21
Kaspersky https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/
SANS Internet Storm Center https://isc.sans.edu/diary/Log4Shell+exploited+to+implant+coin+miners/28124
@cyber__sloth https://twitter.com/cyber__sloth/status/1470353289866850305?s=21
SuperDuckToes https://gist.github.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8
Nozomi Networks https://www.nozominetworks.com/blog/critical-log4shell-apache-log4j-zero-day-attack-analysis/
Miguel Jiménez https://hominido.medium.com/iocs-para-log4shell-rce-0-day-cve-2021-44228-98019dd06f35
CERT Italy https://cert-agid.gov.it/download/log4shell-iocs.txt
RISKIQ https://community.riskiq.com/article/57abbfcf/indicators
Infoblox https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/log4j-exploit-harvesting/
Juniper Networks (1) https://blogs.juniper.net/en-us/security/apache-log4j-vulnerability-cve-2021-44228-raises-widespread-concerns
Cyble https://blog.cyble.com/2021/12/13/log4j-rce-0-day-vulnerability-in-java-actively-exploited/

Threat Reports

Source Threat URL
@GelosSnake Kinsing https://twitter.com/GelosSnake/status/1469341429541576715
@an0n_r0 Kinsing https://twitter.com/an0n_r0/status/1469420399662350336?s=20
@zom3y3 Muhstik https://twitter.com/zom3y3/status/1469508032887414784
360 NetLab (1) Mirai, Muhstik https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/
MSTIC (1) Cobalt Strike https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
Cronup Kinsing, Katana-Mirai, Tsunami-Muhstik https://twitter.com/1zrr4h/status/1469734728827904002?s=21
Cisco Talos Kinsing, Mirai https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
Profero Kinsing https://medium.com/proferosec-osm/log4shell-massive-kinsing-deployment-9aea3cf1612d
CERT.ch Kinsing, Mirai, Tsunami https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
IronNet Mirai, Cobalt Strike https://www.ironnet.com/blog/log4j-new-software-supply-chain-vulnerability-unfolding-as-this-holidays-cyber-nightmare
@CuratedIntel TellYouThePass Ransomware https://www.curatedintel.org/2021/12/tellyouthepass-ransomware-via-log4shell.html
@Laughing_Mantis Log4j Worm https://twitter.com/Laughing_Mantis/status/1470168079137067008
Lacework Kinsing, Mirai https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/
360 NetLab (2) Muhstik, Mirai, BillGates (Elknot), XMRig, m8220, SitesLoader, Meterpreter https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/
Trend Micro Cobalt Strike, Kirabash, Swrort, Kinsing, Mirai https://www.trendmicro.com/en_us/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html
BitDefender Khonsari Ransomware, Orcus RAT, XMRig, Muhstik https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild
MSTIC (2) PHOSPHORUS, HAFNIUM, Initial Access Brokers https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
Cado Security (1) Mirai, Muhstik, Kinsing https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/
Cado Security (2) Khonsari Ransomware https://www.cadosecurity.com/analysis-of-novel-khonsari-ransomware-deployed-by-the-log4shell-vulnerability/
Valtix Kinsing, Zgrab https://valtix.com/blog/log4shell-observations/
Fastly Gafgyt https://www.fastly.com/blog/new-data-and-insights-into-log4shell-attacks-cve-2021-44228
Check Point StealthLoader https://research.checkpoint.com/2021/stealthloader-malware-leveraging-log4shell/
Juniper Networks (2) XMRig https://blogs.juniper.net/en-us/threat-research/log4j-vulnerability-attackers-shift-focus-from-ldap-to-rmi
AdvIntel Conti https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement
@JakubKroustek NanoCore RAT https://twitter.com/JakubKroustek/status/1471621708989837316
MSTIC (3) Meterpreter, Bladabindi (njRAT), HabitsRAT, Webtoos https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#ransomware-update
Cryptolaemus Dridex, Meterpreter https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/
CyberSoldiers Dridex https://github.com/CyberSoldiers/IOCs/blob/main/log4j_IoCs/Dridex_log4j
Cluster25 Dridex https://github.com/Cluster25/feed/blob/main/log4shell/dridex/ioc
FortiGuard Mirai-based "Worm" https://www.fortiguard.com/threat-signal-report/4346/mirai-malware-that-allegedly-propagates-using-log4shell-spotted-in-the-wild

Payload Examples

Source URL
GreyNoise (2) https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890
Cloudflare https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/
yt0ng https://gist.github.com/yt0ng/8a87f4328c8c6cde327406ef11e68726
eromang https://github.com/eromang/researches/tree/main/CVE-2021-44228
VX-Underground https://samples.vx-underground.org/samples/Families/Log4J%20Malware/
Malware-Traffic-Analysis (PCAP) https://www.malware-traffic-analysis.net/2021/12/14/index.html
rwincey https://github.com/rwincey/CVE-2021-44228-Log4j-Payloads

Threat Profiling

Threat Type Profile: Malpedia Profile: MITRE ATT&CK Activity
Dridex Banking Trojan Dridex (Malware Family) (fraunhofer.de) Didex, Software S0384 Command and Control, Tactic TA0011
Cobalt Strike Attack tool usage Cobalt Strike (Malware Family) (fraunhofer.de) Cobalt Strike, Software S0154 Command and Control, Tactic TA0011
Meterpreter Attack tool usage Meterpreter (Malware Family) (fraunhofer.de) N/A Command and Control, Tactic TA0011
Orcus RAT Attack tool usage Orcus RAT (Malware Family) (fraunhofer.de) N/A Remote Access Software, Technique T1219
NanoCore RAT Attack tool usage NanoCore RAT (Malware Family) (fraunhofer.de) NanoCore, Software S0336 Remote Access Software, Technique T1219
njRAT / Bladabindi Attack tool usage njRAT (Malware Family) (fraunhofer.de) njRAT, Software S0385 Remote Access Software, Technique T1219
HabitsRAT Attack tool usage HabitsRAT (Malware Family) (fraunhofer.de) N/A Remote Access Software, Technique T1219
BillGates / Elknot Botnet expansion (DDoS) BillGates (Malware Family) (fraunhofer.de) N/A Acquire Infrastructure: Botnet, Sub-technique T1583.005
Bashlite (aka Gafgyt) Botnet expansion (DDoS) Bashlite (Malware Family) (fraunhofer.de) N/A Acquire Infrastructure: Botnet, Sub-technique T1583.005
Mirai (AKA Katana) Botnet expansion (DDoS, miner) Mirai (Malware Family) (fraunhofer.de) N/A Acquire Infrastructure: Botnet, Sub-technique T1583.005
Muhstik (AKA Tsunami) Botnet expansion (DDoS, miner) Tsunami (Malware Family) (fraunhofer.de) N/A Resource Hijacking, Technique T1496
Kinsing Botnet expansion (miner) Kinsing (Malware Family) (fraunhofer.de) Kinsing, Software S0599 Resource Hijacking, Technique T1496
m8220 Botnet expansion (miner) N/A N/A Resource Hijacking, Technique T1496
Swrort Downloader usage (stager) Swrort Stager (Malware Family) (fraunhofer.de) N/A Ingress Tool Transfer, Technique T1105
SitesLoader Downloader usage (stager) N/A N/A Ingress Tool Transfer, Technique T1105
Kirabash Infostealer usage N/A N/A OS Credential Dumping: /etc/passwd and /etc/shadow, Sub-technique T1003.008
XMRig Mining tool usage N/A N/A Resource Hijacking, Technique T1496
Zgrab Network scanner tool usage N/A N/A Network Service Scanning, Technique T1046
TellYouThePass Ransomware Ransomware usage N/A N/A Data Encrypted for Impact, Technique T1486
Khonsari Ransomware Ransomware usage N/A N/A Data Encrypted for Impact, Technique T1486
Conti Ransomware Ransomware usage Conti (Malware Family) (fraunhofer.de) Conti, Software S0575 Data Encrypted for Impact, Technique T1486

Threat Groups

Grouping Actor Mentioned Alias Other Alias EternalLiberty Threat Report Note
State actor China HAFNIUM N/A MSTIC (2) Attacking infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.
State actor Iran PHOSPHORUS APT35, TEMP.Beanie, TA 453, NewsBeef, CharmingKitten, G0003, CobaltIllusion, TG-2889, Timberworm, C-Major, Group 41, Tarh Andishan, Magic Hound, Newscaster MSTIC (2) Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit.
Organized Cybercrime Russia Wizard Spider Trickbot Gang, FIN12, GOLD BLACKBURN, Grim Spider AdvIntel Wizard Spider is the developer of the Conti Ransomware-as-a-Service (RaaS) operation which has a high number of affiliates, and a Conti affiliate has leveraged Log4Shell in Log4j2 in the wild
Organized Cybercrime Russia EvilCorp Indrik Spider, GOLD DRAKE Cryptolaemus EvilCorp are the developers of the Dridex Trojan, which began life as a banking malware but has since shifted to support the delivery of ransomware, which has included BitPaymer, DoppelPaymer, Grief, and WastedLocker, among others. Dridex is now being dropped following the exploitation of vulnerable Log4j instances
You might also like...
A honeypot for the Log4Shell vulnerability (CVE-2021-44228)

Log4Pot A honeypot for the Log4Shell vulnerability (CVE-2021-44228). License: GPLv3.0 Features Listen on various ports for Log4Shell exploitation. Det

Thomas Patzke 79 Dec 27, 2022
An automated, reliable scanner for the Log4Shell (CVE-2021-44228) vulnerability.
An automated, reliable scanner for the Log4Shell (CVE-2021-44228) vulnerability.

Log4JHunt An automated, reliable scanner for the Log4Shell CVE-2021-44228 vulnerability. Video demo: Usage Here the help usage: $ python3 log4jhunt.py

RedHunt Labs 39 Nov 21, 2022
Log4Shell Proof of Concept (CVE-2021-44228)
Log4Shell Proof of Concept (CVE-2021-44228)

CVE-2021-44228 Log4Shell Proof of Concept (CVE-2021-44228) Make sure to use Java 8 JDK. Java 8 Download Images Credits Casey Dunham - Java Reverse She

Kr0ff 3 Jul 23, 2022
Deobfuscate Log4Shell payloads with ease
Deobfuscate Log4Shell payloads with ease

Ox4Shell Deobfuscate Log4Shell payloads with ease. Description Since the release

Oxeye 137 Jan 2, 2023
A simple Log4Shell Scan with python
A simple Log4Shell Scan with python

🐞 Log4Scan 🔧 Log4Shell 简单的主动和被动扫描脚本 Log4scan 针对header头和fuzz参数的主动批量扫描,用于大批量黑盒检测

nul1 6 Aug 4, 2022
An open-source post-exploitation framework for students, researchers and developers.
An open-source post-exploitation framework for students, researchers and developers.

Questions? Join the Discord support server Disclaimer: This project should be used for authorized testing or educational purposes only. BYOB is an ope

dvm 8.1k Dec 31, 2022
Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

Pupy Installation Installation instructions are on the wiki, in addition to all other documentation. For maximum compatibility, it is recommended to u

null 7.4k Jan 4, 2023
A windows post exploitation tool that contains a lot of features for information gathering and more.
A windows post exploitation tool that contains a lot of features for information gathering and more.

Crowbar - A windows post exploitation tool Status - ✔️ This project is now considered finished. Any updates from now on will most likely be new script

null 29 Nov 20, 2022
Chrome Post-Exploitation is a client-server Chrome exploit to remotely allow an attacker access to Chrome passwords, downloads, history, and more.
Chrome Post-Exploitation is a client-server Chrome exploit to remotely allow an attacker access to Chrome passwords, downloads, history, and more.

ChromePE [Linux/Windows] Chrome Post-Exploitation is a client-server Chrome exploit to remotely allow an attacker access to Chrome passwords, download

Finn Lancaster 3 Oct 5, 2022
Comments
  • adding ironnet blog

    adding ironnet blog

    We have numerous observations of this threat activity within our network as well as our partners and will be updating the blog in the PR throughout this week with these observations once we get through incident response functions.

    opened by peterydzynski 2
  • Securonix Log4Shell IoC's and TTP's

    Securonix Log4Shell IoC's and TTP's

    Added Securonix Autonomous Threat Sweep gathered and vetted Log4Shell IoC's and TTP's as feed reference. Please reach out with any additional questions

    opened by schehreghani 0
Owner
Curated Intel
Curated Intel
GitHub
Vulnerability Exploitation Code Collection Repository

Introduction expbox is an exploit code collection repository List CVE-2021-41349 Exchange XSS PoC <= Exchange 2013 update 23 <= Exchange 2016 update 2

0x0021h 263 Feb 14, 2022
Log4j exploit catcher, detect Log4Shell exploits and try to get payloads.

log4j_catcher Log4j exploit catcher, detect Log4Shell exploits and try to get payloads. This is a basic python server that listen on a port and logs i

EntropyQueen 17 Dec 20, 2021
Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228)

log4j-finder A Python3 script to scan the filesystem to find Log4j2 that is vulnerable to Log4Shell (CVE-2021-44228) It scans recursively both on disk

Fox-IT 431 Dec 22, 2022
A Burp Pro extension that adds log4shell checks to Burp Scanner

scan4log4shell A Burp Pro extension that adds log4shell checks to Burp Scanner, written by Daniel Crowley of IBM X-Force Red. Installation To install

X-Force Red 26 Mar 15, 2022
A small Minecraft server to help players detect vulnerability to the Log4Shell exploit 🐚

log4check A small Minecraft server to help players detect vulnerability to the Log4Shell exploit ?? Tested to work between Minecraft versions 1.12.2 a

Evan J. Markowitz 4 Dec 23, 2021
A Docker based LDAP RCE exploit demo for CVE-2021-44228 Log4Shell

log4j-poc An LDAP RCE exploit for CVE-2021-44228 Log4Shell Description This demo Tomcat 8 server has a vulnerable app deployed on it and is also vulne

null 60 Dec 10, 2022
Log4Shell RCE Exploit - fully independent exploit does not require any 3rd party binaries.

Log4Shell RCE Exploit fully independent exploit does not require any 3rd party binaries. The exploit spraying the payload to all possible logged HTTP

null 258 Jan 2, 2023
Python3 script for scanning CVE-2021-44228 (Log4shell) vulnerable machines.

Log4j_checker.py (CVE-2021-44228) Description This Python3 script tries to look for servers vulnerable to CVE-2021-44228, also known as Log4Shell, a v

lfama 8 Feb 27, 2022
POC for detecting the Log4Shell (Log4J RCE) vulnerability.

log4shell-poc-py POC for detecting the Log4Shell (Log4J RCE) vulnerability. Run on a system with python3 python3 log4shell-poc.py <pathToTargetFile> <

BCC Risk Advisory 2 Dec 22, 2021
POC for detecting the Log4Shell (Log4J RCE) vulnerability

Interactsh An OOB interaction gathering server and client library Features • Usage • Interactsh Client • Interactsh Server • Interactsh Integration •

ProjectDiscovery 2.1k Jan 8, 2023