Log4Shell (CVE-2021-44228)
In early December, a critical vulnerability known as Log4Shell was disclosed, affecting the Java Log4j library.
This vulnerability is being actively exploited and, when exploitation succeeds, allows attackers to gain control of the server through remote code execution (RCE). Observed activity has focused on installing cryptocurrency miners and, more recently, deploying Cobalt Strike for credential theft, lateral movement, data exfiltration from compromised systems and, in some cases, ransomware.
The Apache Software Foundation published the updates and mitigation measures in its security statement issued on December 10th [1].
Since Log4j is an open source Java library used globally in a wide variety of applications and services, and given that the attack vector is relatively simple to exploit, it is strongly recommended to upgrade to the latest Log4j release and/or apply the recommended mitigations [3] [4].
Since the disclosure of the vulnerability, it has been observed that several malicious actors are actively searching the Internet for vulnerable systems and attempting to automatically exploit the vulnerability. Some data suggests that more than 10,000 attacks attempting to exploit this vulnerability have already been identified.
It should be noted that this Log4j vulnerability (CVE-2021-44228) is being used to attack Linux and Windows systems.
Working Group
CERT.PT is collaborating with a number of entities, with the aim of gathering and making available information that helps minimise the impact of the Log4Shell (CVE-2021-44228) vulnerability.
CERT.PT publicly thanks the multiple entities (public and private) that have decided to collaborate in this Working Group in order to share information for the good of the Cyberspace of national interest.
Information to be shared
Indicators of Compromise: The following lists will be updated over the coming weeks. Each file consists of the complete list at the respective date.
List of IPs identified exploiting/testing the Log4Shell vulnerability and List of IPs identified distributing the payload to effect the attack:
Important Remarks: 1) These IPs often belong to servers hosting other legitimate services which have been compromised by attackers, and it is up to each entity to decide whether or not to block the respective IPs.
If you identify information that you consider useful, please share it to:
cert@cert.pt
Log4j
What is it and where is it? Log4j is an open source logging library used globally in a wide variety of applications and services within Java-based software.
Forms of mitigation: It is recommended to upgrade to the latest version of log4j [1].
Additional information: Webinar streamed by CERT.PT (Log4j Introduction, Log4j Demo).
Other information:
- Scanning:
  - Note that the scanner mentioned below [8] checks for dependencies that use log4j.
  - [8] https://github.com/logpresso/CVE-2021-44228-Scanner
  - --fix: with the --fix option, the scanner itself eliminates the vulnerable class (watch the video published on the CERT.PT YouTube channel [9]).
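As an added example (not the logpresso scanner and not CERT.PT material), the following Python script shows what a dependency check of this kind does at its simplest: it walks a directory, opens every .jar/.war/.ear, recurses into nested archives, reports any archive that still ships the JndiLookup class and reads the log4j-core version from its pom.properties. The class path and the pom.properties location are assumptions based on log4j-core's packaging, not stated on the page; the sample .war it scans is constructed in memory so the script runs offline.

```python
"""Offline check for archives that still ship log4j-core's JndiLookup class.

Added example; not the logpresso scanner referenced in the advisory.
Assumptions (from log4j-core packaging, not from the advisory):
  - the lookup is shipped as org/apache/logging/log4j/core/lookup/JndiLookup.class
  - the version is readable from META-INF/maven/.../log4j-core/pom.properties
"""
import io
import os
import re
import sys
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); non-numeric suffixes are ignored."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group(0)) if match else 0)
    return tuple(parts)


def classify(version):
    """Status of a jar that still contains JndiLookup.class."""
    if version is None:
        return "unknown-version"
    if parse_version(version) < (2, 15, 0):  # first release fixing CVE-2021-44228
        return "vulnerable-cve-2021-44228"
    return "verify-current"  # class present; confirm the release is the latest


def _read_version(zf):
    try:
        data = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_jar_bytes(data, name):
    """Findings for one archive given as bytes; recurses into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP_CLASS in names:
            version = _read_version(zf)
            findings.append({"archive": name, "version": version,
                             "status": classify(version)})
        for inner in names:
            if inner.lower().endswith(NESTED_SUFFIXES):
                findings.extend(inspect_jar_bytes(zf.read(inner), f"{name}!{inner}"))
    return findings


def scan_directory(root):
    """Walk a directory tree and inspect every Java archive found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(inspect_jar_bytes(fh.read(), path))
    return findings


def build_sample_war(include_jndi=True, version="2.14.1"):
    """Constructed sample: a .war wrapping a fake log4j-core jar, built in memory.
    The class entry holds placeholder bytes, not real bytecode."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"version={version}\ngroupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    # Usage: python log4j_check.py /path/to/deployments  (no path: scan the sample)
    if len(sys.argv) > 1:
        results = scan_directory(sys.argv[1])
    else:
        results = inspect_jar_bytes(build_sample_war(), "sample.war")
    for f in results:
        print(f"{f['status']:28} version={f['version']}  {f['archive']}")
```

The second sample, built with include_jndi=False, models an archive after the vulnerable class has been removed (what the --fix option above does) and produces no finding, which is the check to run after applying that mitigation to a jar that cannot yet be upgraded.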
URLs of interest
[1] https://logging.apache.org/log4j/2.x/
[2] https://logging.apache.org/log4j/2.x/download.html
[3] https://github.com/NCSC-NL/log4shell
[4] https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
[5] https://github.com/cisagov/log4j-affected-db
[6] https://github.com/fullhunt/log4j-scan
[7] https://github.com/hillu/local-log4j-vuln-scanner
[9] https://dyn.cncs.gov.pt/pt/alerta-detalhe/art/135608/alerta-de-vulnerabilidades-log4j-2
If you need to contact CERT.PT, you can do it by e-mail: cert@cert.pt .