A collection of intelligence about Log4Shell and its exploitation activity.
Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell exploit targeting CVE-2021-44228 in Log4j. (Blog | Twitter | LinkedIn)
Notes on the feeds and lists in this collection:

- **LOW-TO-MEDIUM CONFIDENCE**: the feeds are low-to-medium confidence, so we strongly recommend NOT adding them to a blocklist.
- **THREAT HUNTING**: they are suited to threat hunting and could be added to a WATCHLIST.
- **FOCUS ON POST-EXPLOITATION ACTIVITY** by threats leveraging Log4Shell (ex. threat actors, botnets).
- **MEDIUM CONFIDENCE FEEDS** to be MISP COMPATIBLE, with the help of the KPMG-Egyde CTI Team.
- **VETTED IOCs** with the help of the Equinix Threat Analysis Center (ETAC).
- **ALIENVAULT OTX MENTIONS** to be MISP COMPATIBLE, with the help of the KPMG-Egyde CTI Team.
- **VULNERABLE PRODUCT LISTS** to be CSV+XLSX COMPATIBLE, with an automated workflow pulling from NCSC-NL + CISA + SwitHak.
- **FALSE-POSITIVE FILTERING** for threat hunting feed outputs, using selected MISP warning lists, primarily to remove false positives of large DNS resolvers (among others).

## Indicators of Compromise (IOCs)
## Threat Reports

## Payload Examples

## Threat Profiling

## Threat Groups
| Grouping | Actor | Mentioned Alias | Other Alias (EternalLiberty) | Threat Report | Note |
|---|---|---|---|---|---|
| State actor | China | HAFNIUM | N/A | MSTIC (2) | Attacking infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems. |
| State actor | Iran | PHOSPHORUS | APT35, TEMP.Beanie, TA453, NewsBeef, CharmingKitten, G0003, CobaltIllusion, TG-2889, Timberworm, C-Major, Group 41, Tarh Andishan, Magic Hound, Newscaster | MSTIC (2) | Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. |
| Organized Cybercrime | Russia | Wizard Spider | Trickbot Gang, FIN12, GOLD BLACKBURN, Grim Spider | AdvIntel | Wizard Spider is the developer of the Conti Ransomware-as-a-Service (RaaS) operation, which has a high number of affiliates, and a Conti affiliate has leveraged Log4Shell in Log4j2 in the wild. |
| Organized Cybercrime | Russia | EvilCorp | Indrik Spider, GOLD DRAKE | Cryptolaemus | EvilCorp are the developers of the Dridex Trojan, which began life as a banking malware but has since shifted to support the delivery of ransomware, which has included BitPaymer, DoppelPaymer, Grief, and WastedLocker, among others. Dridex is now being dropped following the exploitation of vulnerable Log4j instances. |
| State actor | China | Aquatic Panda | N/A | CrowdStrike | AQUATIC PANDA is a China-based targeted intrusion adversary with a dual mission of intelligence collection and industrial espionage. It has likely operated since at least May 2020. AQUATIC PANDA operations have primarily focused on entities in the telecommunications, technology and government sectors. AQUATIC PANDA relies heavily on Cobalt Strike, and its toolset includes the unique Cobalt Strike downloader tracked as FishMaster. AQUATIC PANDA has also been observed delivering njRAT payloads to targets. |
| To be determined | China | DEV-0401 | N/A | MSTIC (4) | Attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. An investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware. These attacks are performed by a China-based ransomware operator that MSTIC is tracking as DEV-0401. DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo, and Rook, and has similarly exploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473). |
| Organized Cybercrime | Russia | Mummy Spider | TA542, MealyBug, GoldCrestwood | SentinelOne | Naturally, the Emotet crew has been taking advantage of Log4j as well. For example, vulnerable servers were quickly compromised and used for staging and payload hosting within the greater Emotet network. |
| Organized Cybercrime | Russia | Prophet Spider | UNC961 | BlackBerry | The Initial Access Broker (IAB) group Prophet Spider has been exploiting the Log4j vulnerability in the Apache Tomcat component of VMware Horizon. |