CVE-2021-44228

Vulnerability Profile Updated 2 days ago
CVE-2021-44228, also known as Log4Shell, is a critical vulnerability in the Apache Log4j 2 logging library (2.0-beta9 up to 2.14.1; the offending lookup was disabled by default in 2.15.0 and removed in 2.16.0) that has been widely exploited since its public disclosure in December 2021. The flaw is an unsafe JNDI lookup: when Log4j logs a string containing an attacker-controlled expression such as ${jndi:ldap://...}, it resolves the reference and can fetch and load a remote Java class, giving unauthenticated remote code execution. That makes it a prime target for malicious actors. According to CISA, Advanced Persistent Threat (APT) actors tried repeatedly but unsuccessfully to exploit the vulnerability in a Zoho ManageEngine ServiceDesk Plus system. The threat group GOLD MELODY, referred to as UNC961 in some reports, was observed exploiting Log4Shell to access a MobileIron Core server. The ransomware group TellYouThePass, active since 2019, has also been reported to use known vulnerabilities such as CVE-2021-44228 and the Apache ActiveMQ RCE bug tracked as CVE-2023-46604 in its attacks. Three years after disclosure, CVE-2021-44228 remains one of the most used exploits, according to cloud security provider Cato Networks; it accounted for 74% of the exploit attempts Cato observed against educational institutions, showing how persistent the threat is. Notably, Apache OFBiz was one of the first products to have a public exploit for Log4Shell, underlining the vulnerability's continued relevance to both defenders and attackers. Last month, "Apache Log4j Remote Code Execution (CVE-2021-44228)" was among the most exploited vulnerabilities, impacting 46% of organizations globally. The North Korean Lazarus Group has also exploited Log4Shell to deploy new malware families written in the rarely used D programming language.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Log4Shell | 11
Log4Shell, a critical vulnerability in Log4j, the widely used Apache logging library for Java, was publicly disclosed on December 9, 2021. This software flaw affected millions of devices and applications globally, including those in Estonia. The vulnerability, officially designated as
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Log4j
Exploit
Remote Code ...
RCE (Remote ...
Apt
Operation Bl...
Ransomware
exploited
Malware
Apache
Ofbiz
Mobileiron C...
Linux
China
Apache Activ...
CISA
State Sponso...
Mandiant
Zero Day
Traversal
Education
flaw
Loader
Cobalt Strike
Github
Crowdstrike
exploitation
Papercut
Microsoft
Confluence
Associated Malware
ID | Type | Votes | Profile Description
Rook | Unspecified | 1
Rook is a malicious software (malware) linked to several ransomware activities, including LockFile, AtomSilo, Night Sky, and Pandora. These activities are associated with the deployment of HUI Loader, which has been used in loading Cobalt Strike Beacon. A CTU analysis revealed that these five ransom
Cobalt Strike Beacon | Unspecified | 1
Cobalt Strike Beacon is the implant of the commercial Cobalt Strike adversary-simulation tool, widely abused by threat actors and linked to significant ransomware activity. It is loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted version via vm.cfg. This malicious software can infiltrate systems and enable backdoor functiona
LockFile | Unspecified | 1
LockFile is a ransomware family. It can infiltrate a system via suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. Analysis of the PlugX
AtomSilo | Unspecified | 1
AtomSilo is a type of malware that has been linked to several other ransomware families including LockFile, Rook, Night Sky, and Pandora. This connection was revealed through the analysis of Cobalt Strike Beacon samples loaded by HUI Loader. CTU analysis suggests that these five ransomware families
Night Sky | Unspecified | 1
Night Sky is a type of malware that has been linked to various ransomware activities, including LockFile, AtomSilo, Rook, and Pandora. HUI Loader samples that load Cobalt Strike Beacon have been found to be associated with these ransomware activities. Analysis of the Cobalt Strike Beacon samples loa
KEYPLUG | Unspecified | 1
KEYPLUG is a modular backdoor written in C++, capable of supporting multiple network protocols for command and control (C2) traffic, including HTTP, TCP, KCP over UDP, and WSS. It was heavily used by APT41, also known as RedGolf, Winnti, Wicked Panda, Bronze Atlas, and Barium, a Chinese
NineRAT | Unspecified | 1
NineRAT is a malware strain developed by the Lazarus Group. It was initially built around May 2022 and was first used in Operation Blacksmith in March 2023 against a South American agricultural organization; it was later observed being used in September 2023 against a European manufactur
KEYPLUG.LINUX | Unspecified | 1
KEYPLUG.LINUX is the Linux variant of the KEYPLUG backdoor, used by APT41, a highly adaptable and resourceful threat actor. This malware is known for its capacity to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's kno
Pandora Ransomware | Unspecified | 1
Pandora ransomware is a type of malware that has been connected to several other malicious software strains, including AtomSilo, Night Sky, and Rook. Researchers from CTU identified code overlap between the updated HUI Loader samples and Pandora ransomware, suggesting a common origin or shared devel
LockBit | Unspecified | 1
LockBit is a significant malware operation, first surfacing in September 2019 and becoming one of the most active ransomware groups by 2022. Operating under a Ransomware-as-a-Service (RaaS) model, LockBit recruited affiliates to execute attacks using its tools and infrastructure. From its first obse
Associated Threat Actors
ID | Type | Votes | Profile Description
APT41 | Unspecified | 2
APT41, also known as Winnti, Wicked Panda, and Wicked Spider, among other names, is a threat actor suspected to originate from China. With potential ties to the Chinese government, APT41 has been involved in complex cyber espionage operations since at least 2012, targeting organizations in at least
ALPHV | Unspecified | 1
ALPHV, also known as BlackCat, is a significant threat actor in the cybersecurity landscape. In 2023, they were responsible for approximately 9.7% of total leak site posts, second only to other prominent ransomware groups. They notably stole 5TB of data from Morrison Community Hospital, and it's est
UNC3886 | Unspecified | 1
UNC3886 is a threat actor with suspected links to Beijing, China, that has been active in the cyber-espionage landscape. A threat actor refers to any human entity behind the execution of actions with malicious intent, which can range from an individual hacker to a private company or even part of a g
Lazarus Group | Unspecified | 1
The Lazarus Group, a notorious threat actor attributed to North Korea, has been linked to numerous high-profile cyberattacks worldwide. This group is known for its sophisticated techniques and exploits, including the largest decentralized finance exploit in history, the Ronin exploit of March 2022,
Phosphorus | Unspecified | 1
Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2021-44207 | Unspecified | 2
CVE-2021-44207 is a significant software vulnerability that was exploited by APT41, a prolific Chinese state-sponsored espionage group known for targeting both public and private sector organizations. This flaw in the USAHerds web application's design or implementation mirrors a previously reported
ProxyShell | Unspecified | 2
ProxyShell is a chain of three vulnerabilities (tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) that affect Microsoft Exchange email servers. These vulnerabilities allow unauthenticated attackers to gain administrator access and execute remote code on unpatched servers. Discovered in
CVE-2021-26084 | Unspecified | 1
CVE-2021-26084 is a critical vulnerability in Atlassian's Confluence software. The flaw was exploited as a zero-day before its public disclosure in August 2021. It allowed remote attackers to execute code on a Confluence Server via injection atta
CVE-2021-34473 | Unspecified | 1
CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to
CVE-2019-19781 | Unspecified | 1
CVE-2019-19781, also known as the Citrix Directory Traversal Bug, is a software vulnerability that lies in the design or implementation of the software. This flaw allows an attacker to potentially gain unauthorized access to sensitive data or even execute arbitrary code on the compromised system. De
CVE-2021-35464 | Unspecified | 1
(no description available)
CVE-2017-7504 | Unspecified | 1
CVE-2017-7504 is a significant software vulnerability identified in the JBoss MQ Java Message Service (JMS). This flaw, rooted in software design and implementation, allows for deserialization attacks when exploited on an internet-exposed server. The vulnerability has been abused by malicious actors
CVE-2021-22941 | Unspecified | 1
CVE-2021-22941 is a significant software vulnerability identified in Citrix ShareFile, which allows for remote code execution (RCE). This flaw was exploited by the threat actor group known as GOLD MELODY, also referred to as PROPHET SPIDER. The group has been linked to various attacks exploiting sec
CVE-2021-22205 | Unspecified | 1
CVE-2021-22205 is a significant vulnerability in GitLab, a flaw in software design or implementation that allows for remote code execution. This vulnerability has been assigned the highest severity score (CVSS score: 10.0) due to its potential impact. The bug, which is now two years old, continues t
CVE-2020-14750 | Unspecified | 1
(no description available)
CVE-2020-14882 | Unspecified | 1
(no description available)
CVE-2022-41328 | Unspecified | 1
CVE-2022-41328 is a significant software vulnerability discovered in Fortinet's FortiOS. It was heavily targeted by China-nexus intrusion sets, particularly UNC3886, who exploited the vulnerability to deploy custom malware families on Fortinet and VMware systems. This exploitation occurred in Septem
CVE-2023-2868 | Unspecified | 1
CVE-2023-2868 is a significant software vulnerability that was identified in the Barracuda Email Security Gateway (ESG) appliances. This flaw, specifically a remote command injection vulnerability, was disclosed by Barracuda on May 30th, 2023. The vulnerability had been exploited as early as October
CVE-2023-46604 | Unspecified | 1
CVE-2023-46604 is a critical vulnerability identified in Apache ActiveMQ, specifically affecting versions prior to 5.15.16, 5.16.7, 5.17.6, and 5.18.3. This flaw, which lies within the Java OpenWire protocol marshaller, allows for Remote Code Execution (RCE) and has been assigned a maximum severity
CVE-2024-4577 | Unspecified | 1
(no description available)
ProxyLogon (CVE-2021-26855) | Unspecified | 1
(no description available)
ProxyNotShell | Unspecified | 1
ProxyNotShell is the name given to a pair of Microsoft Exchange Server flaws, CVE-2022-41040 and CVE-2022-41082, chained for remote code execution. Exploitation through CVE-2022-41082 was reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
CVE-2023-28771 | Unspecified | 1
CVE-2023-28771 is a software vulnerability, specifically a command injection flaw, in Zyxel ZyWALL firewalls. The vulnerability was detected by FortiGuard Labs in June 2023 when it was being exploited by several Distributed Denial of Service (DDoS) botnets. It's worth noting that this vulnerability
CVE-2022-1388 | Unspecified | 1
CVE-2022-1388 is a critical vulnerability identified in the F5 BIG-IP iControl REST interface, which allows for an authentication bypass. This flaw in software design or implementation enables unauthorized users to gain access and control over the system without needing to authenticate their identit
CVE-2022-22954 | Unspecified | 1
CVE-2022-22954 is a significant software vulnerability that affects VMware's Workspace ONE Access and Identity Manager. This flaw in the software design or implementation allows for remote code execution, providing an attacker with the ability to execute arbitrary commands on the affected system. Ov
CVE-2022-24990 | Unspecified | 1
(no description available)
CVE-2021-20038 | Unspecified | 1
(no description available)
CVE-2022-22965 | Unspecified | 1
(no description available)
Source Document References
Information about the CVE-2021-44228 vulnerability was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 10 months ago | Why Your Vulnerability Report Titles Suck, and What to Do About It
Securityaffairs | 9 months ago | Nation-state actors exploit Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus, CISA warns
CERT-EU | a year ago | North Korean ransomware attacks on healthcare fund govt operations
CSO Online | a year ago | Top 10 open source software risks for 2023
CERT-EU | a year ago | Log4j, GitHub Repositories, and Attack Surfaces
BankInfoSecurity | 6 months ago | Lazarus Exploits Log4Shell to Deploy Telegram-Based Malware
CERT-EU | 6 months ago | Above 30% Apps at Risk with Vulnerable Log4j Versions
Malwarebytes | 10 months ago | 2022's most routinely exploited vulnerabilities—history repeats
CERT-EU | a year ago | April 2023's Most Wanted Malware: Qbot Launches Substantial Malspam Campaign and Mirai Makes its Return - Check Point Blog
MITRE | a year ago | APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit - Check Point Research
CERT-EU | 9 months ago | Protecting Your Software Supply Chain: Understanding Typosquatting and Dependency Confusion Attacks
DARKReading | 6 months ago | Lazarus Group Is Still Juicing Log4Shell, Using RATs Written in 'D'
CERT-EU | 8 months ago | NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations | CISA
CERT-EU | 5 months ago | December 2023's Most Wanted Malware: The Resurgence of Qbot and FakeUpdates - Global Security Mag Online
InfoSecurity-magazine | a year ago | CVEs Surge By 25% in 2022 to Another Record High
InfoSecurity-magazine | a month ago | Log4J Still Among Top Exploited Vulnerabilities, Cato Finds
CERT-EU | a year ago | And the winner is: Qbot | ZDNet.de
Trend Micro | a year ago | Protect Your Network with Zero-Day Threat Protection
CERT-EU | 10 months ago | The Most Used Malware In H1 2023
CISA | a year ago | Top CVEs Actively Exploited By People's Republic of China State-Sponsored Cyber Actors | CISA