CVE-2021-44228

Vulnerability updated 23 days ago (2024-11-29T14:34:05.520Z)
Download STIX
Preview STIX
CVE-2021-44228, also known as the Log4Shell vulnerability, is a significant flaw in Apache's Log4j software. Disclosed in December 2021, it quickly became one of the most severe bugs due to its widespread usage and potential for exploitation. Various Advanced Persistent Threat (APT) actors attempted to exploit this vulnerability in systems such as ServiceDesk, but were unsuccessful. However, other groups like GOLD MELODY (UNC961) successfully exploited this vulnerability to access servers like MobileIron Core. The Log4Shell vulnerability has been used by various threat groups, including APT40, which is known for rapidly exploiting newly public vulnerabilities in widely-used software. In addition to Log4J, they have targeted software like Atlassian Confluence and Microsoft Exchange. Another group, TellYouThePass, a ransomware group active since 2019, has also exploited this vulnerability along with others in open-source web development languages. Despite being known for several years, CVE-2021-44228 remains a common exploit attempt, especially against educational institutions where it accounts for 74% of attempts. LockBit, a threat group, was responsible for 30% of ransomware incidents targeting the education sector using this exploit. The vulnerability continues to be of interest to both defenders and attackers, highlighting the need for continued vigilance and prompt patching of known vulnerabilities.
Description last updated: 2024-08-14T09:06:03.754Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Log4Shell is a possible alias for CVE-2021-44228. Log4Shell is a significant software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) that exists in the Log4j Java-based logging utility. It was exploited by various Advanced Persistent Threat (APT) actors, including LockBit affiliates and GOLD MELODY (UNC961), to gain unauthorized
11
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Log4j
Vulnerability
Exploit
Remote Code ...
Exploits
RCE (Remote ...
Apt
exploited
Ransomware
Confluence
Operation Bl...
Malware
Apache
Ofbiz
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The APT40 Threat Actor is associated with CVE-2021-44228. APT40, a threat actor attributed to China, is a cyber espionage group that primarily targets countries of strategic importance to the Belt and Road Initiative. The group is known for its use of a variety of attack vectors, notably spear-phishing emails posing as individuals likely to be of interest Unspecified
2
The APT41 Threat Actor is associated with CVE-2021-44228. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activiUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2021-34473 Vulnerability is associated with CVE-2021-44228. CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to Unspecified
3
The CVE-2021-26084 Vulnerability is associated with CVE-2021-44228. CVE-2021-26084 is a critical vulnerability related to Atlassian's Confluence software. The flaw in the software design or implementation was first exploited as a zero-day, before its public disclosure in June 2022. It allowed remote attackers to execute code on a Confluence Server via injection attaUnspecified
3
The vulnerability CVE-2021-34523 is associated with CVE-2021-44228. Unspecified
2
The CVE-2021-44207 Vulnerability is associated with CVE-2021-44228. CVE-2021-44207 is a significant software vulnerability that was exploited by APT41, a prolific Chinese state-sponsored espionage group known for targeting both public and private sector organizations. This flaw in the USAHerds web application's design or implementation mirrors a previously reported Unspecified
2
The Proxyshell Vulnerability is associated with CVE-2021-44228. ProxyShell is a vulnerability that affects Microsoft Exchange email servers, posing a significant risk to organizations worldwide. This flaw in software design or implementation allows attackers to exploit the system and gain unauthorized access. Since early 2021, Iranian government-sponsored APT acUnspecified
2
The CVE-2021-31207 Vulnerability is associated with CVE-2021-44228. CVE-2021-31207 is a significant software vulnerability that has been exploited by APT40, a group known for rapidly taking advantage of newly public vulnerabilities in widely used software. This particular vulnerability affects Atlassian Confluence and Microsoft Exchange, among other platforms, and aUnspecified
2
Source Document References
Information about the CVE-2021-44228 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CISA
a month ago
BankInfoSecurity
2 months ago
CERT-EU
a year ago
DARKReading
5 months ago
CISA
5 months ago
Securityaffairs
5 months ago
CISA
5 months ago
Securityaffairs
6 months ago
DARKReading
6 months ago
InfoSecurity-magazine
7 months ago
DARKReading
9 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
BankInfoSecurity
a year ago
Securityaffairs
a year ago
CERT-EU
a year ago
CERT-EU
a year ago