Log4Shell

Vulnerability updated 4 days ago (2024-11-29T14:28:31.887Z)
Download STIX
Preview STIX
Log4Shell is a significant software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) that exists in the Log4j Java-based logging utility. It was exploited by various Advanced Persistent Threat (APT) actors, including LockBit affiliates and GOLD MELODY (UNC961), to gain unauthorized access to victims' systems. The exploitation of this flaw allows malicious actors to execute arbitrary code on the targeted systems, leading to potential data breaches or system disruptions. Notably, the Log4Shell vulnerability was leveraged for initial access to organizations' VMware Horizon servers and MobileIron Core servers. The exploitation of Log4Shell became particularly prominent around December 15, 2021, when StealthLoader malware began leveraging it. This event highlighted the persistent risk associated with the vulnerability, which was exacerbated by infrequent remediation efforts. In fact, despite the widespread knowledge and publicity surrounding the vulnerability, as many as 13% of Log4j downloads remained vulnerable three years after the initial exposure of Log4Shell, demonstrating the persistence of this security issue. To mitigate the risks associated with Log4Shell and other Log4j-related vulnerabilities, cybersecurity advisories have been issued, such as joint CSA: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities. Despite these efforts, malicious cyber actors continue to exploit Log4Shell, especially in unpatched VMware Horizon systems. Thus, organizations are strongly advised to promptly apply patches and follow best practices to protect their systems against this ongoing threat.
Description last updated: 2024-11-15T15:57:18.747Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
CVE-2021-44228 is a possible alias for Log4Shell. CVE-2021-44228, also known as the Log4Shell vulnerability, is a significant flaw in Apache's Log4j software. Disclosed in December 2021, it quickly became one of the most severe bugs due to its widespread usage and potential for exploitation. Various Advanced Persistent Threat (APT) actors attempted
11
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Log4j
Exploit
Apache
exploitation
Remote Code ...
Exploits
Ransomware
Malware
Confluence
exploited
Source
flaw
Operation Bl...
Cisco
RCE (Remote ...
Moveit
Lateral Move...
Manageengine
Botnet
Apt
Ofbiz
Chrome
Secureworks
Linux
Phishing
bugs
Implant
Reconnaissance
Payload
Iran
Zero Day
Apache Struts
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Earlyrat Malware is associated with Log4Shell. EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The malware was first noticed in one of the Log4j cases, Unspecified
2
The Kinsing Malware is associated with Log4Shell. Kinsing is a malicious software, or malware, that has been recently observed exploiting vulnerabilities in systems. It operates by infiltrating computers or devices, often undetected, through suspicious downloads, emails, or websites. Once inside, Kinsing can wreak havoc by stealing personal informaUnspecified
2
The Conti Malware is associated with Log4Shell. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personahas used
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Andariel Threat Actor is associated with Log4Shell. Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In somUnspecified
4
The Lazarus Group Threat Actor is associated with Log4Shell. The Lazarus Group, a notorious threat actor attributed to North Korea, is renowned for its malicious activities aimed at furthering the country's objectives. This group has been implicated in several high-profile cyber-attacks, including an attack in Spain known as Operation DreamJob. The exploitatiUnspecified
4
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The Proxyshell Vulnerability is associated with Log4Shell. ProxyShell is a vulnerability that affects Microsoft Exchange email servers, posing a significant risk to organizations worldwide. This flaw in software design or implementation allows attackers to exploit the system and gain unauthorized access. Since early 2021, Iranian government-sponsored APT acUnspecified
5
The Follina Vulnerability is associated with Log4Shell. Follina (CVE-2022-30190) is a software vulnerability that was discovered and exploited in the first half of 2022. It was weaponized by TA413, a malicious entity known for its cyber attacks, shortly after its discovery and publication. The vulnerability was used to target the Sophos Firewall product,Unspecified
3
The CVE-2022-30190 Vulnerability is associated with Log4Shell. CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized itUnspecified
3
The vulnerability CVE-2021-45046 is associated with Log4Shell. is / was
2
The vulnerability CVE-2021-34523 is associated with Log4Shell. Unspecified
2
The CVE-2021-26084 Vulnerability is associated with Log4Shell. CVE-2021-26084 is a critical vulnerability related to Atlassian's Confluence software. The flaw in the software design or implementation was first exploited as a zero-day, before its public disclosure in June 2022. It allowed remote attackers to execute code on a Confluence Server via injection attaUnspecified
2
The CVE-2022-22954 Vulnerability is associated with Log4Shell. CVE-2022-22954 is a significant software vulnerability that affects VMware's Workspace One Access and Identity Manager. This flaw in the software design or implementation allows for remote code execution, providing an attacker with the ability to execute arbitrary commands on the affected system. OvUnspecified
2
The CVE-2022-1388 Vulnerability is associated with Log4Shell. CVE-2022-1388 is a significant software vulnerability identified in the F5 BIG-IP system, specifically in the iControl REST interface. This flaw allows unauthorized bypass of the authentication process, providing potential attackers with unauthorized access to the system. Initial access is typicallyUnspecified
2
The CVE-2022-26134 Vulnerability is associated with Log4Shell. CVE-2022-26134 is a critical software vulnerability that was discovered in Atlassian Confluence Server and Data Center. This flaw, which allows for remote code execution (RCE), was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized thUnspecified
2
The CVE-2021-34473 Vulnerability is associated with Log4Shell. CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to Unspecified
2
The CVE-2018-13379 Vulnerability is associated with Log4Shell. CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 20Unspecified
2
The CVE-2021-31207 Vulnerability is associated with Log4Shell. CVE-2021-31207 is a significant software vulnerability that has been exploited by APT40, a group known for rapidly taking advantage of newly public vulnerabilities in widely used software. This particular vulnerability affects Atlassian Confluence and Microsoft Exchange, among other platforms, and aUnspecified
2
The vulnerability CVE-2021-40539 is associated with Log4Shell. Unspecified
2
The vulnerability CVE-2022-22960 is associated with Log4Shell. Unspecified
2
The CVE-2017-5638 Vulnerability is associated with Log4Shell. CVE-2017-5638 is a significant vulnerability found in Apache Struts, a widely used open-source framework for developing Java web applications. This flaw in software design or implementation allowed attackers to remotely execute commands on the server running the vulnerable application, leading to poUnspecified
2
Source Document References
Information about the Log4Shell Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Checkpoint
13 days ago
CISA
18 days ago
Checkpoint
22 days ago
Checkpoint
a month ago
BankInfoSecurity
a month ago
Checkpoint
a month ago
Checkpoint
a month ago
Checkpoint
2 months ago
InfoSecurity-magazine
2 months ago
Checkpoint
2 months ago
Checkpoint
2 months ago
BankInfoSecurity
2 months ago
Checkpoint
2 months ago
Checkpoint
3 months ago
Checkpoint
3 months ago
Checkpoint
3 months ago
Checkpoint
3 months ago
Checkpoint
3 months ago
Checkpoint
4 months ago
Checkpoint
4 months ago