Log4Shell

Vulnerability updated 7 days ago (2024-10-21T09:01:15.009Z)
Log4Shell, officially tracked as CVE-2021-44228, is a serious vulnerability in the Apache Log4j logging library. It became a major threat to internet-facing systems once it was discovered that LockBit affiliates and other Advanced Persistent Threat (APT) actors were exploiting the flaw for initial access to victims' systems. Alongside Log4Shell, these actors were also observed exploiting vulnerabilities in Fortinet, Microsoft Exchange, and VMware Horizon products. In particular, Log4Shell was exploited to gain initial access to organizations' VMware Horizon servers and MobileIron Core servers. On December 15, 2021, StealthLoader malware was found leveraging Log4Shell, a significant escalation in the exploitation of the flaw. The risk has proven persistent: approximately 13% of Log4j downloads remained vulnerable three years after Log4Shell was disclosed, which underscores the ongoing threat and the need for robust mitigation strategies. Additional guidance on mitigating Log4Shell and other Log4j-related vulnerabilities is given in joint Cybersecurity Advisory AA21-356A. Although other software flaws have been discovered since, none has yet matched Log4Shell or Heartbleed in potential impact. Overall, Log4Shell remains a critical cybersecurity concern that demands ongoing attention and proactive defense measures.
Description last updated: 2024-10-21T08:35:16.991Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names / profiles that may also be relevant.

Alias | Description | Votes
CVE-2021-44228 | CVE-2021-44228, also known as the Log4Shell vulnerability, is a significant flaw in Apache's Log4j software. Disclosed in December 2021, it quickly became one of the most severe bugs due to its widespread usage and potential for exploitation. Various Advanced Persistent Threat (APT) actors attempted | 11
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Log4j
Exploit
Apache
exploitation
Remote Code ...
Exploits
Ransomware
Malware
Confluence
exploited
Source
flaw
Operation Bl...
Cisco
RCE (Remote ...
Moveit
Lateral Move...
Manageengine
Botnet
Apt
Ofbiz
Chrome
Secureworks
Linux
Phishing
bugs
Implant
Reconnaissance
Payload
Iran
Zero Day
Apache Struts
Associated Malware
Alias | Description | Association Type | Votes
Earlyrat | EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The malware was first noticed in one of the Log4j cases, | Unspecified | 2
Kinsing | Kinsing is a malicious software, or malware, that has been recently observed exploiting vulnerabilities in systems. It operates by infiltrating computers or devices, often undetected, through suspicious downloads, emails, or websites. Once inside, Kinsing can wreak havoc by stealing personal informa | Unspecified | 2
Conti | Conti is a notorious type of malware, specifically ransomware, that infiltrates computer systems to steal data and disrupt operations. The malicious software often spreads through suspicious downloads, emails, or websites, and once inside, it can hold data hostage for ransom. The Conti ransomware op | has used | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Andariel | Andariel, also known as Jumpy Pisces, is a threat actor group primarily associated with cyberespionage and ransomware activities. The group has been linked to North Korea's Reconnaissance General Bureau and other APT groups such as Kimsuky and Onyx Sleet. Andariel has been noted for its aggressive t | Unspecified | 4
Lazarus Group | The Lazarus Group, also known as Hidden Cobra and Guardians of Peace, is a notorious threat actor attributed to North Korea. Their activities date back several years, with significant exploits including the "FASTCash" ATM cash-out scheme warned about by the US-CERT in October 2018. More recently, th | Unspecified | 4
Associated Vulnerabilities
Alias | Description | Association Type | Votes
Proxyshell | ProxyShell is a critical vulnerability affecting Microsoft Exchange email servers. It is a software design and implementation flaw that allows attackers to gain unauthorized access to the affected systems. The exploit chain for ProxyShell includes CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. | Unspecified | 5
Follina | Follina (CVE-2022-30190) is a software vulnerability that was discovered and exploited in the first half of 2022. It was weaponized by TA413, a malicious entity known for its cyber attacks, shortly after its discovery and publication. The vulnerability was used to target the Sophos Firewall product, | Unspecified | 3
CVE-2022-30190 | CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it | Unspecified | 3
CVE-2021-45046 | | is / was | 2
CVE-2021-34523 | | Unspecified | 2
CVE-2021-26084 | CVE-2021-26084 is a critical vulnerability related to Atlassian's Confluence software. The flaw in the software design or implementation was first exploited as a zero-day, before its public disclosure in June 2022. It allowed remote attackers to execute code on a Confluence Server via injection atta | Unspecified | 2
CVE-2022-22954 | CVE-2022-22954 is a significant software vulnerability that affects VMware's Workspace One Access and Identity Manager. This flaw in the software design or implementation allows for remote code execution, providing an attacker with the ability to execute arbitrary commands on the affected system. Ov | Unspecified | 2
CVE-2022-1388 | CVE-2022-1388 is a significant software vulnerability identified in the F5 BIG-IP system, specifically in the iControl REST interface. This flaw allows unauthorized bypass of the authentication process, providing potential attackers with unauthorized access to the system. Initial access is typically | Unspecified | 2
CVE-2022-26134 | CVE-2022-26134 is a critical software vulnerability that was discovered in Atlassian Confluence Server and Data Center. This flaw, which allows for remote code execution (RCE), was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized th | Unspecified | 2
CVE-2021-34473 | CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to | Unspecified | 2
CVE-2018-13379 | CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 20 | Unspecified | 2
CVE-2021-31207 | CVE-2021-31207 is a significant software vulnerability that has been exploited by APT40, a group known for rapidly taking advantage of newly public vulnerabilities in widely used software. This particular vulnerability affects Atlassian Confluence and Microsoft Exchange, among other platforms, and a | Unspecified | 2
CVE-2021-40539 | | Unspecified | 2
CVE-2022-22960 | | Unspecified | 2
CVE-2017-5638 | CVE-2017-5638 is a significant vulnerability found in Apache Struts, a widely used open-source framework for developing Java web applications. This flaw in software design or implementation allowed attackers to remotely execute commands on the server running the vulnerable application, leading to po | Unspecified | 2
Source Document References
Information about the Log4Shell vulnerability was read from the document corpus below. This display is limited to 20 results.

Source | Created
Checkpoint | 5 days ago
Checkpoint | 13 days ago
InfoSecurity-magazine | 16 days ago
Checkpoint | 20 days ago
Checkpoint | a month ago
BankInfoSecurity | a month ago
Checkpoint | a month ago
Checkpoint | a month ago
Checkpoint | 2 months ago
Checkpoint | 2 months ago
Checkpoint | 2 months ago
Checkpoint | 2 months ago
Checkpoint | 2 months ago
Checkpoint | 3 months ago
CERT-EU | 10 months ago
DARKReading | 3 months ago
Checkpoint | 3 months ago
Flashpoint | 3 months ago
CISA | 3 months ago
Checkpoint | 3 months ago