SecureWorks : Log4j Threat Hunting Advice

Log4j Threat Hunting Advice Secureworks has published a list of observed malicious IP addresses on our public github repository in efforts to help organizations identify potential exploit of the Log4j vulnerability.Wednesday, December 22, 2021By: Nash Borges and Paul DiOrio

Since the initial news broke around the Log4j remote code execution vulnerabilities CVE-2021-44228 (also known as Log4Shell), CVE-2021-45046, and CVE-2021-45105, the Secureworks ® team has been helping our customers determine whether they were vulnerable, how they were being scanned, and finally whether a threat actor had successfully exploited these vulnerabilities. In a recent blog "Log4Shell: Easy to Launch the Attack but Hard to Stick the Landing?" our Secureworks Counter Threat Unit™ (CTU ™) shared their insights stating that while the Log4j vulnerability remains a serious threat, evidence initially showed that it was non-trivial to successfully exploit, and the full impact of this vulnerability had yet to be seen.

But as these vulnerabilities continue to inspire attackers, we are seeing more signs exploitation attempts, some of which have been successful. For example, Secureworks Taegis™ XDR observed exploitation attempts including encoded commands to download malicious initial access scripts, jumpstart crypto-miners, exfiltrate credentials found on the target, record confirmed vulnerable status for later exploitation, or include carefully crafted data to initiate remote shells. While the bulk of the activity is coming from mass scanning looking for any vulnerable systems accessible on the internet, some of it has been more targeted and even includes the use of compromised websites to host malicious content for remote code execution.

To aid in the collective defense of all our networks, and in the spirit of responding to emergencies as a global security community, we are releasing IP addresses that exhibit malicious characteristics beyond the normal scanning and research traffic. Furthermore, we have decoded the commands embedded in "Command/Base64" JNDI parameters to aid in understanding follow-on stages of the exploit attempts and support the development of process watchlists and domain name sinkholes. As you or your partners conduct threat hunts, you should keep an eye out for these suspicious IP addresses and other indications of scanning and attempted remote code execution. While their presence alone does not indicate a successful exploitation, it does warrant taking a deeper look.

Our security teams delivering Taegis ManagedXDR are continually evaluating how and when to alert on activities associated with these IPs, but in most cases, we have not seen these attempts successfully achieve remote code execution. Therefore, we have made the decision not to trigger an alert automatically in Taegis based on these IPs, but instead to leverage them as part of our active threat hunting operations looking for any successful exploitation.

We have released this data on our public github repository and will continue to aid the global effort in understanding, detecting, and disrupting active exploitation of the log4j vulnerabilities.

For more information about this vulnerability, visit our FAQ.

If you have an incident and need urgent assistance, contact the Secureworks Incident Response team.

If you have other questions on how we can help, contact us.