Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell exploit targeting CVE-2021-44228 in Log4j. (Blog | Twitter | LinkedIn)
- 2021-12-13
- IOCs shared by these feeds are
LOW-TO-MEDIUM CONFIDENCE
we strongly recommendNOT
adding them to a blocklist - These could potentially be used for
THREAT HUNTING
and could be added to aWATCHLIST
- Curated Intel members at various organisations recommend to
FOCUS ON POST-EXPLOITATION ACTIVITY
by threats leveraging Log4Shell (ex. threat actors, botnets) - IOCs include JNDI requests (LDAP, but also DNS and RMI), cryptominers, DDoS bots, as well as Meterpreter or Cobalt Strike
- Critical IOCs to monitor also include attacks using DNS-based exfiltration of environment variables (e.g. keys or tokens), a Curated Intel member shared an example
- IOCs shared by these feeds are
- 2021-12-14
- Curated Intel members profiled active exploitation threats
- 2021-12-15
- Curated Intel members parsed
MEDIUM CONFIDENCE FEEDS
to beMISP COMPATIBLE
with the help of the KPMG-Egyde CTI Team - Curated Intel members profiled active threat groups (nation states and organized crime)
- Curated Intel members parsed
- 2021-12-16
- Curated Intel members confirmed the previously unnamed "New Ransomware" is actually "TellYouThePass Ransomware", mostly targeting Chinese infrastructure
- 2021-12-17
- Curated Intel members parsed
VETTED IOCs
with the help of the Equinix Threat Analysis Center (ETAC) - ETAC has also shared a diagram of threat actors, malware, and botnets, leveraging Log4Shell in the wild
- Curated Intel members parsed
- 2021-12-20
- ETAC has added MITRE ATT&CK TTPs of Threat Actors leveraging Log4Shell
- Curated Intel members parsed
ALIENVAULT OTX MENTIONS
to beMISP COMPATIBLE
with the help of the KPMG-Egyde CTI Team
- 2021-12-21
- Curated Intel members parsed
VULNERABLE PRODUCT LISTS
to beCSV+XLSX COMPATIBLE
with an automated workflow, pulling from NCSC-NL + CISA + SwitHak
- Curated Intel members parsed
- 2021-12-22
- Curated Intel members added very basic
FALSE-POSITIVE FILTERING
for threat hunting feed outputs, using selected MISP warning lists, primarily to remove false-positives of large DNS resolvers (among others)
- Curated Intel members added very basic
- 2021-12-29
- Added Securonix Autonomous Threat Sweep vetted IoC's and TTP's
- 2022-01-10
- Updated MSTIC (4) report now tracks a China-based double-extortion ransomware operator, DEV-0401, who deployed NightSky ransomware via VMWare Horizon initial access
- 2022-01-11
- SentinelOne shared their analysis of cybercrime actors leveraging Log4j one month since disclosure, with new info on the Emotet botnet using Log4j for payload hosting
- 2022-03-03
- Threat hunting feeds updated by KPMG-Egyde CTI
Grouping | Actor | Mentioned Alias | Other Alias EternalLiberty | Threat Report | Note |
---|---|---|---|---|---|
State actor | China | HAFNIUM | N/A | MSTIC (2) | Attacking infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems. |
State actor | Iran | PHOSPHORUS | APT35, TEMP.Beanie, TA 453, NewsBeef, CharmingKitten, G0003, CobaltIllusion, TG-2889, Timberworm, C-Major, Group 41, Tarh Andishan, Magic Hound, Newscaster | MSTIC (2) | Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. |
Organized Cybercrime | Russia | Wizard Spider | Trickbot Gang, FIN12, GOLD BLACKBURN, Grim Spider | AdvIntel | Wizard Spider is the developer of the Conti Ransomware-as-a-Service (RaaS) operation which has a high number of affiliates, and a Conti affiliate has leveraged Log4Shell in Log4j2 in the wild |
Organized Cybercrime | Russia | EvilCorp | Indrik Spider, GOLD DRAKE | Cryptolaemus | EvilCorp are the developers of the Dridex Trojan, which began life as a banking malware but has since shifted to support the delivery of ransomware, which has included BitPaymer, DoppelPaymer, Grief, and WastedLocker, among others. Dridex is now being dropped following the exploitation of vulnerable Log4j instances |
State actor | China | Aquatic Panda | N/A | CrowdStrike | AQUATIC PANDA is a China-based targeted intrusion adversary with a dual mission of intelligence collection and industrial espionage. It has likely operated since at least May 2020. AQUATIC PANDA operations have primarily focused on entities in the telecommunications, technology and government sectors. AQUATIC PANDA relies heavily on Cobalt Strike, and its toolset includes the unique Cobalt Strike downloader tracked as FishMaster. AQUATIC PANDA has also been observed delivering njRAT payloads to targets. |
To be determined | China | DEV-0401 | N/A | MSTIC (4) | Attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. An investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware. These attacks are performed by a China-based ransomware operator that MSTIC is tracking as DEV-0401. DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo, and Rook, and has similarly exploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473). |
Organized Cybercrime | Russia | Mummy Spider | TA542, MealyBug, GoldCrestwood | SentinelOne | Naturally, the Emotet crew has been taking advantage of Log4j as well. For example, vulnerable servers were quickly compromised and used for staging and payload hosting within the greater Emotet network. |
Organized Cybercrime | Russia | Prophet Spider | UNC961 | BlackBerry | The Initial Access Broker (IAB) group Prophet Spider has been exploiting the Log4j vulnerability in the Apache Tomcat component of VMware Horizon |