Analysis of Initial In The Wild Attacks Exploiting Log4Shell/Log4J/CVE-2021-44228 - Cado Security | Cloud Investigation
Common Information
Type | Value |
---|---|
UUID | e090b63d-4b0f-4cdf-96a1-b0d09b8fb33f |
Fingerprint | 4f1ec4d297fb324 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Dec. 13, 2021, 11:50 a.m. |
Added to db | Sept. 26, 2022, 9:34 a.m. |
Last updated | Nov. 17, 2024, 6:53 p.m. |
Headline | Analysis of Initial In The Wild Attacks Exploiting Log4Shell/Log4J/CVE-2021-44228 |
Title | Analysis of Initial In The Wild Attacks Exploiting Log4Shell/Log4J/CVE-2021-44228 - Cado Security | Cloud Investigation |
Detected Hints/Tags/Attributes | 68/2/60 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | CVE | 397 | cve-2021-44228 |
|
Details | Domain | 7 | binaryedge.io |
|
Details | Domain | 6 | interactsh.com |
|
Details | Domain | 1 | c6v09ky2vtc000092300gdpor3hyyyyyb.interactsh.com |
|
Details | Domain | 9 | lh.sh |
|
Details | Domain | 3 | nazi.uy |
|
Details | Domain | 6 | ex.sh |
|
Details | Domain | 11 | www.lacework.com |
|
Details | Domain | 38 | blog.netlab.360.com |
|
Details | Domain | 1373 | twitter.com |
|
Details | Domain | 29 | urlhaus.abuse.ch |
|
Details | Domain | 23 | logging.apache.org |
|
Details | Domain | 110 | www.reddit.com |
|
Details | Domain | 18 | www.cadosecurity.com |
|
Details | File | 1 | sourcefileexploit.java |
|
Details | File | 4 | rmi.obj |
|
Details | File | 6 | id_ed25519.pub |
|
Details | File | 64 | security.html |
|
Details | sha256 | 1 | 4d040caffa28e6a0fdc0d274547cf1c7983996fc33e51b0b2c511544f030d71b |
|
Details | sha256 | 6 | 6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b |
|
Details | sha256 | 6 | 3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f |
|
Details | sha256 | 4 | 929c3017e6391b92b2fbce654cf7f8b0d3d222f96b5b20385059b584975a298b |
|
Details | sha256 | 6 | 705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0 |
|
Details | IPv4 | 1 | 47.75.82.85 |
|
Details | IPv4 | 1 | 45.146.164.160 |
|
Details | IPv4 | 1 | 96.234.173.145 |
|
Details | IPv4 | 1 | 154.21.28.76 |
|
Details | IPv4 | 1 | 47.106.202.101 |
|
Details | IPv4 | 6 | 45.137.21.9 |
|
Details | IPv4 | 1 | 89.188.76.250 |
|
Details | IPv4 | 11 | 62.210.130.250 |
|
Details | IPv4 | 3 | 45.130.229.168 |
|
Details | IPv4 | 3 | 18.228.7.109 |
|
Details | IPv4 | 2 | 159.89.182.117 |
|
Details | IPv4 | 10 | 45.155.205.233 |
|
Details | IPv4 | 4 | 45.137.155.55 |
|
Details | IPv4 | 1 | 93.189.42.8 |
|
Details | Url | 3 | http://62.210.130.250/lh.sh |
|
Details | Url | 3 | http://62.210.130.250/web/admin/x86 |
|
Details | Url | 2 | http://18.228.7.109/.log/log |
|
Details | Url | 2 | http://18.228.7.109/.log/pty3 |
|
Details | Url | 2 | http://18.228.7.109/.log/pty4 |
|
Details | Url | 2 | http://18.228.7.109/.log/pty2 |
|
Details | Url | 2 | http://18.228.7.109/.log/pty1 |
|
Details | Url | 2 | http://18.228.7.109/.log/pty5 |
|
Details | Url | 2 | http://159.89.182.117/wp-content/themes/twentyseventeen/ldm |
|
Details | Url | 2 | http://45.137.155.55/ex.sh |
|
Details | Url | 1 | http://93.189.42.8/kinsing |
|
Details | Url | 1 | http://93.189.42.8/lh.sh |
|
Details | Url | 1 | https://research.nccgroup.com/2021/12/12/log4shell-reconnaissance-and-post-exploitation-network-detection |
|
Details | Url | 1 | https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers |
|
Details | Url | 4 | https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets |
|
Details | Url | 1 | https://twitter.com/bad_packets/status/1469225135504650240 |
|
Details | Url | 1 | https://urlhaus.abuse.ch/browse/tag/log4j |
|
Details | Url | 15 | https://logging.apache.org/log4j/2.x/security.html |
|
Details | Url | 2 | https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited |
|
Details | Url | 6 | https://www.cadosecurity.com |
|
Details | Yara rule | 1 | rule Linux_Kinsing_Malware { meta: description = "Detects Kinsing Malware" author = " [email protected] " date = "2021-12-11" license = "Apache License 2.0" hash1 = "6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b" strings: $a1 = "main.goKrongo" $a2 = "main.taskWithScanWorker" $a3 = "main.runTaskWithHttp" $a5 = "main.getMinerPid" $a6 = "main.sendResult" $a7 = "main.minerRunningCheck" condition: uint16(0) == 0x457f and 4 of them } |
|
Details | Yara rule | 1 | rule Cryptomining_Malware_Xmrig { meta: description = "Detects Xmrig Cryptominer" author = " [email protected] " date = "2021-12-11" license = "Apache License 2.0" strings: $ = "password for mining server" ascii wide nocase $ = "threads count to initialize RandomX dataset" ascii wide nocase $ = "display this help and exit" ascii wide nocase $ = "maximum CPU threads count (in percentage) hint for autoconfig" ascii wide nocase $ = "enable CUDA mining backend" ascii wide nocase $ = "cryptonight" ascii wide nocase condition: 5 of them } |
|
Details | Yara rule | 1 | rule Mining_Worm_August_2020 { meta: description = "Detects Mining Worm" author = " [email protected] " date = "2020-08-16" license = "Apache License 2.0" hash1 = "3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f" hash2 = "929c3017e6391b92b2fbce654cf7f8b0d3d222f96b5b20385059b584975a298b" hash3 = "705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0" strings: $a = "echo $LOCKFILE | base64 -d > $tmpxmrigfile" ascii wide $b = "/root/.tmp/xmrig config=/root/.tmp/" ascii wide $c = "if [ -s /usr/bin/curl ]; then" ascii wide $d = "echo found: /root/.aws/credentials'" ascii wide $e = "function KILLMININGSERVICES(){" ascii wide $g = "touch /root/.ssh/authorized_keys 2>/dev/null 1>/dev/null" ascii wide $h = "rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service" ascii wide $i = " [email protected] /root/.ssh/id_ed25519.pub" ascii wide condition: filesize < 500KB and any of them } |