Skip to main content

Arctic Wolf Releases Open Source Log4Shell Detection Script

After successful deployment to Arctic Wolf’s customer community of more than 2,300 organizations worldwide, today we are making “Log4Shell Deep Scan” publicly available on GitHub. Log4Shell Deep Scan enables detection of both CVE-2021-45046 and CVE-2021-44228 within nested JAR files, as well as WAR and EAR files. 

Download Log4Shell Deep Scan.

Watch the Log4Shell Deep Scan walkthrough (scroll to bottom) 

This script—provided for both Windows and macOS/Linux devices—will conduct a deep scan of a host’s filesystem to identify Java applications and libraries with vulnerable Log4j code. When it identifies the existence of impacted Log4j code, the script will flag it and output its location within the host’s filesystem. 

Arctic Wolf customers are seeing discoveries of applications and systems that were not known to be affected and which other tooling would not have identified. 

For the most up-to-date information, please see the included readme.txt on GitHub. We also encourage those in the security community to fork Log4Shell Deep Scan for their own use cases. 

Please note that no information is collected by or sent to Arctic Wolf. 

Why Use Log4Shell Deep Scan? 

Identifying all vulnerable instances of Log4j within an organization is an ongoing concern for IT and security teams this week. The upgrade of the latest CVE-2021-45046 to critical means that it will necessitate another round of scanning and patching across a large estate of systems and assets.  

Log4Shell Deep Scan should be used as a complement to, not a replacement for, existing network-based vulnerability scanning solutions that organizations should already have in place. We recommend organizations run this tool on your most critical cyber assets that are publicly exposed, as well as those behind your perimeter.   

By exposing which applications are affected and where each vulnerability exists, IT and security teams can then conduct rapid prioritization and targeted remediation of this vulnerability.  

Multiple threat actors continue to actively exploit the Log4j/Log4Shell vulnerabilities 

Arctic Wolf has observed a large amount of scanning activity related to these vulnerabilities. We are also seeing widespread attacks occurring frequently where threat actors are attempting to deliver crypto miner malware. Ransomware threat actors have also now started to actively use Log4Shell as an entry vector and are actively exploiting it to deliver their attacks. 

We are tracking multiple reported nation-state threat actor activity groups originating from China, Iran, North Korea, and Turkey exploiting the Log4J vulnerability. These threat actors usually act much earlier because of pre-knowledge of a zero day, or later after broad knowledge has been gained but a long tail of identified vulnerable systems remains in key targets of interest. Once the noise has settled is when activities in these areas tend to pick up so continuous vigilance is key.  

What’s next for Log4Shell? 

A week and a half into dealing with Log4Shell, the situation is still developing. We know this event will have a very long tail, and our security and R&D teams are anticipating this and developing additional detections based on the emerging tradecraft (e.g., TTPs) we foresee adversaries using. This includes being able to analyze anticipated evasions and variations of attack delivery methods.  

Sophisticated threat actors will likely take advantage of the widespread scanning and commodity attacks going on right now to fly in under the radar and compromise high-value targets. We also expect to see more ransomware operators taking advantage of this vulnerability in targeted attacks. 

If you want to learn more about the impacts of Log4Shell, you can view Arctic Wolf’s webinar  to quickly get up to speed on the latest findings regarding these vulnerabilities.