Skip to main content

Log4Shell in the Field – A Brief Analysis Through January 2022

This is a follow-up to our previous blog posts covering the Log4j vulnerability and the Deep Scan tool we made available to help identify vulnerable systems. 

As we close the first month of 2022, we looked into the activity related to the Log4Shell vulnerability CVE-2021-44228 observed across our 2,300+ customers. 

Many of you will empathize with the struggle to find all instances of the vulnerable Log4j component, especially at the scale that comes with having a large customer base. It’s from this necessity of scale that we were able to focus on providing the Deep Scan tool to the community (available on GitHub).

This inspection capability was key in making sure our Concierge Security® Team delivered tailored intelligence and remediation guidance to allow customers to mitigate risk by blocking known bad IP destinations and domains, as well as taking measures to lock down and isolate at-risk systems before compromise. 

Close to 100% of the post-compromise behaviors chained to Log4Shell have been limited thus far to two distinct activities: an attempted installation of the XMrig cryptocurrency miner, and Night Sky ransomware campaigns associated with the AQUATIC PANDA threat actor—with several attacks attempting to deploy Night Sky via Cobalt Strike. 

RCE pointing to Cobalt Strike with Night Sky and XMrig beneath that

Initial Log4j Mass Scan 

Like everyone else in the world, we initially saw a ton of traffic from opportunistic scanning. 

After quickly tuning our correlation and analysis systems, as well as deploying additional detections, we got a much better perspective of activity. We identified and triaged 29,338 unique incidents of adversarial scanning for CVE-2021-44228 through to January 25, 2022, all of which were focused on just 807 of our customers. 

L4J scanning traffic over time

After the initial hype around this vulnerability died down it became clear that there are traditional defensive steps that can be taken to mitigate the risk of exploitation. So, it should come as no surprise that less than 2.5% of our customer base experienced anything more than the initial scan. This is thanks to defense-in-depth and layered security controls, not having vulnerable systems and applications available to the internet, and being able to patch in advance of their infrastructure being attacked. 

First Stage: Pre-Compromise Successful RCE 

The high probability of exploitation meant keeping a close eye on detection activity associated with CVE-2021-44228. The sheer scale of the scanning traffic was annoying (in terms of our SOC ticketing and triage) but benign up until December 23, which is when we began to detect instances of successful RCE (remote code execution).

To date, we have observed RCE within 252 unique incidents. This affected 70 of our customers, with almost half of these incidents occurring within 96 hours (about 4 days) of the first successful RCE. 

In some instances, customers had invested in one of the many third-party EDR systems, which were able to detect and alert on the post compromise malware drop, but we did not observe any endpoint security tool prevent the first stage RCE attempts. 

Customers that had deployed the optional Arctic Wolf agent alongside their existing tooling benefited from high fidelity, correlated detections of exploitation and reconnaissance attempts, and were defended by near real-time containment. This highlights that while preventing incidents whenever possible is a boon, efforts to block as much as possible should not mask nor hinder the importance of detection and response, and the criticality of using data observation from beyond the endpoint vendor’s ecosystem. 

Post Compromise: Cobalt Strike Activity 

Cobalt Strike is sold as an "adversary simulation and red team emulation” tool, and is intended to be used by security teams and penetration testers to execute realistic cyberattacks and help simulate an adversary's post-exploitation actions. 

Over time, this toolset has grown popular thanks to the integration of other popular tools like Mimikatz and Metasploit, with the threat actor community using it to launch actual cyberattacks. 

A small number of successful first-stage Log4j RCE incidents led to Cobalt Strike beaconing within 21 of our customers' networks. Five of these instances were able to make successful C2 (Command and Control) connections and attempt to deploy Night Sky ransomware payload. 

Post Compromise: Night Sky Ransomware Activity 

Night Sky is the name of a ransomware campaign first discovered on January 1st, 2022, by the MalwareHunterTeam

According to Microsoft, Night Sky ransomware campaigns are performed by a China-based threat actor known as DEV-0401, a group also known as AQUATIC PANDA. DEV-0401 has deployed multiple ransomware families in the past, including LockFile, AtomSilo, and Rook. Security researchers believe Night Sky ransomware is a fork of the Rook ransomware. 

Arctic Wolf detects the Night Sky payload and associated activity through observations based on attempted PowerShell use, IoC related to HTTP URIs, and IoCs related to outbound communication. 

We detected Night Sky IoCs in the network of eight customers, of which only one customer experienced an attempt at persistence and data exfiltration. In this case, the adversary created a new user account with which it attempted to use the MEGA client as an exfiltration path—a tactic that has been previously observed by the threat actors FIN7 and Hafnium. The exfiltration attempt was prevented by network and device containment policies and no data was sent over the wire. 

Additionally, another customer had previously deployed GPO controls to limit the privileges available to PowerShell which prevented this stage of malware retrieval and execution. 

Post Compromise: XMrig Crypto Mining Activity 

Although many popular security controls mark crypto mining applications like XMrig as PUA (Potentially Unwanted Application) rather than classify them as malicious, any detection of mining in an enterprise must always be treated with high severity. The presence of an unauthorized miner indicates with high fidelity that an adversary (whether insider threat or external actor) has been able to deploy unauthorized applications in your environment, which is a much higher severity threat than something described as a simple annoyance related to a PUA. 

We detected 21 unique incidents related to Log4j exploitation, where the adversary attempted to deploy the XMrig cryptocurrency miner at 12 customers. Only one instance of these attempts showed confirmed signs of the coin miner briefly trying to submit proof-of-work computations. 

Conclusions From This Analysis 

While the speed of detection, triage, and response to an incident is critical, strong security practices (and a little luck) will always play a key role in being able to mitigate new threats and risks before your infrastructure is compromised. 

A defense-in-depth approach can, and will, steer organizations forward on their security journey. It builds continuous improvement in the security posture over time, even as the traditional “corporate network behind a firewall” defense strategy gives way to remote working and cloud infrastructure. 

It is especially important to recognize that defense-in-depth is not solved purely by technology. Within a successful defense-in-depth approach to security operations is a core of human capabilities—you cannot AI your way to the end of a security incident.  

Technology as the heading with event network data pointing to observe, orient, decide, and act

It is the human element that must take the observations, context, and narrative generated by the security operations platform, triage and verify the activities that took place, and provide remediation guidance.  This makes it paramount for SOC staff to have absolute confidence in the data they receive and the visibility they have, so they can arrive at conclusions faster. A faster path to confidence means the actions they take have the best chance of preventing damage and loss. 

Observed IOCs 

Observed activity 

IOC 

Loc. 

3rd Party Threat Intel verdicts 

Scanning & successful RCE 

193[.]32[.]23[.]62 

NL 

Malicious destination link 

Night Sky C2 

207[.]148[.]122[.]171 

SG 

Active scanning on many ports link 

207[.]148[.]117[.]157 

SG 

No current warnings or advisories. 

Cobalt Strike C2 

45[.]136[.]230[.]230 

NL 

1 VTcommunity note for CS server. 

185[.]112[.]83[.]116 

RU 

Malicious / Questionable destination 

XMrig Crypto-Miner 

72[.]46[.]52[.]135 

US 

Malicious / Questionable destination 

141[.]85[.]161[.]18 

RO 

Malicious / Questionable destination 

-Written by Ian McShane and Ross Phillips

Arctic Wolf Can Help

This remains an evolving threat, and as evident by the continued exploitation many companies lack the team or resources to act quickly and mitigate their risk. Arctic Wolf’s Concierge Security Team works side by side with customers, 24x7, to hunt for activity and deploy new detections—always advancing security operations while our customers focus on implementing the Log4j patches and updates. 

For More: 

1. Request a demo 

2. Learn more about Arctic Wolf 

3. Read the Comprehensive Guide to Security Operations 

About the Author

Ian McShane has over 20 years experience in cybersecurity and operational IT. As a former Gartner analyst, Ian has advised the largest and fastest growing technology companies in the world as well as tens of thousands of organizations world-wide. He is well known as a trusted advisor and popular commentator in our industry, and prior to joining Arctic Wolf Ian has spent time at Symantec, Gartner, Endgame, Elastic, and CrowdStrike.

Profile Photo of Ian McShane