The Log4j2 Zero-Day vulnerability lit up the internet like an overachieving neighbor decorating their house for Christmas. Only days within its discovery, CVE-2021-44228 catapulted to the top of the CVE board, scoring the dreaded 10/10 CVSS rating. 

Apache Log4j2 is an open-source logging framework integrated into many Java-based applications on end-user systems and servers. It is widely used by leading software manufacturers, including Apple, Cisco, Cloudflare, ElasticSearch, Steam, Tesla, and Twitter.

The Java logging library Apache Log4j2 vulnerability (also called Log4Shell or LogJamlabelled, and tracked as CVE-2021-44228), threatens to enable Remote Code Execution (RCE). This would allow unauthorized actors to execute arbitrary code, leak sensitive data, or execute malicious software on compromised systems, running the risk of complete system takeover.

Cybersixgill constantly monitors vulnerabilities and the dark web interactions regarding them, predicting the likelihood of each  vulnerability based on threat actor’s intent. This is done autonomously in real-time – meaning so have been  tracking this vulnerability and it’s rapid escalation since the moment it was discovered. Here’s the play-by-play:

Dec 10

The new Zero-Day vulnerability is uncovered by “p0rz9”, a Chinese security researcher. Shortly after, a known threat actor quickly publishes a Proof-of-Concept (PoC) for the CVE-2021-44228 vulnerability on their hacking website, providing detailed explanations and tips for a better exploitation of the vulnerability.

As discussions surrounding the vulnerability began to mount, the Cybersixgill’s Dynamic Vulnerability Exploit (DVE) Score for CVE-2021-44228 escalated from “None” to “Low”

Dec 11

CVE-2021-44228 generates significant interest on the underground.

The administrator of a popular Chinese cybercriminal blog shares a post discussing the vulnerability, including screenshots of the technical steps as well as GitHub repositories related to the vulnerability exploit.

A reply on a Reddit forum provides additional information about multiple underground hosts exploiting the Apache Log4j2 vulnerability, many of them being TOR exit nodes.

In a Discord instant messaging channel, a user shares several techniques that can be implemented to bypass words blocking patches related to the vulnerability exploit, including a GitHub repository in which an attacker can find all the information needed to bypass security filters related to the vulnerability fixing.

Another threat actor publishes a GitHub repository related to the CVE-2021-44228 vulnerability on a well known underground forum, as well as a Youtube link for a visual step-to-step tutorial about the Remote Code Execution (RCE) involved in the CVE-2021-44228 vulnerability.

As the vulnerability garnered more and more attention – both on the cybercriminal underground and on clear web sources – the Cybersixgill’s Dynamic Vulnerability Exploit (DVE) Score for CVE-2021-44228 swiftly surged from “Low” to “Critical”. 

Dec 12

By Sunday, the Apache Avalanche was well and truly underway, with the CVE trending on both surface and underground platforms, including Twitter, Reddit, GitHub, Telegram and multiple other closed underground forums.

As mentions of the CVE were increasingly detected in items with ransomware-related keywords, the DVE Score rating climbed from 9.49 to 9.99.

Eventually, in the early hours of Monday morning, the DVE Score reflected a final score of 10/10.

Conclusion

Following the digital sphere’s media blitz about the flaw, Apache, AWS, Microsoft as well as others released updates in order to patch the vulnerability. But, due to the rising interest in the vulnerability on underground channels, it is unlikely that attempts to exploit will dwindle in the near future – with attempted exploits taking place on over 31.5% of corporate networks globally (according to checkpoint). 

As the dust settles, so does the realization that today’s organizations need to use whatever tool in their arsenal to obliterate any threat – long before it turns into an incident. They must leverage technologies that monitor the discourse, analyze and understand the context, and alert in the case a threat is even remotely relevant to assets such as networks, people, places, and platforms – sometimes even before a vulnerability gets a CVSS rating. Only by embracing automated real-time intelligence, vulnerability management, fraud, incident response, and threat hunting teams can you truly stay ahead of the threat curve.

How can Cybersixgill help you identify the cybersecurity vulnerabilities that present the most short-term threat to your company or organization? Get a personalized demo to find out.