Log4j Chatter: What Threat Actors Are Sharing About the Log4Shell Vulnerability
Now a week since the Apache Log4j disclosure, organizations are feverishly attempting to identify and patch all potential vulnerabilities to their systems and infrastructure. In the meantime, threat actors across various illicit communities are actively discussing ways to exploit and further monetize this vulnerability.
Below, we break down the most significant chatter among threat actor groups, with a particular focus on the deep and dark web forums XSS, Raid Forums, and RAMP.
The chatter on XSS
Flashpoint analysts identified a thread titled "CVE-2021-44228 Apache log4j RCE" on the top-tier Russian-language hacking forum XSS in which threat actors are actively discussing Log4Shell-related activity, including:
- Information sharing on proof-of-concept (PoC) exploits for Log4Shell
- Contributing to mapping out the Log4Shell attack surface
- Providing information on how to scan for systems vulnerable to Log4Shell
- Web application firewall (WAF) evasion payloads
- Sharing information on how to bypass Cloudflare protections to deliver a Log4Shell exploit payload
- Sharing updates on patch releases for Log4Shell
Log4j and GitHub: How threat actors weaponize open-source code repos
The majority of the information shared in the Log4Shell-related XSS thread identified by Flashpoint is derived from GitHub repositories. GitHub is actively removing repositories containing PoC exploits for Log4Shell. Threat actors on XSS are aware of this and, in response, are posting clones of GitHub repositories containing Log4Shell PoC exploits before GitHub has the opportunity to remove them.
Cloned repositories that have since been removed from GitHub but remain archived on XSS will likely serve as a knowledge base on which threat actors build in the future.
This activity demonstrates a clear intersection between GitHub and cybercriminal communities and how GitHub repositories remain a primary resource for threat actors, even amid GitHub’s attempts to remove repositories containing malicious artifacts.
Threat actors on the English-language illicit community, Raid Forums, are actively involved in propagating the following information related to Log4Shell:
- New plugins for popular vulnerability scanning tools tailored toward identifying systems vulnerable to Log4Shell
- Custom tools designed to scan for systems vulnerable to Log4Shell
- PoC exploits for Log4Shell
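The scanning tooling mentioned in the XSS and Raid Forums lists above has a defender-side counterpart: locating every log4j-core build on your own hosts, including copies buried inside WAR, EAR and shaded jars. The following is an added example, not Flashpoint's code or any tool from those forums; it assumes the standard Maven `pom.properties` path inside log4j-core jars and uses 2.16.0 (the release that disabled JNDI lookups by default) as its review threshold, with a constructed WAR as sample input.

```python
# Added example (not Flashpoint's code): find log4j-core builds that still ship JndiLookup.
import io
import re
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
SAFE_FROM = (2, 16, 0)  # threshold used here: 2.16.0 disabled JNDI lookups by default

def parse_version(props: str):
    """(major, minor, patch) from a pom.properties body, or None if not parseable."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", props, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def inspect_archive(data: bytes, label: str, findings: list) -> list:
    """Append a finding per log4j-core bundle in `data`, recursing into nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            ver = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
            findings.append({"path": label, "version": ver,  # unknown version -> review it
                             "needs_review": ver is None or ver < SAFE_FROM})
        for name in sorted(names):  # nested jars inside WARs, EARs and shaded jars
            if name.lower().endswith(ARCHIVES):
                inspect_archive(zf.read(name), f"{label}!{name}", findings)
    return findings

def scan_tree(root: Path) -> list:
    """Walk a directory; one finding per archive (at any nesting depth) with JndiLookup."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            inspect_archive(path.read_bytes(), path.relative_to(root).as_posix(), findings)
    return findings

def sample_war() -> bytes:
    """Constructed fixture: a WAR bundling a 2.14.1 log4j-core jar and a 2.17.1 one."""
    def jar(version: str) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
            zf.writestr(POM_PROPS, f"version={version}\n")
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        for v in ("2.14.1", "2.17.1"):
            zf.writestr(f"WEB-INF/lib/log4j-core-{v}.jar", jar(v))
    return war.getvalue()
```

Running `inspect_archive(sample_war(), "app.war", [])` reports both nested jars, with only the 2.14.1 copy marked for review; `scan_tree` applies the same check to a directory of deployed archives.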
Raid Forums admins are aware that chatter about Log4j would likely bring increased attention to the forum from law enforcement and the press. As a result, they are consistently removing threads containing information related to Log4Shell. However, as with GitHub, threat actors on Raid Forums are quickly downloading shared PoC exploits and tools before the admins have the opportunity to remove them.
On December 11, within the general chat box of the ransomware forum RAMP, several threat actors said they had not heard from the ransomware group “LockBit” for a while. One individual stated that LockBit is working on Log4j but did not provide details about the type of work the ransomware collective is allegedly conducting.
Notably, LockBit’s spokesperson on RAMP often openly criticizes the RAMP admins, referring to the forum as a “cop forum.” While the aforementioned comment could be a joke, Flashpoint continues to actively monitor RAMP for any further information.
See Flashpoint’s Vulnerability Management Solutions in Action
Flashpoint’s enriched CVE data cross-references data from MITRE & NVD with threat-actor chatter in illicit online communities such as deep & dark web forums and chat services, as well as paste sites and open-source technical data. Visibility into these sources allows vulnerability management teams to identify which CVEs have active and proof-of-concept exploits and which are most likely to be exploited in the future. By combining their internal data with these insights, teams are able to prioritize mitigation measures more effectively based on risk.
To learn more, sign up for a free trial today.