{"id":7366,"date":"2022-01-03T15:47:20","date_gmt":"2022-01-03T23:47:20","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7366"},"modified":"2022-01-03T15:47:20","modified_gmt":"2022-01-03T23:47:20","slug":"an-initial-look-at-log4shell-trends","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/an-initial-look-at-log4shell-trends\/","title":{"rendered":"An Initial Look at Log4Shell Trends"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">While much of the world was celebrating holidays over the last week or more, the security industry was busy defending against and investigating log4shell attacks based on the recently disclosed vulnerability in the Apache log4j library. As we collectively move on from responding to the actors who were quick to take advantage of the weakness, we can begin reflecting on what happened. It will be some time before thorough analyses are complete and widely available, but some clear patterns have emerged. Like the rest of the intelligence community, Infoblox is analyzing the timeline of events from many perspectives, and thus far our findings are consistent with those of the community as a whole. In this blog, we\u2019ll discuss some of the early results and explain some of the policy decisions we made in our response to the attacks to protect our customer base.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As described in our earlier <\/span><a href=\"https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/cyber-campaign-briefs\/log4j-exploit-harvesting\/\"><span style=\"font-weight: 400;\">Cyber Campaign Brief<\/span><\/a><span style=\"font-weight: 400;\">, we realized that failed log4shell attacks often generated invalid DNS queries: names that still carried pieces of the exploit string itself (such as \u201c{jndi\u201d) and so could never resolve. By creating an analytic to look for and parse these queries, we were able to identify attacker infrastructure. The invalid queries proved to be a valuable mechanism for identifying a wide range of attacks. 
While these particular queries were invalid, successful attempts to exploit the log4j vulnerability were visible as queries that resolved normally. As a result, we were able both to validate trends reported by other security vendors and to identify attacks that were more targeted in nature. A sampling of the most common domains we have observed related to this vulnerability is shown in the figure below.<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7367\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/log4j-1.png\" alt=\"\" width=\"1468\" height=\"748\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/log4j-1.png 1468w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/log4j-1-300x153.png 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/log4j-1-1024x522.png 1024w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/log4j-1-768x391.png 768w\" sizes=\"auto, (max-width: 1468px) 100vw, 1468px\" \/><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">A selection of some of the most common domain names seen associated with log4shell activity.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-weight: 400;\">Our retrospective analysis confirms a number of conclusions reported by other intelligence groups:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">We see no widespread attempts to exploit the vulnerability prior to December 9th.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Cryptomining actors were quick to use the vulnerability, with several actors launching attacks within a few hours of the disclosure.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">In particular, the TeamTNT coin miner, the m8220 mining bot, and the Muhstik mining bot were active before many 
security teams were able to respond.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Security researchers and red teams jumped on the news quickly, and a dramatic rise in vulnerability testing suites and scanners coincided with the initial mining attacks.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Attackers leveraged Tor heavily, using gateway services such as to2web[.]su, onion[.]ly, and onion[.]ws to relay traffic between the Internet and Tor.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Twitter users quickly produced and distributed proof-of-concept attacks against various applications, making it easy for attackers and defenders alike to scan for vulnerable endpoints.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">In addition, we noted that several of the crypto-mining bots had either reduced or no activity for several hours on the 9th, including a period that appears to precede the public disclosure. This may indicate that they had early word through illegal channels and reduced operations to update their software for a log4shell attack. A callback by itself is not a compromise: even when the log4j vulnerability is exploited to make a system call back to attacker infrastructure, that system will not be compromised if it is not susceptible to the malware that is then downloaded. At this point, we are able to identify trends in attacks and the susceptibility of systems to the log4j exploit, but the industry does not have a full grasp of the impact.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">While the log4j library isn\u2019t commonplace knowledge, and even developers may be unaware of its use in their systems, the evidence of possible attack surfaces is clear. The exploit of Minecraft servers via the chat system was widely reported on.\u00b9<\/span><span style=\"font-weight: 400;\"> Websites were widely targeted. 
As shown in the images below by the query strings that include \u201c{jndi\u201d, we observed targeting of everything from cryptocurrency exchanges to crisis center websites. But the vulnerability exists in many other applications that use the log4j library under the hood; the National Security Agency\u2019s Director of Cybersecurity noted that even the reverse engineering tool Ghidra was initially susceptible to the exploit.\u00b2<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7368\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/log4j-2.png\" alt=\"\" width=\"1600\" height=\"468\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/log4j-2.png 1600w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/log4j-2-300x88.png 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/log4j-2-1024x300.png 1024w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/log4j-2-768x225.png 768w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/log4j-2-1536x449.png 1536w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\" \/><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Figure. 
Targeting of cryptocurrency exchanges in the US.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7369\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/log4j-3.png\" alt=\"\" width=\"1600\" height=\"720\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/log4j-3.png 1600w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/log4j-3-300x135.png 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/log4j-3-1024x461.png 1024w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/log4j-3-768x346.png 768w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/log4j-3-1536x691.png 1536w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\" \/><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Figure. Log4shell targeting of a rape crisis center website.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-weight: 400;\">This event may be best remembered for the sheer volume of vulnerability scanners and DNS trackers used. While red teams sought to test their own networks, security vendors, researchers, and attackers alike leveraged the same software to identify exploitable systems. In these cases the exploit string points the JNDI lookup at a name under the scanner\u2019s domain; a vulnerable system resolves that name, and the domain owner\u2019s nameserver records the IP address that asked (strictly, the address of the recursive resolver the system uses, which is usually enough to identify the organization). Some of the exploit strings go further and embed additional lookups, such as the hostname and the username the process runs as, into the queried name, so that those values are exfiltrated in the DNS query itself. This allows the domain owner to obtain a list of vulnerable IP addresses, and possibly host information, for tracking and possibly later attacks. Individuals obtained free subdomains from a variety of web services, including interact[.]sh, dnslog[.]cn, canarytokens[.]org, and xn--9tr[.]com. 
While some vendors, like Huntress and Kryptos Logic, used clearly identifiable domain names, allowing them to be quickly ruled out as bad actors, others used suspicious-looking domains that forced analysts to spend significant time investigating the activity; psc4fuel[.]com is one such example. While dnslog[.]cn has a history of use for vulnerability testing, its use surged after the announcement. We also saw a large number of scans made through domains obtained via xn--9tr[.]com, also known as dig[.]pm, as subdomains of 1433[.]eu[.]org, dns3[.]cf, and others. The widespread use of the same infrastructure by both attackers and defenders hinders analysis and can make early intelligence faulty.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">At Infoblox, we chose an aggressive approach to log4shell activity and have classified all related domains and IP addresses as malware for the time being. This ensures that all customers have the most comprehensive set of indicators in their firewall policies at a time of massive-scale attacks. We include known vulnerability scanners and security vendors in this list for a few reasons. First, we do not want customer vulnerabilities disclosed to third parties, whether their intentions are malicious or not. Second, the reuse of the same software by both good and bad actors forces us to be particularly cautious. Customers who use these services for their red teams are able to set custom allow lists for their own networks without impacting others. Customers with security events triggered by queries to vulnerability scanners and DNS tracking services should identify the source; these queries do not by themselves imply a compromise and could be due to a number of different causes. 
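<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To make the distinction concrete between a one-off callback and the prolonged, repeated callbacks that point at a vulnerable host, here is an added example of the triage a customer could run over their own resolver logs. It is not Infoblox code and not part of the original post; it covers both the scanner callback mechanism described above and the guidance in this paragraph. The watchlist is the set of callback services named above; the log format, the sample lines (constructed, with made-up tokens), the thresholds and the assumption that the label nearest the zone is the service\u2019s per-user token are the example\u2019s own.<\/span><\/p>\n
```python
# Added example (not Infoblox code): triage resolver logs for callbacks to
# the free DNS tracker and scanner zones named in the post, report what the
# exploit string leaked into the name, and separate one-off hits from the
# prolonged, repeated callbacks that point at a vulnerable host.
# Log format (timestamp client qname rcode), sample lines, tokens and
# thresholds are constructed for this example.
from datetime import datetime

# Zones the post names as sources of free callback subdomains, plus the
# suspicious-looking scanner domain it cites. Extend from your own feed.
TRACKER_ZONES = (
    'interact.sh', 'dnslog.cn', 'canarytokens.org', 'dig.pm', 'xn--9tr.com',
    '1433.eu.org', 'dns3.cf', 'psc4fuel.com',
)

# Constructed sample: host .15 keeps answering scanners for seven hours,
# host .77 is seen once, host .90 never touches a tracker zone.
SAMPLE_LOG = '''
2021-12-11T02:05:10Z 10.20.0.15 c8f1a2.interact.sh NOERROR
2021-12-11T02:41:33Z 10.20.0.15 9b0d.dnslog.cn NOERROR
2021-12-11T03:12:04Z 10.20.0.15 web01.appsvc.9b0d.dnslog.cn NOERROR
2021-12-11T04:57:48Z 10.20.0.15 k3p2.dns3.cf NOERROR
2021-12-11T06:30:19Z 10.20.0.15 x7q.1433.eu.org NOERROR
2021-12-11T08:02:55Z 10.20.0.15 f41c.canarytokens.org NOERROR
2021-12-11T09:10:00Z 10.20.0.15 a0e3.psc4fuel.com NOERROR
2021-12-11T03:00:00Z 10.20.0.77 d4e5.interact.sh NOERROR
2021-12-11T03:00:01Z 10.20.0.77 www.legit-vendor.test NOERROR
2021-12-11T05:00:00Z 10.20.0.90 update.legit-vendor.test NOERROR
'''


def parse_ts(ts):
    return datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ')


def tracker_zone(qname):
    '''Watchlisted zone the query name falls under, or None. Longest zone
    first so that 1433.eu.org wins over any shorter entry sharing its tail.'''
    q = qname.lower().rstrip('.')
    for zone in sorted(TRACKER_ZONES, key=len, reverse=True):
        if q == zone or q.endswith('.' + zone):
            return zone
    return None


def leaked_labels(qname, zone):
    '''Labels the exploit string put in front of the callback token, e.g. the
    expansion of ${hostName} or ${env:USER}. Assumption: the label adjacent
    to the zone is the per-user token handed out by the service, so only the
    labels before it are attacker-chosen payload worth showing an analyst.'''
    prefix = qname.lower().rstrip('.')[:-(len(zone) + 1)]
    labels = [part for part in prefix.split('.') if part]
    return labels[:-1]


def summarize(log_text, min_hits=5, min_span_hours=1.0):
    '''Group tracker callbacks by source host and apply the rule from the
    text: a hit or two means find the source (red team, scanner validation,
    a curious user); many hits spread over hours from one host mean something
    there keeps evaluating attacker-supplied lookups. Thresholds are assumptions.'''
    per_client = {}
    for line in log_text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[:3]
        zone = tracker_zone(qname)
        if zone is None:
            continue
        rec = per_client.setdefault(client, {
            'hits': 0, 'zones': set(), 'first': None, 'last': None, 'leaked': []})
        when = parse_ts(ts)
        rec['hits'] += 1
        rec['zones'].add(zone)
        rec['first'] = when if rec['first'] is None else min(rec['first'], when)
        rec['last'] = when if rec['last'] is None else max(rec['last'], when)
        rec['leaked'].extend(leaked_labels(qname, zone))
    for rec in per_client.values():
        span = (rec['last'] - rec['first']).total_seconds() / 3600.0
        rec['span_hours'] = round(span, 2)
        prolonged = rec['hits'] >= min_hits and span >= min_span_hours
        rec['verdict'] = 'likely-vulnerable' if prolonged else 'review-source'
    return per_client


if __name__ == '__main__':
    for client, rec in summarize(SAMPLE_LOG).items():
        print(client, rec['verdict'], 'hits=%d' % rec['hits'],
              'span_h=%.2f' % rec['span_hours'],
              'zones=' + ','.join(sorted(rec['zones'])),
              'leaked=' + ','.join(rec['leaked']))
```
<p><span style=\"font-weight: 400;\">On the sample, host .15 is reported as likely vulnerable (seven callbacks to six different tracker zones over about seven hours, with a hostname-like prefix leaked in one of them), while host .77 gets a review-source verdict for its single hit. The thresholds are deliberately conservative; tune them to the query volume of your own network, and treat the leaked labels as data for an analyst rather than as something to act on automatically.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">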
Prolonged and numerous unexpected queries to such domains, however, could indicate a vulnerable system within their network.\u00a0<\/span><\/p>\n<p>Endnotes<\/p>\n<p>\u00b9<a href=\"https:\/\/www.sportskeeda.com\/minecraft\/minecraft-log4j-exploit-everything-known-far\">https:\/\/www.sportskeeda.com\/minecraft\/minecraft-log4j-exploit-everything-known-far<\/a><\/p>\n<p>\u00b2<a href=\"https:\/\/twitter.com\/NSA_CSDirector\/status\/1469305071116636167\">https:\/\/twitter.com\/NSA_CSDirector\/status\/1469305071116636167<\/a><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>While much of the world was celebrating holidays over the last week or more, much of the world\u2019s security industry was busy defending against and investigating log4shell attacks based on the recently disclosed vulnerability in the Apache library log4j. As we collectively move from responding to threats from actors who were quick to take advantage [&hellip;]<\/p>\n","protected":false},"author":338,"featured_media":3087,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[2],"tags":[620,614,621,622],"class_list":{"0":"post-7366","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security","8":"tag-log4shell","9":"tag-log4j","10":"tag-apache-library","11":"tag-dns-queries","12":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>An Initial Look at Log4Shell Trends<\/title>\n<meta name=\"description\" content=\"An Initial Look at 
Log4Shell Trends. While much of the world was celebrating holidays over the last week or more, much of the world\u2019s security industry was busy defending against and investigating log4shell attacks based on the recently disclosed vulnerability in the Apache library log4j. As we collectively move from responding to threats from actors who were quick to take advantage of the weakness we can begin reflecting on what happened. It will be some time before thorough analyses are complete and widely available, but some clear patterns have emerged. Like the rest of the intelligence community, Infoblox is analyzing the timeline of events from many perspectives and thus far our findings are consistent with the community as a whole. In this blog, we\u2019ll discuss some of the early results as well as explain some of the policy decisions we made in our response to the attacks to protect our customer base.\u00a0\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/security\/an-initial-look-at-log4shell-trends\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"An Initial Look at Log4Shell Trends\" \/>\n<meta property=\"og:description\" content=\"An Initial Look at Log4Shell Trends. While much of the world was celebrating holidays over the last week or more, much of the world\u2019s security industry was busy defending against and investigating log4shell attacks based on the recently disclosed vulnerability in the Apache library log4j. As we collectively move from responding to threats from actors who were quick to take advantage of the weakness we can begin reflecting on what happened. It will be some time before thorough analyses are complete and widely available, but some clear patterns have emerged. 
Like the rest of the intelligence community, Infoblox is analyzing the timeline of events from many perspectives and thus far our findings are consistent with the community as a whole. In this blog, we\u2019ll discuss some of the early results as well as explain some of the policy decisions we made in our response to the attacks to protect our customer base.\u00a0\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/security\/an-initial-look-at-log4shell-trends\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-01-03T23:47:20+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/Security-Methodologies.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"660\" \/>\n\t<meta property=\"og:image:height\" content=\"454\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Ren\u00e9e Burton\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ren\u00e9e Burton\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/an-initial-look-at-log4shell-trends\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/an-initial-look-at-log4shell-trends\\\/\"},\"author\":{\"name\":\"Ren\u00e9e Burton\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/d18b8543afa21fac6c03151b6f31f981\"},\"headline\":\"An Initial Look at Log4Shell Trends\",\"datePublished\":\"2022-01-03T23:47:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/an-initial-look-at-log4shell-trends\\\/\"},\"wordCount\":1120,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/an-initial-look-at-log4shell-trends\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/Security-Methodologies.jpg\",\"keywords\":[\"log4shell\",\"Log4j\",\"apache library\",\"DNS queries\"],\"articleSection\":[\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/an-initial-look-at-log4shell-trends\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/an-initial-look-at-log4shell-trends\\\/\",\"name\":\"An Initial Look at Log4Shell 
Trends\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/an-initial-look-at-log4shell-trends\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/an-initial-look-at-log4shell-trends\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/Security-Methodologies.jpg\",\"datePublished\":\"2022-01-03T23:47:20+00:00\",\"description\":\"An Initial Look at Log4Shell Trends. While much of the world was celebrating holidays over the last week or more, much of the world\u2019s security industry was busy defending against and investigating log4shell attacks based on the recently disclosed vulnerability in the Apache library log4j. As we collectively move from responding to threats from actors who were quick to take advantage of the weakness we can begin reflecting on what happened. It will be some time before thorough analyses are complete and widely available, but some clear patterns have emerged. Like the rest of the intelligence community, Infoblox is analyzing the timeline of events from many perspectives and thus far our findings are consistent with the community as a whole. 
In this blog, we\u2019ll discuss some of the early results as well as explain some of the policy decisions we made in our response to the attacks to protect our customer base.\u00a0\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/an-initial-look-at-log4shell-trends\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/an-initial-look-at-log4shell-trends\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/an-initial-look-at-log4shell-trends\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/Security-Methodologies.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/Security-Methodologies.jpg\",\"width\":660,\"height\":454},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/an-initial-look-at-log4shell-trends\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/security\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"An Initial Look at Log4Shell 
Trends\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/d18b8543afa21fac6c03151b6f31f981\",\"name\":\"Ren\u00e9e Burton\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_338_1592324402-96x96.jpg\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_338_1592324402-96x96.jpg\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_338_1592324402-96x96.jpg\",\"caption\":\"Ren\u00e9e Burton\"},\"description\":\"Dr. Burton is the Vice President of Threat Intel for Infoblox. 
She is a subject matter expert in DNS-based threats and leads the algorithm development and research in DNS intelligence.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/renee-burton\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/7366","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/338"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=7366"}],"version-history":[{"count":2,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/7366\/revisions"}],"predecessor-version":[{"id":7371,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/7366\/revisions\/7371"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/3087"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=7366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=7366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=7366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}