Detection of Systems that are affected by LOG4J Vulnerability via DNSEye

With a single query, you can identify the systems affected by the Apache LOG4J Security Vulnerability, which is reported in the DNSEye.

‍

Did you hear about LOG4J Vulnerability?

Attackers can take advantage of the opportunity to remotely execute commands/scripts on targeted computers by exploiting the LOG4J vulnerability, and this approach does not necessitate any special skills, exacerbating the problem. The attackers could install malicious software on the target system, execute payloads, steal valuable data, or severely damage the system.

In this case, how can DNSEye help?

‍

1) Detecting Infected Devices Affected by the LOG4J Vulnerability

A rigorous DNS traffic analysis is required to determine the systems/devices vulnerable by the LOG4J vulnerability. The DNSEye stores and analyzes all DNS queries for up to 1 year. As a result, if you have any infected devices in your network, you may identify which specific devices are infected and affected as a result of LOG4J’s CVE-2021–44228 numeric vulnerability, whether it is affected now or in the past.

We have prepared a sample domain list for you, which contains DNS queries requested by systems impacted by the LOG4J vulnerability:

dnslog[.]cn
canarytokens[.]com
log4shell[.]tools
bingsearchlib[.]com
kryptoslogic-cve-2021–44228[.]com
binaryedge[.]io
interactsh[.]com
interact[.]sh
burpcollaborator[.]com
eg0[.]ru
leakix[.]net
psc4fuel[.]com

‍

2) Identification and Risk Warning of Firstly Visited Domains

DNSEye captures the overall DNS traffic of the system and all of the domains that the system established a connection with during the learning process in chronologic order. If there is any vulnerability exploited, in this situation the domains that are firstly requested by your servers will be inspected as ‘Firstly Visited’ and these traffic anomalies will be forwarded to the SIEM solution. During this transmission, Cyber X-Ray (Roksit’s Database) will transfer all domain data to the SIEM solution in chronological sequence. As a result, SOC teams will be able to do more precise detections in a much shorter time period.

‍

3) Determine whether the Security Assets are sufficient to protect against malicious activity caused by the LOG4J Vulnerability

Thanks to the Security Gap feature, DNSEye analyzes whether current security assets are capable of detecting and preventing connection attempts of the systems affected by the LOG4J vulnerability. You can see your security assets’ capabilities and performance in terms of preventing and detecting attacks caused by LOG4J Vulnerability exploitations, as well as providing effective protection to your system.

‍

4) Active and Sustainable Protection against LOG4J Vulnerability

Roksit DNSDome users are under constant protection against any possible attack that may arise from LOG4J Vulnerability since these domains are actively blocked. You may also update the LOG4J Framework version to the current version to provide protection from this security vulnerability.

Furthermore, if the Roksit Positive Security Model is being used, security will be maintained at the highest level against any potential exploitations, attacks originating from LOG4J, and similar vulnerabilities. The reason the positive security model provides the highest level of protection is that any domain request (even if it does not exist in the database) will be inspected and classified after taking into account 850 criteria, thanks to Roksit’s advanced AI technology. Any unknown domain request will be blocked until it is classified, ensuring the prevention of attacks and malicious connections that originate from newly identified and expected to be discovered vulnerabilities in the future.

‍

Users that integrate a DNS and Security Gap solution into their current EDR solution can detect the specific applications that send queries to these suspicious domains. In other words, the files, executables, and applications that are infected as a result of the LOG4J vulnerability can be directly identified.