After following TrustedSec’s Log4j Detection and Response Playbook, an organization was concerned that attackers might already be in its network, since the Log4j vulnerability had been pervasive in its environment. While many attacks are possible against a compromised application, the Log4j vulnerability allows unauthenticated remote code execution. Once the vulnerability became public, attackers quickly moved to exploit this ubiquitous library, which exposed nearly every Internet-facing server to ransomware groups and cryptocurrency miners.
Because many organizations struggle to determine whether a breach is actively in progress or happened at some point in the past, TrustedSec first searches for evidence of compromise. The Log4j Threat Hunting engagement covered network, endpoint, and cloud infrastructure, investigating anomalies that may have occurred.