Detection of systems infected with the Log4j vulnerability via DNSEye
With a single query, DNSEye provides a detailed report identifying the systems affected by the Apache Log4j security vulnerability.
Have you heard about the Log4j Vulnerability?
Attackers can exploit the Log4j vulnerability to remotely execute commands and scripts on targeted computers, and they will seize the slightest opportunity to do so. What makes this problem even worse is that exploiting it does not require any special skills. Attackers could install malicious software on the target system, execute payloads, steal valuable data, or severely damage the system.
How can DNSEye help you?
1) Detecting devices infected with the Log4j vulnerability
A rigorous DNS traffic analysis is required to determine which systems and devices in your network have been affected by the Log4j vulnerability. DNSEye stores and analyses all DNS queries for up to 1 year, making it possible to identify devices compromised through the CVE-2021-44228 remote code execution vulnerability in Apache Log4j, regardless of when they were compromised.
Below is a sample list of domains that appear in DNS queries sent by systems impacted by the Log4j vulnerability:
dnslog[.]cn
canarytokens[.]com
log4shell[.]tools
bingsearchlib[.]com
kryptoslogic-cve-2021-44228[.]com
binaryedge[.]io
interactsh[.]com
interact[.]sh
burpcollaborator[.]com
eg0[.]ru
leakix[.]net
psc4fuel[.]com
2) Identifying and issuing risk warnings against first-visited domains
During its learning phase, DNSEye stores the system’s overall DNS traffic and all the domains connected to, in chronological order. When a vulnerability is identified, the domains requested for the first time by your servers are categorised and examined under “First-Visited”, and these traffic anomalies are forwarded to the SIEM solution. During this transmission, Cyber X-Ray (DNSSense’s database) transfers all domain data to the SIEM solution in chronological order. As a result, SOC teams can detect vulnerabilities more precisely and in a much shorter time frame.
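As an added example (not DNSEye’s or DNSSense’s code), the following Python reproduces the two checks described above over a constructed DNS query log: it matches queried names against the sample callback domains from section 1, and it reports the domains each client queried for the first time after a given point, in the spirit of section 2’s “First-Visited” category. The log line format and the client addresses are assumptions.

```python
# Added example, not DNSEye code. Sample callback domains from the list
# above, re-fanged so they can be matched against query names.
from collections import defaultdict

CALLBACK_DOMAINS = {
    "dnslog.cn", "canarytokens.com", "log4shell.tools", "bingsearchlib.com",
    "kryptoslogic-cve-2021-44228.com", "binaryedge.io", "interactsh.com",
    "interact.sh", "burpcollaborator.com", "eg0.ru", "leakix.net", "psc4fuel.com",
}
# Constructed DNS query log, one "<timestamp> <client_ip> <qname> <qtype>" per line.
SAMPLE_LOG = """\
2021-12-09T21:03:11Z 10.0.4.17 www.example.org A
2021-12-10T08:15:42Z 10.0.4.17 x7f2a.dnslog.cn A
2021-12-10T08:15:43Z 10.0.4.17 www.example.org A
2021-12-10T08:16:01Z 10.0.4.22 notdnslog.cn A
2021-12-10T08:17:30Z 10.0.4.22 abc123.oast.interactsh.com. A
2021-12-10T08:18:05Z 10.0.4.31 www.example.org AAAA
"""

def matches_callback(qname, indicators=CALLBACK_DOMAINS):
    """True if qname is an indicator or a subdomain of one. Matching is
    label-wise on the suffix, so 'notdnslog.cn' does not match 'dnslog.cn'."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))

def parse_log(text):
    """Yield (timestamp, client, qname, qtype) with qnames normalised."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            yield ts, client, qname.lower().rstrip("."), qtype

def find_callback_hosts(text):
    """Section 1: map client IP -> sorted callback domains it queried."""
    hits = defaultdict(set)
    for _ts, client, qname, _qt in parse_log(text):
        if matches_callback(qname):
            hits[client].add(qname)
    return {client: sorted(names) for client, names in hits.items()}

def first_visited(text, since):
    """Section 2: per client, domains first queried at or after `since`
    (ISO-8601 timestamps in UTC compare correctly as strings)."""
    seen, new = set(), defaultdict(list)
    for ts, client, qname, _qt in parse_log(text):
        if (client, qname) not in seen:
            seen.add((client, qname))
            if ts >= since:
                new[client].append(qname)
    return dict(new)
```

Suffix matching on whole labels is what keeps look-alike names such as `notdnslog.cn` from producing false positives while still catching the random subdomains that callback services hand out.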
3) Determining the adequacy of security assets against malicious activity caused by the Log4j vulnerability
By virtue of its “Security Gap” feature, DNSEye analyses whether current security assets are capable of detecting and preventing connection attempts by systems infected with the Log4j vulnerability. You can see your security assets’ capabilities and performance in terms of preventing and detecting attacks caused by this vulnerability and add effective protection to your system.
4) Enjoying active and sustainable protection against the Log4j vulnerability
Users of DNSDome can have peace of mind knowing that they are constantly protected against any possible attacks that may arise from the Log4j vulnerability, given that these domains are actively blocked. They may also consider updating the Log4j library to the latest version, which fixes this security vulnerability.
Furthermore, DNSSense’s “Positive Security Model” maintains security at the highest level against any potential exploitations, Log4j-related attacks, and similar vulnerabilities. The reason behind such ironclad security lies in DNSSense’s advanced AI algorithm, inspecting and classifying all domain requests (even those that do not exist in its database) by taking over 850 criteria into account. Any unknown domain request will be blocked until it is classified, ensuring the prevention of attacks and malicious connections that originate from newly identified vulnerabilities and those anticipated in the future.
Users who integrate a DNS solution with the “Security Gap” feature into their current EDR solution can detect the specific applications that send queries to suspicious domains. In other words, the files, executables, and applications compromised as a result of the Log4j vulnerability can be directly identified.