With a single query in DNSEye, you can identify the systems in your network that are affected by the Apache Log4j security vulnerability.
Attackers exploit the Log4j vulnerability to execute commands and scripts remotely on targeted systems, and doing so requires no special skill, which makes the problem worse. A successful attacker can install malicious software on the target, execute payloads, steal valuable data, or severely damage the system.
Rigorous DNS traffic analysis is required to determine which systems and devices have been hit through the Log4j vulnerability. The exploit works by making the vulnerable server look up an attacker-controlled name (a JNDI lookup embedded in logged input), so the first visible sign of exploitation is usually a DNS query for a domain that server has never contacted before. DNSEye stores and analyzes all DNS queries for up to one year. As a result, if any device in your network has been exploited through CVE-2021-44228, you can identify exactly which devices were affected, whether the activity is happening now or occurred at any point in the retained history.
We have prepared a sample domain list for you, containing the domains queried by systems impacted by the Log4j vulnerability:
DNSEye captures the overall DNS traffic of each system and, during the learning period, records every domain the system connects to in chronological order. If a vulnerability is exploited, the domains that your servers request for the first time are flagged as 'Firstly Visited', and these traffic anomalies are forwarded to the SIEM solution. During this transmission, Cyber X-Ray (DNSSense's database) transfers all domain data to the SIEM in chronological sequence, so SOC teams can make more precise detections in a much shorter time.
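The detection logic described above, as an added example that is not DNSEye's own code: a learning period builds a per-host baseline of queried domains, every later query for a domain the host has never asked for before is tagged 'firstly visited', the result is checked against a callback-domain list and emitted in chronological order as JSON lines for a SIEM. The log format, the hosts, the domains and the IOC list are all constructed for this example; the page does not document the real formats. This also covers the historical-lookback point made earlier: the same pass can be run over a year of retained queries.

```python
"""First-visited domain detection over a DNS query log (added example).

Assumptions (not from the original page): the log line layout, the hosts,
the domains and the IOC list below are constructed for this example.
"""
from datetime import datetime, timezone
import json
import re

# Constructed resolver log: one query per line, ISO-8601 UTC timestamps.
# 10.0.1.25 queries two attacker-style names on 10 Dec that it never
# queried during the learning period; 10.0.1.30 queries a benign CA name.
SAMPLE_LOG = """\
2021-12-09T08:00:01Z src=10.0.1.25 qname=repo.internal.example qtype=A
2021-12-09T08:00:05Z src=10.0.1.25 qname=ocsp.digicert.com qtype=A
2021-12-09T09:12:44Z src=10.0.1.30 qname=repo.internal.example qtype=A
2021-12-10T14:03:21Z src=10.0.1.25 qname=repo.internal.example qtype=A
2021-12-10T14:03:22Z src=10.0.1.25 qname=x4f2a.callback.attacker.example qtype=A
2021-12-10T14:03:40Z src=10.0.1.25 qname=ldap.attacker.example qtype=A
2021-12-10T15:00:00Z src=10.0.1.30 qname=ocsp.digicert.com qtype=A
"""

# Constructed stand-in for a "sample domain list" of known callback domains.
IOC_DOMAINS = {"attacker.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["qname"] = rec["qname"].rstrip(".").lower()  # normalise trailing dot and case
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def matches_ioc(qname, ioc_domains):
    """True if qname equals or is a subdomain of any listed IOC domain."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in ioc_domains for i in range(len(labels)))


def build_baseline(records, learning_end):
    """Per-host set of domains seen before learning_end (the learning period)."""
    baseline = {}
    for r in records:
        if r["ts"] < learning_end:
            baseline.setdefault(r["src"], set()).add(r["qname"])
    return baseline


def detect_first_visited(records, baseline, ioc_domains, learning_end):
    """Emit one event per (host, domain) pair seen for the first time after learning_end.

    Events are returned in chronological order; a domain is reported once per host.
    """
    seen = {host: set(domains) for host, domains in baseline.items()}
    events = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["ts"] < learning_end:
            continue
        host_seen = seen.setdefault(rec["src"], set())
        if rec["qname"] in host_seen:
            continue
        host_seen.add(rec["qname"])
        events.append({
            "ts": rec["ts"].isoformat(),
            "src": rec["src"],
            "qname": rec["qname"],
            "tag": "firstly_visited",
            "ioc_match": matches_ioc(rec["qname"], ioc_domains),
        })
    return events


def to_siem_jsonl(events):
    """One JSON object per line, ready to ship to a SIEM."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


def run_example():
    learning_end = datetime(2021, 12, 10, tzinfo=timezone.utc)  # learning period ends here
    records = parse_log(SAMPLE_LOG)
    baseline = build_baseline(records, learning_end)
    return detect_first_visited(records, baseline, IOC_DOMAINS, learning_end)


if __name__ == "__main__":
    print(to_siem_jsonl(run_example()))
```

Note the design choice: a domain is 'first visited' relative to the host that asked for it, not globally, so a CA or CDN name that one server has always used is still an anomaly when a different server suddenly resolves it. Anything the baseline has not seen is reported; the IOC flag only prioritises, it does not filter.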
Thanks to the Security Gap feature, DNSEye analyzes whether your current security assets are capable of detecting and preventing the connection attempts made by systems affected by the Log4j vulnerability. You can see how well each security asset performs at detecting and blocking the connections caused by Log4j exploitation, and therefore how much effective protection it actually provides.
DNSSense DNSDome users are protected against attacks arising from the Log4j vulnerability because these domains are actively blocked. Blocking the callback domains is a compensating control, not a fix: you should still upgrade Log4j to a patched release, which removes the vulnerable lookup behaviour itself.
Furthermore, if the DNSSense Positive Security Model is in use, protection against exploitation of Log4j and similar vulnerabilities is maintained at the highest level. The positive security model provides this level of protection because every domain request, even for a domain that does not yet exist in the database, is inspected and classified against 850 criteria by DNSSense's AI technology. An unknown domain is blocked until it has been classified, which prevents attacks and malicious connections that originate from vulnerabilities that are newly identified or still undiscovered, since the attacker's callback domain is refused regardless of whether it appears on any list.
Users who integrate a DNS and Security Gap solution with their existing EDR solution can identify the specific applications that send queries to these suspicious domains, by matching each flagged DNS query to the EDR's record of which process on that host issued it. In other words, the files, executables and applications exploited through the Log4j vulnerability can be identified directly.
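The DNS-to-process correlation described above, as an added example and not a DNSSense or EDR vendor integration: each DNS-layer alert is matched to the EDR's process-level DNS telemetry for the same host and domain within a short time window, so the alert is attributed to a concrete process image and command line. Both inputs below are constructed for this example; the event layouts, hosts, PIDs and paths are invented and no real EDR product's schema is implied.

```python
"""Attributing suspicious DNS queries to the issuing process (added example).

Assumptions (not from the original page): the DNS alerts and the EDR
process-DNS events below are constructed; real telemetry formats differ.
"""
from datetime import datetime, timezone, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed DNS-layer alerts (e.g. first-visited IOC hits from the resolver log).
DNS_ALERTS = [
    {"ts": ts("2021-12-10T14:03:22Z"), "src": "10.0.1.25", "qname": "x4f2a.callback.attacker.example"},
    {"ts": ts("2021-12-10T14:03:40Z"), "src": "10.0.1.25", "qname": "ldap.attacker.example"},
    {"ts": ts("2021-12-10T15:00:00Z"), "src": "10.0.1.30", "qname": "ocsp.digicert.com"},
    {"ts": ts("2021-12-10T16:10:00Z"), "src": "10.0.1.40", "qname": "ldap.attacker.example"},  # no EDR coverage
]

# Constructed EDR "process issued a DNS query" events. The resolver sees the
# query slightly after the process issues it, hence the small timestamp skew.
EDR_DNS_EVENTS = [
    {"ts": ts("2021-12-10T14:03:21Z"), "host": "10.0.1.25", "pid": 4121,
     "image": "/usr/lib/jvm/java-11/bin/java",
     "cmdline": "java -jar /opt/app/inventory-service.jar",
     "qname": "x4f2a.callback.attacker.example"},
    {"ts": ts("2021-12-10T14:03:39Z"), "host": "10.0.1.25", "pid": 4121,
     "image": "/usr/lib/jvm/java-11/bin/java",
     "cmdline": "java -jar /opt/app/inventory-service.jar",
     "qname": "ldap.attacker.example"},
    {"ts": ts("2021-12-10T14:59:59Z"), "host": "10.0.1.30", "pid": 880,
     "image": "/usr/bin/curl", "cmdline": "curl https://ocsp.digicert.com",
     "qname": "ocsp.digicert.com"},
    # Same domain on another host, far outside any window: must not be matched.
    {"ts": ts("2021-12-10T09:00:00Z"), "host": "10.0.1.31", "pid": 12,
     "image": "/usr/bin/curl", "cmdline": "curl https://ocsp.digicert.com",
     "qname": "ocsp.digicert.com"},
]


def index_edr(edr_events):
    """Group EDR events by (host, qname) so each alert only scans its own candidates."""
    idx = {}
    for e in edr_events:
        idx.setdefault((e["host"], e["qname"].lower()), []).append(e)
    return idx


def attribute(dns_alerts, edr_events, window=timedelta(seconds=5)):
    """Attach the closest-in-time EDR process event (same host and domain) to each alert.

    Alerts with no EDR event inside the window keep process=None, which is
    itself a finding: a host querying a callback domain without EDR telemetry.
    """
    idx = index_edr(edr_events)
    out = []
    for a in dns_alerts:
        candidates = idx.get((a["src"], a["qname"].lower()), [])
        best = None
        for e in candidates:
            delta = abs(e["ts"] - a["ts"])
            if delta <= window and (best is None or delta < best[0]):
                best = (delta, e)
        proc = None
        if best is not None:
            e = best[1]
            proc = {"pid": e["pid"], "image": e["image"], "cmdline": e["cmdline"]}
        out.append({**a, "process": proc})
    return out


def affected_processes(attributed):
    """Summarise which process on which host contacted which suspicious domains."""
    summary = {}
    for a in attributed:
        if a["process"] is None:
            continue
        key = (a["src"], a["process"]["image"], a["process"]["cmdline"])
        summary.setdefault(key, set()).add(a["qname"])
    return summary


def unattributed_hosts(attributed):
    """Hosts that queried a flagged domain but have no matching EDR event."""
    return sorted({a["src"] for a in attributed if a["process"] is None})


if __name__ == "__main__":
    result = attribute(DNS_ALERTS, EDR_DNS_EVENTS)
    for (host, image, cmdline), domains in affected_processes(result).items():
        print(host, image, cmdline, sorted(domains))
    print("no EDR coverage:", unattributed_hosts(result))
```

The join key is host plus domain, with a time window to absorb the skew between when the process issued the query and when the resolver logged it. On the constructed data the two attacker domains resolve to the same Java process and its application JAR, which is the artifact to pull for analysis; the host with no EDR event is reported separately rather than silently dropped.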
DNS-based threats are among the most common cyber threats today. DNS security should therefore be an integral part of every organization's security plan.