This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Finding description
Malware is detected by examining VPC Flow Logs and Cloud DNS logs for connections to known command and control domains and IP addresses.
Step 1: Review finding details
Open the Log4j Malware: Bad Domain finding, as directed in Reviewing findings. The details panel for the finding opens to the Summary tab. On the Summary tab, review the information in the following sections:
- What was detected, especially the following fields:
- Indicator domain: the domain that triggered the finding.
- Affected resource, especially the following fields:
- Resource full name: the full resource name of the affected Compute Engine instance.
- Project full name: the full resource name of the project that contains the finding.
- Related links, especially the following fields:
- Cloud Logging URI: link to Logging entries.
- MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
- Related findings: links to any related findings.
- VirusTotal indicator: link to the VirusTotal analysis page.
- Flow Analyzer: link to the Flow Analyzer feature of Network Intelligence Center. This field displays only when VPC Flow Logs is enabled.
Click the JSON tab and note the following fields:
- evidence.sourceLogId.projectID: the ID of the project in which the issue was detected.
- properties.InstanceDetails: the resource address for the Compute Engine instance.
Step 2: Review permissions and settings
- In the Google Cloud console, go to the Dashboard page.
- Select the project that is specified in the Project full name row on the Summary tab.
- Navigate to the Resources card and click Compute Engine.
- Click the VM instance that matches the name and zone in Resource full name. Review instance details, including network and access settings.
- In the navigation pane, click VPC Network, then click Firewall. Review the rules that apply to the instance and remove or disable overly permissive ones, for example rules that allow ingress from 0.0.0.0/0 on all ports, or that have no target tags or service accounts and therefore apply to every instance in the network.
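The console shows firewall rules one at a time, which makes "overly permissive" easy to miss on a network with dozens of rules. The following script is an added example, not code from the Security Command Center documentation: it scores a list of rules shaped like the Compute Engine Firewall resource (the field names `direction`, `sourceRanges`, `destinationRanges`, `allowed`, `denied`, `targetTags`, `targetServiceAccounts` and `disabled`, which is what `gcloud compute firewall-rules list --format=json` prints) and reports enabled allow rules that are open to any address. The sample rules are constructed for illustration and describe no real project.

```python
"""Flag overly permissive VPC firewall rules before editing them in the console.

Added example, not from the Security Command Center documentation. Rule
dictionaries follow the Compute Engine Firewall resource field names; the
SAMPLE_RULES below are constructed and do not describe a real project.
"""
import ipaddress

ADMIN_PORTS = {22, 3389}  # SSH and RDP: the classic "open to the world" mistakes

SAMPLE_RULES = [  # constructed rules
    {"name": "default-allow-ssh", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-all-egress", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-internal-web", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["10.128.0.0/9"], "targetTags": ["web"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "legacy-open", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "disabled": True,
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "deny-c2-egress", "direction": "EGRESS", "priority": 100,
     "destinationRanges": ["203.0.113.7/32"],
     "denied": [{"IPProtocol": "all"}]},
]


def is_unrestricted(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. 'any address'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_spec_covers(spec, port):
    """Port specs in the API are single ports ("22") or ranges ("8000-8100")."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def allowed_exposure(allowed):
    """Return 'all' if every protocol and port is allowed, else the admin ports exposed."""
    exposed = set()
    for entry in allowed:
        proto = entry.get("IPProtocol", "").lower()
        ports = entry.get("ports", [])
        if proto == "all" or (proto in ("tcp", "udp") and not ports):
            return "all"  # tcp/udp with no port list means every port
        if proto == "tcp":
            exposed |= {p for p in ADMIN_PORTS
                        if any(port_spec_covers(s, p) for s in ports)}
    return exposed


def audit_firewall_rules(rules):
    """Map rule name -> reasons, for enabled allow rules open to any address."""
    report = {}
    for rule in rules:
        if rule.get("disabled") or "allowed" not in rule:
            continue  # disabled rules and deny rules do not widen exposure
        ingress = rule.get("direction", "INGRESS") == "INGRESS"
        ranges = rule.get("sourceRanges" if ingress else "destinationRanges", [])
        if not any(is_unrestricted(r) for r in ranges):
            continue
        exposure = allowed_exposure(rule["allowed"])
        if not exposure:
            continue  # open to any address, but only on non-admin ports
        reasons = []
        if exposure == "all":
            reasons.append(("ingress from" if ingress else "egress to")
                           + " any address on all protocols and ports")
        else:
            reasons.append("admin ports %s reachable from any address" % sorted(exposure))
        if ingress and not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
            reasons.append("no target tags or service accounts: applies to every instance")
        report[rule["name"]] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in audit_firewall_rules(SAMPLE_RULES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Only the two rules open to the world are reported; the internal web rule, the disabled rule and the deny rule are skipped, which mirrors the order of review in the console: disable or narrow the reported rules first, then confirm nothing else grants the compromised instance unrestricted egress.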
Step 3: Check logs
- On the Summary tab of the finding details panel, click the Cloud Logging URI link to open the Logs Explorer.
- On the page that loads, find the VPC Flow Logs entries related to the IP address in Source IP by using the following filter:
logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows" AND (jsonPayload.connection.src_ip="SOURCE_IP" OR jsonPayload.connection.dest_ip="SOURCE_IP")
Replace the following:
- PROJECT_ID: the project ID listed in evidence.sourceLogId.projectID on the JSON tab of the finding details.
- SOURCE_IP: the IP address listed on the Source IP row in the Summary tab of the finding details. The same address is used on both sides of the OR so that flows in either direction are returned.
Step 4: Check Flow Analyzer
You must enable VPC Flow Logs to perform the following process.
- Ensure that you have upgraded your log bucket to use Log Analytics. For instructions, see Upgrade a bucket to use Log Analytics. There is no additional cost to upgrade.
- In the Google Cloud console, go to the Flow Analyzer page. You can also access Flow Analyzer through the Flow Analyzer URL link in the Related Links section on the Summary tab of the Finding details pane.
- To further investigate information pertaining to the Event Threat Detection finding, use the time range picker in the action bar to change the time period. The time period should reflect when the finding was first reported. For example, if the finding was reported within the last 2 hours, you might set the time period to Last 6 hours. This ensures the time period in Flow Analyzer includes the time when the finding was reported.
- Filter Flow Analyzer to display the appropriate results for the IP address associated with the malicious IP finding:
  - From the Filter menu in the Source row of the Query section, select IP.
  - In the Value field, enter the IP address associated with the finding and click Run New Query.
  - If Flow Analyzer doesn't display any results for the IP address, clear the filter from the Source row, and run the query again with the same filter in the Destination row.
- Analyze the results. For additional information about a specific flow, click Details in the All data flows table to open the Flow details pane.
Step 5: Research attack and response methods
- Review MITRE ATT&CK framework entries for this finding type: Dynamic Resolution and Command and Control.
- Review related findings by clicking the link on the Related findings row in the Summary tab of the finding details. Related findings are of the same finding type and on the same instance and network.
- Check flagged URLs and domains on VirusTotal by clicking the link in VirusTotal indicator. VirusTotal is an Alphabet-owned service that provides context on potentially malicious files, URLs, domains, and IP addresses.
- To develop a response plan, combine your investigation results with MITRE research.
Step 6: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.
- Contact the owner of the project containing malware.
- Investigate the potentially compromised instance and remove any discovered malware. To assist with detection and removal, use an endpoint detection and response solution.
- To track activity and vulnerabilities that allowed the insertion of malware, check audit logs and syslogs associated with the compromised instance.
- If necessary, stop the compromised instance and replace it with a new instance.
- Block the malicious IP addresses by updating firewall rules or by using Cloud Armor. For the outbound command and control traffic this finding describes, a high-priority egress deny rule for the indicator address is the relevant control; Cloud Armor security policies apply to inbound traffic arriving through load balancers. You can enable Cloud Armor on the Security Command Center Integrated Services page. Depending on data volume, Cloud Armor costs can be significant. See the Cloud Armor pricing guide for more information.
- To control access and use of VM images, use Shielded VM and Trusted Images IAM policy.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.