• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Search
Search
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Security
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Security for Chromebook
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella and Cisco Secure Access Packages
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
      • Cisco Umbrella for Government Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Your SSE journey with Cisco
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
      • Umbrella and Duo Layered Protection
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
        • – FTC Safeguards Rule Compliance 2023
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
      • Cybersecurity Webinars
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Security Definitions
      • What is DNS Security
      • What is a Secure Web Gateway
      • What is a Cloud Access Security Broker (CASB)
      • What is Security Service Edge (SSE)
      • What is Secure Access Service Edge (SASE)
      • Cyber Threat Categories and Definitions
    • For Customers
      • Support
      • Customer Success Webinars
      • Free Trial Quick Start Guide
      • Free Trial Help and Tips
  • Trends & Threats
    • Market Trends
      • Generative AI Cybersecurity Risks and Rewards
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Clearing search keywords
Security

Protecting Against the Apache Log4j Vulnerability With Cisco Umbrella

Author avatar of JT ClayJT Clay
Updated — February 28, 2023 • 6 minute read
View blog >

On December 9, 2021, the Apache Log4j vulnerability – which affects the popular Apache Foundation Log4j library – was disclosed to the public over Twitter. In the days following the event, IT and SecOps teams scrambled to patch these vulnerabilities. But log4j is a popular piece of code, which means that patching takes time. That’s why, in this blog, we highlight the ways that Cisco Umbrella can protect uses against attacks leveraging this vulnerability while IT teams patch their infrastructure.

Understanding the Need for Defense

The Apache Log4j vulnerability – tracked as CVE-2021-444228 – received a CVSS severity score of a maximum 10.0. It’s widely believed to be an easy exploit, and the additional vulnerabilities found prompted the release of CVE-2021-45046 and CVE-2021-4104.

Cisco Talos first released updated Snort rules on December 10, 2021. As of the writing of this post, the relevant cumulative list of Snort SIDs is:

  • 58722-58744
  • 58751
  • 58784-58790
  • 58795 300055-300058

Cisco Secure customers should continue to check for Snort rule updates out of band via automatic or manual updates as needed. Checking for new Snort SRU/LSP updates at least daily is recommended.

Detecting and Blocking Threats With Cisco Umbrella

Cisco Umbrella Secure Internet Gateway (SIG) is a cloud-delivered security service that blocks users from connecting malicious domains, IPs, and URLs. It protects networks against threat-related activities associated with the Apache Log4j vulnerability in multiple ways, including by:

  • Protecting users both on and off the corporate network
  • Leveraging the log4j-related rules in cloud-delivered firewall with Snort IPS to detect malicious activity associated with this vulnerability

Additionally, security teams may update the Cisco Umbrella dashboard to provide attribution for the currently known and future IoCs related to the Apache Log4j exploit within Umbrella’s threat reporting.

Want to know what further steps you can take to mitigate the risk of compromise in your organization using Cisco Umbrella? Here’s where you can start:

Use DNS-Layer Security to Block Certain Threats Early

Cisco Umbrella DNS-layer security blocks any requests initiated by malicious domains known to be associated with the Apache Log4j vulnerability. By forwarding your external DNS traffic to Cisco Umbrella, your team can utilize faster, more reliable, and more secure connectivity.

Because DNS is the first step in most internet connections, Cisco Umbrella serves as a first line of defense against many cyber threats. Using Umbrella, your team can:

  • See all internet traffic across users
  • Block attacks earlier, before they reach endpoints or your organization’s network
  • Contain malware that is already in your network by blocking callbacks to attacker infrastructure
  • Easily enforce web filtering using 80+ content categories
  • Manage and block cloud applications
  • Gain context for faster investigations

In short, Cisco Umbrella DNS-layer security allows administrators to block known malware, DNS tunneling, and even newly seen domains.

What does this have to do with the Apache Log4j vulnerability? As of publication, the following related domains have been flagged as malicious by Cisco Talos and are blocked by Cisco Umbrella:

  • x41[.]me
  • m3[.]wtf
  • cuminside[.]club
  • abrahackbugs[.]xyz
  • pwn[.]af
  • rce[.]ee
  • psc4fuel[.]com
  • rs3c1[.]com
  • leakix[.]net
  • dnslog[.]cn
  • requestbin[.]net

As seen in the figure below, a quick query against the Umbrella Investigate API will show them as malicious or risky.

A gif that shows the Umbrella investigate API highlighting the risky domains associated with the Apache Log4j vulnerability.

Cisco Umbrella has many security controls that can be implemented on DNS requests, including those that block requests associated with malware, DNS tunneling, newly seen domains, and more.

Use Cloud-Delivered Firewall and IPS to Prevent Vulnerability Exploits

Cisco Umbrella cloud-delivered firewall layers 3, 4, and 7 (application visibility and control) now include intrusion prevention system (IPS), a powerful added layer of protection that examines network traffic and prevents vulnerability exploits. Cisco Umbrella IPS uses the latest Snort 3 technology, as well as signature-based detection from Cisco Talos (which features 40,000+ signatures). With IPS, your team can create firewall policies that analyze traffic from requests originating in your organization. You can also automate actions to catch and drop dangerous packets before they reach their target.

In the weeks immediately following the announcement of the Apache Log4j vulnerability, Cisco Talos created and updated Snort signatures for the detection and blocking of related malicious traffic. Cisco Umbrella IPS immediately received and enforced protection related to those updates. In the image below, you can see these signatures’ presence in the IPS Signature List under Policy Components:

A gif showing the IPS signature lists from Cisco Talos and Snort that are included in Cisco Umbrella.

Utilize Cisco Umbrella Secure Web Gateway on All Web Traffic

Cisco Umbrella Secure Web Gateway (SWG) provides more control, transparency, and protection for web traffic. The SWG functionality provides cloud-native full proxy capabilities to improve performance and reduce risk. It efficiently logs, inspects, and controls web traffic at the URL level.

Cisco Umbrella SWG can block the IPs listed in the threat feeds it consumes. Your team can securely test what is blocked or not within the Umbrella SWG by utilizing the web policy tester available at the top, right-hand side of the Web Policies dashboard (as seen in the figure below).

An image showing the Cisco Umbrella Web Policy Tester interface.

For example, if you can test Cisco Umbrella against one of the log4j IOC IPs listed by Cisco Talos, like 210.141.105[.]67, and one of their listed IOC URLs, like hxxp[:]//18.288.7[.]109/.l/pty1. When we do this, we can see that Cisco Umbrella effectively blocks HTTP communications, protecting networks from exploitation.

Leverage Threat Intel Provided by Umbrella Investigate

Of course, Cisco Umbrella does more than provide enforcement based on Cisco Talos intel. This cybersecurity solution also provides users with access to that information via the Umbrella Investigate console and API. This allows for better, faster triage.

Umbrella Investigate is designed to:

  • Be a single, correlated source with the most complete view of the relationships between (and the evolution of) domains, IPs, autonomous systems (ASNs), and file hashes
  • Add the security context a team needs to help uncover and predict threats
  • Provide rich intelligence and visibility that enables analysts to better prioritize their incidents and speed up investigations
  • Be integrated with existing security data in a SIEM tool

One of the biggest differentiators that sets Umbrella Investigate apart is the fact that it brings together many pieces of information automatically. Without the correlated intelligence of Umbrella Investigate, organizations would need to gather this information from other sources. Not only is this time-consuming, but it only shows one piece of the puzzle. Security teams would have to figure out correlations and connections manually.

When it comes to log4j, the Umbrella Investigate console can help teams examine domains associated with threat actors exploiting the vulnerability. For example, Full DNS View shows the categories associated with the domain zupertech[.]com and provides a full timeline of associated DNS activity:

An image showing Umbrella Investigate Smart Search functionality.
An image showing the DNS timeline functionality of Umbrella Investigate Smart Search.

Not only does Umbrella Investigate have information on domain security and history, but it also has information on malicious file samples associated with the domain.

Use Cisco Umbrella and SecureX to Perform Threat Hunting

While Cisco Umbrella combines robust threat intelligence with the ability to block threats at the DNS or IP layers, what can security teams do if a new threat is announced? Is there a way to see if anything in the organization has been compromised? Well, actually, there is.

When used in tandem with SecureX, Umbrella Investigate API can scan articles in search of the IoCs. Teams can then take those IoCs and cross-reference them against Umbrella Reporting API to see if any device in the environment has had traffic that matches any of the IoCs. This can all be accomplished by leveraging the SecureX Orchestrator capabilities in the platform.

When Cisco Umbrella data is integrated into SecureX, teams can:

  • Reduce research and response times with workflows and playbooks that execute at machine speed
  • Eliminate repetitive tasks and reduce MTTR to increase productivity and focus on mission-critical projects
  • Leverage automation that scales indefinitely and never takes a day off, delivering the same SLA around the clock

Below, we can see an example of workflow automation in SecureX Orchestrator that periodically runs a playbook for querying a blog or feed. As you can see, building the workflow is intuitive:

An image showing workflow automation functionality of the SecureX Orchestrator.

In the following image, you can see some Threat Response Casebooks created with the observables found:

A gif showing a Threat Response Casebook created with the observables found.

Ready to Strengthen Your Response to the Apache Log4j Vulnerability?

Request a demo of Cisco Umbrella today to learn how this solution can fit into your cybersecurity stack. Or, start a free trial to experience the threat hunting and remediation capabilities of Umbrella.

See security in action

Let one of our experts show you how Cisco Umbrella can simplify your security and protect your users everywhere.

Schedule a demo

Note: The steps and information above show how Cisco Umbrella can provide enhanced visibility into unusual or suspicious activity. The examples are not meant to be all-encompassing for the Apache Log4j vulnerability, as additional attack vectors have recently been identified and will continue to be identified in the coming days. Readers should use the examples above to examine their own environment based on up-to-date threat intelligence.

While information regarding the attack techniques is still evolving, the most common vectors involve a vulnerable server accessing a malicious LDAP server to be full exploited. With this in mind, these are steps that the Cisco Umbrella network and security administrators can take to verify activity and mitigate attacks on their systems.

Use DNS-layer security to block certain threats early...Cisco Umbrella DNS-layer security blocks any requests initiated by malicious domains known to be associated with the Apache Log4j vulnerability.

Post this quote

Additional Resources

  • Schedule a personalized demo
  • On-demand Webinar: Threat Spotlight Series

Suggested Blogs

  • Cisco Umbrella Delivered Better Cybersecurity and 231% ROI February 21, 2023 2 minute read
  • Cisco Listed as a Representative Vendor in Gartner® Market Guide for Single-Vendor SASE January 26, 2023 3 minute read
  • How to Evaluate SSE Vendors: Questions to Ask, Pitfalls to Avoid June 23, 2022 5 minute read

Share this blog

FacebookTweetLinkedIn
Subscribe to the Cisco Umbrella blog Subscribe

Follow Us

Facebook X LinkedIn Youtube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2025 Cisco Umbrella