Threat Horizons - Cloud Threat Intelligence
2022-02-16 • Google
https://services.google.com/fh/files/misc/gcat_threathorizons_full_feb2022.pdf
Google's Cloud Threat Horizons report described sustained Internet-wide scanning and exploitation attempts against vulnerable Apache Log4j instances following the December 2021 disclosure. Observed exploitation attempts were delivered mostly over ports 80 and 443, while the LDAP listeners that served the follow-on payload were commonly hosted on TCP 389 and 1389; actors kept refining obfuscated jndi:ldap-style lookup strings to evade signature-based parsing. Google reported that defenders used cloud telemetry, Cloud Armor, Cloud IDS, Security Command Center, Event Threat Detection and Container Threat Detection, Chronicle, and container image scanning to identify exposed instances and validate that mitigations were in place. The report is broad cloud threat intelligence rather than DPRK-specific, so this summary should be treated as general context unless another source links the activity to a North Korean actor.