Priority: Critical
Executive Summary:
ITC Secure is continuing to monitor for any alerts that could indicate an incident related to the recent Log4J vulnerability. ITC have carried out threat hunting across the available log sources we ingest into Sentinel for signs of initial compromise, and have reviewed endpoint activity for the suspicious process executions that would be expected to follow an initial compromise. ITC will continue to carry out these threat hunting activities and will escalate any findings.
We are conscious that we may not have coverage of all log sources within your estate, so at the time of preparing this report we have provided further details and IOCs that your internal Network and Security Teams can use to assist further investigation.
Specific guidance that has been published by Microsoft can be found here.
Further Guidance at the time of preparing this report:
IOCs:
User agent strings are available from a number of log sources; to detect attempts to exploit CVE-2021-44228, IIS server logs should be reviewed for evidence of the below user agent strings:
“jndi:ldap”
“Basic/Command/Base64”
Finding the above user agent strings within the IIS logs is not in itself indicative that a compromise has occurred, but it does indicate that someone has attempted to exploit the server. If the server was vulnerable to CVE-2021-44228, the attempt may have succeeded. Please reach out to the ITC SOC should you find any reference to these user agent strings, together with the details of the targeted server, so that we can provide further investigation.
Hashes:
These hashes have been identified as being involved in the recent Log4j attacks. If you have the means to search for hashes through anti-virus or similar, consider searching for evidence of these hashes within your environment. If found, contact ITC SOC for further investigation. If you can block the hashes, consider doing so, but understand that attackers will be regularly changing their payloads to avoid detection through these IOCs.
Domains:
ITC has carried out and will continue to carry out threat hunting using the below domains which have been identified as being involved with CVE-2021-44228. Due to the nature of this attack, domains that host malicious payloads will change frequently to avoid detection or due to takedowns.
IPs:
ITC has carried out and will continue to threat hunt using the below IP addresses against firewall logs where available.