Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Visibility and response across your entire Microsoft security ecosystem.
XDR with Machine Learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert threat hunting, original research, and proactive threat intelligence.
TRU is foundational to our MDR service. No add-ons or additional costs required.
Stop ransomware attacks before they disrupt your business.
Detect and respond to zero-day exploits.
Protect against third-party and supply chain risk.
Adopt a risk-based approach to cybersecurity.
Protect your most sensitive data.
Meet cybersecurity regulatory compliance mandates.
Eliminate misconfigurations and policy violations.
Prevent business disruption by outsourcing MDR.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and mediating threats to prevent lateral spread.
Enhance investigation and threat detection across multi-cloud or hybrid environments.
Remediate critical misconfigurations, security vulnerabilities and policy violations across cloud and containerized environments.
Detect malicious insider and identity-based behavior leveraging machine learning models.
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
We believe a multi-signal approach is paramount to protecting your complete attack surface. See why eSentire MDR means multi-signal telemetry and complete response.
See how our 24/7 SOC Cyber Analysts and Elite Threat Hunters stop even the most advanced cyberattacks before they disrupt your business.
Choose the right mix of Managed Detection and Response, Exposure Management, and Incident Response services to strengthen your cyber resilience.
Try our interactive tools including the MITRE ATT&CK Tool, the SOC Pricing Calculator, the Cybersecurity Maturity Assessment, and our MDR ROI Calculator.
Read the latest security advisories, blogs, reports, industry publications and webinars published by eSentire's Threat Response Unit (TRU).
See why 2000+ organizations count on eSentire to build resilience and prevent business disruption.
On December 9th, Apache confirmed a critical zero-day vulnerability impacting the Log4j Java-based logging library that is being tracked as CVE-2021-44228. Known as Log4Shell or LogJam, CVE-2021-44228 is an unauthenticated remote-code execution vulnerability in versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.14.1.
The underlying issue resides in how Log4j handles user-supplied data when using the Java Naming and Directory Interface (JNDI). According to Apache, “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”
The prevalence of Log4j across many open-source and commercial applications, ease of exploitation, and potential attack surface makes this one of the most severe vulnerabilities in some time with a CVSS score of 10.0.
As of December 15th, eSentire has observed over 140,000 exploit events across our network telemetry. Attacks are increasing, peaking at over 40,000 events on December 14th.
Figure 1 Network Exploit Events Since December 11th
Observed exploit attempts consist of opportunistic attacks against publicly facing systems as attackers rush to compromise exposed systems before fixes or mitigations are in place.
Initial observations comprised of attackers inserting strings to trigger the remote code execution (RCE) into various fields within the HTTP headers. This method is the quickest and most scalable way of widely exploiting many hosts, given HTTP is a common internet-facing protocol and there is a high-probability that these strings will be logged and processed by Log4j, thus triggering the exploit.
Figure 2 Log4j Exploit Attempt (Source: eSentire MDR for Network Detection Event)
Attacks were quick to evolve over the weekend. By Sunday, exploits with obfuscated strings were observed. The goal is to bypass filtering by Web Application Firewalls (WAFs) while still achieving the desired result. Fortunately, the security community has been quick to identify these obfuscation methods and update detections accordingly.
Figure 3 Log4j Exploit Attempt (Source: eSentire MDR for Network Detection Event)
Figure 4 Remote Java Class Retrieval from Successful Exploitation (Source: eSentire MDR for Network Detection Event)
JNDI protocols leveraged in observed exploit attempts include LDAP (and LDAPS), DNS, RMI and IIOP. As of December 16th, LDAP made up 60% of non-obfuscated exploit attempts, far more than other protocols. Exploit attempts to evade filtering through obfuscation are increasing, with 49% of events involving obfuscated strings on December 15th, compared to 24% on December 13th.
Figure 5 Exploit Protocols in Observed Network Events
These initial exploitation methods are unlikely to be the last. We still do not know the full scope of the attack surface, and security practitioners continue to find avenues for exploitation. Ensuring applications are patched will continue to be a priority in the coming weeks.
Multiple botnets including Mirai, Muhstik and coinminers have been observed. As is common with other web-facing vulnerabilities, the initial round of exploitation involves coinminer deployment. Coinminers are a rapid and scalable means to monetize compromised hardware with little effort. Concerningly, access brokers, ransomware, and APTs have also jumped into the fray.
Cobalt Strike Deployment
On December 14th, eSentire security teams responded to the successful exploitation of CVE-2021-44228 leading to attempted Cobalt Strike deployment on a customer’s web server. Analysis of endpoint telemetry showed PowerShell spawning with an encoded command for executing shellcode containing a Cobalt Strike payload which would call home to IP 152.136.226[.]175.
Figure 6 Log4j Exploitation Leading to Cobalt Strike Deployment
Pivoting on this IP, our cyber analysts identified matching exploit strings in application logs for the server:
Figure 7 Log Capture Of Log4j Exploitation
The above exploit strings are artifacts associated with this JNDI Exploit Kit (or a similar variant). The tool is used to generate JNDI links for connecting back to the attacker’s server where commands/payloads can be executed.
Figure 8 JNDI Exploit Kit Payloads
Artifacts of this tools can be seen in other exploit attempts:
Figure 9 JNDI Exploit Executing Encoded Commands
Figure 10 Decoded Commands
The Basic/Command option can be used to execute arbitrary encoded commands on the system once a successful JDNI callback is achieved, offering attackers flexibility in follow-on actions.
eSentire released an updated advisory on this topic on December 13th.
This issue remains dynamic as organizations and vendors grapple with the scope of Log4j use and ongoing exploitation. We have provided two sets of recommendations below: (1) how your team can conduct further investigate possible exploitation; and (2) how you can mitigate the vulnerability.
While Apache has released security updates, the fix is not as simple as applying a single patch across the enterprise. We recommend the following:
As of December 18th, Apache has released Log4j 2.17.0 to address a denial of service vulnerability in previous versions.
View Now →During this critical patch window, ongoing monitoring efforts will be essential. eSentire’s Managed Vulnerability Scanning service has enabled plugins for CVE-2021-44228 and will enable checks for vulnerable software as it becomes available. Our teams have also observed artifacts of Log4j exploitation across network, logs, and endpoint. Notably, endpoint telemetry has proven to be valuable in identifying and scoping exploit activity (see Notes for Defenders below).
Figure 11 Endpoint Process View of Log4j Exploitation
Log4j remains an evolving situation, so beyond following the current recommendations to mitigate the vulnerability, it’s critical to stay updated with ongoing updates on exploit methods and adapt quickly.
If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.
Want to learn more? Connect with an eSentire Security Specialist.