ESET software claims g2comm.exe (Gotomypc) is attempting a log4j exploitation

I got a report from my system's ESET endpoint security software today:

NEW NOTIFICATION

Firewall event detected and blocked by Eset

An Event Log notification has occurred with the following parameters:

Category: Firewall detection
Monitored static group: All
Attempt was made to reach 67.217.69.93 on port 80 by a machine at (internal address) and blocked
1 per minute were noticed
Firewall detection . Event is one of {Security vulnerability exploitation}

The official detection was cited as JAVA/Exploit.CVE-2021-44228 . The destination given up there is an IP address in LogMeIn's block. The program ESET claims made this exploitation attempt is C:\Program Files (x86)\GoToMyPC\g2comm.exe. Prior to this, one of our other security/IPS systems claimed that other machines also attempted Log4j exploitations against several IP addresses. All of the target IPs were LogMeIn addresses. Is there something in the Gotomypc agent that causes security systems to believe that a log4j attack is being made?

Find more posts tagged with

Comments

AshC

@J.1 Thanks, we continue to investigate.

AshC

@J.1 Can you tell us what ESET product / version you're using there?

J.1

Happened again, several seconds ago. Please let us know why Gotomypc appears to be triggering Log4j detectors even though it's supposed to no longer use that code. Thank you.

J.1

Firewall event detected and blocked by Eset

An Event Log notification has occurred with the following parameters:

Category: Firewall detection
Monitored static group: All
Attempt was made to reach 68.64.26.45 on port 80 by a machine at (internal address) and blocked
1 per minute were noticed
Firewall detection . Event is one of {Security vulnerability exploitation}

Once again, the target is a LogMeIn IP, and ESET says the detection is JAVA/Exploit.CVE-2021-44228, with the guilty process being C:\Program Files (x86)\GoToMyPC\g2comm.exe.

J.1

It happened again over the weekend.

NEW NOTIFICATION

Firewall event detected and blocked by Eset

An Event Log notification has occurred with the following parameters:

Category: Firewall detection
Monitored static group: All
Attempt was made to reach 216.115.214.177 on port 80 by a machine at (different internal address than last time) and blocked
1 per minute were noticed
Firewall detection . Event is one of {Security vulnerability exploitation}

216.115.214.177 is a Logmein/Goto address. According to our ESET records, the process making this attempt was once again C:\Program Files (x86)\GoToMyPC\g2comm.exe and the specific exploitation was JAVA/Exploit.CVE-2021-44228.

AshC

Thanks @J.1

We will try to investigate this further and let the Community know our findings.

Quick Links

Join the conversation!

If you found this discussion useful, why not register/sign-in? It only takes a minute to share your feedback, ask a question, or vote for a new feature!