This posting is here to collect cyber security news in December 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
435 Comments
Tomi Engdahl says:
Sophisticated Noberus Ransomware First to Be Coded in Rust
https://www.securityweek.com/sophisticated-noberus-ransomware-first-be-coded-rust
Tomi Engdahl says:
MobileIron Users Targeted in Log4Shell Attacks as Exploit Activity Surges
https://www.securityweek.com/mobileiron-users-targeted-log4shell-attacks-exploit-activity-surges
Log4Shell Attacks Can Be Launched by Luring Targets to Malicious Website
Customers of the MobileIron security and endpoint management product are being targeted in Log4Shell attacks, just as researchers identify new attack vectors and Cloudflare reports a surge in exploit activity.
Ivanti, which owns MobileIron, has informed customers that the MobileIron Core, Sentry and Core Connector products are affected by the recently disclosed Log4j vulnerability tracked as CVE-2021-44228, Log4Shell and LogJam. The vendor provided mitigations and warned that “the risk associated with CVE-2021-44228 is High because these products sit in the DMZ and are vulnerable to a RCE attack due to the CVE.”
The Log4Shell flaw has been exploited by both profit-driven cybercriminals and state-sponsored groups, including ones linked to China, Iran, North Korea and Turkey.
Tomi Engdahl says:
Ransomware Persists Even as High-Profile Attacks Have Slowed
https://www.securityweek.com/ransomware-persists-even-high-profile-attacks-have-slowed
In the months since President Joe Biden warned Russia’s Vladimir Putin that he needed to crack down on ransomware gangs in his country, there hasn’t been a massive attack like the one last May that resulted in gasoline shortages. But that’s small comfort to Ken Trzaska.
Trzaska is president of Lewis & Clark Community College, a small Illinois school that canceled classes for days after a ransomware attack last month that knocked critical computer systems offline.
“That first day,” Trzaska said, “I think all of us were probably up 20-plus hours, just moving through the process, trying to get our arms around what happened.”
Even if the United States isn’t currently enduring large-scale, front-page ransomware attacks on par with ones earlier this year that targeted the global meat supply or kept millions of Americans from filling their gas tanks, the problem hasn’t disappeared. In fact, the attack on Trzaska’s college was part of a barrage of lower-profile episodes that have upended the businesses, governments, schools and hospitals that were hit.
Tomi Engdahl says:
Phorpiex Botnet Hijacked 3,000 Cryptocurrency Transactions
https://www.securityweek.com/phorpiex-botnet-hijacked-3000-cryptocurrency-transactions
Over the past five years, the Phorpiex botnet has managed to hijack approximately 3,000 cryptocurrency transactions, stealing at least hundreds of thousands of dollars, Check Point says.
Around since 2016, the botnet became famous for its large sextortion spam campaigns, and was estimated in 2019 to have infected one million devices worldwide. Despite that, its activity dropped sharply in the summer of 2021, and in late August its operators announced they were selling it.
A couple of weeks later, the botnet’s command and control (C&C) servers reemerged with a new IP address, and also started distributing a new bot, called Twizt, which switched to a peer-to-peer mode and no longer relied on a central C&C server.
Tomi Engdahl says:
Russian Cyberspy Groups Start Exploiting Log4Shell Vulnerability
https://www.securityweek.com/russian-cyberspy-groups-start-exploiting-log4shell-vulnerability
Severity of Second Log4j Vulnerability Increased to Critical
Russia has been added to the list of nation states targeting the recently disclosed Log4Shell vulnerability, with exploitation attempts linked to several of the country’s cyberespionage groups.
Exploitation of the Log4j vulnerability tracked as CVE-2021-44228, Log4Shell and LogJam started in early December, with initial attack reports describing activity associated with profit-driven cybercriminals delivering cryptocurrency miners, DDoS malware, ransomware and other malicious programs.
Then, on December 14, Mandiant reported seeing Chinese and Iranian state-sponsored threat actors exploiting the Log4Shell flaw. The next day, Microsoft said it had observed activity that it had connected to China, Iran, North Korea and Turkey.
On Friday, cybersecurity rating and risk management company SecurityScorecard reported seeing reconnaissance activity apparently linked to Chinese and Russian APTs. In the case of China, the company named APT10, and in the case of Russia it mentioned APT28, Turla, Ursnif and Grizzly Steppe.
Tomi Engdahl says:
VMware Patches Critical Flaw in Workspace ONE UEM Console
https://www.securityweek.com/vmware-patches-critical-flaw-workspace-one-uem-console
VMware on Thursday announced the release of patches for a critical server-side request forgery (SSRF) vulnerability in Workspace ONE UEM console.
An attacker could exploit the flaw to access sensitive data in the management console, VMware says. Tracked as CVE-2021-22054, the security error carries a CVSS score of 9.1.
To exploit the vulnerability, an attacker needs to have network access to UEM, so they can send unauthenticated requests and trigger the bug.
The vulnerability was reported privately to the cloud computing and virtualization technology company, and both patches and workarounds have been released to address it.
CVE-2021-22054 was fixed with the release of VMware Workspace ONE UEM console versions 21.5.0.37, 21.2.0.27, 20.11.0.40, and 20.0.8.36. VMware Workspace ONE UEM patch 21.9.0.13 and above also address the bug.
Tomi Engdahl says:
Microsoft warns of easy Windows domain takeover via Active Directory bugs https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-easy-windows-domain-takeover-via-active-directory-bugs/
Microsoft warned customers today to patch two Active Directory domain service privilege escalation security flaws that, when combined, allow attackers to easily takeover Windows domains. The company released security updates to address the two security vulnerabilities (tracked as CVE-2021-42287 and CVE-2021-42278 and reported by Andrew Bartlett of Catalyst IT) during the November 2021 Patch Tuesday. Redmond’s warning to immediately patch the two bugs both allowing attackers to impersonate domain controllers comes after a proof-of-concept (PoC) tool that can leverage these vulnerabilities was shared on Twitter and GitHub on December 11.
Tomi Engdahl says:
Log4j vulnerability now used to install Dridex banking malware
https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/
Threat actors now exploit the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices with the notorious Dridex banking trojan or Meterpreter. The Dridex malware is a banking trojan originally developed to steal online banking credentials from victims.
However, over time, the malware has evolved to be a loader that downloads various modules that can be used to perform different malicious behavior, such as installing additional payloads, spreading to other devices, taking screenshots, and more.
Tomi Engdahl says:
New stealthy DarkWatchman malware hides in the Windows Registry https://www.bleepingcomputer.com/news/security/new-stealthy-darkwatchman-malware-hides-in-the-windows-registry/
A new malware named ‘DarkWatchman’ has emerged in the cybercrime underground, and it’s a lightweight and highly-capable JavaScript RAT (Remote Access Trojan) paired with a C# keylogger. According to a technical report by researchers at Prevailion, the novel RAT is employed by Russian-speaking actors who target mainly Russian organizations.
Tomi Engdahl says:
Dissident’s Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/
We confirmed the hacking of the devices of two individuals with Cytrox’s Predator spyware: Ayman Nour, a member of the Egyptian political opposition living in exile in Turkey, and an Egyptian exiled journalist who hosts a popular news program and wishes to remain anonymous.
Tomi Engdahl says:
Healthcare provider Texas ENT alerts 535,000 patients to data breach https://portswigger.net/daily-swig/healthcare-provider-texas-ent-alerts-535-000-patients-to-data-breach
More than half a million patients have been impacted by a data breach at US healthcare provider Texas Ear, Nose and Throat Specialists (Texas ENT). After learning of a security compromise on October 19, Texas ENT “determined that unauthorized parties gained access to our computer systems and took copies of Texas ENT files between August 9, 2021 and August 15, 2021”, reads a security alert (PDF) from the healthcare specialist. The breached data includes patient names, dates of birth, medical record numbers, procedure codes used for billing purposes, and, for only “a limited number of files”, Social Security numbers.
Tomi Engdahl says:
The NCA shares 585 million passwords with Have I Been Pwned https://therecord.media/the-nca-shares-585-million-passwords-with-have-i-been-pwned/
The UK National Crime Agency has shared a collection of more than 585 million compromised passwords it found during an investigation with Have I Been Pwned, a website that indexes data from security breaches.
The NCA now becomes the second law enforcement agency to officially supply HIBP with hacked passwords after the US Federal Bureau of Investigation began a similar collaboration with the service back in May. In a blog post today, HIBP creator Troy Hunt said that 225 million of the compromised passwords found by the NCA were new and unique.
Tomi Engdahl says:
Limes Security – KNXlock
https://limessecurity.com/en/knxlock/
In October 2021 we received an interesting request for help from a German engineering company. The company, which provides electrical and automation engineering services for various industrial cases, was having an issue with one of its customers: it had been contracted at some point to engineer the building automation system of a mid-sized site. They built the system based on the so-called KNX technology, a building automation standard that is very common throughout Europe. KNX is a very powerful standard, as it allows engineering and managing everything from small to very large building sites. Control system devices that are publicly accessible on the internet have been a known problem that security experts have been pointing out for a decade already. What made this attack campaign interesting was that it was executed using unique, control-system-technology-specific aspects.
Tomi Engdahl says:
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library. (Editor’s note: Maven Central is the largest and most significant Java package repository).
“This means that more than 8% of all packages on Maven Central have at least one version that is impacted by this vulnerability,” according to a note from researchers James Wetter and Nicky Ringland of Google’s Open Source Insights Team.
“As far as ecosystem impact goes, 8% is enormous. The average ecosystem impact of advisories affecting Maven Central is 2%, with the median less than 0.1%,” the Google team explained.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
With security programs around the world in full-blown crisis mode, experts are warning that eradicating the problem will be a long, laborious process because of software dependencies and so-called “transitive dependencies” that make patching very difficult.
“[It's still] difficult to determine the full blast radius of this vulnerability,” said Google’s Wetter.
Among the 35,863 vulnerable Java artifacts on Maven Central, the Google team found that direct dependencies account for around 7,000 of the affected artifacts, meaning that any of their versions depend upon an affected version of log4j-core or log4j-api, as described in the CVEs.
“The majority of affected artifacts come from indirect dependencies (that is, the dependencies of one’s own dependencies), meaning log4j is not explicitly defined as a dependency of the artifact, but gets pulled in as a transitive dependency,” the researchers explained.
“At the time of writing, nearly five thousand of the affected artifacts have been fixed. This represents a rapid response and mammoth effort both by the log4j maintainers and the wider community of open source consumers. That leaves over 30,000 artifacts affected, many of which are dependent on another artifact to patch (the transitive dependency) and are likely blocked.”
The main issue at stake is that most artifacts depend on Log4j indirectly, meaning that the deeper the vulnerability is in a dependency chain, the more steps are required for it to be fixed.
“For greater than 80% of the [affected] packages, the vulnerability is more than one level deep, with a majority affected five levels down and some as many as nine levels down,” the Google team said. “These packages will require fixes throughout all parts of the tree, starting from the deepest dependencies first.”
The researchers believe it will be “a long wait, likely years” before all the artifacts affected by the Log4j vulnerabilities are fully patched.
Threat hunters at edge security giant Akamai Technologies say there’s already “a global tsunami of malicious activity” linked to the Log4j flaws and warn that the vulnerability will have a very long attack tail.
A research note from Akamai warns of scanning reconnaissance in “massive, successive waves” as attackers found new attack vectors, firewall filter bypasses and exploit variations.
“From our data we can tell that ~57% of the attacking infrastructure sending log4j exploits was already known to Akamai from previous attacks — essentially, the tsunami came from existing malicious actors being opportunistic as much as it did from new attackers,” Akamai said, noting that networks in the U.S. are bearing the brunt of the attacks.
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Continuing with our research into CVE-2021-44228, Akamai has previously written about what the vulnerability is and given recommendations on how to go beyond patching for extra protection. Across the Akamai network, we see traffic from 1.3 billion unique devices daily, with record traffic of 182 Tbps. The threat research team has been investigating this traffic to gain deeper insights into how this vulnerability is being exploited. We want to share more technical findings and what they mean for threat hunters. Here are some implications for defenders and threat hunters to consider:
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward. We continue to recommend urgent patching to mitigate future attack attempts.
Attackers used opportunistic injections and became more targeted. As with the exploit mutations, the attackers went after every injection spot they could. And while they started with obvious opportunistic spots like the user agent, attackers quickly began to go after organization-specific parameters. Such intelligence is highly useful for web defenders in adapting quickly to the evolving threat landscape
Consequences of the reconnaissance may not be fully understood for months. The vast majority of the observed activity was reconnaissance/testing, compared to a relatively smaller percentage of actual attacks. And while the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened during this period. It will take time for the breaches to come to light and for us to understand their magnitude.
Now let’s look into the detailed findings.
Finding 1: A mild start, then a global tsunami of malicious activity
Finding 2: Unprecedented exploit mutations
Finding 3: Multiple injection places, moving from opportunistic to targeted
Finding 4: Payload analysis shows use of blind reconnaissance, dropping malware and post exploitation tools
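The Google finding above is about depth: most affected artifacts pull log4j-core in transitively, and every artifact between the application and log4j-core has to publish a fix, deepest first. The following script is an added example written for this post (not code from Google or the log4j project): it parses `mvn dependency:tree` output, reports each path to an affected log4j-core and derives the fix order. The sample tree and the "below 2.17.0 is affected" rule are assumptions, the latter mirroring the timeline in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample of `mvn dependency:tree` output for this example; it is not
# taken from the post or from any real project.
SAMPLE_TREE = r"""
[INFO] com.example:webapp:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.6:compile
[INFO] |  \- org.example:json-tools:jar:3.1.0:compile
[INFO] |     \- org.example:log-bridge:jar:1.2.0:compile
[INFO] |        \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.example:report-engine:jar:4.0.2:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
"""

# Each nesting level of the tree is drawn with a 3-character group:
# "+- ", "\- ", "|  " or "   ".  Depth = number of groups before the coordinate.
LINE_RE = re.compile(r"^(?:\[INFO\] )?((?:\+- |\\- |\|  |   )*)(\S+)\s*$")


@dataclass(frozen=True)
class Artifact:
    group: str
    name: str
    version: str

    @property
    def gav(self) -> str:
        return f"{self.group}:{self.name}:{self.version}"


def parse_coords(coord: str) -> Artifact:
    """groupId:artifactId:packaging[:classifier]:version[:scope] -> Artifact."""
    parts = coord.split(":")
    version = parts[4] if len(parts) >= 6 else parts[3]
    return Artifact(parts[0], parts[1], version)


def version_key(version: str):
    # Numeric dotted parts compare numerically; a pre-release tag such as
    # "2.0-beta9" sorts below the plain release with the same numbers.
    nums = tuple(int(x) for x in re.findall(r"\d+", version.split("-")[0]))
    return (nums, "-" not in version)


def log4j_core_is_affected(version: str) -> bool:
    # Assumption mirroring the post's timeline: on the 2.x line every release
    # below 2.17.0 is hit by at least one of CVE-2021-44228, CVE-2021-45046
    # or CVE-2021-45105.  1.x (CVE-2021-4104) is a separate case, not handled.
    key = version_key(version)
    return key[0][:1] == (2,) and key < version_key("2.17.0")


def find_affected_paths(tree_text: str):
    """Return every root -> ... -> log4j-core path whose log4j-core is affected."""
    paths, stack = [], []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2).count(":") < 3:
            continue  # not a dependency line (plugin banners, blank lines, ...)
        depth = len(m.group(1)) // 3
        art = parse_coords(m.group(2))
        stack[depth:] = [art]  # keep the ancestors, replace from this depth down
        if (art.group, art.name) == ("org.apache.logging.log4j", "log4j-core") \
                and log4j_core_is_affected(art.version):
            paths.append(tuple(stack))
    return paths


def fix_order(paths):
    """Artifacts that must publish a fixed release, closest to log4j-core first.

    An artifact that appears in several paths is ranked by its greatest
    distance from log4j-core, so it is never listed before something it
    depends on.
    """
    rank = {}
    for path in paths:
        for dist, art in enumerate(reversed(path[:-1]), start=1):
            rank[art] = max(rank.get(art, 0), dist)
    return sorted(rank, key=lambda a: (rank[a], a.gav))


def report(tree_text: str) -> dict:
    paths = find_affected_paths(tree_text)
    return {
        "affected": [" -> ".join(a.gav for a in p) for p in paths],
        "max_depth": max((len(p) - 1 for p in paths), default=0),
        "fix_order": [a.gav for a in fix_order(paths)],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_TREE).items():
        print(key, value)
```

Run it against `mvn dependency:tree > tree.txt` output of a real build; the depth figures correspond directly to the "levels down" that Google's note describes.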
Tomi Engdahl says:
Ransomware Operators Leak Data Stolen From Logistics Giant Hellmann
https://www.securityweek.com/ransomware-operators-leak-data-stolen-logistics-giant-hellmann
Logistics giant Hellmann Worldwide Logistics has confirmed that attackers were able to exfiltrate data from its systems during a cyberattack earlier this month.
On Thursday, December 9, after detecting the breach, the company took down servers at its central data center, to isolate them from the rest of the environment and contain the incident.
Hellmann, which provides air and sea freight, rail and road transportation, and other services in 173 countries, was apparently targeted by RansomEXX ransomware, whose operators have already made available data allegedly stolen from the German company.
On their leak website on the Tor network, the hackers published 70.64GB of compressed data, in the form of 145 archive files that contain, among others, customer names, user IDs, emails, and passwords.
In an updated cyber incident statement published last week, the German company confirmed that the attackers stole data from its servers, although it did not provide details on the type of information that was compromised.
Tomi Engdahl says:
Log4j Update Patches New Vulnerability That Allows DoS Attacks
https://www.securityweek.com/log4j-update-patches-new-vulnerability-allows-dos-attacks
CISA Orders Federal Agencies to Mitigate Log4j Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing federal agencies to mitigate the Log4j vulnerabilities. The announcement came just before the disclosure of a new flaw affecting the popular logging utility.
CISA on Friday issued emergency directive ED 22-02, which directs federal civilian executive branch agencies to identify internet-exposed systems, determine whether those assets use Log4j, and whether they are affected by the recently disclosed vulnerability tracked as CVE-2021-44228, Log4Shell and LogJam.
Once vulnerable systems have been identified, agencies are required to either install available Log4j patches, apply mitigations, or remove the affected software. These actions need to be carried out by the end of the work day on December 23.
“For all solution stacks containing software that agencies identified as affected: assume compromise, identify common post-exploit sources and activity, and persistently investigate and monitor for signs of malicious activity and anomalous traffic patterns,” CISA said.
Tomi Engdahl says:
https://www.securityweek.com/log4j-update-patches-new-vulnerability-allows-dos-attacks
New high-severity DoS vulnerability (CVE-2021-45105) found in Log4j
Since the disclosure of CVE-2021-44228, several other related issues have come to light and two additional CVE identifiers — CVE-2021-45046 and CVE-2021-4104 — have been assigned.
CVE-2021-45046 was initially said to allow DoS attacks and classified as “medium severity,” but its rating was later updated to “critical” after it came to light that exploitation could lead to information leaks and arbitrary code execution. This issue was patched with the release of versions 2.12.2 and 2.16.0, which not only fix the flaw, but also remove and disable abused functionality.
On Saturday, Log4j developers released another update, version 2.17.0, to address CVE-2021-45105, a high-severity vulnerability that can be exploited for denial-of-service (DoS) attacks by sending specially crafted requests.
Tomi Engdahl says:
Problematic Log4j Functionality Disabled as More Security Issues Come to Light
https://www.securityweek.com/problematic-log4j-functionality-disabled-more-security-issues-come-light
Tomi Engdahl says:
https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4J_2.17.0
Tomi Engdahl says:
Log4j vulnerability exploitation already attempted in every second Finnish corporate network
https://etn.fi/index.php/13-news/12985-log4j-haavoittuvuutta-yritetty-hyoedyntaeae-jo-joka-toisessa-suomalaisessa-yritysverkossa
Tomi Engdahl says:
New analysis further links Pegasus spyware to Jamal Khashoggi murder
https://www.theverge.com/2021/12/21/22848485/pegasus-spyware-jamal-khashoggi-murder-nso-hanan-elatr-new-analysis
Forensics suggest that a UAE government agency installed spyware on the phone of Hanan Elatr, Khashoggi’s wife, months before his death
New forensic analysis indicates that representatives of the United Arab Emirates government installed Pegasus spyware on the phone of Hanan Elatr, wife of murdered journalist Jamal Khashoggi, just months before her husband was killed.
NSO has denied that its spyware was used to target Khashoggi or his associates, including Hanan Elatr — but Citizen Lab’s analysis makes it hard to believe that claim. Phone numbers belonging to Elatr and to Khashoggi’s Turkish fiancée, Hatice Cengiz, were also found in a list of 50,000 numbers in a data leak that revealed potential targets of Pegasus spyware
The investigation, branded The Pegasus Project, exposed widespread targeting of journalists, activists, and politicians, up to and including heads of state.
A phone number belonging to French president Emmanuel Macron was among the numbers in the list, along with another belonging to South African president Cyril Ramaphosa and Pakistani prime minister Imran Khan.
As a spyware company, NSO’s operations have long been shrouded in secrecy. But in the face of mounting evidence of the company’s willingness to assist repressive and authoritarian regimes around the world — including surveilling American officials in some cases — the US government has begun to take action against the Israeli company.
NSO was recently placed on a blacklist by the US Department of Commerce, preventing US companies from providing NSO with goods or services.
Tomi Engdahl says:
https://www.forbes.com/sites/thomasbrewster/2021/12/20/google-scans-gmail-and-drive-for-cartoons-of-child-sexual-abuse/?sh=73ad045a79c7
Tomi Engdahl says:
Mehul Srivastava / Financial Times:
Sources: how a 2019 NSO deal to sell Pegasus services to Uganda, followed by an attempt to hack US diplomats in Uganda using Pegasus, led to NSO’s decline — For years, the Israeli spyware maker thrived through scandal. Then, US diplomats in Uganda got hacked by Pegasus
https://t.co/W0h9lXv34g
Tomi Engdahl says:
Lucas Matney / TechCrunch:
An announcement bot for Justin Kan’s NFT platform Fractal was hacked by a scammer who made off with about $150K, before the startup even launched its platform
Justin Kan’s NFT platform suffers rocky debut as scammer makes off with $150K in user funds
https://techcrunch.com/2021/12/21/justin-kans-nft-platform-suffers-rocky-debut-as-scammer-makes-off-with-150k-in-user-funds/
Despite billions in VC investment, many web3 crypto platforms are still pretty hostile places for users new to the crypto world.
Case in point, today Justin Kan’s NFT platform Fractal suffered a security breach when a scammer hacked the announcement bot for the startup’s Discord which sent out a fraudulent link to the platform’s more than 100,000 users, urging them to pay up for a new NFT. The message promised users access to 3,333 commemorative NFTs designed to celebrate the platform’s success, but the link was faked with a URL for fractal.is that swapped an “i” for the “l”, taking users to a minting site where funds were taken and they earned nothing in return.
Tomi Engdahl says:
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
Tomi Engdahl says:
Facebook Patches Vulnerability Exposing Page Admin Identity
https://www.securityweek.com/facebook-patches-vulnerability-exposing-page-admin-identity
Tomi Engdahl says:
FBI Sees APTs Exploiting Recent ManageEngine Desktop Central Vulnerability
https://www.securityweek.com/fbi-sees-apts-exploiting-recent-manageengine-desktop-central-vulnerability
Tomi Engdahl says:
AP Exclusive: Polish Opposition Duo Hacked With NSO Spyware
https://www.securityweek.com/ap-exclusive-polish-opposition-duo-hacked-nso-spyware
The aggressive cellphone break-ins of a high-profile lawyer representing top Polish opposition figures came in the final weeks of pivotal 2019 parliamentary elections. Two years later, a prosecutor challenging attempts by the populist right-wing government to purge the judiciary had her smartphone hacked.
In both instances, the invader was military-grade spyware from NSO Group, the Israeli hack-for-hire outfit that the U.S. government recently blacklisted, say digital sleuths of the University of Toronto-based Citizen Lab internet watchdog.
Citizen Lab could not say who ordered the hacks and NSO does not identify its clients, beyond saying it works only with legitimate government agencies vetted by Israel’s Defense Ministry. But both victims believe Poland’s increasingly illiberal government is responsible.
A Polish state security spokesman, Stanislaw Zaryn, would neither confirm nor deny whether the government ordered the hacks or is an NSO customer.
Tomi Engdahl says:
Vulnerabilities Can Allow Hackers to Tamper With Walk-Through Metal Detectors
https://www.securityweek.com/vulnerabilities-can-allow-hackers-tamper-walk-through-metal-detectors
Walk-through metal detectors made by Garrett are affected by potentially serious vulnerabilities that can be exploited to hack the devices and alter their configuration.
The metal detection products and services provided by Texas-based Garrett are sold in more than 100 countries around the world, including in Europe, the Middle East and Australia. Its metal detectors are deployed in stadiums, event venues, schools, courthouses, hospitals, prisons, and government buildings.
Cisco’s Talos threat intelligence and research unit revealed on Monday that one of its researchers has identified several vulnerabilities in Garrett iC Module, which provides wired or wireless network connectivity to the company’s PD 6500i and Multi Zone walk-through metal detectors.
The vendor was notified about the vulnerabilities in August and patches were released on December 13, Talos said.
Talos has disclosed the details of seven vulnerabilities discovered in the iC Module, including five that have been assigned a critical or high severity rating.
Three of the security holes can be exploited without authentication by sending a specially crafted packet to the device, allowing the attacker to execute arbitrary code.
Vulnerability Spotlight: Vulnerabilities in metal detector peripheral could allow attackers to manipulate security devices
https://blog.talosintelligence.com/2021/12/vuln-spotlight-garrett-metal-detector.html
Tomi Engdahl says:
Russian Hacker Extradited to US for Trading on Stolen Information
https://www.securityweek.com/russian-hacker-extradited-us-trading-stolen-information
A Russian national was extradited to the United States from Switzerland over the weekend, to face charges for his alleged role in a scheme whose participants traded on information stolen from hacked U.S. companies.
Tomi Engdahl says:
Microsoft Urges Customers to Patch Recent Active Directory Vulnerabilities
https://www.securityweek.com/microsoft-urges-customers-patch-recent-active-directory-vulnerabilities
Microsoft on Monday released an alert on two Active Directory vulnerabilities addressed with the November 2021 Patch Tuesday updates, urging customers to install the available patches as soon as possible, to prevent potential compromise.
Tracked as CVE-2021-42287 and CVE-2021-42278, the two security errors can be chained to impersonate domain controllers and gain administrative privileges on Active Directory.
Proof-of-concept code exploiting the two bugs has been public for more than a week, and Microsoft is warning companies of potential malicious attacks, while also sharing a guide to help organizations identify suspicious behavior exploiting the flaws.
“When combining these two vulnerabilities, an attacker can create a straightforward path to a Domain Admin user in an Active Directory environment that hasn’t applied these new updates. This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain,” Microsoft explains.
SAM Name impersonation
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/sam-name-impersonation/ba-p/3042699
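A detection sketch for the chain described above, written for this post and not taken from Microsoft's guide: it walks Windows Security events (4741 = computer account created, 4742 = computer account changed) and flags renames that drop the trailing `$` from a computer account or make it collide with a domain controller's name, which is what the CVE-2021-42278/42287 chain relies on. The event records and the DC list are constructed.

```python
# Constructed sample of Windows Security events as a SIEM might export them.
# The field names mirror the events' own fields ("SAM Account Name" is the
# new value, or "-" when the attribute did not change); the records are made up.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "jdoe", "TargetUserName": "WKS-0042$",
     "SamAccountName": "WKS-0042$"},
    {"EventID": 4742, "SubjectUserName": "jdoe", "TargetUserName": "WKS-0042$",
     "SamAccountName": "DC01"},
    {"EventID": 4742, "SubjectUserName": "svc-sccm", "TargetUserName": "WKS-0100$",
     "SamAccountName": "-"},
    {"EventID": 4742, "SubjectUserName": "it-admin", "TargetUserName": "LAB-07$",
     "SamAccountName": "LAB-08$"},
]

# Hypothetical DC list for the example; in practice take it from AD itself.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}


def suspicious_sam_changes(events, dc_names):
    """Flag 4742 events whose new sAMAccountName lost its trailing '$' and/or
    matches a domain controller.  A 4741 from the same principal for the same
    account in the batch (create, then rename) is reported as context."""
    dc_upper = {n.upper().rstrip("$") for n in dc_names}
    created_by = {(e["SubjectUserName"], e["TargetUserName"])
                  for e in events if e.get("EventID") == 4741}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4742:
            continue
        new_name = ev.get("SamAccountName", "-")
        if new_name == "-":
            continue  # sAMAccountName was not among the changed attributes
        reasons = []
        if not new_name.endswith("$"):
            reasons.append("trailing $ removed from computer account name")
        if new_name.upper().rstrip("$") in dc_upper:
            reasons.append("new name matches a domain controller")
        if reasons:
            findings.append({
                "subject": ev["SubjectUserName"],
                "target": ev["TargetUserName"],
                "new_name": new_name,
                "reasons": reasons,
                "created_by_same_subject":
                    (ev["SubjectUserName"], ev["TargetUserName"]) in created_by,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_sam_changes(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(f)
```

The benign rename in the sample (LAB-07$ to LAB-08$) produces no finding, which is the point: ordinary computer renames keep the `$` and do not collide with a DC.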
Tomi Engdahl says:
800K WordPress sites still impacted by critical SEO plugin flaw https://www.bleepingcomputer.com/news/security/800k-wordpress-sites-still-impacted-by-critical-seo-plugin-flaw/
Two critical and high severity security vulnerabilities in the highly popular “All in One” SEO WordPress plugin exposed over 3 million websites to takeover attacks. The security flaws discovered and reported by Automattic security researcher Marc Montpas are a critical Authenticated Privilege Escalation bug (CVE-2021-25036) and a high severity Authenticated SQL Injection (CVE-2021-25037).
Tomi Engdahl says:
Conti Ransomware Gang Has Full Log4Shell Attack Chain https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
The Conti ransomware gang, which last week became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, has now built up a holistic attack chain. As of today, Monday, Dec. 20, the attack chain has taken the following form, AdvIntel’s Yelisey Boguslavskiy told Threatpost: Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> vCenter ESXi with log4shell scan for vCenter.
Tomi Engdahl says:
Russian hackers made millions by stealing SEC earning reports https://www.bleepingcomputer.com/news/security/russian-hackers-made-millions-by-stealing-sec-earning-reports/
A Russian national working for a cybersecurity company has been extradited to the U.S., where he is being charged for hacking into the computer networks of two U.S.-based filing agents used by multiple companies to file quarterly and annual earnings through the Securities and Exchange Commission’s (SEC) system. Along with other conspirators, the individual made millions of U.S. dollars by trading on the material non-public information (MNPI) stolen from the two filing agents.
Tomi Engdahl says:
Threat actors steal $80 million per month with fake giveaways, surveys
https://www.bleepingcomputer.com/news/security/threat-actors-steal-80-million-per-month-with-fake-giveaways-surveys/
Scammers are estimated to have made $80 million per month by impersonating popular brands asking people to participate in fake surveys or giveaways. Researchers warn of this new trend in global fraud schemes involving targeted links to make investigation and take-down increasingly challenging.
Tomi Engdahl says:
Belgian Defense Ministry confirms cyberattack through Log4j exploitation
https://www.zdnet.com/article/belgian-defense-ministry-confirms-cyberattack-through-log4j-exploitation/
The Belgian Ministry of Defense has confirmed a cyberattack on its networks that involved the Log4j vulnerability. In a statement, the Defense Ministry said it discovered an attack on its computer network with internet access on Thursday. They did not say if it was a ransomware attack but explained that “quarantine measures” were quickly put in place to “contain the infected elements.”
Tomi Engdahl says:
7 Scams To Avoid This Christmas
https://www.pandasecurity.com/en/mediacenter/security/7-scams-to-avoid-this-christmas/
Christmas is supposed to be a time of joy and goodwill but unfortunately cybercriminals don’t care. In fact, many will use Christmas as a way to target even more victims. Here are seven scams you should look out for this festive season!
Tomi Engdahl says:
Would you spot the scam? A Finnish woman realised at the last moment that she was shopping in a fake online store: fake sites have become deceptively genuine-looking
https://yle.fi/uutiset/3-12231298
At least around a hundred fake online stores using the Finnish .fi domain alone are currently active. Online there are, for example, fake sites imitating the stores of Fjällräven, Canada Goose and Haglöfs.
Tia Ainola from Uusimaa, who was looking for shoes online, found out last week how deceptive fake online stores imitating genuine shops can be these days.
Tomi Engdahl says:
Meta Sues Hackers Behind Facebook, WhatsApp and Instagram Phishing Attacks
https://thehackernews.com/2021/12/meta-sues-hackers-behind-facebook.html
Facebook’s parent company Meta Platforms on Monday said it has filed a federal lawsuit in the U.S. state of California against bad actors who operated more than 39,000 phishing websites that impersonated its digital properties to mislead unsuspecting users into divulging their login credentials.
The attacks were carried out using a relay service, Ngrok, that redirected internet traffic to the phishing websites in a manner that concealed the true location of the fraudulent infrastructure. Meta said the volume of these phishing attacks ramped up in volume since March 2021 and that it worked with the relay service to suspend thousands of URLs to the phishing websites. The social engineering scheme involved the creation of rogue webpages that masqueraded as the login pages of Facebook, Messenger, Instagram, and WhatsApp, on which victims were prompted to enter their usernames and passwords that were then harvested by the defendants. The tech giant is also seeking $500,000 from the anonymous actors.
Tomi Engdahl says:
AWS just can’t catch a break
https://techcrunch.com/2021/12/22/aws-just-cant-catch-a-break/?tpcc=tcplusfacebook
For the third time this month, AWS today suffered an outage in one of its data centers. This morning, a power outage in its US-EAST-1 region affected services like Slack, Asana, Epic Games and others.
“We can confirm a loss of power within a single data center within a single Availability Zone (USE1-AZ4) in the US-EAST-1 Region,” the company explained in an update at 8 a.m. ET. “This is affecting availability and connectivity to EC2 instances that are part of the affected data center within the affected Availability Zone.”
If this had been the only AWS outage in recent weeks, it would have barely been noteworthy. Given the complexity of the modern hyper clouds, outages are bound to happen every now and then. But outages are currently a weekly occurrence for AWS. On December 7, the same US-EAST-1 region went down for hours due to a networking issue. Then, on December 17, an outage that affected connectivity between two of its West Coast regions took down services from the likes of Netflix, Slack and Amazon’s own Ring. To add insult to injury, all of these outages happened shortly after AWS touted the resilience of its cloud at its re:Invent conference earlier this month.
Ideally, of course, none of these outages would ever happen and there are some ways that AWS users can protect themselves from them by architecting their systems to fail over to a geographically separate region — but that can add significant cost, so some decide that the trade-off between downtime and cost isn’t worth it. At the end of the day, it’s on AWS to provide a stable platform.
Tomi Engdahl says:
China suspends deal with Alibaba for not sharing Log4j 0-day first with the government
https://thehackernews.com/2021/12/china-suspends-deal-with-alibaba-for.html?m=1
China’s internet regulator, the Ministry of Industry and Information Technology (MIIT), has suspended a partnership with Alibaba Cloud, the cloud computing subsidiary of e-commerce giant Alibaba Group, for six months for failing to promptly report a critical security vulnerability affecting the broadly used Log4j logging library.
The development was reported by Reuters and South China Morning Post, citing a report from 21st Century Business Herald, a Chinese business-news daily newspaper.
“Alibaba Cloud did not immediately report vulnerabilities in the popular, open-source logging framework Apache Log4j2 to China’s telecommunications regulator,” Reuters said. “In response, MIIT suspended a cooperative partnership with the cloud unit regarding cybersecurity threats and information-sharing platforms.”
Tracked as CVE-2021-44228 (CVSS score: 10.0) and codenamed Log4Shell or LogJam, the catastrophic security shortcoming allows malicious actors to remotely execute code by getting a specially crafted string logged by the software.
Post the bug’s public disclosure, Log4Shell has been subjected to widespread exploitation by threat actors to take control of susceptible servers, thanks to the near-ubiquitous use of the library, which can be found in a variety of consumer and enterprise services, websites, and applications — as well as in operational technology products — that rely on it to log security and performance information.
Chen Zhaojun of Alibaba Cloud has been credited with reporting the flaw on November 24. Further investigation into Log4j by the cybersecurity community has since uncovered three more flaws in the Java-based tool, prompting the Apache Software Foundation (ASF) to ship a series of patches to contain real-world attacks exploiting the flaws.
Israeli security firm Check Point noted that it has blocked over 4.3 million exploitation attempts so far, with 46% of those intrusions made by known malicious groups.
Tomi Engdahl says:
Cybersecurity company identifies months-long attack on US federal commission
https://www.zdnet.com/article/cybersecurity-company-identifies-months-long-attack-on-us-federal-commission/
Both CISA and USCIRF refused to engage with the company after being notified repeatedly of the attack.
Avast said the attack has been going on for months, yet USCIRF and CISA refused to engage with them when notified. They allegedly tried multiple channels over the course of months to help resolve the issue but were ignored after initial communications.
“The attempts to resolve this issue included repeated direct follow-up outreach attempts to the organization. We also used other standard channels for reporting security issues directly to affected organizations, and standard channels the United States Government has in place to receive reports like this,” Avast explained.
“In these conversations and outreach, we have received no follow up, or information on whether the issues we reported have been resolved and no further information was shared with us. Because of the lack of discernible action or response, we are now releasing our findings to the community so they can be aware of this threat and take measures to protect their customers and the community.”
An Avast spokesperson told ZDNet that after the report was published, they were contacted by CISA.
The Avast spokesperson said that with the ability to intercept and possibly exfiltrate all local network traffic from USCIRF, the backdoor “had the potential to give the attackers total visibility of the network including information exchanged with other agencies, or international governmental or non-governmental organizations, and complete control of the agencies’ system.”
It has been about one year since the SolarWinds attack, where hackers for the Russian government spent months inside the systems of multiple US government agencies, including the Justice Department, Treasury Department, Department of Homeland Security, State Department and Department of Energy.
Tomi Engdahl says:
What’s missing in this wave is the extortion, the ransomware, and the disruptive attacks that have defined so much of the past two years. This won’t be the case for long.
https://www.wired.com/story/log4j-log4shell-vulnerability-ransomware-second-wave/?mbid=social_facebook&utm_brand=wired&utm_medium=social&utm_social-type=owned&utm_source=facebook
Tomi Engdahl says:
A Bluetooth bug in a popular at-home COVID-19 test could falsify results
https://techcrunch.com/2021/12/21/ellume-bug-covid-results/?tpcc=tcplusfacebook
A security researcher found a Bluetooth vulnerability in a popular at-home COVID-19 test allowing him to modify its results.
F-Secure researcher Ken Gannon identified the since-fixed flaw in the Ellume COVID-19 Home Test, a self-administered antigen test that individuals can use to check to see if they have been infected with the virus. Rather than submitting a sample to a testing facility, the sample is tested using a Bluetooth analyzer, which then reports the result to the user and health authorities via Ellume’s mobile app.
Gannon says that when he received an email with his results from Ellume, it incorrectly showed he had tested positive. To complete the proof-of-concept, F-Secure also successfully obtained a certified copy of the faked COVID-19 test results from Azova, a telehealth provider that Ellume partners with for certifying at-home COVID-19 tests for travel or going into work.
While Gannon’s writeup only includes changing negative results to positive ones, he says that the process “works both ways.”
https://labs.f-secure.com/blog/faking-a-positive-covid-test
Tomi Engdahl says:
Everyone who just upgraded log4j to 2.16… I have some bad news….
Time to upgrade to 2.17, when it comes out, as 2.16 and earlier have a very nasty recursion bug where certain strings can cause infinite recursion… Yea I love open source…
https://issues.apache.org/jira/plugins/servlet/mobile#issue/LOG4J2-3230
Tomi Engdahl says:
Nice chat with three folks. We’re dOomEd!
Log4J & JNDI Exploit: Why So Bad? – Computerphile
https://m.youtube.com/watch?v=Opqgwn8TdlM&feature=youtu.be
The “most critical vulnerability of the last decade?” – Dr Bagley and Dr Pound explain why it’s so pervasive, and even affected Mike’s own code!
Tomi Engdahl says:
CISA – Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
https://www.cisa.gov/uscert/ncas/alerts/aa21-356a
This joint Cybersecurity Advisory expands on the previously published guidance by detailing steps that vendors and organizations with IT and/or cloud assets should take to reduce the risk posed by these vulnerabilities. Identifying assets affected by Log4Shell and other Log4j-related vulnerabilities, upgrading Log4j assets and affected products to the latest version as soon as patches are available and remaining alert to vendor software updates, and initiating hunt and incident response procedures to detect possible Log4Shell exploitation.
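The first step in the CISA advisory above is identifying which assets actually carry Log4j, and the earlier comment about 2.16 still having the recursion bug shows why the version matters, not just presence. The following is an added example (not CISA's tooling and not code from this blog) of a small inventory scanner: it walks a directory tree, opens every JAR/WAR/EAR, recurses into nested archives, and rates each log4j-core it finds against the thresholds stated in the thread (below 2.16 treated as exposed to Log4Shell, 2.16.x as carrying the recursion bug fixed in 2.17). It assumes Maven-built jars, which carry their version in `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`; the sample archives it scans are constructed in a temp directory and are not real Log4j artifacts.

```python
"""Log4j asset inventory: find log4j-core inside JAR/WAR/EAR files and rate the version.

Added example for this thread; not CISA's tooling. Assumes Maven-built jars, which
carry META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Thresholds as stated in the thread: 2.16 and earlier still carry the lookup
# recursion bug fixed in 2.17; anything before 2.16 is treated as Log4Shell-exposed.
RECURSION_FIXED = (2, 17, 0)
LOG4SHELL_FIXED = (2, 16, 0)

CORE_PREFIX = "org/apache/logging/log4j/core/"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(props):
    """Extract (major, minor, patch) from a pom.properties 'version=' line, else None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", props, re.MULTILINE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version):
    """Map a parsed version to a triage status using the thresholds above."""
    if version is None:
        return "unknown"  # log4j-core classes present but no version metadata (shaded jar)
    if version < LOG4SHELL_FIXED:
        return "exposed-log4shell"
    if version < RECURSION_FIXED:
        return "recursion-bug"
    return "patched"


def scan_archive(zf, location, findings):
    """Record log4j-core found in an open archive; recurse into nested jars/wars."""
    names = zf.namelist()
    version = None
    if POM_PROPS in names:
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
    if version is not None or any(n.startswith(CORE_PREFIX) for n in names):
        findings.append({"location": location, "version": version, "status": classify(version)})
    for n in names:
        if n.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(n)))
            except zipfile.BadZipFile:
                continue
            scan_archive(inner, f"{location}!{n}", findings)


def scan_tree(root):
    """Walk a directory tree and return one finding per log4j-core occurrence."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, str(path), findings)
            except zipfile.BadZipFile:
                continue  # wrong extension, not a zip container
    return findings


def make_jar(version=None, with_classes=True, nested=None):
    """Constructed stand-in for a jar (not a real Log4j artifact), used only by demo()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_classes:
            zf.writestr(CORE_PREFIX + "LogEvent.class", b"\xca\xfe\xba\xbe")
        if version:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if nested:
            zf.writestr("WEB-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()


def demo():
    """Build a constructed sample tree in a temp dir, scan it, return {location: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "app"
        app.mkdir()
        (app / "old-log4j-core-2.14.1.jar").write_bytes(make_jar("2.14.1"))
        (app / "site.war").write_bytes(make_jar(None, with_classes=False, nested=make_jar("2.16.0")))
        (app / "log4j-core-2.17.0.jar").write_bytes(make_jar("2.17.0"))
        (app / "shaded-app.jar").write_bytes(make_jar(None))  # classes but no pom.properties
        return {Path(f["location"]).relative_to(root).as_posix(): f["status"]
                for f in scan_tree(root)}


if __name__ == "__main__":
    for location, status in demo().items():
        print(f"{status:18} {location}")
```

Two caveats for real use: a jar that contains the log4j-core classes but no Maven metadata (a shaded or repackaged build) is reported as "unknown" and needs a manual check, and the 2.x thresholds here do not apply to the separate backport branches (2.3.x and 2.12.x) that Apache ships for older Java runtimes, which carry their own fixed versions.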
Tomi Engdahl says:
NCC Group Monthly Threat Pulse November 2021
https://newsroom.nccgroup.com/news/ncc-group-monthly-threat-pulse-november-2021-439934
NCC Group’s Strategic Threat Intelligence team has identified PYSA and Lockbit as the threat actors dominating the ransomware landscape in November. Since August this year, Conti and Lockbit have been the top threat groups, but in November, PYSA, also known as Mespinoza, overtook Conti with an increase of 50%. Meanwhile, the prevalence of Conti decreased by 9.1%.
Tomi Engdahl says:
Phishing incident causes data breach at West Virginia hospitals
https://www.zdnet.com/article/phishing-incident-causes-data-breach-at-west-virginia-hospitals/
Attackers gained access to email accounts containing information from patients and employees of Mon Health including Social Security numbers, health insurance plan member ID numbers, medical and clinical treatment information and more.
Tomi Engdahl says:
Microsoft notifies customers of Azure bug that exposed their source code
https://therecord.media/microsoft-notifies-customers-of-azure-bug-that-exposed-their-source-code/
The issue, nicknamed NotLegit, resides in Azure App Service, a feature of the Azure cloud that allows customers to deploy websites and web apps from a source code repository. Wiz researchers said that in situations where Azure customers selected the “Local Git” option to deploy their websites from a Git repository hosted on the same Azure server, the source code was also exposed online.