CyberWire Daily - Attacking where vulnerable. [Research Saturday]
Episode Date: May 7, 2022
Tushar Richabadas from Barracuda joins Dave Bittner to discuss their findings detailed in their "Threat Spotlight: Attacks on Log4Shell vulnerabilities." Their research shows the percentage of attackers targeting the vulnerabilities, and shows where the dips and spikes are over the course of the past couple of months. The research has also gathered where the attackers' main IP addresses are located, with 83% of them located in the United States. They break down what this malware can do and how to protect yourself against it. They say "Due to the growing number of vulnerabilities found in web applications, it is getting progressively more complex to protect against attacks." The research can be found here: Threat Spotlight: Attacks on Log4Shell vulnerabilities
Transcript
You're listening to the CyberWire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So, Log4Shell hit us on a Friday evening.
We almost immediately started seeing a spike in what looked like exploit attempts for it
and started getting down to identifying the ways of blocking those attacks.
That's Tushar Richabadas.
He's a senior product marketing manager at Barracuda.
The research we're discussing today is titled
Threat Spotlight, Attacks on Log4Shell Vulnerabilities.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying
every request based on identity and context, simplifying security management with AI-powered
automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
It was a bit of an evolving situation given that there were multiple vulnerabilities that were being targeted. So it took a few days to get a hold on everything given that the disclosures happened slowly.
But we were soon in good shape and we were able to identify and block these vulnerabilities.
Well, let's go through the research here together.
One of the things that you highlight is where these attacks are coming from.
So the majority of attacks always look like they come from the US.
This, again, is because attackers just need a bunch of IPs to rotate through.
They need machines to infect from.
So a lot of the traffic ends up coming from some hosting provider or the other.
In fact, there are a few persistent IPs that don't show up in this list
because they don't make up that much traffic.
But then after looking at the data for so long,
we almost instinctively know that this one is coming from this cloud provider and has been trying this same payload for a very long time, and for some reason it hasn't been shut down yet.
In terms of the others, it was a little surprising to see so much traffic originating from Japan. We normally don't see that in our traffic patterns. But outside of that, nothing massively different from previous vulnerabilities, like the Exchange vulnerabilities and so on.
Now, help me understand here. This is sort of the first step of a multi-step process, where these initial intrusions would come from these IP addresses,
but then payloads would likely come from somewhere else?
Yes, the initial access, it looks like the attack itself
will come from one specific AWS machine,
but the payload itself will be delivered from some other website
that has been compromised to host the payload.
Well, let's go through some of the examples that you all have here in the research.
I have to say, as I was reading through, I laughed out loud on the first one here.
I'm just going to quote the research.
It says, for the first one, let's look at a relatively benign or, depending on your viewpoint, very annoying payload.
What exactly did you find here?
So it is interesting to see someone essentially pushing a Rickroll video link in the payload. I had to play the video, the first few seconds of it. It almost seemed like it was predestined.
But yeah, it is nice to see
when you're going through an entire sea
of other exploits to see this one.
Someone is clearly having fun.
Yeah, yeah.
So just for clarity here,
this one will take you to a YouTube video,
of course, playing Rick Astley's Never Gonna Give You Up.
So Rick rolling you, which, I mean, I suppose if you're going to point out a vulnerability to someone that they have in their system, this is about as benign as a way as you can do it, right?
Yep, yep. As benign as you can get.
Well, let's move on to some more serious ones here.
You highlighted one that had
to do with crypto mining. This was one of the first crypto miner payloads that we saw. It was
a Monero miner. It ranked quite high in the number of payloads being pushed our way in the
first few days. The actual payload was available on that website for quite a while before it was
taken down. I think it was almost two or three weeks of it being up before it was taken down.
Interestingly, it has been, more or less, the miner payloads have gone down, the crypto miner payloads
have gone down since then. I was looking at the data just now before we got on this
recording, and I noticed that they're among the lower pushed payloads, but it's mostly that
Kinsing malware, sorry, the Kinsing miner, rather than Monero or any other miner that was initially
seen in the early days.
Do you have any insights as to why that may have fallen off?
I mean, is it just a matter that at the outset it was low-hanging fruit?
Yeah, I think we still have a lot of people looking for low-hanging fruit.
If you actually look through our installations and honeypot logs, we are seeing
massive amounts of noise for Log4Shell still, and most of it is the same payload over and over again
from various sources. We are not seeing very targeted attacks, so people are still being
very opportunistic and just spraying and praying, essentially.
Let's move on to the next example here. And this was targeting VMware
installations. What did you all find here?
So we didn't see too much VMware traffic.
There was a little bit. And I'm assuming that VMware installations,
most people don't expose them on the internet and it's probably going to be more of an insider threat.
We saw some lower levels of probing for VMware
with these Log4Shell vulnerabilities, though.
I do see off and on in traffic those probes,
but not as much as the other payloads.
And then the last one you highlight here is some DDoS.
Right, and that is the biggest part
of the traffic that we see now.
If you look at all the exploits being delivered
through all these automated scripts right now,
we are seeing a large number of Mirai
and Mirai variants being delivered.
It is quite interesting,
given what we heard yesterday
about the US government going after another botnet
and bringing it down,
essentially shutting down a botnet,
which was probably going to create a large DDoS attack.
The fact that so many people are trying to build out Mirai botnets
and to use for later is definitely interesting.
Yeah, it absolutely is.
What are your recommendations then in terms of protecting against these sorts of payloads?
So the first thing is always plan your upgrades.
These things come out and strike you at times when you don't expect it.
So you need to have defense in depth. Having a plan in place to upgrade your software, making sure, and it is a moving target, making sure that you are addressing that is an important part of your security posture.
As always, having the cover of a firewall, a web application firewall or a web application firewall service that can stop these types of attacks is definitely useful. And it also
gives you that cover while you actually do the upgrades, you figure out your plans and so on.
Based on the information that you all are gathering here, the traffic that you all are
able to monitor, where do you suppose we stand when it comes to Log4Shell vulnerabilities?
I mean, is this a case where we had an initial flurry of activity
and now we've sort of settled into a baseline?
Or does it come in waves?
What are we looking at these days?
So this is interesting.
And I'll probably use another example instead for this. There is this one IP
that comes from a Russian ISP that does probing of various installations that we see every now
and then and it does it in waves. On one day it will be going after a PHP vulnerability,
on another day it will be going after the Laravel vulnerability. If you look at Shellshock, the original explorations stopped fairly soon, but for years later,
we still see spikes in the traffic.
Now, Log4Shell is essentially considered one of the biggest vulnerability complexes that are there, and then I'd say one
of the biggest addressable or exploitable vulnerabilities. So I think we will see
continued probing in waves. As people start looking for new ways to exploit systems, they're going to
come back to Log4Shell and probably find
some vulnerable installations along the way and cause havoc. It also bears noting that
people are getting better at patching and protecting their cyber installations, so
you're going to see attackers look for that one hole that they can get through at all times.
And in this case, Log4Shell is a very attractive hole.
Yeah, I mean, is this a case where if someone is willing to put in the work,
that it's achievable to have the defenses in place to protect against this?
Yeah, if someone is willing to put in the work,
it's eminently defendable.
We have the upgrades required to block it.
We have all the vendors have put out patches
to protect against the traffic.
So it's very defendable.
It's a matter of time and effort
for the defender to get it done.
Our thanks to Tushar Richabadas from Barracuda for joining us.
The research is titled Threat Spotlight,
Attacks on Log4Shell Vulnerabilities.
We'll have a link in the show notes.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sebi, Tim Nodar, Joe Kerrigan, Kirill Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.