CyberWire Daily - Log4j and Log4shell updates. Cyberespionage and C2C market developments. Patch Tuesday notes. And how do you pronounce that, anyway?
Episode Date: December 15, 2021
A second vulnerability is found and fixed in Log4j as both criminals and nation-state intelligence services increase their exploitation of Log4shell. Iranian intelligence services have been actively conducting cyberespionage against a range of targets in the Middle East and Asia. Andrea Little Limbago from Interos checks in on supply chain issues. Our guest is Suzy Greenberg from Intel with a look ahead toward the coming year. A quick look back at Patch Tuesday, and, finally, some musing on literacy, orality, and the way you pronounce stuff people tweet about. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/239
Transcript
You're listening to the CyberWire Network, powered by N2K.
A second vulnerability is found and fixed in Log4j as both criminals and nation-state intelligence services increase their exploitation of Log4Shell. Iranian intelligence services have been actively conducting cyber espionage against a range of targets in the Middle East and Asia. Andrea Little Limbago from Interos checks in on supply chain issues. Our guest is Suzy Greenberg from Intel with a look ahead toward the coming year. A quick look back at Patch Tuesday. And finally, some musings on literacy, orality, and the way you pronounce stuff people tweet about.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 15th, 2021.
We open, as we have all week, with updates on the vulnerabilities found in Apache's Log4j.
And today, it is indeed vulnerabilities, plural, because a second vulnerability has been discovered.
Unlike its Log4Shell cousin, it hasn't, as we go to press, received a catchy nickname yet, but MITRE has registered the issue as CVE-2021-45046. MITRE says, quote, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup or a Thread Context Map pattern, to craft malicious input data using a JNDI Lookup pattern, resulting in a denial-of-service attack. End quote.
In any case, the flaw is now patched, and organizations should apply that patch or, if they're using older versions of Log4j, disable JNDI functionality. That's, in any case, the default in the newer patched versions.
Late yesterday afternoon and running into the early evening, the U.S. Cybersecurity and Infrastructure Security Agency held a phone conference with the media to discuss the current state of risk and remediation surrounding Log4Shell. CyberScoop quotes CISA's Executive Assistant Director Eric Goldstein to the effect that, quote, certainly given the nature of this vulnerability, the triviality of exploitation, the ubiquity of the presence across enterprise, consumer, and IoT products, really our broad focus here is driving mitigation across the board, recognizing that malicious cyber actors of all types may decide to use this vulnerability to achieve a variety of attack types or drive a variety of malicious ends. End quote.
In some respects, Goldstein offered reassurances that exploitation had, so far, been not as consequential as it might have been, but that this was no grounds for complacency. ABC News quotes him as saying, quote, at this point in time, we are not seeing widespread, highly sophisticated, damaging intrusion campaigns. But certainly we are deeply concerned about the prospects of adversaries using this vulnerability to cause real harm and even impacting national critical functions, which is why we have such a sense of urgency at CISA and across the cybersecurity community to drive urgent mitigation and adoption of controls wherever we can. End quote.
On balance, however, as Reuters reports, CISA thinks most of the activity has been scanning and cryptojacking and that it hasn't confirmed industry reports of more damaging activity.
Those industry reports are warning of both nation-state activity and more sophisticated moves from cyber gangland. We've seen, as The Record notes, that Log4Shell has been exploited to distribute ransomware. It's also now being used by nation-state espionage services. Microsoft reported yesterday that it's seeing, quote, the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actors' objectives. End quote.
Microsoft particularly draws attention to Iran's Phosphorus and China's Hafnium groups as among the nation-state actors that have been using Log4Shell against their targets. SecurityWeek reports that Mandiant has also seen Iranian and Chinese exploitation in progress. Mandiant thinks more intelligence services will be joining the party soon. The company's vice president of intelligence analysis, John Hultquist, emailed SecurityWeek to tell them, quote, we have seen Chinese and Iranian state actors leveraging this vulnerability, and we anticipate other state actors are doing so as well or preparing to. We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting. End quote.
The criminal-to-criminal market has also taken note, and Microsoft has seen access brokers working to monetize the vulnerability. Quote, MSTIC and the Microsoft 365 Defender team have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to targeted networks. These access brokers then sell access to these networks to ransomware-as-a-service affiliates. We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms. End quote.
The basic advice about handling the vulnerability has remained stable. Both ESET and Fastly, to take two of the many security firms who've published recommendations, emphasize the importance of determining where the Log4Shell vulnerability exists in an organization and of then applying the available patches. BleepingComputer is offering a list of affected products along with vendor advice on mitigation, and SecurityWeek is maintaining a current list of tools and resources for defenders.
Spare a thought, gentle listener, for the Apache volunteers working their end of this problem.
The Apache Software Foundation is, the Wall Street Journal reminds us, a U.S. 501(c)(3) not-for-profit outfit and dependent on its volunteers. Their work is invaluable.
Self-described cybersecurity plebe and DoublePulsar editor Kevin Beaumont, who tweets under the handle GossiTheDog, has been following the Log4Shell incident with bemused interest. He summed things up yesterday with an askance look at some of the freewheeling history of open source development. Quote, basically, the perfect ending to cybersecurity in 2021 is a 90s-style Java vuln in an open source module. End quote.
Nicely woofed, and good doggy, GossiTheDog.
An apparent Iranian government threat actor, which Symantec tentatively associates with the organization known variously as Seedworm or MuddyWater, has been active against targets in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos. The cyber espionage campaign has concentrated on telecommunications and IT service providers. The attacks do not appear to use bespoke malware, but instead rely on legitimate tools and commodity malware. Once inside the targets, the operators live off the land, making use of the victims' own infrastructure, and steal credentials to pivot across networks of interest to them.
IBM independently has identified a novel attack vector in use by Iranian state actors, and that vector is Slack. The group IBM tracks as ITG17, and others call MuddyWater, employed free workspaces in the legitimate and widely used business chat tool in an attempt to compromise an unnamed Asian airline. Slack's APIs to create an actor-controlled Slack workspace and channels where the adversary could receive system information, including requested files and screenshots, post commands to the backdoor, and receive commands in return. End quote.
It's not clear yet what data, if any, MuddyWater removed through the backdoor, but it's at least possible some information about reservations was obtained. Slack has shut down the malicious workspaces and reassures users that their services as a whole have not been compromised.
Lest you find yourself inclined to be too hard on Tehran, Tehran would like you to know that, hey, it's the victim here, really. Iran's ambassador to the United Nations complained that the Islamic Republic is more sinned against than sinning, since it's well behaved in cyberspace, and because of the way it's subjected to constant cyber harassment by Israel and the U.S. He called for more development of international norms for cyberspace.
The Zero Day Initiative offers a rundown of fixes Adobe, Apache, Apple, Google, and Microsoft issued yesterday on Patch Tuesday. Some of Microsoft's fixes address a zero-day that's been used in the resurgent Emotet campaigns.
Also yesterday, the U.S. Cybersecurity and Infrastructure Security Agency released three industrial control system advisories.
And finally, our social media desk tells us there's a hot debate among infosec practitioners on the one true pronunciation of the library at the root of the Log4Shell vulnerability, with some saying it's log4j and others proclaiming, no, FYI, it's actually log4j, thank you very much. Not since GIF versus GIF have we seen such passion over a label, but that's what you get when a post-literate culture like ours abandons the oral formulaic tradition and names stuff as if it's to be read silently instead of spoken aloud. The greatest generation got this. Everyone knew how to pronounce "Kilroy was here," and the acronyms all made sense, like SNAFU. We'll add that perhaps as an industry we would do well to stop naming things like they're track titles from a 1980s album from Prince. That new vulnerability in Log4j, by the way, doesn't yet have a snazzy name, so hop to it, infosec world, and share your thoughts. And you can take that from me, because I'm giving it to you straight here. I'm the artist formerly known as Dave.
Suzy Greenberg is Vice President of Communications and Incident Response at Intel. As we approach the end of 2021, I spoke with her to gather her insights on the year we've had, what's yet to come, and how to ensure everyone has an opportunity to contribute.
It's been an exciting year, to say the least. I think we've really seen an expanded attack surface, especially for our adversaries to capitalize on. And, you know, we have a number of things that we can thank for that. There's been technology advancements, for one. Others include a more complex and growing supply chain. And then we're seeing this shift from what, you know, was the new normal to just now it's just reality of full-time remote and hybrid work that we really need to take into consideration. And that really is going to impact all of the areas of security that we're seeing. So that's everything from firmware and hardware security to supply chain, and really that importance on transparency as well.
You know, when I think of Intel, I certainly think about hardware innovation, literally dozens of devices that use the chips that you all manufacture. What is on the roadmap there in terms of innovation and the types of things we might expect to see from a security point of view going forward?
One of the things that we've seen is that organizations, it's really basic in terms of what we need to be doing, and that's being more proactive versus reactive in the way that we're responding to threats. Typically, today, the way organizations are, they're more reactive in the way that they're responding. What we're seeing is that there's a shift more to that proactive side and that it's important to be identifying these vulnerabilities. And that requires a significant investment. And so businesses are really looking at the way that they increase their engagements and partnerships with external researchers in developing more coordinated vulnerability disclosure and bug bounty programs that really kind of get to the root of some of these issues and facilitate a better collaboration between companies and external researchers to stay ahead of these threats and help avoid zero days wherever possible.
You know, I know something that you're very active in is working on improving the situation when it comes to diversity in cybersecurity, specifically more opportunities for women. And I'm curious, you know, where do you think we find ourselves there? Have we seen improvements this year, and what work is yet to be done?
I don't know how much improvement we've seen this last year. I think, in fact, we've probably seen in the industry as a whole a drop-off in the number of women that are working at all. They've had to make some really tough choices in the last year about what they're able to do when it comes to working and then also supporting their families. I have three young kids and, you know, I'm very fortunate that I didn't have to make those decisions, but I'm not the norm. And, you know, there was a recent study that came out from the Aspen Institute, and it found that only 24% of cybersecurity workers self-identify as women. And so while we're seeing a greater awareness around the need for diversity and security today, there's really no question that the gender gap in cybersecurity remains an industry-wide problem. And I do feel really passionate about this because I think employees and individuals feel some sort of security, and no pun intended, and safety in numbers. And, you know, we really need to be fostering an environment that gives women more opportunities to thrive in environments that are friendly towards all different types of people and perspectives. And so, you know, I think we have a significant way to go in this area and we're seeing still a pretty major gap, and that's going to negatively impact the overall workforce and diversity as well. So bringing awareness, I think, is the first step and talking about it, which is something I don't think we typically have done in the past. And then how do we support and give those platforms to women to feel like they can come into this type of field and feel supported and feel recognized for their contributions in a very male-dominated environment.
That's Suzy Greenberg from Intel.
And I'm pleased to be joined once again by Andrea Little Limbago. She is Vice President of Research and Analysis at Interos. Andrea, it's always great to have you back.
You know, we have seen lots of headlines about supply chain issues, both, of course, in the cybersecurity realm, but then just globally in general. Those things are, of course, linked. And I'm curious for your take on this, kind of where things stand and how you think it's going to shake out.
Yeah, thanks for having me, Dave. And this is an important area that I think has risen to prominence, you know, from the beginning of COVID and with SolarWinds. And I think it is just going to be an area that will dominate discussions going into 2022. And there are those two different angles that are, though, really just almost increasingly intertwined. You almost can't separate them. One is the notion of the supply chain attacks. And that's like your SolarWinds, Exchange, Kaseya, Codecov, Accellion, kind of the list kind of keeps going on and on that we saw over the last year. And that's where there is manipulation of the software or malicious code embedded within it as part of updates and so forth. There are many different ways that the supply chain hardware and software can get manipulated. And that's one component of it. And that we really have seen to be on the rise and is a troubling trend.
We are seeing some legislation in the U.S. to help secure some aspects of that. And I think the movement toward the software bill of materials, the SBOM, which we hear a lot about, I think we're just continuing hearing a lot more about that. And that really requires companies to know where the various code comes from, basically having transparency for the various libraries and software and so forth that are within their ecosystem. And I think that's a big shift where many companies don't necessarily know that. And so I think there'll be some requirements that will continue to come along.
At the same time, we're seeing all the supply chain disruptions. And those are also tightly linked because some of them are and have been disrupted by ransomware, really disrupting some of the supply chain. So there's supply chain issues as far as some of the supply and demand and the just-in-time and some of the disruptions due to concentration risks. But there are also the disruptions that are occurring because of ransomware and other kinds of cyber attacks that are occurring on the energy sector, which we see in Colonial Pipeline, for instance, the transportation sector, logistics. An interesting way where I'm seeing right now where that intersection, China's new data privacy law, basically has large requirements on data transfer outside of China. And so where that's impacting right now is the shipping data. That's what we're seeing where the companies that normally track global shipping to help assess for congestion and so forth and bottlenecks in the shipping lanes, they're now missing a lot of that Chinese data. It basically has gone blank based on the data privacy regulations of not sharing that data externally. And so that's a relatively new occurrence that's going on. The data privacy law came into effect in early November, but it's already having an impact there for those companies that track, basically, maritime tracking metrics, are seeing basically a huge data gap now. And so it's just an interesting sort of confluence of how all this is just so interdependent with each other and has these externalities that in many ways are just unanticipated.
You know, it's easy to Monday morning quarterback this stuff. And I think for me, you know, it seems as though we chipped away at the supply chain in terms of having things be more and more just in time and where can we save money, where can we save money, where can we save money. And we're kind of paying for that now. We're paying for that in that there was very little room for excess capacity. Do you think we're going to see a global emphasis on getting some of that capacity back? Is this a lesson learned?
I think the companies that are going to have a competitive advantage going forward are taking this as a lesson learned. And what I've seen, it varies across industries. It varies even within some companies. There are debates going on exactly about that right now. But sort of the biggest sort of bumper sticker that summarizes where some companies are heading is from just in time to just in case. And so basically making sure that they're switching that paradigm so that they have some sort of capacity. So just in case a big climate, severe weather event happens, just in case a ransomware attack happens, just in case a global pandemic requires lockdown. And it's really that broad range, right? I mean, it could even be just in case your key supplier goes bankrupt, just in case you have a key supplier that all of a sudden is connected to human rights violations, or it's linked to technology that supports a foreign military. I mean, it's really, the just in case really isn't just in case for having capacity in the storage. It's just in case for all these whole range of events that can disrupt supply chains. I think it will become a competitive advantage. So for those companies that are thinking that way and are adjusting and making those investments now, I think that will pay off. For those that don't and are kind of still wanting to retreat back to the old ways, I think are going to pay the price down the road.
Yeah, that's interesting. All right. Well, Andrea Little Limbago, thanks for joining us.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karpf, Eliana White,
Thanks for listening. We'll see you back here tomorrow.