CyberWire Daily - Log4j: new exploitation, new mitigations, new risk assessments. Service interruptions, Space Force’s capture-the-flag, and official interventions.
Episode Date: December 20, 2021. Updates on Log4j vulnerabilities: new exploitation, new mitigations, new risk assessments, some good advice from the NCSC, and from Betsy Carmelite and Mike Saxton, analysts at Booz Allen Hamilton. Kronos interruptions continue into the holiday season. NCA shares compromised passwords with Have I Been Pwned. A power grid security exercise in Ukraine. AWS outage last week put down to congestion. Hack-A-Sat promises more transparency. Tis the season for charity scams, as Carole Theriault reports. And the SEC wants financial services companies to use proper channels, not, say, WhatsApp and personal email. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/242
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Updates on Log4j vulnerabilities,
new exploitation, new mitigations, new risk assessments,
some good advice from the NCSC and from analysts at Booz Allen Hamilton.
Kronos interruptions continue into the holiday season.
NCA shares compromised passwords with Have I Been Pwned?
A power grid security exercise in Ukraine.
AWS outage last week put down to congestion.
Hack-A-Sat promises more transparency.
Tis the season for charity scams, as Carole Theriault reports.
And the SEC wants financial services companies to use proper channels, not, say, WhatsApp and personal email.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 20th, 2021. Today's news continues to be dominated by the fallout from vulnerabilities disclosed in Apache's Log4j library.
New patches, new attacks, and fresh assessments have all appeared over the weekend. Apache on Saturday introduced Log4j 2.17.0, a new version that addresses the denial-of-service risk posed by vulnerability CVE-2021-45105. The problem, now fixed in the latest release, is that, as Apache puts it, Apache Log4j 2 does not always protect from infinite recursion in lookup evaluation.
Ransomware continues to arrive via Log4Shell.
The first major ransomware strain to take advantage of Log4Shell was newcomer Khonsari,
but a familiar player has now also been observed exploiting the vulnerability.
Advanced Intelligence tells Bleeping Computer that it's observed Conti seeking to use Log4Shell
to move laterally into VMware vCenter networks.
Bleeping Computer quotes them as saying,
The current exploitation led to multiple use cases,
through which the Conti group tested the possibilities
of utilizing the Log4j exploit.
End quote.
Those servers aren't normally exposed to the Internet,
and Conti's activity shows that networks are susceptible to attack
via RDP, VPN, or email phishing vectors.
So security teams should expand their focus
to include these alternative avenues of approach.
Ridiculously widespread and incredibly dangerous is Morphisec's summary risk assessment of Log4Shell. The company explains, quote, many widely used frameworks such as enterprise search platform Apache Solr and database platform Apache Druid use Log4j.
This makes the likelihood that any organization hosts a compromised application or server incredibly high.
Even for C-based servers that are theoretically safe, a connected online form written in Java could lead to a compromise.
End quote.
Google's security blog is equally grim and applies some quantification to its assessment.
Quote, As of December 16, 2021, we found that 35,863 of the available Java artifacts from Maven Central depend on the affected Log4j code. This means that more than 8% of all packages on Maven Central
have at least one version that is impacted by this vulnerability. These numbers do not encompass all Java packages, such as directly distributed binaries,
but Maven Central is a strong proxy for the state of the ecosystem.
As far as ecosystem impact goes, 8% is enormous.
The average ecosystem impact of advisories affecting Maven Central is 2%,
with the median less than 0.1%.
And where are the attackers coming from? The call is coming from inside the house, says Bitdefender. The Log4j exploitation attempts the company's honeypots have drawn show that
most attacks are originating in Germany and the U.S., but that doesn't mean the threat actors are predominantly or even significantly German or American.
Quote,
Threat actors exploiting Log4J are routing their attacks through machines that are closer to their intended targets,
and just because we don't see countries commonly associated with cybersecurity threats at the top of the list
does not mean that attacks did not originate there,
end quote. So the honeypots reveal staging, not origin, and Bitdefender in this case has used its
familiarity with slasher flicks to good effect. The call is coming from inside the house, but
that doesn't mean the menace lives at that address. The geolocation of the targets is unsurprising, with the U.S., the U.K., and Canada
leading the pack. Rounding out the top 10 are, in this order, Romania, Germany, Australia, France,
the Netherlands, Brazil, and Italy. Britain's National Cyber Security Centre has offered corporate boards advice on dealing with Log4j vulnerabilities. NCSC writes, quote, the Log4j issue has the potential to cause severe impact to many organizations.
As cybersecurity experts attempt to detect which software and organizations are vulnerable,
attackers start to exploit the vulnerability. Initial reports indicate this is likely to include
remote control malware and ransomware.
However, the situation is fluid and changing regularly.
End quote.
The NCSC usefully frames its advice in the form of questions
boards should be asking executives and security leads.
Who is leading our response?
What is our plan?
How will we know if we're being attacked and can we respond?
What percentage visibility of our software and services do we have? How are we addressing shadow IT and appliances?
And this one is actually two related questions. Does anyone in our organization develop Java code?
What is their plan for finding out if we are affected? How will people report issues they
find to us? When did we last check our business continuity plans and crisis response?
And how are we preventing teams from burning out?
They're good questions, and ones that could be readily adapted to use in other security incidents.
More of the CyberWire's ongoing coverage of Log4j can be found on our website.
The ransomware attack that led UKG to shut down elements of its Kronos payroll service has, the Wall Street Journal reports,
led retailers and other affected users
to revert to manual payroll processing
during the busy holiday season.
It's an inconvenience,
especially coming as it does
when many retailers have taken on part-time holiday staff
to handle the seasonal surge in trade.
The UK's National Crime Agency has shared 585 million compromised passwords with Have I Been Pwned, The Record writes, making the NCA the second major law enforcement organization, after the US FBI, to undertake such sharing with the breach intelligence website. As tensions with Russia remain high, and as Russia issues
what approaches an ultimatum to NATO about the Atlantic Alliance's expansion into the near abroad,
Ukraine conducts with the SANS Institute an exercise that simulated a large-scale cyber attack on the country's power grid.
The Daily Swig reports that Grid NetWars involved some 250 Ukrainian security professionals.
Ukraine's power grid has been the subject of at least two regional disruptions run by Russian intelligence services, and it's likely to be the focus of escalated cyber operations
during the ongoing conflict between the two countries.
According to Computing, Amazon has traced last Wednesday's regional AWS outages,
the second in as many weeks, to network congestion,
more specifically to network congestion between parts of the AWS backbone
and a subset of Internet service providers, which was triggered by AWS traffic engineering,
executed in response to congestion outside of their network.
Those interested in white-hat hacking a satellite will be interested to know that
U.S. Space Force plans more transparency
in scoring for its next Hack-A-Sat competition. Air Force Magazine explains the plans to give
White Hats another go at ground-based satellite hardware provided for a capture-the-flag exercise.
That's ground-based hardware for any chicken littles who may be listening. The sky is not going to fall on you or on anyone else,
at least not because of this Space Force exercise.
And finally, JPMorgan Chase has agreed to pay a $125 million penalty
to the U.S. Securities and Exchange Commission
imposed for employees' use of WhatsApp and personal email accounts
to transact official business.
That usage ran afoul of SEC record-keeping requirements, UPI reports.
It's not that there's anything inherently nefarious about either WhatsApp or personal email accounts,
but the SEC wants transactions and communications about them to be properly recorded and accessible,
and both those methods of communicating fall outside the scope of what's on the books.
Tis the season for generosity,
for goodwill toward your friends, family, and colleagues,
and for folks inclined to do so to take care of their end-of-year charitable giving.
Not surprisingly, scammers are more than willing
to take advantage of that, as our UK correspondent Carole Theriault explains. Every year at the end of
October, charity regulators bang the same drum in order to raise awareness about charity fraud.
I've seen reports from organizations like the U.S. Federal Trade Commission, the FTC, the Federal Bureau of
Investigation, the FBI, and oh, the Fraud Advisory Panel. And there's the U.K. Government Action
Fraud and Charity Commission, Canada's Better Business Bureau, oh, and Australia's Scam Watch.
You get the idea. This charity scam awareness drive is transcending national borders. The FTC
wrote that it joins this effort once again this year because it's so important for us all to know how to spot a charity scam.
They write, the more you know, the less likely you'll donate to a bogus charity.
Better yet, you'll make sure your money is helping in the way you intended.
I mean, if you think about it, being duped by a charity scam during the holiday season is akin to skidding wallet first into a steaming pile of reindeer muck.
You decide to do the right thing and help the homeless or the sick or the elderly or the lonely, and you end up lining the pocket of some ne'er-do-well festive season scrounger.
So let's unpack this a bit.
A charity scammer is different from other scammers in that they need to fool you into happily giving your money away,
unlike a ransomware attack where you are threatened with data loss or a reputation hit unless you pay up.
The charity scammer convinces you to generously part with your cash.
And this makes these scams particularly insidious.
We depend on charities to help our communities, both local and elsewhere.
If people stop giving to food banks or shelters or health centres,
they cannot look after the most vulnerable in our society.
So if your cash is misdirected by a charity scam, it is a double-tap hit.
One, the giver, of course, has been scammed out of their donation.
But even worse, those that are dependent on these donations are utterly shafted. So rather than not give to charities because there are scammers out there,
how about we check the latest advice from the experts on how to donate safely to a chosen
charity? Charity scammers all have a preferred attack method from the traditional to the digital.
They can hack ads, post fake social posts, send
emails, call you, doorstop you, or even stop you in the city center. So the first thing to do is to
slow everything down. Responding to a charity donation request does not need to happen right
now. So in other words, listen to the pitch, ask for information, and then take it away to do your own research.
If they pressure you into donating right away, my advice is to walk away.
Now scammers often pick names or use website addresses that sound very similar to legitimate, well-known charities.
So instead of clicking a link in an email or in a social media post,
use a search engine to find the homepage of the charity of interest.
And then research the cause or organization.
Search online for the name of the organization with words like review or scam or complaint to see if any others have had good or bad experiences with this charity.
Know that legitimate charities are registered and you can
verify this fact at your government official website. Check out charity watchdog groups.
So in the US, for example, consider BBB Wise Giving Alliance, Charity Navigator, Charity Watch,
and Candid. Now here's a pro tip. The IRS's tax-exempt organization search tool,
I know it's a mouthful,
but this is a smart way to check
if the charity in question you're considering giving to
is officially listed in the US
as an actual bona fide charity.
And I'm sure similar services exist elsewhere.
More than any other payment method,
a credit card will give you more rights
to dispute the charge if something goes wrong.
And maybe this is obvious, but never buy from sellers
that only accept gift cards, money transfers, or cryptocurrency for payment.
And if you decide to proceed with your donation,
make sure you get a receipt and review that it contains all the correct details.
So there you have it.
Now, I know most of you listeners out there
probably knew most of that because, well, you listen to the smart people on the CyberWire.
But I am sure you have someone in your life, a generous soul who likes to give, especially around
the festive season. It might be good for them to be forewarned with this info. I leave it in your
very capable hands.
This was Carole Theriault with the CyberWire.
The Log4Shell vulnerability has prompted an all-hands-on-deck response from cyber defenders.
I checked in with our CyberWire partner from Booz Allen Hamilton, Betsy Carmelite,
and her colleague, Senior Associate Mike Saxton, for the latest.
Betsy Carmelite started our discussion with insights on what she and her colleagues are seeing in terms of nation-states exploiting the Log4Shell vulnerability. So what we're seeing here is that nation-state actors could exploit the Log4j
vulnerability through a number of means. For example, the vulnerability could be exploited
to extend the reach of groups targeting in new ways,
possibly by targeting virtualization infrastructure with the exploits,
or it could be leveraged to deploy new strains of ransomware. We did hear you mention a list of
reported state-sponsored actors that have been observed using the exploits to compromise targets
earlier this week. And what will really make the understanding of
what nation-state sponsors are doing with this vulnerability are the goals of and the behaviors
of state-sponsored or intelligence services. And so we're talking about patience, avoiding
detection, penetration, persistence, all of this prior to conducting possible loud exfiltration
activities. And finally, an attacker can leverage the noise being created right now with this
publicized vulnerability. They know all security operators and defenders are focusing on log4j,
so what other known vulnerabilities have been designated as lower priorities now
and overlooked to address the hot issue of the day and who is manipulating those other flaws?
You know, Mike, since the Log4Shell vulnerability was revealed a week or so ago,
it's really been all hands on deck for a lot of organizations out there. What are you seeing in
terms of smaller businesses? What are your recommendations for them to protect themselves?
Yeah, you know, our approach for initial defense and countermeasures against this,
regardless of size, has been pretty consistent that we're going to need a short-term, mid-term,
and long-term approach here. Specifically for smaller business, I would recommend
working across the
industry to find out the newest and latest and greatest indicators of compromise, continuing to
apply countermeasures for other types of activity as we are seeing increasing activity with botnets
and malware being dropped as a result of this. And also, as always, continue patching
and just general security hygiene
is the best place to start,
especially as the patch to this vulnerability
has seen, I think, three different versions come out.
The midterm step,
and this can be difficult for some organizations,
but we recommend moving logs
that have not been previously put into a SIEM
or if smaller businesses don't have access to a SIEM,
moving them to a central location.
And there's been a number of scripts that have been released
to help organizations process the vast amount of data
so they can find things easily.
And finally, in our long-term approach,
we look at the need to move to a persistent hunt operation.
CISA has mentioned persistent hunt. DOD is getting to hunt forward. And for some of the smaller organizations, using managed service providers can help them accomplish this mission.
What about for the professionals in cybersecurity, the sector as a whole? How should they go about calibrating their response to this?
Yeah, I think this has been a massive vulnerability that has caught everybody a little bit off guard. I think one of the things we need to keep in mind is that sharing information
widely and broadly as much as possible via your ISACs, Twitter, social media, email,
threat intelligence platforms. There's no good in holding back information in this environment.
It should all be shared. And finally, continuing to rely on expertise and guidance from some of these
organizations as it relates to hunt activity, software developers that understand the counter
measures that need to be applied, the software development practices that got us here in
the first place.
So, you know, continuing information sharing and collaboration, I think, is our best approach
here from an industry.
Our thanks to Betsy Carmelite and Mike Saxton from Booz Allen for joining us.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Hah.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick
Thanks for listening. We'll see you back here tomorrow.