CyberWire Daily - Log4j updates, including an Aquatic Panda sighting. Cyberattacks hit news services in Norway, Israel, and Portugal. Addressing Y2K22.
Episode Date: January 3, 2022
Aquatic Panda has been found working Log4Shell exploits against an academic institution. Apache fixes new Log4j issues reported last week, and Microsoft also updates Windows Defender to address Log4j risks. Cyberattacks, criminal or hacktivist in motivation, hit news outlets around the new year. Microsoft works on fixing a Y2K22 bug in on-premise Exchange Server. Andrea Little Limbago from Interos on technology spheres of influence. Our guest is Mark Dehus from Lumen's Black Lotus Labs with DDoS insights. And CISA issues some ICS security advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/11/1
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Aquatic Panda has been found working Log4Shell exploits against an academic institution.
Apache fixes new Log4j issues reported last week,
and Microsoft also updates Windows Defender to address Log4j risks.
Cyberattacks, criminal or hacktivist in motivation, hit news outlets around the new year.
Microsoft works on fixing a Y2K22 bug in on-premise Exchange Server.
Andrea Little Limbago from Interos on technology spheres of influence,
our guest is Mark Dehus from Lumen's Black Lotus Labs with DDoS insights,
and CISA issues some ICS security advisories.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Monday, January 3rd, 2022.
CrowdStrike has found Log4Shell exploitation tools in the possession of Aquatic Panda,
a Chinese government-operated threat group.
The researchers explain, quote,
Aquatic Panda is a Chinese-based targeted intrusion adversary
with a dual mission of intelligence collection and industrial espionage. It has
likely operated since at least May 2020. Aquatic Panda operations have primarily focused on
entities in the telecommunications, technology, and government sectors. Aquatic Panda relies
heavily on Cobalt Strike, and its toolset includes the unique Cobalt Strike downloader tracked as Fishmaster.
Aquatic Panda has also been observed delivering njRAT payloads to targets.
End quote.
The affected organization was able to address the issue,
patch the vulnerability, and disrupt the attempt.
This isn't the first nation-state exploitation of a Log4j issue.
North Korean, Turkish, Iranian, and Russian units have all been reported to be active against the vulnerability.
On December 28th, Checkmarx reported and Apache fixed a new arbitrary code execution vulnerability in Log4j.
It's not, as Naked Security notes, an unauthorized remote code execution issue,
which is probably among the reasons it's rated at moderate severity;
an attacker would need to be authenticated inside the target in order to be able to take advantage of the flaw.
Nonetheless, users would do well to upgrade their systems promptly.
And Naked Security also suggests that it might be worth seeing if your organization could do without Log4j entirely. Quote,
But we're going to suggest once again that if you have found Log4j in your ecosystem recently,
especially on servers where you didn't even know it was there, that you should ask yourself the question,
do I genuinely need a multi-megabyte logging toolkit consisting of close to half a million lines of source code?
That's not a criticism of Apache.
It's merely a reminder that inherited security problems such as Log4Shell
are often the unexpected side effect of a cybersecurity decision made years ago
by someone from outside your company whom you've never met and never will.
End quote.
Bleeping Computer, keeping score, counts this as the fifth Log4j CVE that's been addressed in less than a month.
And Microsoft last week issued new services designed to protect its users against exploitation of Log4j vulnerabilities.
The company blogged on December 27th, quote,
New capabilities in threat and vulnerability management, including a new advanced hunting schema and support for Linux,
which requires updating the Microsoft Defender for Linux client, new Microsoft Defender for containers solution, end quote.
You can follow the CyberWire's Pro coverage of the Log4j affair on the Stories page of the CyberWire website.
Several media companies have been hit over the past week with cyberattacks that are interfering with publication.
Reuters reports that the websites of Portugal's Expresso newspaper and SIC TV station,
both owned by the media conglomerate Impresa, were taken down over the weekend by a ransomware attack.
This one seems to be a straightforward criminal double extortion scam,
thereby continuing 2021's big cybercrime trend into the new year.
The Lapsus$ gang has claimed responsibility,
and Impresa says it's working with the authorities.
SC Magazine reports that last week, Norway's Amedia, which owns some 50 newspapers and the ANB news agency, was hit with an unspecified cyberattack that disrupted printing.
Amedia has also been working with the authorities since detecting the incident last Tuesday,
but the group has been tight-lipped about both the nature of the data incident and the pace of its recovery.
And Reuters reports that the Jerusalem Post was hit yesterday in an apparent hacktivist incident
that came on the anniversary of the U.S. drone strike
that killed Iranian General Qasem Soleimani in 2020.
The attack was a website defacement with a hand wearing a ring
said to resemble one worn by General Soleimani.
It's shown shooting a missile downward, as if from the heavens,
alongside the legend, "We are close to you where you do not think about it."
The Post is resolving the issue with its website.
Microsoft is working to fix an issue with on-premise Exchange servers
that's been causing emails to hang in transport queues since January 1st.
In an homage to the Y2K episode, which those of a certain age will remember, some are calling it Y2K22.
Bleeping Computer says the problem arose because Microsoft used a signed int32 variable to store the value of the date, but the minimum value of dates in 2022 exceeds the maximum permissible value.
Redmond explained, quote, This is not an issue with malware scanning or the malware engine, and it is not a security-related issue.
The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues. End quote.
A note on disclosure: Microsoft is a CyberWire sponsor.
The U.S. Cybersecurity and Infrastructure Security Agency, that's CISA, of course spent the holidays working to mitigate the risk of Log4J vulnerabilities in federal systems.
But its more routine work also continued.
On December 23rd, CISA released two industrial control system advisories.
And finally, we wish all of you a happy, healthy, and prosperous new year as we open 2022.
We hope you all got a Bitcoin in your stocking or at least a nice NFT.
We hear those were all the rage for the holidays.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform ... discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Mark Dehus is Director of Information Security and Threat Intelligence with Lumen's Black Lotus Labs.
He and his colleagues recently released their third quarter DDoS report,
and Mark Dehus joins us with some of the highlights.
So some key things that I'd highlight from the report that we observed in Q3 was an increase in the number of complex attacks, meaning typically when we see an attack,
there's many different types.
There's reflective DDoS attacks, and typically they tend to use,
in the past they've used a single protocol for reflection.
We're seeing a lot more of the different botnets
using multiple protocols for reflection.
And so that is a trend in growth that we've seen, Q3 compared to others.
We also scrubbed a larger attack than prior and had an increase in terms of bandwidth quarter over quarter,
which was also interesting and concerning as well.
So those are a couple of key things that were in the report.
Some things that occurred towards the end of Q3 and beginning of Q4 that were also of
interest was a trend towards DDoS actors attacking services not commonly attacked by other actors.
And so there were some targets towards the voice and telecom industry in particular that had some
pretty significant impacts that we observed and helped work to mitigate and clean up as well.
Yeah, it's interesting because just in the past few days here, I've seen some reports of, I guess, extortion threats at voice over IP companies.
And when you align that with the report that you and your team have put out here, I wonder, were we doing some tests here?
Were these shots across the bow?
Is there any relationship at all?
Yeah, I'd say these attacks seem like
they are just the forefront of some future attacks that could come.
They were definitely very successful
in terms of the impact that they had.
And so it is concerning that those actors, other actors have observed
the success of these voice attacks could be targeting other services and other providers.
What are your recommendations for organizations to dial in the appropriate amount of risk management here
when it comes to how much of an investment they should make
towards blocking DDoS attempts here?
Any words of wisdom there?
Yeah, sure.
I mean, that's always a challenge
where it's something that's unique
to that individual organization and their trade-offs.
In general, I'd recommend having a DDoS mitigation service
in place for key services that are business critical.
Or, if not, having one that is capable
of being turned up very quickly.
Lumen has been working hard to make the provisioning of our DDoS services fully automated,
and we do emergency turn-ups in very quick time frames.
And so that to me is key
because extortion-based DDoS attacks,
letters could come in at any time
and actors can be threatening.
Well, that sure is a nice service you have there.
It'd be a shame if something happened to it
on your most important business day on this week.
We can make that not happen
if you send us this much Bitcoin to this address
or doing the same thing while an attack is actually active and having a business impact.
And so it's far better to at least be prepared and know what are you going to do in those circumstances
and who are you going to work with and how are you going to mitigate that attack without having to go pay the ransom.
Where do you suppose we're headed with this?
Do you suspect that the DDoS attacks will continue to grow in size
and folks like you will keep pace with them?
Or are there ways that this may become something
that we look back on and say,
well, remember when those things used to happen?
It's always hard to predict the future.
My speculation with it would be,
yeah, I mean, obviously DDoS attacks
and those trends are going to continue,
but we've been seeing a lot of the less sophisticated actors
realize, hey, I could actually make money at this.
And so more extortion type of attacks
and those sorts of attacks continuing in the coming year,
if I had to guess,
and something that we'd see as being more of a trend,
especially towards the services not typically attacked, right?
Just as we as a corporate business look for ways we can be differentiated,
we're seeing actors, DDoS actors in particular,
try to find ways that they can differentiate themselves
from the types of attacks they launch
as well as the degree of success they can have
in getting an extortion payment out of those things.
That's Mark Dehus from Lumen's Black Lotus Labs.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Andrea Little Limbago.
She's the vice president of research and analysis at Interos.
You know, I wanted to touch today on sort of the regulatory things that are going on globally,
touching on some of the different spheres, hardware, software, restrictions on trade, who's allowed to have what in different people's telecommunication systems.
Seems to me like there's a lot of action in this area right now, and you're a good person to touch base with on this.
What's on your radar right now?
Yeah, it is. And it's one of those things that it comes out almost like dripping from different places here and there.
But when you start looking at the whole picture,
it becomes fairly overwhelming and obvious that there are major changes going on.
And to the point that it really is the area where we're seeing industrial policy
making a very big comeback over the course of the last two years and really will continue
going forward. And what that means for those of us in the cybersecurity community,
it's really the industrial policy is focused on that technology and the software,
the hardware, and just trusted technologies within your own ecosystems.
It's really become quite a prominent tool to help ensure that,
and almost to the point where I know we've talked a lot about the weaponization of cyber,
and that is something that garnered a ton of discussion for a while
and almost is taken for granted now.
We're seeing the same thing starting to happen and evolve in trade policy
as it pertains to technologies.
And so just a good example of that would be there's a tech partnership
called the Quad, which is India, Japan, Australia, and U.S.,
really focused on helping create more resilient and trusted technologies,
collaboration and networks across those countries.
And I think that's just one of several instances that we're seeing.
And then even just within the U.S., there's a huge whole-of-government approach from DOD, Treasury, Commerce, State Department, FCC,
all focused on ensuring trusted technologies are within the supply chain and within the ecosystem,
both of the government, the government's providers,
and then within U.S. companies as well.
And sort of a good example is just Commerce alone
has basically on their deny list
has over 300 different Chinese companies
that are part of that.
And we hear a lot about Huawei, perhaps ZTE,
but when you start thinking about it,
it's really that broad to everything from drone makers to surveillance companies.
It's a whole range of technology, technological companies that are under there.
Yeah, and I mean, it has the potential to really be a serious tension there.
I mean, so much of our stuff, the stuff we rely on day to day. I'm
looking at my mobile device, my iPhone, you know, these things, they come out of China and it's not
like we can just switch to a different nation to provide those, you know, by turning a dial.
No, and I think that's where it's going to be, you know, something to keep an eye on is,
you know, on the one hand, where does it make sense to maintain those ties? Because I think
that any kind of, you know, there's too many just interdependencies, right, to do a complete
divide. But at the same time, there is going to have to be, you know, based on just the regulatory
framework and how everything is evolving, you know, companies really do need to think about
what their plan is to deal with these regulations so they're not in compliance
problems, but also there are national security issues that come along with it as well.
The government has talked about funding some aspects of this, especially for telecoms.
The rip-and-replace is in the billions by estimates.
I mean, if you think about some of the small companies, that's just going to be very, very hard.
So there is a focus on the government providing various kinds of funding for that.
But at the same time, while it is going to be a big investment,
it's almost a necessity, at least the way the regulatory framework is evolving right now.
Australia recently released their list of core technologies that they're focusing on.
And basically, a fundamental belief within those technologies is focusing on collaboration with like-minded nations. And that's a term that you're going to just continue to hear.
We've heard it a fair amount,
but we're going to keep hearing that
as far as really what it means,
the like-minded nations,
the alliance of the democracies, really.
What may fall into a democracy
then becomes the next question
based on various criteria and so forth
because there are different,
like Australia, for instance,
has the anti-encryption law, right?
And so how does that play into basic data security for those companies in the U.S.?
So there are going to be a lot of interesting conflicts within democracies themselves as we try and figure out what that trusted network may look like.
And in its case, China is doing something very similar.
It basically has a strategy to lay out to replace U.S. and foreign technology with their own.
And I suppose, I mean, along with that are going to come ramping up manufacturing capabilities within various nations as well.
I mean, you know, you mentioned the rip and replace. I mean, you can only do that so fast.
Right. And that's why you can't do it alone. And I think that's the key thing that gets lost in a lot of
these conversations, that it really does take a community. And this is where I try and focus on the notion
of collective resilience,
where we actually need to be working together.
We cannot be doing all this alone.
We're all too interdependent.
It doesn't make sense financially,
for efficiency, for resilience,
for so many different reasons.
So we need to identify those areas
where comparative advantage exists
and leverage those.
And that's where, hopefully,
we continue to have more of these discussions
at the governmental level,
but I would even argue at the private sector level.
What can the private sector do,
both across with their peers for companies,
but also across or down within their supply chain?
Because there are things that the companies themselves
can also do across their entire supply chain
to help incentivize and encourage their own suppliers
to adhere to some of these trusted technology and security protocols.
And we really just haven't taken a holistic view on that and how to really create greater
collective resilience in this area for the government and for the private sector.
So I think there's going to be a lot of interesting things going on there over the next year.
Yeah.
All right.
Well, Andrea Little Limbago, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Ha!
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, ...
Thanks for listening. We'll see you back here tomorrow.
... and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.
