CyberWire Daily - Log4Shell updates. Payroll provider disrupted by ransomware. Companies supporting surveillance distance themselves from the business. Cybercrime and IRL punishment.
Episode Date: December 14, 2021
An update on the Log4shell, and how it's being exploited in the wild. A ransomware attack disrupts a cloud-based business service provider. NSO Group is said to be considering selling off its Pegasus unit. A marketing presentation suggests Huawei has been deeply implicated in providing tools for Chinese repression. Nigeria's cyber gangs are acting like Murder, Inc. An arrest in Romania, sentences in Germany. Joe Carrigan looks at the language of cyber security. Our guest Brad Hawkins of SaferNet wonders if digital privacy even exists anymore. And news from Mars. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/238 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
An update on Log4Shell and how it's being exploited in the wild.
A ransomware attack disrupts a cloud-based business service provider.
NSO Group is said to be considering selling off its Pegasus unit.
A marketing presentation suggests Huawei has been deeply implicated in providing tools for Chinese repression.
Nigeria's cyber gangs are acting like Murder Incorporated.
An arrest in Romania, sentences in Germany.
Joe Carrigan looks at the language of cybersecurity.
Our guest Brad Hawkins of SaferNet wonders if digital privacy even exists anymore.
And news from Mars.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, December 14th, 2021.
Criminals continue scanning for the Log4Shell vulnerability,
and they've moved from cryptojacking to ransomware installation to data theft.
Organizations have begun their long slog through a remediation that will take months, if you follow the Wall Street Journal,
or years, if you believe CRN, or months, if not years, as ZDNet reports. In any case,
consensus is that Log4J isn't going to be a simple fix. The vulnerable code is easy to exploit
and is as close to ubiquitous as a Java logging package can be. The first step any
organization should take is to determine where the library containing Log4J is actually used,
and that's not a trivial task. As Duo Security observes, quote, Log4J is so prevalent,
utilized by millions of third-party enterprise applications, cloud services, and manufacturers,
including Apple, Twitter, and Tesla,
that security teams may have difficulties pinpointing where the library is actually being used.
End quote.
And once they've been found, upgrade Log4J or applications that use it
to Apache's latest version, which is 2.15.0.
Also, by consensus, the vulnerability is a serious one,
being compared variously to EternalBlue, NotPetya, ShellShock, and the like.
Netsparker, which thinks Log4Shell is arguably the worst software vulnerability ever,
offers a brief review of how the vulnerability might be exploited.
Quote, the vulnerability is high impact yet extremely easy to exploit. The attacker simply
needs to prepare a malicious Java file, put it on a server they control, and include a specific
string in any data that will be logged by the application server. When the vulnerable server logs this string,
Log4J will retrieve and execute Java code from an attacker-controlled server,
allowing arbitrary code execution.
If the code is a remote shell,
the attacker will obtain a local shell with the privileges of the system user
running the vulnerable application.
End quote.
JFrog discusses the implications.
Quote, this means that if any part of a logged string
can be controlled by a remote attacker,
the remote attacker gains remote code execution
on the application that logged the string.
End quote.
So, as Reuters reports,
we're seeing the familiar race between offense and defense.
The U.S. Cybersecurity and Infrastructure Security Agency continues its active outreach to organizations affected by Log4Shell.
The organization met yesterday with critical infrastructure stakeholders,
CyberScoop reports, and it's worth noting that in the U.S., at least,
most of these stakeholders are in the private sector.
The public sector
hasn't escaped tension either. On Friday, CISA added Log4Shell to its known exploited
vulnerabilities catalog of actively exploited vulnerabilities, and it gave the federal
agencies under its jurisdiction until Christmas Eve, December 24th, to apply updates per vendor instructions. CISA is updating its Apache
Log4J vulnerability guidance as new information becomes available. U.S. federal agencies and
other interested organizations may follow updates there. Scanning for vulnerable systems,
and this is presumably hostile, of course, has been very widespread, ZDNet reports.
Some of the earliest reports of exploitation in the wild involved, according to CyberScoop,
cryptojacking, but the crooks seem to have quickly moved on from this grubbiest level of cybercrime.
Microsoft researchers are among those who detected cryptojacking efforts,
but they also saw attempts to install Cobalt Strike
to enable credential theft and lateral movement
and exfiltrating data from compromised systems.
Since Cobalt Strike is a common precursor of ransomware,
VentureBeat and others had predicted
that ransomware exploiting the vulnerability would soon follow,
and Bitdefender has reported finding Log4Shell exploited to install
the relatively new Khonsari ransomware strain, as well as the Orcus remote-access Trojan.
And threat actors haven't been content to stick with the original exploits.
Check Point reports that new variations of the original exploit are being introduced rapidly,
over 60 in less than 24 hours.
Industrial control system security specialists at Dragos have evaluated the implications of
the vulnerability for operational technology networks. Quote, Dragos assesses with moderate
confidence that as network defenders close off more simplistic exploit paths and advanced
They recommend that organizations move to an assume-breach posture, and they also provide a useful set of steps that can be followed to locate Log4J in an enterprise's systems.
In sum, their recommendations are similar to those offered by CISA.
Sergio Caltagirone, vice president of threat intelligence at Dragos, summed up the company's advice in an email, quote, Log4J is used heavily in external or internet-facing and internal applications
which manage and control industrial processes,
leaving many industrial operations like electric power, water, food and beverage,
manufacturing, and others exposed to potential remote exploitation and access.
Dragos identified active exploitation of vulnerability CVE-2021-44228
and has provided immediate detection support and specific intelligence to industrial customers.
It's important to prioritize external and internet-facing applications over internal
applications due to their internet exposure, although both are vulnerable.
Dragos recommends all industrial environments update all affected applications where possible based on vendor guidance immediately and employ monitoring that may catch exploitation
and post-exploitation behaviors.
The CyberWire's ongoing coverage of Log4Shell can be found on our website.
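As an added example that is not part of the episode or any vendor's tooling, here is a Python scanner for the first step described above (finding where Log4j is actually used): it walks a directory tree, opens JAR/WAR archives and recurses into nested jars, looks for the JndiLookup class that Log4Shell abuses, and compares the log4j-core version read from each jar's Maven pom.properties against the 2.15.0 fix level the episode cites (FIXED_VERSION should be raised to whatever Apache's current fix is). The WAR it inspects by default is a constructed sample, not a real application.

```python
"""Find log4j-core inside JAR/WAR archives and flag versions below a fix level.
Added example (not the episode's or any vendor's code): opens each archive,
recurses into nested jars, looks for the JndiLookup class Log4Shell abuses and
reads the log4j-core version from the Maven pom.properties real jars ship."""
import io
import os
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FIXED_VERSION = (2, 15, 0)  # the Apache release the episode cites; raise as Apache does

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); anything unparsable -> None."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def inspect_archive(data, path):
    """Inspect one archive held in memory; returns a list of finding dicts."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container at all
    with zf:
        entries = zf.namelist()
        names = set(entries)
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        has_jndi = JNDI_LOOKUP_CLASS in names
        if has_jndi or version is not None:
            findings.append({
                "path": path,
                "version": version,
                "has_jndi_lookup": has_jndi,
                # Class present with an unknown version is treated as vulnerable.
                "vulnerable": has_jndi and (version is None or version < FIXED_VERSION),
            })
        for name in entries:  # fat jars and WARs embed further archives
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(name), f"{path}!{name}"))
    return findings

def scan_tree(root):
    """Walk a directory tree and inspect every archive found under it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                try:
                    with open(full, "rb") as fh:
                        findings.extend(inspect_archive(fh.read(), full))
                except OSError:
                    continue  # unreadable file: skip it, keep scanning
    return findings

def make_log4j_jar(version, include_jndi=True):
    """Constructed sample: a minimal jar laid out like log4j-core, not a real one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

def demo():
    """Constructed WAR bundling a vulnerable 2.14.1 core beside a patched 2.15.0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_log4j_jar("2.14.1"))
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", make_log4j_jar("2.15.0"))
    return inspect_archive(buf.getvalue(), "app.war")

if __name__ == "__main__":
    import sys
    for f in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print("VULNERABLE" if f["vulnerable"] else "ok", f["path"], f["version"])
```

Run it with a directory argument to scan real deployments; a jar whose pom.properties was stripped but still contains JndiLookup.class is reported as vulnerable so it gets a manual look.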
UKG Kronos has disclosed to its users that the Kronos private cloud is currently down due to a ransomware attack.
There are few details about the specific nature of the attack, but the business services customers depend upon from Kronos may, the company says, be unavailable for some weeks.
Prominent among those services are payroll processing and human resources functions.
The interruption of payroll processing comes at a particularly unfortunate time
during the holiday season, ZDNet notes. UKG recommends putting business continuity
procedures in place until their services can be restored.
One of their clients told the Record that whatever inconvenience is involved,
they appreciate UKG's realism in warning that recovery and restoration of service is likely to be a matter of weeks.
The Times of Israel reports that NSO Group, feeling pressure from U.S. sanctions
and the widespread odium abuse of its surveillance tools has attracted,
is said to be considering the sale of its Pegasus unit.
There are thought to be two potential unnamed suitors.
Should NSO Group succeed in offloading Pegasus in exchange for a cash infusion,
the company is expected to shift to purely defensive
products and services. Haaretz thinks other Israeli firms also in the intercept or surveillance
business may eventually come under U.S. sanction as well. The Washington Post finds Huawei documents
suggesting a closer connection to Chinese state surveillance than Huawei has yet acknowledged.
The documents were apparently marketing presentations and had been publicly available,
posted to a public-facing Huawei website before the company removed them late last year.
They show Huawei pitching how its technologies can help government authorities identify individuals by voice,
Huawei offered a denial that eschewed the subjunctive mood and the passive voice,
customary in such responses. Quote,
Huawei has no knowledge of the projects mentioned in the Washington Post report,
the company said after the Post shared some of the slides and asked for comment.
Like all other major service providers, Huawei provides cloud platform services that comply with common industry standards.
End quote.
So yeah, Washington Post, who are you going to believe, Huawei or your lying eyes?
Of course, we only ask this rhetorically.
A BBC investigation of Nigeria's Black Axe gang, a curious combination of student fraternity, quasi-religious cult, and criminal organization,
finds that the group is engaged in far more lethal operations than the crude advance fee scams it's commonly associated with.
The Black Axe is given to human trafficking and murder, even torture,
and the advance-fee Nigerian prince scams and other internet hokum they're associated with
are apparently ways of funding their core violent activity.
They have rivals known as the Eiye, the Buccaneers, the Pirates, and the Maphites,
and they're all engaged in a gang war for regional supremacy.
"I am the widow of the late Prince So-and-so" has become a punchline,
but there's nothing funny about the Black Axe or its rivals.
There's also some news from the world of law enforcement.
Europol describes the operation in which it, with the US FBI,
supported the Romanian National Police arresting a ransomware affiliate
targeting high-profile organizations and companies for their sensitive data.
The unnamed suspect, 41 years old, is one of those criminals, allegedly,
who buy their attack tools from others,
paying them an agreed-upon fraction of their take.
And a German court in Trier
has sentenced eight proprietors of the Cyber Bunker,
a bulletproof hosting service
operated from a decommissioned NATO bunker
in the Rhine Valley town of Traben-Trarbach that catered to online contraband markets.
The Cyber Bunker was closed down by police in 2019.
The operators received prison sentences ranging from one year suspended to five years and nine months, SecurityWeek reports.
And just one more thing.
We return to log4shell before we sign off.
So how widespread is the log4shell vulnerability?
It is literally interplanetary.
Log4j is in the code aboard NASA's Ingenuity Mars probe,
the one with the helicopter.
And in this case, when we say literally, we mean literally.
So get patching on the red planet, NASA.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI. Now that's a new
way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
When it comes to protecting your privacy online,
many security practitioners will recommend a VPN
as a potentially useful tool.
Many will also follow that advice with a warning
that not all VPNs are created equal, and it's a market with a wide spectrum of providers,
both good and bad. Brad Hawkins is CEO of VPN provider SaferNet.
Well, I got to tell you, I love the fact that people are starting to pay attention to it a
little bit now, even though they may be resigning to it.
But because before, it was hard to even get people to believe that their privacy was being invaded.
You know, basically, the most valuable part of business right now, or at least in the digital world, is metadata.
And people are losing their metadata all over the world all the time.
And most people don't even realize that it's happening.
So what are your recommendations then for folks who want to get on top of this?
What are some of the tools, the techniques that they have available to them to get a handle on it?
Really good question.
There's multiple things that I think are important.
One is turn off the Wi-Fi on your mobile devices.
When you're just at Starbucks, even if you're not Starbucks or any public Wi-Fi, I use Starbucks
as a general term, but when you're on any public Wi-Fi and you have your Wi-Fi turned
on on that device, even though you're not logged in,
there's still access to be able to reach into your device and gather that information.
And then be careful about what you're choosing to say yes to. I don't know if you're like most
people, but when you download an app, there's a large permission that you're giving to people.
It's fascinating. If you go through and read the permissions that you're giving,
you're basically giving complete control over your device just by
downloading an app. It could be a free app, but it could be a paid app. Still, you're giving that
information away. Be aware of what it is that you're giving away and understand what you're
getting in return. But I truly believe that one of the most important things
is to run a VPN 24-7, always on.
That VPN will put you into a communication tube
to anywhere that you're going on the internet.
When you're running a VPN,
people cannot penetrate that VPN,
especially if it's an encrypted VPN. I'd suggest an encryption
level of 256-bit, which is considered military or bank-grade encryption. So when you're running
that VPN, people are not able to penetrate. Just while we've been talking, I've probably been hit
oh, maybe 20 or 30 times by
outside sources trying to gather information off of my devices. And by running my VPN,
and we also have virus protection within that VPN, you can keep people from accessing your
information unless you choose to allow it like you would on a specific app that you're allowing in.
Now, you know, that is a product that you all supply, but broadly speaking, I think
there's a lot of confusion out there when it comes to shopping around for VPNs.
There are, you know, good suppliers, but there are absolutely bad suppliers out there as
well.
What's your guidance then for choosing a good one?
Very, very good question. And it's a little bit difficult because this bit of information is hidden, but it's important to find out who it is that owns the company. Who is the company behind
the company? There's a lot of larger companies that are actually owned by Chinese
companies, which is fascinating to me because I know as a company ourselves, we have access to
more data than really anybody else. Now, because we're a U.S.-based company and we have to abide
by all U.S. laws, when we put in our privacy statement that we don't hang on to any data,
we have to live by that.
And by dumping the data, as soon as it comes in, we don't collect it.
Now, I realize we could probably do the same thing that Google does and sell that data
and make an enormous amount of money.
But I personally believe that if we don't do that, people will gravitate towards the
privacy and the safety, be much more
motivated to use us versus other companies that might not be owned and operated under the same
rules that we have to operate under. That's a critical aspect of things, too, is you need to
make sure that that VPN is encrypted, which means that the data is scrambled as you travel through the internet.
If you just have a VPN that's not encrypted, if they penetrate that VPN, they can gather your data.
But even when you access a VPN that is encrypted, you can't even make sense of what happens.
So those are some critical aspects of what's happening. Now, in our VPN, I don't think there's anybody else that does
this, but we also put virus scrubbing, virus protection within that VPN so that if you wind
up at a website that happens to have viruses on it, you won't be able to allow that virus to get
back to your device. That's a special thing that we do. I don't know if there's really other competitors that do that from what I know, but really in my mind, making sure it's
an encrypted VPN, making sure it's owned by the U.S. or a company that has to abide by the rules
that they put out. European companies would be a wise move as well. So that's kind of the generals
that I would look at.
That's Brad Hawkins from SaferNet.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Joe Kerrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting article here from the Wall Street Journal
that actually you brought to my attention.
It's called The Language of Cybersecurity.
Test Your Vocabulary.
And this is written by Cheryl Winokur Munk.
What's going on here, Joe? So this was sent to me
by our executive director, Dr. Dahbura. Okay. And this article, I think,
makes a really good point about
cybersecurity jargon that they may not have actually
intended to make. But let's take a look at some of these.
Dave, I'm going to read them, and you tell me what they are. Oh, boy. Okay.
Chances are, Dave, you're going to do very well in this survey. I hope so.
What is an attack surface? What is an attack surface? That is the ways that people can get into your system. That is sort of the total combined ways that they can have access to your stuff.
Right.
Very good.
You said total, and the correct answer contains the word sum.
Okay.
The correct answer is a sum of different points that bad actors can use to enter your systems.
Okay.
Let's do one more.
Okay.
One more.
Let's see here.
Let's go with catfishing.
Oh, catfishing. Okay. Catfishing is when someone creates like a fictitious persona to try to trick you into something. So it could be like a, I don't know, like a romance scam or
something like that. They're pretending to be someone they're not to lure you in to do something
that they want you to do.
Exactly right. The answer in the quiz here is when a bad actor creates an online fictional persona,
almost the exact words you used, for deceptive purposes. So yes, that's correct. Now,
there are a couple of things that this article or this quiz makes a point about that they really
might not be trying to make a point about, but I picked up on it. Yeah. And that is, in any industry, jargon tends to be an exclusionary factor.
Yes.
Right? If you don't know the terms, then it's obvious you're not part of that club.
That's right.
Right? Cybersecurity is a club that we want more members in, right? So, it really is a bad idea
for us. I don't know if it's a bad idea to have jargon because we need a clear and concise way to communicate the ideas to one another without having to say long things, right?
Yeah.
You know, like if I'm going to say clickjacking, everybody's supposed to know what that is.
That's intercepting a browser click and redirecting it somewhere else, right?
But I don't want to have to say intercepting the browser click and redirecting it somewhere else.
I just want to say clickjacking.
Here's a great point in this article.
Number 10 is ransomware.
Okay.
And the first incorrect answer is a pejorative term for overpriced software.
I got to tell you, the first time I heard the term ransomware, that is exactly what
popped into my mind.
That is exactly what I thought that term meant until I learned what it meant a couple seconds ago.
So we really have to be more open
with our communication about what this jargon means.
We can't assume.
We have this thing called the curse of knowledge, right,
in the field where we live and breathe this stuff
every single day.
In fact, I use that exact phrase
in the comment I made in this article on the Wall Street Journal's website.
I scored 15 out of 15 on this quiz because this is what I do, right? Other people are scoring lower.
I'd like to hear from people who are doing about average, right? Getting about 50% of these
questions right. I'd like to know what keys they're missing. These are all very important concepts,
not just for cybersecurity professionals,
but for everybody who uses any kind of connected device.
And right now, that's just about everybody.
Yeah.
Right?
We all need to understand what these threats are,
and it's helpful to be able to communicate quickly
and elegantly with nice terms.
Yeah, I agree.
I think there's no question that there is too much gatekeeping
by some parties when it comes to welcoming folks
into cybersecurity.
I have a real problem with this.
What really gets my dander up is when I hear people,
like if, for example, an exchange would go like this.
Someone would say,
well, we've been keeping an eye on their TTPs.
Right.
Right.
And then someone will say, oh, what's a TTP?
And the person will say, oh, you don't know what a TTP is?
Right.
Yeah, yeah.
Oh, well, you consider yourself a cybersecurity professional and you don't know what a TTP is?
I've asked that question once in public.
I'm not ashamed to ask these questions because, frankly, I'm not too worried about it. It's not something that bothers me, but that kind of thing,
I'm like, no. And there's a lot of things I know that you don't know either. Yeah, yeah. But I
think your point is excellent. First of all, I think it's important for those of us who've been
around for a while, also those of us who are older, that we have the ability, we have the privilege, if you will, of saying, what does that mean?
Right.
Without fear of someone, you know, looking down on us or giving us a bad recommendation or blah, blah, blah, blah, blah.
Right. Agreed.
Our experience shields us from a lot of that.
Right. A younger person might not be able to pull that off as well.
Right.
That's right. Right. But I want to make the point that I think a lot of people think that asking those questions of saying, I don't know,
is a sign of weakness. Right. And I make the point that it is actually a sign of strength.
I would agree with that a hundred percent. And so if someone uses a term that you don't understand,
just say, I'm sorry, what does that mean? You used the term there that I don't understand.
What does TTP mean? I don't understand.
What does that mean?
The first time I heard TTP, I had no idea what it meant.
Yeah.
Just help me understand.
People want to be helpful.
So if you frame it that way, say, I'm sorry, wait, help me understand.
What does that mean?
That tends to not put them on the defensive.
You get to learn something.
You're viewed as being inquisitive rather than ignorant. So there are diplomatic ways to
handle this, but I think your overall point is excellent. We got to stop making people feel
dumb for not knowing things. Help spread the information. Don't keep it to yourself. Don't
let it be something that you lord over people just to demonstrate how smart you are, right?
A lot of us have a lot
of knowledge. Spread that wealth, right? Yeah, absolutely. That's how we're going to make us,
everybody, safer and solve these problems, not by keeping these secret code words to ourselves.
Yeah. The conversation has to be much more open and we have to be
much more willing to share information. We got to do better.
I agree.
All right.
Joe Carrigan, thanks for joining us.
It's my pleasure.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.