CyberWire Daily - Updates on Log4shell, now being exploited in the wild. India PM’s Twitter account is hijacked. Extortion at Brazil’s Ministry of Health and Volvo. Phishing sites’ lifespan. Sentence passed.
Episode Date: December 13, 2021

The Log4shell vulnerability is trouble, and its remediation isn't going to be quick or easy. In India, Prime Minister Modi's Twitter account was hijacked. Official Brazilian COVID vaccination databases are stolen and rendered unavailable. Extortionists claim to have taken sensitive, proprietary R&D information from Volvo. Phishing sites appear and vanish in a matter of hours. Rick the Toolman Howard expands his cast of characters. Robert M. Lee from Dragos shines a light on solar storms and risk management. And sentence is passed in a case related to the Kelihos botnet. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/237 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The Log4Shell vulnerability is trouble, and its remediation isn't going to be quick or easy.
In India, Prime Minister Modi's Twitter account was hijacked.
Official Brazilian COVID vaccination databases are stolen and rendered unavailable.
Extortionists claim to have taken sensitive proprietary R&D information from Volvo.
Phishing sites appear and vanish in a matter of hours.
Rick the Toolman Howard expands his cast of characters.
Robert M. Lee from Dragos shines a light on solar storms and risk management.
And sentence is passed in a case related to the Kelihos botnet.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 13th, 2021. Organizations and security agencies have spent the weekend grappling with a vulnerability that's proved to have wide-ranging implications.
At the end of last week, a vulnerability in the Java Log4j library was disclosed. Now generally being called Log4Shell, the flaw in Apache's Log4j library is formally tracked as CVE-2021-44228, and its effects are serious, widespread, and difficult to mitigate. NIST describes the problem: an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
The problem lies in the lookup function, security firm Sophos explains. Apache describes the function and how it might be exploited in its Logging Services blog: the vulnerability could give attackers a means of controlling a server, executing whatever code they might choose to execute. In its useful overview of how exploitation works, security firm Sygenta credits researchers at Alibaba with discovering the flaw in November and then responsibly disclosing it to Apache. That's why upgrades to Log4j were out by the time the vulnerability was disclosed last week.
The Wall Street Journal compares Log4Shell in scope and risk to 2014's Heartbleed vulnerability,
and it's probably an apt comparison.
Log4Shell has by now moved beyond the proof-of-concept stage
and is being actively exploited in the wild.
Widespread exploitation appears to have begun
only after the vulnerability was publicly disclosed,
but researchers at both Cloudflare and Cisco Talos say
they saw signs of an exploit in the wild some nine days before the disclosure.
It was minor and not widespread, but someone was on to the vulnerability before proofs of concept
were out. Since the disclosure last week, white hats have developed proofs of concept and black
hats have weaponized the vulnerability and used their exploits in the wild. So, exploitation of what amounts to a
software supply chain issue isn't unified or systematic, the work of any single threat actor,
but is rather distributed and opportunistic. All of the Five Eyes have issued warnings about
Log4Shell, as have other allied cybersecurity services. Their advice is consistent, the flaw
is serious, and enterprises should take immediate steps to mitigate their risk.
Cybersecurity and Infrastructure Security Agency Director Jen Easterly on Saturday wrote, in part,
quote, this vulnerability, which is being widely exploited by a growing set of threat actors,
presents an urgent challenge to network defenders given its broad use.
End users will be reliant on their vendors,
and the vendor community must immediately identify, mitigate, and patch
the wide array of products using this software.
Vendors should also be communicating with their customers
to ensure end users know that their product contains this vulnerability
and should prioritize software updates.
Britain's National Cyber Security Centre warns that it's detecting active scanning for the vulnerability and singles out five Apache frameworks as particularly at risk: Apache Struts 2, Apache Solr, Apache Druid, Apache Flink, and Apache Swift. The Australian Cyber Security Centre tells affected organizations that it's standing by and available to render assistance. The Canadian Centre for Cyber Security urges immediate patching, and a number of Canadian government sites are taken offline. The reaction was especially quick and thorough in Quebec, where the province's Ministry for Government Digital Transformation has, according to CBC, shut down almost 4,000 websites as a precautionary measure. The responsible minister, Éric Caire, explained the decision, saying, We were facing a threat with a critical level of 10 out of 10.
According to the new protocols by the head of government information security,
that rating automatically calls for the closure of the targeted systems.
CERT NZ in New Zealand is also urging their users to protect themselves.
Germany's BSI in its alert emphasizes both the severity of the risk and the prospect of remote code execution.
The BSI rates the risk red, that is, of the highest severity.
France's CERT-FR warns that the issue is already undergoing exploitation in the wild
and urges users to upgrade to the latest version of Log4j as soon as possible.
The Swiss government computer emergency response team,
like the NCSC, offers advice on what to do when patching is impossible or impractical.
It adds a list of indicators of compromise, and it also has a clear description of the
exploitation kill chain that defenders will find useful. And the Netherlands NCSC has posted a comprehensive list of affected software.
The Cyber Wire has a summary of the vulnerability and how organizations are responding to it on our website.
Elsewhere in cyberspace, the usual crimes, vandalism and larceny, both petty and grand, continue.
Indian authorities are investigating the hijacking of Prime Minister
Modi's Twitter account, the Wall Street Journal reports. The motive appears to have been relatively
frivolous. The attackers tweeted, obviously falsely, that India had declared Bitcoin its
official currency. India has, in fact, been considering imposing some stringent regulations on the trading and use of altcoin generally.
As the journal writes,
The hack came after the Indian government last month said it would consider a bill to prohibit private cryptocurrencies in India, with some exceptions,
and create an official digital currency to be issued by the Reserve Bank of India, according to a parliamentary bulletin.
Brazil's Ministry of Health has sustained a significant data breach,
according to Reuters.
The attack hit Friday and police are investigating.
A group calling itself the Lapsus$ Group claimed responsibility,
telling the ministry that its data had been copied and then deleted.
Quote, contact us if you want the data back, they said. The Brazilian government confirmed that the
data had indeed been lost and said that it's working to restore it. The affected data that
has drawn the most attention involves COVID-19 vaccination records. Volvo disclosed Friday that it had sustained a cyber attack. The company said,
Volvo Cars has become aware that one of its file repositories has been illegally accessed by a
third party. Investigations so far confirm that a limited amount of the company's R&D property
has been stolen during the intrusion. Volvo Cars has earlier today concluded, based on
information available, that there may be an impact on the company's operation. The threat actors were
apparently intellectual property thieves, Bleeping Computer reports. The Record assesses the theft
as directed toward collecting ransom. A gang, Snatch, known to engage in such extortion, has claimed responsibility,
listing Volvo among its victims in a November 25th post on their dark web site.
Since then, they've published samples of what they allege are stolen Volvo data.
One of the difficulties of tracking down ransomware gangs and other criminal operators is the mayfly-like lifespan of their phishing pages.
Security firm Kaspersky looked at such pages over the summer
and found that phishing sites are surprisingly ephemeral.
Quote,
The bulk of phishing pages were only active for less than 24 hours.
In the majority of cases, the page was already inactive
within the first few hours of its life.
End quote.
Blink, and you'll miss them.
And finally, Security Week reports
that Oleg Koshkin,
a Russian national residing in Estonia
who was convicted in June on U.S. charges
related to his operation of crypto services
that assisted the operators of the
Kelihos botnet has been sentenced. Mr. Koshkin received a four-year prison sentence for one count
of conspiracy to commit computer fraud and abuse and one count of computer fraud and abuse.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you
know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home. Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And it's always my pleasure to welcome back to the show the CyberWire's own Chief Security Officer and Chief Analyst, Rick Howard.
Rick, great to have you back.
Hey, Dave.
So for your seventh season of CSO Perspectives, and let me just quick aside here.
I can't believe we're seven seasons already.
Oh, my God.
Time does fly, right?
It does indeed. So for season seven, you have introduced your Rick the Toolman series, which is, of course, is modeled after one of your favorite TV shows from back in the 90s,
Home Improvement. I think like a lot of folks, I love that show. I still can't help myself
whenever I have a home improvement project, I walk around the house going,
er, er, er, er, er. But since you started it, I know I've wondered, along with a lot of our listeners, who your sidekick was going to be.
I mean, after all, on the Tim the Toolman show, he had Al Borland.
He did.
So are you going to designate an official sidekick like they did on Home Improvement?
Well, it's funny you mention that, Dave, because you're not alone.
The CSO Perspectives mailroom was flooded with that question and a gaggle of suggestions about who it should be. So we're not the only ones. That's kind of nice. So if that kind of esoteric
TV trivia from the 90s is your thing, download the last episode of the season and find out who it is.
Yeah. All right. Well, you know, the holidays are upon us, and this week's episode is not only the last of the season,
it's also the last of the year before we take a much-needed break,
as I like to say, our long winter's nap for the holidays.
Exactly right.
And, you know, 2021 seems like it has gone by extremely fast, right?
Yeah.
With all these great shows that we produce,
but simultaneously it has dragged on at a snail's pace
with like COVID stuff and political upheaval. Yeesh, what a year, right? But so I just want to
say, Dave, that these past 12 months working with you, okay, on this daily podcast and Hacking
Humans Goes to the Movies and all the Cyber Wire Xs that we've done together, that brings a little
joy into the world for our listeners and has been a real big highlight for me. So, and I thank you
for it, my friend. Happy holidays, and I will see you in 2022. Well, thank you, Rick, and a heartfelt
thanks to you as well. I have to say it was really exciting when we heard that the opportunity was
coming up that maybe you could join us here at the Cyber Wire. And I really think it's been great. So on behalf of all the rest of us, what a great addition to
the team you've been. And we're all looking forward to what is yet to come. Well, thank you,
sir. And it's been a highlight. So like I said, so thank you very much for accepting me and giving
me freedom to do all this. And we will do it again next year. All right. Right back at you. Rick Howard,
thanks for joining us. Thank you, sir.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company
safe and compliant.
And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos. Rob, it is always great to have you back.
You know, probably once or twice a year I see a story come by,
and one from Wired came by, written by Lily Hay Newman,
who I have a tremendous amount of respect for as a journalist.
This article is titled, A Bad Solar Storm Could Cause an Internet Apocalypse.
These come by once or twice a year, and I just wanted to sort of check in with you to calibrate
how big a deal is something like this.
I think Lily did a great job on the article for my two cents or whatever it's worth,
where it was very measured.
And usually what turns me off about the EMP-style discussions
is the sheer lunacy of how they're presented.
It's the, well, it's not about solar storms,
it's about North Korea launching a missile,
but they're going to drop it just a little bit above,
but they won't actually take out the capital,
they just want to take out the internet.
Oh gosh, calm down.
But there's always some of that.
But I think the article is well presented
in the sense that it talks about there is risk
from high altitude impact, from storms,
essentially creating EMP-like results
across infrastructure.
And it accurately captured that the electric system
in the United States,
which is usually the focus of these articles, has actually put a lot of research, development,
preparation, et cetera.
It will never be enough for the people who believe this is the existential crisis, but
over the last decade, they've done a significant amount of work.
And I like that the article talked about that there's not a lot of available data.
So it's not as if people are ignoring a problem.
You don't even know if what you're doing
is addressing the problem
just because of the lack of insights and data on this.
But we're doing something
and we're trying to be proactive.
I think that's really sharp.
The open-ended question is,
is it related to undersea internet cables?
And I think that's a perfectly valid discussion
where the electric sector has done a lot
to be ready for these types of events.
Maybe ISPs and sort of the transatlantic internet fiber
and cable has not.
And again, it goes back to what can we invest
to make it sort of a risk reduction that's appropriate
with actually having some validation
that it's going to work. And I think that's where most people get hung up. So long story short,
I don't think there's many serious people that debate the efficacy of the risk and say that,
yeah, there's some risk there as it relates to storms and solar projections and so forth.
But I do think most people struggle, myself included, with,
well, what do you want me to do against a risk
without understanding what I'm going to get in return?
And you could just waste a lot of resources
by looking like you're doing something.
I think it's an interesting case study, though,
I mean, in risk management, where you have something like this
that historically we know has happened,
but seems to be unusual and yet could be a major event if it did happen. So dialing all of that in
your mitigations against something that has the, you know, those particular aspects, uh, seems to
me like it could be quite challenging. Yeah, absolutely. I think we've all had a master's level course over the last couple of years
that people suck at risk management.
It's not that we're just great at this.
We all need to be prepared for black swan events
and once in 100, 200 year events.
You've got to be prepared for it anyways.
I think we've seen, especially relating to weather and climate
and sometimes even cyber,
where you're seeing,
oh, that's a very unlikely thing to happen.
Once in 100 years,
that happens like four times in like five years.
You're like, oh man, this is, okay.
Maybe our calculations are off.
Thousand year floods, right?
Yeah, exactly.
But when you're talking about winterizing
an electric system in Texas
and you're saying, yeah, it's a once-in-a-hundred-year storm,
but we know how to do it and we know that we'd be better off,
that is a good conversation to have.
And it's like, you know what, we need to invest in this.
And the climate is unpredictable these days,
and we can't have people dying in their homes
because we didn't charge an uplift on the rate
to be able to go winterize an electric system.
So there's some of those things that make sense.
Again, with these kind of discussions, though, I think where people lose traction
is, what would you like me to do about it so much so that I know
it's actually going to return value?
And if it's a, hey, we don't know when this is going to happen,
we don't know what the impact is going to be, and it's extraordinarily rare,
and we don't know how to fix it.
You combine all of those factors together,
then people start turning off.
And I think what some of the proponents of it
sometimes lose out on is that last piece
of it's not that people are not seeing the problem
that they're seeing,
it's that they don't see the resolution.
And I think every time you and I do an EMP-related segment,
people emailing me for a week at least after,
I'm like, you don't understand, Rob, and the missiles.
I'm like, I get it.
I really do understand the science behind it.
I'm just saying we don't know how to solve it.
And then you ask, how much do you think would be required
to put a dent in the problem?
And it's like, we need $300 billion to start.
And it's like, what?
That is not an early investment.
Right.
But so I guess part of what I'm puzzling through in my mind here is to what degree do you fund prevention and to what degree do you fund cleaning up the mess afterwards? In other words,
do we prevent the lights going out or do we help people whose lights have gone out after the fact?
Yeah, I mean, this goes even to the cybersecurity discussion, right? Where everyone's always like,
I want to prevent all cyber attacks. I'm like, we can't. And also without detection, you don't
even know what you're preventing. Without response, you never develop the right detection strategy.
You've got to do all three, prevent, detect, respond.
And I don't think this is any bit different.
There's going to be some element of detection of,
hey, is there early warnings that we can establish that help us prepare?
And hey, have the appropriate backup plans responsible for the situation?
Is there a certain amount of response that we have an idea
of what we can invest in to get things going again?
All of that is fair, and so I agree with you.
But I don't know that we know.
And it goes back to the, what are we going to invest?
And we can do as much research as we want, but as Lily's article captured, there's not a lot of data to operate on.
So it's not a lack of interest and
a lack of research. It's very theoretical for a lot of these discussions. And again, that doesn't
mean we get to ignore it, but it means we have to be thoughtful in how much we invest in prevention,
detection, response. Should it be all three? Yes. And especially if we don't know how to prevent it
and we don't actually know what we're doing, then the response plan might be the best course of action.
But if we don't know what we're preventing,
then I don't know that we're going to know how to respond to it either.
So again, we've got to be thoughtful in that.
And then we've got to look at the other things
that we could be using those resources for.
Winterizing the electric system, as an example,
or redundant pathways as it relates to internet infrastructure,
which are going to be useful in a lot of situations.
And maybe they benefit this situation, maybe they don't.
But I don't think we can look at investments to be done
by countries and their citizens in isolation
of the other investments that need to take place.
All right. Well, Robert M. Lee, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, Ha! And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com slash podcast.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karpf, Puru Prakash. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.