Log4Shell, a serious and widespread vulnerability in Apache's Log4j library.
At the end of last week a vulnerability in Apache's Java Log4j library was disclosed. Now generally called "Log4Shell," it's formally tracked as CVE-2021-44228. Its effects are serious, widespread, and difficult to mitigate. NIST explains, "An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled." JFrog writes, "This means that if any part of a logged string can be controlled by a remote attacker, the remote attacker gains remote code execution on the application that logged the string."
The problem lies in the lookup function, Sophos explains, (Apache describes the function and how it might be exploited in its Logging Services blog.) The vulnerability could give attackers a means of controlling a server, executing whatever code they might choose. Cygenta has a useful overview of how exploitation works. It credits researchers at Alibaba with discovering the flaw in November, then responsibly disclosing it to Apache, which is why upgrades to Log4j were out when the vulnerability was disclosed. The Wall Street Journal compares Log4Shell in scope and risk to 2014's Heartbleed vulnerability.
Widespread exploitation appears to have begun only after the vulnerability was publicly disclosed, but Cloudflare and Cisco Talos both report signs of an exploit in the wild nine days before that disclosure.
Both ESET and Fastly, to take two of the many security firms who've published recommendations, emphasize the importance of determining where the Log4Shell vulnerability exists in an organization, and of then applying the available patches. BleepingComputer offers a list of affected products along with vendor advice on mitigation, and SecurityWeek is maintaining a current list of tools and resources for defenders.
Organizations have begun their long slog through a remediation that will take months (if you follow the Wall Street Journal) or years (if you believe CRN) or "months if not years" (as in ZDNet's headline). Consensus is that Log4j won't be a simple fix. The vulnerability is easy to exploit and is close to ubiquitous as a Java logging package can be. Any organization should, first, begin by determining where the library containing Log4j is actually used, and that's not a trivial task. As Duo Security observes, "Log4j is so prevalent - utilized by millions of third-party enterprise applications, cloud services and manufacturers, including Apple, Twitter, and Tesla - that security teams may have difficulties pinpointing where the library is actually being used."
Five Eyes and allies respond to Log4Shell.
All Five Eyes have issued warnings about Log4Shell, as have other allied cybersecurity services. Their advice is consistent: the flaw is serious, and enterprises should take immediate steps to mitigate their risk. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly on Saturday wrote, "This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software. Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates." CISA is updating its Apache Log4j Vulnerability Guidance as new information becomes available.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued Emergency Directive 22-02, directing the US Federal agencies that fall within its remit to identify and update all vulnerable systems no later than 5:00 PM Eastern Standard Time on December 23rd. CISA gives the agencies until December 28th to report completion.
Britain's National Cyber Security Centre (NCSC) warns that it's detecting active scanning for the vulnerability, and singles out five Apache frameworks as particularly at risk: Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and Apache Swift. The Australian Cyber Security Centre tells affected organizations that it's standing by and available to render assistance. The Canadian Centre for Cyber Security urges immediate patching. CERT-NZ, in New Zealand is also urging users to protect themselves.
Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI) emphasizes both the severity of the risk and prospect of remote code execution. The BSI rates the risk "red," that is, of the highest severity. France's CERT-FR warns that Log4shell is already undergoing exploitation in the wild, and urges users to upgrade to the latest version of Log4j as soon as possible. The Swiss Government Computer Emergency Response Team offers advice on what to do when patching is impossible or impractical. It adds a list of indicators of compromise, and it also has a clear description of the exploitation kill chain that defenders will find useful. And the Netherlands NCSC has posted a comprehensive list of affected software.
Criminal activity around Log4Shell.
Scanning for vulnerable systems has been very widespread, ZDNet reports. Some of the earliest reports of exploitation in the wild, according to CyberScoop, involved cryptojacking, but criminals seem to have quickly moved on to ransomware installation to data theft. Microsoft researchers are among those who detected cryptojacking efforts, but they also saw attempts to install Cobalt Strike "to enable credential theft and lateral movement, and exfiltrating data from compromised systems."
Since Cobalt Strike is a common ransomware precursor, Venture Beat and others predicted that ransomware exploiting the vulnerability would soon follow. Bitdefender has reported finding Log4Shell exploited to install the relatively new Khonsari ransomware strain as well as the Orcus remote access Trojan.
And threat actors haven't been content to stick with the original exploits. Check Point reports that "new variations of the original exploit [are] being introduced rapidly- over 60 in less than 24 hours."
The criminal-to-criminal market has also taken note, and Microsoft has seen access brokers working to monetize the vulnerability: "MSTIC and the Microsoft 365 Defender team have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks. These access brokers then sell access to these networks to ransomware-as-a-service affiliates. We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms."
Nation-state actors exploiting Log4Shell.
Log4Shell is also being used by nation-state espionage services. Microsoft reported that it's seeing "the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives." Microsoft particularly draws attention to Iran's Phosphorus and China's Hafnium groups as among the nation-state actors that have been using Log4Shell against their targets.
Mandiant has also, SecurityWeek reports, seen Iranian and Chinese exploitation in progress. Mandiant thinks more intelligence services will be joining the party soon. The company's vice president of intelligence analysis, John Hultquist, emailed SecurityWeek to tell them, “We have seen Chinese and Iranian state actors leveraging this vulnerability, and we anticipate other state actors are doing so as well, or preparing to. We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting.”
Haaretz reports, citing sources at Check Point, that Iranian operators had by Wednesday sought to compromise seven Israeli governmental and commercial targets using Log4Shell exploits.
In some respects, however, nation-state exploitation seems less than might have been expected. The Wall Street Journal quotes CrowdStrike's senior vice president of intelligence, Adam Meyers to that effect: “It’s a surprise it’s not more widespread. The question that everyone is asking is, ‘What aren’t we seeing?’” Mandiant also expects to see more nation-state exploitation: "We expect threat actors from additional countries will exploit it shortly, if they haven’t already. In some cases, state sponsored threat actors will work from a list of prioritized targets that existed long before this vulnerability was known. In other cases, they may conduct broad exploitation and then conduct further post-exploitation activities of targets as they are tasked to do so."
SecurityScorecard reported Friday that it's observed Drovorub activity associated with Fancy Bear, APT28, Russia's GRU military intelligence service. Drovorub is a toolkit developed by the GRU for use against Linux-based systems.
Log4Shell's implications for OT networks.
Industrial control system security specialists at Dragos have evaluated the implications of the vulnerability for operational technology (OT) networks. "Dragos assesses with moderate confidence that as network defenders close off more simplistic exploit paths and advanced adversaries incorporate the vulnerability in their attacks, more sophisticated variations of Log4j exploits will emerge with a higher likelihood of directly impacting Operational Technology networks." They recommend that organizations move to an "assume breach" posture, and they also provide a useful set of steps that can be followed to locate Log4j in an enterprise's systems. In sum, their recommendations are similar to those offered by CISA.
Iranian government threat actors active against targets in the Middle East and Asia.
An apparent Iranian government threat actor, which Symantec "tentatively" associates with the organization known variously as Seedworm or MuddyWater, has been active against targets in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos. The cyberespionage campaign has concentrated on telecommunications and IT service providers. The attacks do not appear to use bespoke malware, but instead rely on legitimate tools and commodity malware. Once inside the targets, the operators live off the land, making use of the victims' own infrastructure, and steal credentials to pivot across networks of interest to them.
IBM independently has identified a novel attack vector in use by Iranian state actors: Slack. The group IBM tracks as TG17 (and others call MuddyWater), employed free workspaces in the legitimate and widely used business chat tool in an attempt to compromise an unnamed Asian airline. Slack has shut down the malicious workspaces and reassures users that their services as a whole have not been compromised.
Volvo sustains a cyberattack; IP theft seems to have been the goal.
Volvo disclosed Friday that it had sustained a cyberattack. The threat actors were apparently intellectual property thieves, BleepingComputer reports. In this case, the Record assesses the theft as directed toward collecting ransom. A gang, Snatch, known to engage in such extortion, has claimed responsibility, listing Volvo among its victims in a post on their dark web site. Since then they've published samples of what they allege are stolen data.
Payroll services provider disrupted by ransomware.
UKG Kronos has disclosed to its users that the Kronos Private Cloud is currently down due to a ransomware attack. There are few details about the specific nature of the attack, but the business services customers depend upon from Kronos may be unavailable for some weeks. Prominent among those services are payroll processing and human resources functions. The interruption of payroll processing comes, ZDNet notes, at a particularly unfortunate time during the holiday season.
High technical marks for commercial surveillance software.
Google's Project Zero concludes that companies are now able to develop offensive cyber capabilities once thought to be within the reach of only a few nation-states. Project Zero worked on a sample of NSO Group's ForcedEntry tool obtained by Citizen Lab in the course of its investigation of a zero-click iMessage exploit used earlier this year against a Saudi activist. Apple’s Security Engineering and Architecture (SEAR) group cooperated with Project Zero on the technical analysis.
Notes from the underground.
Symantec has an update on ALPHV/BlackCat ransomware group in which the researchers describe the Noberus ransomware the group's campaign uses. Noberus, which exists in at least three versions, is unusual in that it's written in Rust. It's commonplace in that it's used in double-extortion scams.
IBM says that Squid Game remains popular phishbait, much used against fans of the Netflix series. IBM recommends that businesses address these campaigns with employee awareness training.
Kaspersky finds that phishing pages are surprisingly ephemeral. "The bulk of phishing pages were only active for less than 24 hours. In the majority of cases, the page was already inactive within the first few hours of its life."
The last Patch Tuesday of 2021 occurred this week. The Zero-Day Initiative offers a rundown of fixes Adobe, Apache, Apple, Google, and Microsoft issued on Patch Tuesday.
Also on Patch Tuesday, the US Cybersecurity and Infrastructure Security Agency (CISA) released three industrial control system advisories: Advantech R-SeeNet, Schneider Electric Rack PDU, and Hillrom Medical Device Management (Update A).
On Thursday CISA added to its total of ICS advisories, releasing twenty-seven more.
Crime and punishment.
A BBC investigation of Nigeria's Black Axe gang, a curious combination of student fraternity, quasi-religious cult, and criminal organization, finds that the group is engaged in far more lethal operations than the crude advance-fee scams it's commonly associated with.
Europol describes the operation in which it, with the US FBI, supported the Romanian National Police in arresting "a ransomware affiliate targeting high-profile organisations and companies for their sensitive data."
Indian authorities are investigating the hijacking of Prime Minister Modi's Twitter account, the Wall Street Journal reports. The motive appears to have been relatively frivolous: the hijackers tweeted (obviously falsely) that India had declared Bitcoin its official currency. (India has in fact been considering imposing some stringent regulations on the trading and use of alt-coin generally.)
French police have arrested a man from the Vaucluse on charges related to laundering more than €19 million in ransomware payments, the Record reports.
Policies, procurements, and agency equities.
Iran's ambassador to the United Nations on Tuesday complained that Iran is really the victim in cyberspace, subject as it is, he said, to constant cyber harassment by Israel and the US. He called for more development of international norms for cyberspace.
The US Federal Reserve is moving in many areas of monetary policy, but Federal Reserve Chairman Jerome Powell told CNBC that cyberattack represented the most significant threat to financial stability. He was seconded by the JPMorgan International Council, which, CNN reports, also singled out cyber operations as "the most dangerous weapon."
Fortunes of commerce.
The Times of Israel reports that NSO Group, feeling pressure from US sanctions and the widespread odium abuse of its surveillance tools has attracted, is considering the sale of its Pegasus unit. There are thought to be two potential, unnamed suitors. Should NSO Group succeed in offloading Pegasus in exchange for a cash infusion, the company is expected to shift to purely defensive products and services. Haaretz thinks other Israeli firms also in the intercept or surveillance business may eventually come under US sanction.
The Washington Post finds Huawei documents suggesting a closer connection to Chinese state surveillance than Huawei has been willing to acknowledge. The files were a once-public marketing presentation the company took down when the Post asked them about it.