2022 begins with the continuing detection and mitigation of Log4j vulnerabilities.
On December 28th Checkmarx reported, and Apache fixed, a new arbitrary code execution vulnerability in Log4j. Newly released Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6) all address CVE-2021-44832. BleepingComputer, keeping score, counts this as the fifth Log4j CVE that's been addressed in less than a month.
Microsoft last week issued new services designed to protect its users against exploitation of Log4j vulnerabilities. "New capabilities in threat and vulnerability management including a new advanced hunting schema and support for Linux, which requires updating the Microsoft Defender for Linux client; new Microsoft Defender for Containers solution," the company blogged on December 27th.
Redmond on Monday updated its Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. It's clear, sobering, and worth attention. In brief, Microsoft's researchers have been seeing on-going exploitation across the full range of threat actors, from intelligence services down to low-level grifters using commodity tools. The vulnerabilities represent, in sum, "a complex and high-risk situation for companies across the globe." That risk extends beyond applications that use vulnerable libraries to any services that themselves employ such applications. Microsoft concludes, "Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance."
The good news, as the Washington Post sees it, is that both companies and government agencies seem to be taking the issue seriously, and have been more on top of things than they were, for example, in the earlier Shellshock and Heartbleed incidents. May the vigilance be as ongoing as possible.
1.3.22
Industrial control system vendors are working to close Log4j vulnerabilities in their products. SecurityWeek has a useful and interesting summary of the ways in which the companies are working on the problem. Most of the issues the companies have found are related specifically to Log4shell, but some of the other, later and lesser vulnerabilities have also been detected.
The UK's National Health Service on Thursday issued a warning that "unknown threat actors" are working to exploit vulnerable VMware Horizon servers to set up webshells in their victims, thereby establishing persistence in their targets. The versions under active exploitation include Horizon Connection Server (64-bit) 2006-2111, 7.13.0-7.13.1, and 7.10.0-7.10.3. VMware was quick to respond to notification of Log4j vulnerabilities, and its products have received appropriate upgrades. Nonetheless, as the Record points out, a non-negligible number of users haven't yet updated their software, and the threat actors are misbehaving accordingly.
NHS doesn't identify the threat actor whose behavior it describes, and indeed there may not be any single actor responsible for the attempts. Duo Security's Decipher says that more than one bad actor is engaged in this kind of exploitation: "[S]ince the first disclosures of the Log4j bug a wide variety of attack groups have been exploiting it. APT groups, lone actors, and cybercrime groups all have been seen exploiting one or more of the Log4j flaws that have been disclosed in the last few weeks."
Ransomware exploitation of Log4j vulnerabilities.
Ransomware gangs have continued to exploit these vulnerabilities where they can. BleepingComputer reports that the Vietnamese cryptocurrency trading firm ONUS has declined to pay the $5 million ransom that hoods demanded in a double-extortion scheme.
As an indication of the speed with which criminals can move on newly available exploits, Cyclos delivered a patch for its systems on December 13th, and ONUS promptly applied it. That was just four days after Log4shell was first publicly disclosed, but by then it was already too late. The hoods had gained access to know-your-customer databases that contained personal information and hashed passwords.
Another nation-state actor exploits Log4j issues.
CrowdStrike has found Log4shell exploitation tools in the possession of Aquatic Panda, a Chinese-government operated threat group. The researchers explain, "AQUATIC PANDA is a China-based targeted intrusion adversary with a dual mission of intelligence collection and industrial espionage. It has likely operated since at least May 2020. AQUATIC PANDA operations have primarily focused on entities in the telecommunications, technology and government sectors. AQUATIC PANDA relies heavily on Cobalt Strike, and its toolset includes the unique Cobalt Strike downloader tracked as FishMaster. AQUATIC PANDA has also been observed delivering njRAT payloads to targets." The affected organization was able to address the issue, patch the vulnerability, and disrupt the attempt.
Nur-Sultan locks down the country's Internet.
As widespread unrest and an increasingly violent government response continue in Kazakhstan, that country's government has cut back Internet services to an effective blackout level. Netblocks says that the interruption, which began Wednesday at about 5:00 PM local time, has also affected mobile and some fixed-line telephone services. This morning service had, as Netblocks put it, "flatlined" at 55% of normal levels. President Kassym-Jomart Tokayev, who has requested and received military support from the Russian-led Collective Security Treaty Organization (CSTO) of former Soviet republics to put down civil disorder, opened up mass communications long enough to deliver an address explaining the steps his government is taking. (The CSTO includes Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Tajikistan, in addition to Russia.)
One consequence of the Internet blackout in Kazakhstan has been a disruption of cryptocurrency mining in that country. After China cracked down on coin mining in 2021, many coin-miners set up shop in Kazakhstan, which became the world's second largest center of alt-coin mining (after the US, which moved into first place after Chinese restrictions came into effect). CNBC reports that the disruption of mining in the Central Asian country has already had an effect on Bitcoin prices.
DPRK operators are phishing for Russian diplomats.
The DPRK's isolation would lead one to think that North Korean APTs are interested in targeting most countries, and that seems to be the case. Cluster25 reports finding a New Year's virtual greeting card-cum-screensaver, packaged as a zip file, that's directed at Russian diplomats and that carries Pyongyang's familiar Konni remote access Trojan (RAT) as its payload. The tactic may seem too obvious for anyone to fall for, but, as Recorded Future points out, it's a good bet somebody will. The greeting with a phish hook is the most recent in a series of North Korean attempts to compromise Russian diplomatic targets.
Tehran-aligned hacktivists commemorate General Soleimani's death.
Reuters reports that the Jerusalem Post was hit yesterday in an apparent hacktivist incident that came on the anniversary of the US drone strike that killed Iranian General Qasem Soleimani in 2020. Hackread says that the Israeli Hebrew-language news outlet Maariv also had its Twitter account compromised briefly with a message similar to the one that appeared on the Jerusalem Post's website. The content injected in both cases warned of vengeance for the death of Quds Force commanding general Qasem Soleimani in a US drone strike two years ago. It's unclear which group, specifically, was responsible for either incident, but alignment with Iranian policy seems obvious enough. Reuters reports that Iranian President Ebrahim Raisi yesterday demanded the trial of former US President Trump and Secretary of State Pompeo for the murder of Soleimani (which the US has characterized as a legitimate battlefield killing). Failing such a trial, "Muslims will take our martyr's revenge," President Raisi said.
Ransomware attacks afflict media outlets.
Last week and over the past weekend several media companies have been hit with cyberattacks that are interfering with publication. Reuters reports that the websites of Portugal's Expresso newspaper and SIC TV station, both owned by the media conglomerate Impresa, have been taken down by a ransomware attack. The Lapsus$ Group gang has claimed responsibility. SC Magazine reports that last week Norway's Amedia (which owns some fifty newspapers and the Avisenes Nyhetsbyrå news agency) was hit with an unspecified cyberattack that disrupted printing.
"Highly polymorphic" ransomware hits video platform.
Researchers at Palo Alto Networks' Unit 42 have found criminals exploiting a cloud video platform to infect a real estate company's websites with formjacking skimmer malware. The skimmer was so placed in a video that it was injected into sites that downloaded the content. Researchers assess the skimmer itself as "highly polymorphic, elusive and continuously evolving." The data the skimmer collected included names, email addresses, phone numbers, and credit card information. Palo Alto identified neither the platform nor the company, but Recorded Future does, reporting that the video platform was Brightcove, and the affected business was Sotheby's real estate unit.
The Vice Society hits UK supermarkets.
The relatively new ransomware gang Vice Society, first observed in 2021, has claimed responsibility for an attack against about six-hundred Spar supermarkets in the UK. Tech Monitor says that observers believe the gang uses the PrintNightmare vulnerability as its preferred mode of access to its victims. Young though they may be, the Vice Society has already acquired a reputation for ruthlessness and lack of discrimination in its target selection, hitting schools and hospitals as often as it hits commercial enterprises. The gang may have some connection to the longer-established HelloKitty group, and that outfit is believed to operate from Ukraine.
The US Cybersecurity and Infrastructure Security Agency (CISA) of course spent the holidays working to mitigate the risk of Log4j vulnerabilities in Federal systems, but its more routine work also continued. On December 23rd, 2021, CISA released two industrial control system (ICS) advisories, for Johnson Controls exacq Enterprise Manager and Moxa MGate Protocol Gateways.
Microsoft is working to fix an issue with on-premises Exchange Servers that's been causing emails to hang in transport queues since January 1st. BleepingComputer says the problem arose because Microsoft used a signed int32 variable to store the value of the date, but the minimum value of dates in 2022 exceeds the maximum permissible value. "The problem relates to a date check failure with the change of the new year and it is not a failure of the AV engine itself," Redmond explained. "This is not...a security-related issue."
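To make the overflow concrete, here is an added example (not Microsoft's code, and not code from any of the outlets cited above). It assumes the date is packed into a decimal integer laid out as YYMMDDHHMM; that layout is an assumption made for illustration. It shows that the last stamp of 2021 fits in a signed 32-bit integer while the first stamp of 2022 does not, and what a silently wrapping conversion would turn the 2022 value into, which is why a subsequent date check fails.

```python
# Added illustration of the signed-int32 date-stamp overflow described above.
# ASSUMPTION: the stamp is a decimal integer laid out as YYMMDDHHMM.

INT32_MIN = -(2**31)
INT32_MAX = 2**31 - 1  # 2147483647


def encode_version_date(year, month, day, hour=0, minute=0):
    """Pack a timestamp into the assumed YYMMDDHHMM decimal layout."""
    return int(f"{year % 100:02d}{month:02d}{day:02d}{hour:02d}{minute:02d}")


def fits_int32(value):
    """True if the value can be stored in a signed 32-bit integer without loss."""
    return INT32_MIN <= value <= INT32_MAX


def wrap_int32(value):
    """Emulate a truncating store into a signed 32-bit variable (two's complement)."""
    return ((value + 2**31) % 2**32) - 2**31


def check_version_stamp(value):
    """Report whether a stamp survives a 32-bit store; return (status, stored_value).

    A 'overflow' status with a negative stored value is the failure mode
    the advisory describes: the stored stamp no longer compares as a valid date.
    """
    stored = wrap_int32(value)
    status = "ok" if fits_int32(value) else "overflow"
    return status, stored


if __name__ == "__main__":
    for label, stamp in (
        ("last minute of 2021", encode_version_date(2021, 12, 31, 23, 59)),
        ("first minute of 2022", encode_version_date(2022, 1, 1, 0, 1)),
    ):
        status, stored = check_version_stamp(stamp)
        print(f"{label}: stamp={stamp} int32={stored} status={status}")
```

Running the block prints the 2021 stamp unchanged with status `ok` and the 2022 stamp flipped to a negative number with status `overflow`. Widening the storage to 64 bits, or not packing a calendar date into a version integer at all, is the defensive lesson; the check above is the kind of range validation that would have caught the bad store before it reached the date comparison.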
Crime and punishment.
Vladislav Klyushin, the Russian tech oligarch who faces charges in the US over alleged trading on non-public information obtained by hacking, was denied bail midweek by a US Federal Magistrate in Boston, Newsweek reports. Reuters says Mr. Klyushin pleaded not guilty. His attorneys maintain that the charges are trumped up, and that the US wants Mr. Klyushin in custody to extract what he knows about Russian attempts to interfere with the 2016 US elections.
Complaints about robocalls to the US Federal Trade Commission (FTC) increased by 25% over the past year, Reuters reports. Automation permits the scammers to operate on a large scale, and more widespread use of spoofing has lent the calls more initial plausibility than they would otherwise enjoy.
Courts and torts.
The US Federal Trade Commission (FTC) isn't about to let businesses forget their responsibility to address the Log4j vulnerabilities. The FTC has given the businesses it regulates some direct advice on how seriously they ought to take the recently discovered Log4j vulnerabilities: "The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action." The Commission's advisory includes a pointed reminder of what happened to Equifax when the credit bureau's failure to patch Apache Struts was implicated in a data breach that compromised information on some 147 million individuals.
Media reaction to the US Federal Trade Commission's advisory about companies' responsibility for fixing Log4j vulnerabilities has focused on the FTC's tough line, and not-so-veiled warning that businesses would be well advised to get on with detection, remediation, and disclosure, lest they get the Equifax treatment.
Policies, procurements, and agency equities.
As Presidents Putin and Biden prepare to meet next week in Switzerland, Reuters reports that NATO's foreign ministers also intend to meet to develop the Atlantic Alliance's response to the threat Russia poses to Ukraine. An Atlantic Council policy paper recommends that the US recognize that, like it or not, this is effectively a period of hybrid war (both cyber and kinetic) and the US ought to act accordingly: “The United States must respond where competition with China and Russia is taking place today, primarily by playing an enhanced role in gray-zone competition.”
The US Cybersecurity and Infrastructure Security Agency (CISA) told MeriTalk that large Federal agencies have substantially complied with Emergency Directive 22-02, which required that they take specified actions to mitigate risk by December 23rd, and that they report their status by December 28th. A CISA spokesperson said, “Agencies have reacted with significant urgency to successfully remediate assets running vulnerable Log4j libraries, even over the holiday season, or to mitigate the majority of affected applications identified that support ‘solution stacks’ that accept data input from the internet. CISA has received status reports from all large agencies, which have either patched or deployed alternate mitigations to address the risk from thousands of internet-connected assets, the focus of the recent Emergency Directive." Full mitigation of the risk remains a work in progress.
Regulators and legislators are looking for ways of preempting the next widespread vulnerability, and for the required responses and incentives (these last more stick than carrot) for organizations to do better. Defense Daily says US Senator Gary Peters (Democrat of Michigan), chairman of the Senate Homeland Security and Governmental Affairs Committee, commented yesterday that the Log4j issues show the importance of mandatory reporting requirements.
Duo's Decipher points out that, while the US Cybersecurity and Infrastructure Security Agency (CISA) has indicated that the agencies it oversees are now in general compliance with Emergency Directive 22-02 (Mitigate Apache Log4j Vulnerability), the agency has been tight-lipped about details of compliance. This is understandable in what CISA characterized to MeriTalk yesterday as an ongoing process of remediation, and the agency intends to issue a cross-agency status report by February 15th.
The experience of finding and fixing Log4j vulnerabilities has demonstrated how complex the software supply chain is, and how complicated the process of vetting it will inevitably be. As ZDNet puts it in writing about this particular case, "the Log4j flaw for Java web applications will haunt tech people for years." An essay in POLITICO argues, in part, that Log4j has exposed the limitations of the self-correcting, evolutionary model of security that's long informed the open-source community's practices.
Fortunes of commerce.
TheHill reports that the Cyber Ninjas, the firm that conducted the controversial election audit in Maricopa County, Arizona, has gone out of business. The proximate cause of the exit appears to have been a judge's order that the business turn election review records over to the Arizona Republic.
A University of Delaware study suggests that hacktivists may in 2022 increasingly hit companies they feel are guilty of "greenwashing," that is, falsely and publicly claiming corporate social responsibility as a core value, but then failing to live up to their pious brand placement.