Updates on Log4shell, now being exploited in the wild. India PM’s Twitter account is hijacked. Extortion at Brazil’s Ministry of Health and Volvo. Phishing sites’ lifespan. Sentence passed.
Dave Bittner: The Log4shell vulnerability is trouble, and its remediation isn’t going to be quick or easy. In India, Prime Minister Modi’s Twitter account was hijacked. Official Brazilian COVID vaccination databases are stolen and rendered unavailable. Extortionists claim to have taken sensitive, proprietary R&D information from Volvo. Phishing sites appear and vanish in a matter of hours. Rick the Tool Man Howard expands his cast of characters. Robert M. Lee from Dragos shines a light on solar storms and risk management. And sentence is passed in a case related to the Kelihos botnet.
Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Monday, December 13, 2021.
Dave Bittner: Organizations and security agencies have spent the weekend grappling with a vulnerability that’s proved to have wide-ranging implications.
Dave Bittner: At the end of last week, a vulnerability in the Java Log4j library was disclosed. Now generally being called Log4shell, a vulnerability in Apache's Log4j library that's formally tracked as CVE-2021-44228, the effects are serious, widespread and difficult to mitigate. NIST describes the problem as an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Dave Bittner: The problem lies in the lookup function, security firm Sophos explains. Apache describes the function and how it might be exploited in its Logging Services blog. The vulnerability could give attackers a means of controlling a server, executing whatever code they might choose to execute.
Dave Bittner: In its useful overview of how exploitation works, security firm Cygenta credits researchers at Alibaba with discovering the flaw back in November, and then responsibly disclosing it to Apache. That’s why upgrades to Log4j were out by the time the vulnerability was disclosed last week. The Wall Street Journal compares Log4shell in scope and risk to 2014's Heartbleed vulnerability, and it’s probably an apt comparison.
Dave Bittner: Log4shell has by now moved beyond the proof-of-concept stage, and is being actively exploited in the wild. Widespread exploitation appears to have begun only after the vulnerability was publicly disclosed, but researchers at both Cloudflare and Cisco Talos say they saw signs of an exploit in the wild some nine days before that disclosure. It was minor and not widespread, but someone was on to the vulnerability before proofs-of-concept were out. Since the disclosure last week, white hats have developed proofs of concept and black hats have weaponized the vulnerability and used their exploits in the wild.
Dave Bittner: So exploitation of what amounts to a software supply chain issue isn’t unified or systematic, the work of any single threat actor, but is rather distributed and opportunistic.
Dave Bittner: All of the Five Eyes have issued warnings about Log4shell, as have other allied cybersecurity services. Their advice is consistent - the flaw is serious, and enterprises should take immediate steps to mitigate their risk.
Dave Bittner: Cybersecurity and Infrastructure Security Agency Director Jen Easterly on Saturday wrote in part, quote, "This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software. Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates," end quote.
Dave Bittner: Britain's National Cyber Security Center warns that it's detecting active scanning for the vulnerability, and singles out five Apache frameworks as particularly at risk - Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and Apache Swift. The Australian Cyber Security Center tells affected organizations that it's standing by and available to render assistance.
Dave Bittner: The Canadian Center for Cyber Security urges immediate patching, and a number of Canadian government sites are taken offline. The reaction was especially quick and thorough in Quebec, where the province's Ministry for Government Digital Transformation has, according to CBC, shut down almost 4,000 websites as a precautionary measure. The responsible Minister, Eric Caire, explained the decision, saying, we were facing a threat with a critical level of 10 out of 10. According to the new protocols by the head of government information security, that rating automatically calls for the closure of the targeted systems. CERT-NZ in New Zealand is also urging their users to protect themselves. Germany's BSI in its alert emphasizes both the severity of the risk and prospect of remote code execution. The BSI rates the risk red - that is, of the highest severity.
Dave Bittner: France's CERT-FR warns that the issue is already undergoing exploitation in the wild and urges users to upgrade to the latest version of Log4j as soon as possible. The Swiss Government Computer Emergency Response Team, like the NCSC, offers advice on what to do when patching is impossible or impractical. It adds a list of indicators of compromise, and it also has a clear description of the exploitation kill chain that defenders will find useful. And the Netherlands NCSC has posted a comprehensive list of affected software. The CyberWire has a summary of the vulnerability and how organizations are responding to it on our website.
Dave Bittner: Elsewhere in cyberspace, the usual crimes - vandalism and larceny, both petty and grand - continue. Indian authorities are investigating the hijacking of Prime Minister Modi's Twitter account, The Wall Street Journal reports. The motive appears to have been relatively frivolous. The attackers tweeted, obviously falsely, that India had declared bitcoin its official currency. India has, in fact, been considering imposing some stringent regulations on the trading and use of altcoin generally. As the Journal writes, quote, "the hack came after the Indian government last month said it would consider a bill to prohibit private cryptocurrencies in India, with some exceptions, and create an official digital currency to be issued by the Reserve Bank of India, according to a parliamentary bulletin," end quote.
Dave Bittner: Brazil's Ministry of Health has sustained a significant data breach, according to Reuters. The attack hit Friday, and police are investigating. A group calling itself the Lapsus$ Group claimed responsibility, telling the ministry that its data had been copied and then deleted. Quote, "contact us if you want the data back," they said. The Brazilian government confirmed that the data had indeed been lost and said that it's working to restore it. The affected data that has drawn the most attention involves COVID-19 vaccination records.
Dave Bittner: Volvo disclosed Friday that it had sustained a cyberattack. The company said, quote, "Volvo Cars has become aware that one of its file repositories has been illegally accessed by a third party. Investigations so far confirm that a limited amount of the company's R&D property has been stolen during the intrusion. Volvo Cars has earlier today concluded, based on information available, that there may be an impact on the company's operation," end quote. The threat actors were apparently intellectual property thieves, BleepingComputer reports. The Record assesses the theft as directed toward collecting ransom. A gang, Snatch, known to engage in such extortion, has claimed responsibility, listing Volvo among its victims in a November 25 post on their dark web site. Since then, they've published samples of what they allege are stolen Volvo data.
Dave Bittner: One of the difficulties of tracking down ransomware gangs and other criminal operators is the mayfly-like lifespan of their phishing pages. Security firm Kaspersky looked at such pages over the summer and found that phishing sites are surprisingly ephemeral. Quote, "the bulk of phishing pages were only active for less than 24 hours. In the majority of cases, the page was already inactive within the first few hours of its life," end quote. Blink, and you'll miss them.
Dave Bittner: And finally, SecurityWeek reports that Oleg Koshkin, a Russian national residing in Estonia who was convicted in June on U.S. charges related to his operation of crypter services that assisted the operators of the Kelihos botnet, has been sentenced. Mr. Koshkin received a four-year prison sentence for one count of conspiracy to commit computer fraud and abuse and one count of computer fraud and abuse.
Dave Bittner: And it's always my pleasure to welcome back to the show the CyberWire's own chief security officer and chief analyst, Rick Howard. Rick, great to have you back.
Rick Howard: Hey, Dave.
Dave Bittner: So for your seventh season of "CSO Perspectives" - and let me just - quick aside here. I can't believe we're seven seasons already.
Rick Howard: Oh, my God.
Dave Bittner: Oh, how the - time does fly, right?
Rick Howard: It does, indeed (laughter).
Dave Bittner: So for Season 7, you have introduced your Rick the Tool Man series, which is - of course, is modeled after one of your favorite TV shows from back in the '90s, "Home Improvement." I think like a lot of folks, I love that show. I still can't help myself - whenever I have a home improvement project, I walk around the house going (vocalizing).
Dave Bittner: But since you started it, I know I've wondered along with a lot of our listeners who your sidekick was going to be. I mean, after all, on the Tim the Tool Man show, he had Al Borland.
Rick Howard: He did, yeah.
Dave Bittner: So are you going to designate an official sidekick like they did on "Home Improvement"?
Rick Howard: Well, it's funny you mention that, Dave, because you're not alone. The "CSO Perspectives" mailroom was flooded with that question and a gaggle of suggestions about who it should be. So we're not the only ones. That's kind of nice. So if that kind of esoteric TV trivia from the '90s is your thing, download the last episode of the season and find out who it is.
Dave Bittner: Yeah. All right. Well, you know, the holidays are upon us. And this week's episode is not only the last of the season, it's also the last of the year before we take a much needed break, as I like to say our long winter's nap for the holidays.
Rick Howard: (Laughter) Exactly right. And, you know, 2021 seems like it has gone by extremely fast - right?
Dave Bittner: Yeah, yeah.
Rick Howard: ...With all these great shows that we produced. But simultaneously, it has dragged on on a snail's pace with, like, COVID stuff and political upheaval. Yeesh. What a year, right?
Dave Bittner: (Laughter) Yeah.
Rick Howard: So I just want to say, Dave, that these past 12 months, working with you - OK - on this daily podcast and "Hacking Humans Goes to the Movies" and all of the CyberWireXs that we've done together, that brings a little joy into the world for our listeners and has been a real big highlight for me. So - and I thank you for it, my friend. Happy holidays, and I will see you in 2022.
Dave Bittner: Well, thank you, Rick. And a heartfelt thanks to you, as well. I have to say, it was really exciting when we heard that the opportunity was coming up that maybe you could join us here at the CyberWire. And I really think it's been great. So on behalf of all the rest of us, what a great addition to the team you've been, and we're all looking forward to what is yet to come.
Rick Howard: Well, thank you, sir. And it's been a highlight so - like I said. So thank you very much for accepting me and giving me the freedom to do all this, and we will do it again next year.
Dave Bittner: All right. Right back at you. Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it is always great to have you back. You know, probably once or twice a year, I see a story come by, and the one from WIRED came by, written by Lily Hay Newman, who I have a tremendous amount of respect for as a journalist. This article is titled "A Bad Solar Storm Could Cause an 'Internet Apocalypse.'" You know, these come by once or twice a year. And I just wanted to sort of check in with you to calibrate, how big a deal is something like this?
Robert M Lee: I think Lily did a great job on the article for my two cents or whatever it's worth...
Dave Bittner: Yeah.
Robert M Lee: ...Where it was very measured. And usually, what turns me off about the EMP-style discussions is the sheer lunacy of how they're presented. You know, like, it's the - well, it's not about solar storms; it's about North Korea launching a missile. But they're going to drop it just a little bit above, but they won't actually take out the Capitol. They just want to take out the internet. And you know, oh, gosh, calm down. But like, you know, there's always some of that.
Robert M Lee: But I think the article is well presented in the sense that it talks about there is risk from high-altitude impact, from storms essentially creating EMP-like results across infrastructure. And it accurately captured that the electric system the United States, which is usually the the focus of these articles, has actually put a lot of research, development, preparation, etc. It will never be enough for the people who believe this is the existential crisis. But over the last decade, they've done a significant amount of work, and I like that the article talked about that there's not a lot of available data. So it's not as if people are ignoring a problem. It's - you don't even know if what you're doing is addressing the problem just 'cause the lack of insights and data on this. But we're doing something, and we're trying to be proactive. I think that's really sharp.
Robert M Lee: The open-ended question is, is it related to undersea internet cables? And I think that's a perfectly valid discussion where the electric sector has done a lot to be ready for these types of events. Maybe ISPs and sort of the transatlantic internet fiber and cable has not. And again, it goes back to, what can we invest to make it sort of a risk reduction that's appropriate with actually having some validation that it's going to work? And I think that's where most people get hung up.
Robert M Lee: So long story short, I don't think there's many serious people that debate the efficacy of the risk and say that, yeah, there's some risk there as it relates to storms and solar projections and so forth. But I do think most people struggle, myself included, with, well, what do you want me to do against a risk without understanding what I'm going to get in return? And it could - you could just waste a lot of resources by looking like you're doing something.
Dave Bittner: I think it's an interesting case study, though, I mean, in risk management, where you have something like this that historically we know has happened but seems to be unusual and yet could be a major event if it did happen. So dialing all of that in, your mitigations against something that has, you know, those particular aspects seems to me like it could be quite challenging.
Robert M Lee: Yeah, absolutely. And I think we've all had a master's level course over the last couple of years that people suck at risk management, right? So, like, it's - like, we're - it's not that we're just great at this. And we all need to be prepared for black swan events and once in 100, 200-year events. And you got to be prepared for it, anyways. And I think we've seen, especially relating to weather and climate and sometimes even cyber, where you're seeing, oh, that's that's a very unlikely thing to happen - once in 100 years. And it happens, like, four times in, like, five years. And you're like, oh, man. This is - OK, maybe our calculations are off.
Dave Bittner: Thousand-year floods, right?
Robert M Lee: Yeah, exactly. But when you're talking about winterizing an electric system in Texas and you're saying, yeah, it's a once in 100-year storm, but we know how to do it and we know that we'd be better off, that is a good conversation to have. And it's like, you know what? We need to invest in this. And the climate is unpredictable these days, and we can't have people dying in their homes because we didn't charge, you know, an uplift on the rate to be able to go winterize an electric system, you know? So there's some of those things that make sense.
Robert M Lee: Again, with these kind of discussions, though, I think where people lose traction is, what would you like me to do about it, so much so that I know it's actually going to return value? And if it's a, hey, we don't know when this is going to happen, we don't know what the impact is going to be, and it's extraordinarily rare and we don't know how to fix it - you combine all of those factors together, then people start turning off. And I think what some of the proponents of it sometimes lose out on is that last piece of it's not that people are not seeing the problem that they're seeing; it's that they don't see the resolution.
Robert M Lee: And I think every time you and I do an EMP-related segment, people emailing me for a week at least...
Dave Bittner: Me, too.
Robert M Lee: ...After like, you don't understand, Rob, and missiles - and, like, I get it. I really do understand the science behind it. I'm just saying we don't know how to solve it. So - and then you ask like, well, how much do you think this - how much do you think would be required to put a dent in the problem? And it's like, we need $300 billion to start. And it's like, what? (Laughter) That is not an early investment.
Dave Bittner: Right. But so I guess part of what I'm puzzling through in my mind here is, to what degree do you fund prevention, and to what degree do you fund cleaning up the mess afterwards? In other words, do we prevent the lights going out, or do we help people whose lights have gone out after the fact?
Robert M Lee: Yeah. I mean, this goes even to the cybersecurity discussion - right? - where everyone's always like, I want to prevent all cyberattacks. And, like, we can't. And also without detection, you don't even know what you're preventing. Without response, you never develop the right detection strategy. You got to do all three - prevent, detect, respond. And I don't think this is any bit different. There's going to be some element of detection of, hey, is there early warnings that we can establish that help us prepare, and, hey, you know, have the appropriate backup plans responsible for the situation. Is there a certain amount of response that we have an idea of what we can invest in to get things going again? Like, all of that is fair. And so I agree with you, but I don't know that we know. And it goes back to the, what are we going to invest?
Robert M Lee: And we can do as much research as we want. But as Lily's article captured, there's not a lot of data to operate on, so it's not a lack of interest and a lack of research. It's very theoretical for a lot of these discussions. And again, that doesn't mean we get to ignore it, but it means we have to be thoughtful in how much we invest in prevention, detection and response. Should it be all three? Yes. And especially if we don't know how to prevent it and we don't actually know what we're doing, then the response plan might be the best course of action. But if we don't know what we're preventing, then I don't know that we're going to know how to respond to it, either.
Robert M Lee: So we got to - again, we've got to be thoughtful in that, and then we've got to look at the other things that we could be using those resources for - winterizing the electric system as an example or redundant pathways as it relates to internet infrastructure, which are going to be useful in a lot of situations. And maybe they benefit the situation. Maybe they don't. But I don't think we can look at investments to be done by countries and their citizens in isolation of the other investments that need to take place.
Dave Bittner: All right. Well, Robert M. Lee, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.