Log4Shell updates. Payroll provider disrupted by ransomware. Companies supporting surveillance distance themselves from the business. Cybercrime and IRL punishment.
Dave Bittner: An update on Log4Shell and how it's being exploited in the wild. A ransomware attack disrupts a cloud-based business service provider. NSO Group is said to be considering selling off its Pegasus unit. A marketing presentation suggests Huawei has been deeply implicated in providing tools for Chinese repression. Nigeria's cyber gangs are acting like Murder Inc. An arrest in Romania; sentences in Germany. Joe Carrigan looks at the language of cybersecurity. Our guest, Brad Hawkins of SaferNet, wonders if digital privacy even exists anymore. And news from Mars.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 14, 2021.
Dave Bittner: Criminals continue scanning for the Log4Shell vulnerability, and they've moved from cryptojacking to ransomware installation to data theft. Organizations have begun their long slog through a remediation that will take months, if you follow The Wall Street Journal, or years, if you believe CRN, or months, if not years, as ZDNet reports. In any case, consensus is that Log4j isn't going to be a simple fix. The vulnerable code is easy to exploit and is as close to ubiquitous as a Java logging package can be.
Dave Bittner: The first step any organization should take is to determine where the library containing Log4j is actually used, and that's not a trivial task. As Duo Security observes, quote, "Log4j is so prevalent, utilized by millions of third-party enterprise applications, cloud services and manufacturers, including Apple, Twitter and Tesla, that security teams may have difficulties pinpointing where the library is actually being used," end quote. And once they've been found, upgrade Log4j or applications that use it to Apache's latest version, which is 2.15.0.
Dave Bittner: Also, by consensus, the vulnerability is a serious one, being compared variously to EternalBlue, NotPetya, Shellshock and the like. Netsparker, which thinks Log4Shell is arguably the worst software vulnerability ever, offers a brief review of how the vulnerability might be exploited.
Dave Bittner: Quote, "the vulnerability is high-impact yet extremely easy to exploit. The attacker simply needs to prepare a malicious Java file, put it on a server they control, and include a specific string in any data that will be logged by the application server. When the vulnerable server logs this string, Log4j will retrieve and execute Java code from an attacker-controlled server, allowing arbitrary code execution. If the code is a remote shell, the attacker will obtain a local shell with the privileges of the system user running the vulnerable application," end quote.
Dave Bittner: JFrog discusses the implications. Quote, "this means that if any part of a logged string can be controlled by a remote attacker, the remote attacker gains remote code execution on the application that logged the string," end quote. So, as Reuters reports, we're seeing the familiar race between offense and defense.
Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency continues its active outreach to organizations affected by Log4Shell. The organization met yesterday with critical infrastructure stakeholders, CyberScoop reports. And it's worth noting that in the U.S., at least, most of these stakeholders are in the private sector.
Dave Bittner: The public sector hasn't escaped attention, either. On Friday, CISA added Log4Shell to its Known Exploited Vulnerabilities catalog of actively exploited vulnerabilities, and it gave the federal agencies under its jurisdiction until Christmas Eve, December 24, to apply updates per vendor instructions. CISA is updating its Apache Log4j vulnerability guidance as new information becomes available. U.S. federal agencies and other interested organizations may follow updates there.
Dave Bittner: Scanning for vulnerable systems - and this is presumably hostile, of course - has been very widespread, ZDNet reports. Some of the earliest reports of exploitation in the wild involved, according to CyberScoop, cryptojacking. But the crooks seem to have quickly moved on from this grubbiest level of cybercrime. Microsoft researchers are among those who detected cryptojacking efforts, but they also saw attempts to install Cobalt Strike to enable credential theft and lateral movement and exfiltrating data from compromised systems.
Dave Bittner: Since Cobalt Strike is a common precursor of ransomware, VentureBeat and others had predicted that ransomware exploiting the vulnerability would soon follow. And Bitdefender has reported finding Log4Shell exploited to install the relatively new Khonsari ransomware strain, as well as the Orcus remote access Trojan. And threat actors haven't been content to stick with the original exploits. Check Point reports that new variations of the original exploit are being introduced rapidly, over 60 in less than 24 hours.
Dave Bittner: Industrial control systems security specialists at Dragos have evaluated the implications of the vulnerability for operational technology networks. Quote, "Dragos assesses with moderate confidence that as network defenders close off more simplistic exploit paths and advanced adversaries incorporate the vulnerability in their attacks, more sophisticated variations of Log4j exploits will emerge with a higher likelihood of directly impacting operational technology networks," end quote.
Dave Bittner: They recommend that organizations move to an assume-breach posture, and they also provide a useful set of steps that can be followed to locate Log4j in an enterprise's systems. In sum, their recommendations are similar to those offered by CISA.
Dave Bittner: Sergio Caltagirone, vice president of threat intelligence at Dragos, summed up the company's advice in an email. Quote, "Log4j is used heavily in external or internet-facing and internal applications, which manage and control industrial processes, leaving many industrial operations, like electric power, water, food and beverage, manufacturing and others, exposed to potential remote exploitation and access. Dragos identified active exploitation of vulnerability CVE-2021-44228 and has provided immediate detection support and specific intelligence to industrial customers. It's important to prioritize external and internet-facing applications over internal applications due to their internet exposure, although both are vulnerable. Dragos recommends all industrial environments update all affected applications where possible based on vendor guidance immediately and employ monitoring that may catch exploitation and post-exploitation behaviors," end quote.
Dave Bittner: The CyberWire's ongoing coverage of Log4Shell can be found on our website.
Dave Bittner: UKG Kronos has disclosed to its users that the Kronos Private Cloud is currently down due to a ransomware attack. There are few details about the specific nature of the attack, but the business services customers depend upon from Kronos may, the company says, be unavailable for some weeks. Prominent among those services are payroll processing and human resources functions. The interruption of payroll processing comes at a particularly unfortunate time during the holiday season, ZDNet notes.
Dave Bittner: UKG recommends putting business continuity procedures in place until their services can be restored. One of their clients told The Record that whatever inconvenience is involved, they appreciate UKG's realism in warning that recovery and restoration of service is likely to be a matter of weeks.
Dave Bittner: The Times of Israel reports that NSO Group, feeling pressure from U.S. sanctions and the widespread odium that abuse of its surveillance tools has attracted, is said to be considering the sale of its Pegasus unit. There are thought to be two potential unnamed suitors.
Dave Bittner: Should NSO Group succeed in offloading Pegasus in exchange for a cash infusion, the company is expected to shift to purely defensive products and services. Haaretz thinks other Israeli firms also in the intercept or surveillance business may eventually come under U.S. sanction, as well.
Dave Bittner: The Washington Post finds Huawei documents suggesting a closer connection to Chinese state surveillance than Huawei has yet acknowledged. The documents were apparently marketing presentations and had been publicly available, posted to a public-facing Huawei website before the company removed them late last year. They show Huawei pitching how its technologies can help government authorities identify individuals by voice, monitor political individuals of interest, manage ideological re-education and labor schedules for prisoners and help retailers track shoppers using facial recognition.
Dave Bittner: Huawei offered a denial that eschewed the subjunctive mood and the passive voice customary in such responses. Quote, "Huawei has no knowledge of the projects mentioned in The Washington Post report," the company said after the Post shared some of the slides and asked for comment. "Like all other major service providers, Huawei provides cloud platform services that comply with common industry standards," end quote.
Dave Bittner: So yeah, Washington Post, who are you going to believe, Huawei or your lying eyes? Of course, we only ask this rhetorically.
Dave Bittner: A BBC investigation of Nigeria's Black Axe gang, a curious combination of student fraternity, quasi-religious cult and criminal organization, finds that the group is engaged in far more lethal operations than the crude advance fee scams it's commonly associated with. The Black Axe is given to human trafficking and murder, even torture. And the advance-fee Nigerian prince scams and other internet hokum they're associated with are apparently ways of funding their core violent activity.
Dave Bittner: They have rivals known as the Eiye, the Buccaneers, the Pyrates and the Maphites, and they're all engaged in a gang war for regional supremacy. I am the widow of the late prince so-and-so has become a punch line, but there's nothing funny about the Black Axe or its rivals.
Dave Bittner: There's also some news from the world of law enforcement. Europol describes the operation in which it, with the U.S. FBI, supported the Romanian National Police in arresting a ransomware affiliate targeting high-profile organizations and companies for their sensitive data. The unnamed suspect, 41 years old, is one of those criminals, allegedly, who buy their attack tools from others, paying them an agreed-upon fraction of their take.
Dave Bittner: And a German court in Trier has sentenced eight proprietors of the CyberBunker, a bulletproof hosting service operated from a decommissioned NATO bunker in the Rhein valley town of Traben-Trarbach that catered to online contraband markets. The CyberBunker was closed down by police in 2019. The operators received prison sentences ranging from one year, suspended, to five years and nine months, SecurityWeek reports.
Dave Bittner: And just one more thing. We return to Log4Shell before we sign off.
Dave Bittner: So how widespread is the Log4Shell vulnerability? It is literally interplanetary. Log4j is in the code aboard NASA's Ingenuity Mars probe, the one with the helicopter. And in this case, when we say literally, we mean literally. So get patching on the Red Planet, NASA.
Dave Bittner: When it comes to protecting your privacy online, many security practitioners will recommend a VPN as a potentially useful tool. Many will also follow that advice with a warning that not all VPNs are created equal, and it's a market with a wide spectrum of providers both good and bad. Brad Hawkins is CEO of VPN provider SaferNet.
Brad Hawkins: Well, I got to tell you, I love the fact that people are starting to pay attention to it a little bit now, even though they may be resigning to it, because before it was hard to even get people to believe that their privacy was being invaded. You know, basically the most valuable part of business right now, or at least in the digital world, is metadata, and people are losing their metadata all over the world all the time. And most people don't even realize that it's happening.
Dave Bittner: So what are your recommendations, then? For folks who want to get on top of this, what are some of the tools, the techniques that they have available to them to get a handle on it?
Brad Hawkins: Really good question. There's multiple things that I think are important. One is turn off the Wi-Fi on your mobile devices. When you're just at Starbucks, even if you're not - Starbucks or any public Wi-Fi. I use Starbucks as a general term. But when you're on any public Wi-Fi and you have your Wi-Fi turned on on that device, even though you're not logged in, there's still access to be able to reach into your device and gather that information.
Brad Hawkins: And then be careful about what you're choosing to say yes to. I don't know if you're like most people, but when you download an app, there's a large permission that you're giving to people. It's fascinating. If you go through and read the permissions that you're giving, you're basically giving complete control over your device just by downloading an app. It could be a free app or it could be a paid app. It's still - you're giving that information away. Be aware of what it is that you're giving away and understand what you're getting in return.
Brad Hawkins: But I truly believe that one of the most important things is to run a VPN 24-7, always on. That VPN will put you into a communication tube to anywhere that you're going in - on the internet. When you're running a VPN, you are not - people cannot penetrate that VPN, especially if it's an encrypted VPN. I'd suggest an encryption level at 256-bit, which is considered military or bank-grade encryption. So when you're running that VPN, people are not able to penetrate.
Brad Hawkins: Just while we've been talking, I've probably been hit, oh, maybe 20 or 30 times by outside sources trying to gather information off of my devices. And by running my VPN - and we also have virus protection within that VPN - you can keep people from accessing your information, unless you choose to allow it, like you would on a specific app that you're allowing in.
Dave Bittner: Now, you know, that is a product that you all supply. But broadly speaking, I think there's a lot of confusion out there when it comes to shopping around for VPNs. There are, you know, good suppliers, but there are absolutely bad suppliers out there as well. What's your guidance then for choosing a good one?
Brad Hawkins: Very, very good question. And it's a little bit difficult because this bit of information is hidden. But it's important to find out who it is that owns the company. Who is the company behind the company? There's a lot of larger companies that are actually owned by Chinese companies, which is fascinating to me because I know as a company ourselves, we have access to more data than really anybody else.
Brad Hawkins: Now, because we're a U.S.-based company and we have to abide by all U.S. laws, when we put in our privacy statement that we don't hang on to any data, we have to live by that. And by dumping the data as soon as it comes in, we don't collect it.
Brad Hawkins: Now, I realize we could probably do the same thing that Google does and sell that data and make an enormous amount of money. But I personally believe that if we don't do that, people will gravitate towards the privacy and the safety, be much more motivated to use us versus other companies that might not be owned and operated under the same rules that we have to operate under. That's a critical aspect of things.
Brad Hawkins: Two is you need to make sure that that VPN is encrypted, which means that the data is scrambled as you travel through the internet. If you just have a VPN that's not encrypted, if they penetrate that VPN, they can gather your data. But even if they encrypt - when you access a VPN that is encrypted, you can't even make sense of what happens. So those are some critical aspects of what's happening.
Brad Hawkins: Now, in our VPN, I don't think there's anybody else that does this, but we also put virus scrubbing, virus protection within that VPN so that if you wind up at a website that happens to have viruses on it, you won't be able to allow that virus to get back to your device. That's a special thing that we do. I don't know if there's really other competitors that do that, from what I know.
Brad Hawkins: But really, in my mind, making sure it's an encrypted VPN, making sure it's owned by the U.S. or a company that has to abide by the rules that they put out. European companies would be a wise move as well. So that's kind of the generals that I would look at.
Dave Bittner: That's Brad Hawkins from SaferNet.
Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Interesting article here from The Wall Street Journal that, actually, you brought to my attention. It's called "The Language of Cybersecurity: Test Your Vocabulary."
Joe Carrigan: Yes, indeed.
Dave Bittner: And this is written by Cheryl Winokur Munk. What's going on here, Joe?
Joe Carrigan: So this was sent to me by our executive director, Dr. Dahbura.
Dave Bittner: OK.
Joe Carrigan: And this article, I think, makes a really good point about cybersecurity jargon that they may not have actually intended to make. But let's take a look at some of these. Dave, I'm going to read them, and you tell me what they are.
Dave Bittner: Oh, boy.
Joe Carrigan: OK?
Dave Bittner: (Laughter).
Joe Carrigan: Chances are, Dave, you're going to do very well in this survey.
Dave Bittner: I hope so (laughter).
Joe Carrigan: What is an attack surface?
Dave Bittner: What is an attack surface?
Joe Carrigan: Mmm hmm.
Dave Bittner: That is the ways that people can get into your system. That is sort of the total combined ways that they can have access to your stuff.
Joe Carrigan: Right, very good. You said total, and the correct answer contains the word sum, right?
Dave Bittner: OK.
Joe Carrigan: The correct answer is the sum of the different points that bad actors can use to enter your systems.
Dave Bittner: OK. Let's do one more.
Joe Carrigan: OK, one more. Let's see here. Let's go with catfishing.
Dave Bittner: Oh, catfishing. OK. Catfishing is when someone creates, like, a fictitious persona to try to trick you into something. So it could be like - I don't know - like, a romance scam or something like that. They're pretending to be someone they're not...
Joe Carrigan: Right.
Dave Bittner: ...To lure you in to do something that they want you to do.
Joe Carrigan: Exactly right. The answer in the quiz here is when a bad actor creates an online fictional persona - almost the exact words you used - for deceptive purposes.
Dave Bittner: OK.
Joe Carrigan: So yes, that's correct.
Dave Bittner: All right.
Joe Carrigan: Now, there are a couple of things that this article or this quiz makes a point about that they really might not be trying to make a point about, but I picked up on it.
Dave Bittner: Yeah.
Joe Carrigan: And that is, in any industry, jargon tends to be an exclusionary factor.
Dave Bittner: Yes.
Joe Carrigan: Right? If you don't know the terms, then it's obvious you're not part of that club.
Dave Bittner: That's right.
Joe Carrigan: Right? Cybersecurity is a club that we want more members in - right? - so it really is a bad idea for us - I don't know if it's a bad idea to have jargon because we need a clear and concise way to communicate the ideas to one another without having to say long things, right?
Dave Bittner: Yeah.
Joe Carrigan: You know, like if I'm going to say clickjacking, everybody's supposed to know what that is. That's intercepting a browser click and redirecting it somewhere else, right?
Dave Bittner: Right.
Joe Carrigan: So - but I don't want to have to say, intercepting the browser click and redirecting it somewhere else.
Dave Bittner: Yeah.
Joe Carrigan: I just want to say clickjacking.
Joe Carrigan: Here's a great point in this article. No. 10 is ransomware.
Dave Bittner: OK.
Joe Carrigan: And the first incorrect answer is a pejorative term for overpriced software. I got to tell you, the first time I heard the term ransomware, that is exactly what popped into my mind.
Dave Bittner: Yeah, yeah.
Joe Carrigan: That is exactly what I thought that term meant...
Dave Bittner: Makes sense.
Joe Carrigan: ...Until I learned what it meant a couple seconds ago. So we really have to be more open with our communication about what these jargon - what this jargon means.
Dave Bittner: Yeah.
Joe Carrigan: We can't assume. We have this thing called the curse of knowledge - right? - in the field where we live and breathe this stuff every single day. In fact, I use that exact phrase in the comment I made on this article on The Wall Street Journal's website. I scored 15 out of 15 on this quiz because this is what I do, right? Other people are scoring lower.
Joe Carrigan: I'd like to hear from people who are doing about average - right? - getting about 50% of these questions right. I'd like to know what keys they're missing. These are all very important concepts not just for cybersecurity professionals but for everybody who uses any kind of connected device. And right now that's just about everybody.
Dave Bittner: Yeah.
Joe Carrigan: Right? We all need to understand what these threats are, and it's helpful to be able to communicate quickly and elegantly with nice terms.
Dave Bittner: Yeah, and I agree. There's - I think there's no question that there is too much gatekeeping...
Joe Carrigan: Right.
Dave Bittner: ...By some parties when it comes to welcoming folks into cybersecurity. I have a real problem with this. What really gets my dander up is when I hear people - like, for example, an exchange would go like this. Someone would say, well, we've been keeping an eye on their TTPs.
Joe Carrigan: Right.
Dave Bittner: Right. And then someone will say, oh, what's a TTP? And the person will say, oh, you don't know what a TTP is?
Joe Carrigan: Right. Yeah. Yeah.
Dave Bittner: Oh, well...
Joe Carrigan: That's not...
Dave Bittner: You consider yourself a cybersecurity professional...
Joe Carrigan: Right.
Dave Bittner: ...And you don't know what a TTP is?
Joe Carrigan: I've asked that question once in public. I'm not ashamed to ask these questions because frankly, I'm not too worried about it (laughter).
Dave Bittner: Well - and right.
Joe Carrigan: It's not something that bothers me. But that kind of thing - I'm like, no. And there's a lot of things I know that you don't know, either. I'm...
Dave Bittner: Yeah, yeah. And I - but I think your point is excellent. And first of all, I think it's important for those of us who've been around for a while, also those of us who are older, that we have the ability, we have the privilege, if you will, of saying, what does that mean...
Joe Carrigan: Right.
Dave Bittner: ...Without fear of someone, you know, looking down on us or giving us a bad recommendation or blah, blah, blah, blah, blah.
Joe Carrigan: Right. I agree.
Dave Bittner: Our experience shields us from a lot of that.
Joe Carrigan: Right. A younger person might not be able to pull that off as well.
Dave Bittner: Right.
Joe Carrigan: That's right.
Dave Bittner: Right. But I want to make the point that I think a lot of people think that asking those questions of saying, I don't know, is a sign of weakness.
Joe Carrigan: Right.
Dave Bittner: And I make the point that it is actually a sign of strength.
Joe Carrigan: I would agree with that 100%.
Dave Bittner: And so if someone uses a term that you don't understand, just say, what does - I'm sorry. What does that mean? I don't know what that...
Joe Carrigan: You used a term there that I don't understand. What does...
Dave Bittner: Yeah.
Joe Carrigan: ...TTP mean?
Dave Bittner: I don't understand. What does that mean?
Joe Carrigan: The first time I heard TTP, I was - I had no idea what it meant.
Dave Bittner: Yeah. Just help me understand. People want to be helpful. So if you frame it that way, you say, I'm sorry. Wait. Help me understand. What does that mean? That tends to not put them on the defensive. You get to learn something. You're being viewed as being inquisitive rather than ignorant, you know?
Joe Carrigan: Right.
Dave Bittner: So there are diplomatic ways to handle this, but I think your overall point is excellent. We got to stop, you know, making people feel dumb for not...
Joe Carrigan: Right.
Dave Bittner: ...Knowing things. Help spread the information.
Joe Carrigan: Yeah.
Dave Bittner: Don't keep it to yourself. Don't let it be something that you lord over people just to demonstrate how smart you are, right?
Joe Carrigan: Right.
Dave Bittner: Spread - a lot of us have a lot of knowledge. Spread that wealth, right?
Joe Carrigan: Yeah, absolutely.
Dave Bittner: That's how we're going to make everybody safer and solve these problems, not by keeping the secret code words to ourselves.
Joe Carrigan: Yeah. The conversation has to be much more open, and we have to be much more willing to share information.
Dave Bittner: We got to do better.
Joe Carrigan: I agree.
Dave Bittner: All right. Joe Carrigan, thanks for joining.
Joe Carrigan: It's my pleasure.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White (ph), Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.