The CyberWire Daily Podcast 12.15.21
Ep 1479 | 12.15.21

Log4j and Log4shell updates. Cyberespionage and C2C market developments. Patch Tuesday notes. And how do you pronounce that, anyway?


Dave Bittner: A second vulnerability is found and fixed in Log4j as both criminals and nation-state intelligence services increase their exploitation of Log4shell. Iranian intelligence services have been actively conducting cyberespionage against a range of targets in the Middle East and Asia. Andrea Little Limbago from Interos checks in on supply chain issues. Our guest is Suzy Greenberg from Intel with a look ahead toward the coming year. A quick look back at Patch Tuesday. And finally, some musings on literacy, orality and the way you pronounce stuff people tweet about.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 15, 2021.

Dave Bittner: We open, as we have all week, with updates on the vulnerabilities found in Apache's Log4j. And today it is indeed vulnerabilities, plural, because a second vulnerability has been discovered. Unlike its Log4shell cousin, it hasn't, as we go to press, received a catchy nickname yet, but MITRE has registered the issue as CVE-2021-45046. MITRE says, quote, "it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over thread context map, MDC, input data when the logging configuration uses a non-default pattern layout with either a context lookup or a thread context map pattern to craft malicious input data using a JNDI lookup pattern, resulting in a denial-of-service attack," end quote. In any case, the flaw is now patched, and organizations should apply that patch, or, if they're using older versions of Log4j, they should disable JNDI functionality. That's, in any case, the default in the newer patched versions.

Dave Bittner: Late yesterday afternoon and running into the early evening, the U.S. Cybersecurity and Infrastructure Security Agency held a phone conference with the media to discuss the current state of risk and remediation surrounding Log4shell. CyberScoop quotes CISA's executive assistant director Eric Goldstein to the effect that, quote, "certainly, given the nature of this vulnerability, the triviality of exploitation, the ubiquity of the presence across enterprise, consumer and IoT products, really, our broad focus here is driving mitigation across the board, recognizing that malicious cyber actors of all types may decide to use this vulnerability to achieve a variety of attack types or drive a variety of malicious ends," end quote. In some respects, Goldstein offered reassurances that exploitation had so far been not as consequential as it might have been, but that this was no grounds for complacency. ABC News quotes him as saying, "at this point in time, we are not seeing widespread, highly sophisticated damaging intrusion campaigns. But certainly, we are deeply concerned about the prospects of adversaries using this vulnerability to cause real harm and even impacting national critical functions, which is why we have such a sense of urgency at CISA and across the cybersecurity community to drive urgent mitigation and adoption of controls wherever we can," end quote. On balance, however, as Reuters reports, CISA thinks most of the activity has been scanning and cryptojacking, and that it hasn't confirmed industry reports of more damaging activity. 

Dave Bittner: Those industry reports are warning of both nation-state activity and more sophisticated moves from cyber gangland. We've seen, as the Record notes, that Log4shell has been exploited to distribute ransomware. It's also now being used by nation-state espionage services. Microsoft reported yesterday that it's seeing, quote, "the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment and exploitation against targets to achieve the actor's objectives," end quote. Microsoft particularly draws attention to Iran's Phosphorus and China's Hafnium groups as among the nation-state actors that have been using Log4shell against their targets. 

Dave Bittner: SecurityWeek reports that Mandiant has also seen Iranian and Chinese exploitation in progress. Mandiant thinks more intelligence services will be joining the party soon. The company's vice president of intelligence analysis, John Hultquist, emailed SecurityWeek to tell them, quote, "we have seen Chinese and Iranian state actors leveraging this vulnerability, and we anticipate other state actors are doing so as well or preparing to. We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting," end quote. 

Dave Bittner: The criminal-to-criminal market has also taken note, and Microsoft has seen access brokers working to monetize the vulnerability. Quote, "MSTIC and the Microsoft 365 Defender team have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to targeted networks. These access brokers then sell access to these networks to ransomware-as-a-service affiliates. We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms." 

Dave Bittner: The basic advice about handling the vulnerability has remained stable. Both ESET and Fastly, to take two of the many security firms who've published recommendations, emphasize the importance of determining where the Log4shell vulnerability exists in an organization and of then applying the available patches. BleepingComputer is offering a list of affected products along with vendor advice on mitigation. And SecurityWeek is maintaining a current list of tools and resources for defenders. 

Dave Bittner: Spare a thought, gentle listener, for the Apache volunteers working their end of this problem. The Apache Software Foundation is, the Wall Street Journal reminds us, a U.S. 501(c)(3) not-for-profit outfit and dependent on its volunteers. Their work is invaluable. 

Dave Bittner: Self-described cybersecurity pleb and DoublePulsar editor Kevin Beaumont, who tweets under the handle @GossiTheDog, has been following the Log4shell incident with bemused interest. He summed things up yesterday with an askance look at some of the freewheeling history of open-source development. Quote, "basically, the perfect ending to cybersecurity in 2021 is a '90s-style Java vuln in an open-source module, written by two volunteers with no funding, used by large cybersecurity vendors, undetected until Minecraft chat got pwned (ph), where nobody knows how to respond properly," end quote. Nicely woofed, and good doggy, GossiTheDog. 

Dave Bittner: An apparent Iranian government threat actor, which Symantec tentatively associates with the organization known variously as Seedworm or MuddyWater, has been active against targets in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand and Laos. The cyberespionage campaign has concentrated on telecommunications and IT service providers. The attacks do not appear to use bespoke malware but instead rely on legitimate tools and commodity malware. Once inside the targets, the operators live off the land, making use of the victims' own infrastructure, and steal credentials to pivot across networks of interest to them. 

Dave Bittner: IBM independently has identified a novel attack vector in use by Iranian state actors, and that vector is Slack. The group IBM tracks as TG17, and others call MuddyWater, employed free workspaces in the legitimate and widely used business chat tool in an attempt to compromise an unnamed Asian airline. IBM wrote, quote, "dubbed Aclip, this new back door conducts C2 utilizing Slack's APIs to create an actor-controlled Slack workspace and channels where the adversary could receive system information, including requested files and screenshots, post commands to the back door and receive commands in return," end quote. It's not clear yet what data, if any, MuddyWater removed through the back door, but it's at least possible some information about reservations was obtained. Slack has shut down the malicious workspaces and reassures users that their services as a whole have not been compromised. 

Dave Bittner: Lest you find yourself inclined to be too hard on Tehran, Tehran would like you to know that, hey, it's the victim here, really. Iran's ambassador to the United Nations complained that the Islamic Republic is more sinned against than sinning, since it's well-behaved in cyberspace and because of the way it's subjected to constant cyber harassment by Israel and the U.S. He called for more development of international norms for cyberspace. 

Dave Bittner: The Zero Day Initiative offers a rundown of fixes Adobe, Apache, Apple, Google and Microsoft issued yesterday on Patch Tuesday. Some of Microsoft's fixes address a zero-day that's been used in the resurgent Emotet campaigns.

Dave Bittner: Also yesterday, the U.S. Cybersecurity and Infrastructure Security Agency released three industrial control system advisories. 

Dave Bittner: And finally, our social media desk tells us there's a hot debate among infosec practitioners on the one true pronunciation of the library at the root of the Log4Shell vulnerability, with some saying it's log for J, and others proclaiming, no, FYI, it's actually log forge, thank you very much. Not since GIF versus jif (ph) have we seen such passion over a label, but that's what you get when a post-literate culture like ours abandons the oral-formulaic tradition and names stuff as if it's to be read silently instead of spoken aloud. The greatest generation got this. Everyone knew how to pronounce Kilroy was here, and the acronyms all made sense, like SNAFU. 

Dave Bittner: We'll add that perhaps as an industry, we would do well to stop naming things like they're track titles from a 1980s album from Prince. That new vulnerability in Log4j, by the way, doesn't yet have a snazzy name, so hop to it, infosec world, and share your thoughts. And you can take that from me because I'm giving it to you straight here. I'm the artist formerly known as Dave. 

Dave Bittner: Suzy Greenberg is vice president of communications and incident response at Intel. As we approach the end of 2021, I spoke with her to gather her insights on the year we've had, what's yet to come and how to ensure everyone has an opportunity to contribute. 

Suzy Greenberg: It's been an exciting year, to say the least. I think we've really seen an expanded attack surface, especially for our adversaries to capitalize on. And, you know, we have a number of things that we can thank for that. There's been technology advancements, for one. Others include a more complex and growing supply chain. And then we're seeing this shift from what, you know, was the new normal to just it now is just reality of full-time remote and hybrid work that we really need to take into consideration. And that really is going to impact all of the areas of security that we're seeing. So that's everything from firmware and hardware security to supply chain and then - and really that importance on transparency as well. 

Dave Bittner: You know, when I think of Intel, I certainly think about hardware innovation; literally, dozens of devices that use the chips that you all manufacture. What is on the roadmap there in terms of innovation and the types of things we might expect to see from a security point of view going forward? 

Suzy Greenberg: One of the things that we've seen is that organizations - it's really basic in terms of what we need to be doing, and that's being more proactive versus reactive in the way that we're responding to threats. Typically today, the way organizations are, they're more reactive in the way that they're responding. What we're seeing is that there's a shift more to that proactive side and that it's important to be identifying these vulnerabilities. And that requires a significant investment. 

Suzy Greenberg: And so businesses are really looking at the way that they increase their engagements and partnerships with external researchers in developing, you know, a more coordinated vulnerability disclosure and bug-bounty programs that really kind of get to the root of some of these issues and facilitate better collaboration between companies and external researchers to stay ahead of these threats and help avoid zero-days wherever possible. 

Dave Bittner: You know, I know something that you're very active in is working on improving the situation when it comes to diversity in cybersecurity; specifically, more opportunities for women. And I'm curious, you know, where do you think we find ourselves there? Have we seen improvements this year, and what work is yet to be done? 

Suzy Greenberg: I don't know how much improvement we've seen this last year. I think, in fact, we've probably seen in the industry as a whole a drop-off in the number of women that are working at all. They've had to make some really tough choices in the last year about what they're able to do when it comes to working and then also supporting their families. I have three young kids and, you know, I'm very fortunate that I didn't have to make those decisions, but I'm not the norm. And, you know, there was a recent study that came out from the Aspen Institute, and it found that only 24% of cybersecurity workers self-identify as women. And so, you know, while we're seeing a greater awareness around the need for diversity in security today, there's really no question that the gender gap in cybersecurity remains an industry-wide problem. 

Suzy Greenberg: And, you know, I do feel really passionate about this because I think employees and individuals feel some sort of security and - no pun intended - and safety in numbers. And, you know, we really need to be fostering an environment that gives women more opportunities to thrive and environments that are friendly towards all different types of people and perspectives. And so, you know, I think we have a significant way to go in this area. And we're seeing, still, a pretty major gap, and that's going to negatively impact the overall workforce and diversity as well. So bringing awareness, I think, is the first step in talking about it, which is something I don't think we typically have done in the past. And then how do we support and give those platforms to women to feel like they can come into this type of field and feel supported and feel recognized for their contributions in a very male-dominated environment? 

Dave Bittner: That's Suzy Greenberg from Intel. 

Dave Bittner: And I'm pleased to be joined once again by Andrea Little Limbago. She is vice president of research and analysis at Interos. Andrea, it's always great to have you back. You know, we have seen lots of headlines about supply chain issues, both, of course, in the cybersecurity realm, but then just globally in general. Those things are, of course, linked. And I'm curious for your take on this - kind of where things stand and how you think it's going to shake out. 

Andrea Little Limbago: Yeah, thanks for having me, Dave. And this is an important area that I think we've risen to prominence, you know, from the beginning of COVID and with SolarWinds. And I think it is just going to be an area that will dominate discussions going into 2022. And there are those two different angles that are, though, really just almost increasingly intertwined. You almost can't separate them. One is the notion of the supply chain attacks, and that's like your SolarWinds exchange. Could say Codecov, Accellion. Kind of the list kind of keeps going on and on that we saw over the last year. And that's where there is manipulation of the software or malicious code embedded within it as part of updates and so forth. There are many different ways that the supply chain, hardware and software can get manipulated. And that's one component of it. And that we really have seen to be on the rise and is a troubling trend. 

Andrea Little Limbago: We are seeing some legislation on the U.S. to help secure some aspects of that, and I think the movement toward the software bill of material isn't the S bomb (ph), which we hear a lot about. And I think we're just continually hearing a lot more about that. And that really requires companies to know where the various code comes from - basically having (ph) transparency for, you know, the various libraries and software and so forth that are within their ecosystem. And I think that's a big shift, where many companies don't necessarily know that. And so I think that there'll be some requirements that will continue to come along. At the same time, we're seeing all the supply chain disruptions. And those are also tightly linked because some of them are and have been disrupted by ransomware really disrupting the supply chain. 

Dave Bittner: Right. 

Andrea Little Limbago: So there's supply chain issues as far as some of the supply and demand and the just in time and some of the disruptions due to concentration risk. But there are also the disruptions that are occurring because of ransomware and other kinds of cyberattacks that are occurring on the energy sector, which we saw in Colonial Pipeline, for instance, the transportation sector logistics. An interesting way - where I'm seeing right now where there - that intersection - China's new data privacy law basically has large requirements on data transfer outside of China. And so where that's impacting right now is the shipping data that's - we're seeing, where the companies that normally - you know, that track global shipping to help assess for congestion and so forth and bottlenecks in the shipping lanes, they're now missing a lot of that Chinese data. It's basically - has gone blank based on the data privacy regulations of not sharing that data externally. And so that's your relatively new occurrence that's going on. The data privacy law came into effect in early November, but it's already having an impact there for those companies that track - basically, maritime tracking metrics are seeing basically a huge data gap now. And so it's just an interesting sort of confluence of how all this is just so interdependent with each other and has these externalities that, in many ways, are just unanticipated. 

Dave Bittner: You know, it's easy to Monday morning quarterback this stuff. And I think for me, you know, it seems as though we chipped away at the supply chain in terms of having things be more and more just in time and where can we save money, where can we save money, where can we save money? And we're kind of paying for that now. We're paying for that in that there was very little room for excess - you know, room - excess capacity. Do you think we're going to see a global emphasis on getting some of that capacity back? Is this a lesson learned? 

Andrea Little Limbago: I think the companies that are going to have a competitive advantage going forward are taking this as a lessons learned. And what I've seen - you know, it varies across industries. It varies even within some companies. You know, there are debates going on exactly about that right now. 

Andrea Little Limbago: But sort of the biggest, you know, sort of, you know, bumper sticker that summarizes what - where some companies are heading is, you know, from just in time to just in case and so basically making sure that - switching that paradigm so that they have that - some sort of capacity, so just in case, you know, a big climate - weather - severe weather event happens, just in case a ransomware attack happens, just in case, you know, a global pandemic requires a lockdown. I mean - and it's really that broad a range, right? I mean, it could even be just in case your key supplier goes bankrupt, just in case you have a key supplier that, all of a sudden, is connected to human rights violations. It's - or is linked to, you know, technology that supports a foreign military. I mean, it's really - the just in case really isn't just just in case for having capacity in the storage, it's just in case for all - this whole range of events that can disrupt supply chains. 

Andrea Little Limbago: I think it will become a competitive advantage for the - so for those companies that are thinking that way and are adjusting and making those investments now, I think that will pay off. For those that don't or are kind of still wanting to retreat back to the old ways, I think are going to pay the price down the road. 

Dave Bittner: Yeah. That's interesting. All right. Well, Andrea Little Limbago, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.