The CyberWire Daily Podcast 12.20.21
Ep 1482 | 12.20.21

Log4j: new exploitation, new mitigations, new risk assessments. Service interruptions, Space Force’s capture-the-flag, and official interventions.


Dave Bittner: Updates on Log4j vulnerabilities - new exploitation, new mitigations, new risk assessments, some good advice from the NCSC and from analysts at Booz Allen Hamilton. Kronos interruptions continue into the holiday season. NCA shares compromised passwords with Have I Been Pwned. A power grid security exercise in Ukraine. AWS outage last week put down to congestion. Hack-A-Sat promises more transparency. 'Tis the season for charity scams, as Carole Theriault reports. And the SEC wants financial services companies to use proper channels, not, say, WhatsApp and personal email.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 20, 2021. 

Dave Bittner: Today's news continues to be dominated by the fallout from vulnerabilities disclosed in Apache's Log4j library. New patches, new attacks and fresh assessments have all appeared over the weekend. 

Dave Bittner: Apache on Saturday introduced Log4j 2.17.0, a new version that addresses the denial-of-service risk posed by vulnerability CVE-2021-45105. The problem, now fixed in the latest release, is that, as Apache puts it, Apache Log4j 2 does not always protect from infinite recursion in lookup evaluation. 

Dave Bittner: Ransomware continues to arrive via Log4Shell. The first major ransomware strain to take advantage of Log4Shell was newcomer Khonsari, but a familiar player has now also been observed exploiting the vulnerability. Advanced Intelligence tells BleepingComputer that it's observed Conti seeking to use Log4Shell to move laterally into VMware vCenter networks. BleepingComputer quotes them as saying, "the current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4j exploit," end quote. 

Dave Bittner: Those servers aren't normally exposed to the internet, and Conti's activity shows that networks are susceptible to attack via RDP, VPN or email phishing vectors, so security teams should expand their focus to include these alternative avenues of approach. 

Dave Bittner: Ridiculously widespread and incredibly dangerous is Morphisec's summary risk assessment of Log4Shell. The company explains, quote, "many widely used frameworks, such as enterprise search platform Apache Solr and database platform Apache Druid, use Log4j. This makes the likelihood that any organization hosts a compromised application or server incredibly high. Even for C-based servers that are theoretically safe, a connected online form written in Java could lead to a compromise," end quote. 

Dave Bittner: Google's Security Blog is equally grim and applies some quantification to its assessment. Quote, "as of December 16, 2021, we found that 35,863 of the available Java artifacts from Maven Central depend on the affected Log4j code. This means that more than 8% of all packages on Maven Central have at least one version that is impacted by this vulnerability. These numbers do not encompass all Java packages, such as directly distributed binaries, but Maven Central is a strong proxy for the state of the ecosystem. As far as ecosystem impact goes, 8% is enormous. The average ecosystem impact of advisories affecting Maven Central is 2%, with the median less than 0.1%," end quote. 

Dave Bittner: And where are the attackers coming from? The call is coming from inside the house, says Bitdefender. The Log4j exploitation the company's honeypots have drawn shows that most attacks are originating in Germany and the U.S. But that doesn't mean the threat actors are predominantly or even significantly German or American. Quote, "threat actors exploiting Log4j are routing their attacks through machines that are closer to their intended targets, and just because we don't see countries commonly associated with cybersecurity threats at the top of the list does not mean that attacks did not originate there," end quote. 

Dave Bittner: So the honeypots reveal staging, not origin. And Bitdefender in this case has used its familiarity with slasher flicks to good effect. The call is coming from inside the house, but that doesn't mean the menace lives at that address. 

Dave Bittner: The geolocation of the targets is unsurprising, with the U.S., the U.K. and Canada leading the pack. Rounding out the top 10 are, in this order, Romania, Germany, Australia, France, the Netherlands, Brazil and Italy. 

Dave Bittner: Britain's National Cyber Security Centre has offered corporate boards advice on dealing with Log4j vulnerabilities. NCSC writes, quote, "the Log4j issue has the potential to cause severe impact to many organizations. As cybersecurity experts attempt to detect which software and organizations are vulnerable, attackers start to exploit the vulnerability. Initial reports indicate this is likely to include remote control malware and ransomware. However, the situation is fluid and changing regularly," end quote. 

Dave Bittner: The NCSC usefully frames its advice in the form of questions boards should be asking executives and security leads. Who is leading our response? What is our plan? How will we know if we're being attacked, and can we respond? What percentage visibility of our software and services do we have? How are we addressing shadow IT in appliances? And this one is actually two related questions. Does anyone in our organization develop Java code? What is their plan for finding out if we are affected? How will people report issues they find to us? When did we last check our business continuity plans and crisis response? And how are we preventing teams from burning out? 

Dave Bittner: They're good questions and ones that could be readily adapted to use in other security incidents. 

Dave Bittner: More of the CyberWire's ongoing coverage of Log4j can be found on our website. 

Dave Bittner: The ransomware attack that led UKG to shut down elements of its Kronos payroll service has, The Wall Street Journal reports, led retailers and other affected users to revert to manual payroll processing during the busy holiday season. It's an inconvenience, especially coming as it does when many retailers have taken on part-time holiday staff to handle the seasonal surge in trade. 

Dave Bittner: The U.K.'s National Crime Agency has shared 585 million compromised passwords with Have I Been Pwned, The Record writes, making the NCA the second major law enforcement organization, with the U.S. FBI, to undertake such sharing with the security breach intelligence website. 

Dave Bittner: As tensions with Russia remain high and as Russia issues what approaches an ultimatum to NATO about the Atlantic Alliance's expansion into the Near Abroad, Ukraine conducts, with the SANS Institute, an exercise that simulated a large-scale cyberattack on the country's power grid. The Daily Swig reports that Grid NetWars involved some 250 Ukrainian security professionals. 

Dave Bittner: Ukraine's power grid has been the subject of at least two regional disruptions run by Russian intelligence services, and it's likely to be the focus of escalated cyber operations during the ongoing conflict between the two countries. 

Dave Bittner: According to Computing, Amazon has traced last Wednesday's regional AWS outages - the second in as many weeks - to network congestion, more specifically to network congestion between parts of the AWS backbone and a subset of internet service providers, which was triggered by AWS traffic engineering, executed in response to congestion outside of their network. 

Dave Bittner: Those interested in white hat hacking a satellite will be interested to know that U.S. Space Force plans more transparency in scoring for its next Hack-A-Sat competition. Air Force Magazine explains the plans to give white hats another go at ground-based satellite hardware provided for a capture-the-flag exercise. That's ground-based hardware, for any Chicken Littles who may be listening. The sky is not going to fall on you or on anyone else - at least not because of this Space Force exercise. 

Dave Bittner: And, finally, JPMorgan Chase has agreed to pay a $125 million penalty to the U.S. Securities and Exchange Commission imposed for employees' use of WhatsApp and personal email accounts to transact official business. That usage ran afoul of SEC record-keeping requirements, UPI reports. 

Dave Bittner: It's not that there's anything inherently nefarious about either WhatsApp or personal email accounts, but the SEC wants transactions and communications about them to be properly recorded and accessible, and both those methods of communicating fall outside the scope of what's on the books. 

Dave Bittner: 'Tis the season for generosity, for goodwill toward your friends, family and colleagues and, for folks inclined to do so, to take care of their end-of-year charitable giving. Not surprisingly, scammers are more than willing to take advantage of that, as our U.K. correspondent Carole Theriault explains. 

Carole Theriault: Every year, at the end of October, charity regulators bang the same drum in order to raise awareness about charity fraud. I've seen reports from organizations like the U.S. Federal Trade Commission, the FTC, the Federal Bureau of Investigation, the FBI, and, oh, the Fraud Advisory Panel. And there's the U.K. government Action Fraud and Charity Commission, Canada's Better Business Bureau, oh, and Australia's Scamwatch. You get the idea. This charity scam awareness drive is transcending national borders. 

Carole Theriault: The FTC wrote that it joins this effort once again this year because it's so important for us all to know how to spot a charity scam. They write, the more you know, the less likely you'll donate to a bogus charity. Better yet, you'll make sure your money is helping in the way you intended. 

Carole Theriault: I mean, if you think about it, being duped by a charity scam during the holiday season is akin to skidding wallet-first into a steaming pile of reindeer muck. You decide to do the right thing and help the homeless or the sick or the elderly or the lonely, and you end up lining the pocket of some ne'er-do-well festive season scrounger. 

Carole Theriault: So let's unpack this a bit. A charity scammer is different from other scammers in that they need to fool you into happily giving your money away, unlike a ransomware attack, where you are threatened with data loss or a reputation hit unless you pay up. The charity scammer convinces you to generously part with your cash. 

Carole Theriault: And this makes these scams particularly insidious. We depend on charities to help our communities, both local and elsewhere. If people stop giving to food banks or shelters or health centers, they cannot look after the most vulnerable in our society. So if your cash is misdirected by a charity scam, it is a double-tap hit. One - the giver, of course, has been scammed out of their donation. But even worse, those that are dependent on these donations are utterly shafted. 

Carole Theriault: So rather than not give to charities because there are scammers out there, how about we check the latest advice from the experts on how to donate safely to a chosen charity? 

Carole Theriault: Charity scammers all have a preferred attack method, from the traditional to the digital. They can hack ads, post fake social posts, send emails, call you, doorstop you or even stop you in the city center. 

Carole Theriault: So the first thing to do is to slow everything down. Responding to a charity donation request does not need to happen right now. So in other words, listen to the pitch, ask for information and then take it away to do your own research. If they pressure you into donating right away, my advice is to walk away. 

Carole Theriault: Now, scammers often pick names or use website addresses that sound very similar to legitimate, well-known charities. So instead of clicking a link in an email or in a social media post, use a search engine to find the homepage of the charity of interest. 

Carole Theriault: And then research the cause or organization, searching online for the name of the organization with words like review or scam or complaint to see if any others have had good or bad experiences with this charity. 

Carole Theriault: Know that legitimate charities are registered, and you can verify this fact at your government official website. Check out charity watchdog groups. So in the U.S., for example, consider BBB Wise Giving Alliance, Charity Navigator, CharityWatch and Candid. 

Carole Theriault: Now here's a pro tip. The IRS' Tax Exempt Organization Search tool - I know it's a mouthful, but this is a smart way to check if the charity in question you're considering giving to is officially listed in the U.S. as an actual bona fide charity. And I'm sure similar services exist elsewhere. 

Carole Theriault: More than any other payment method, a credit card will give you more rights to dispute the charge if something goes wrong. And maybe this is obvious, but never buy from sellers that only accept gift cards, money transfers or cryptocurrency for payment. 

Carole Theriault: And if you decide to proceed with your donation, make sure you get a receipt and review that it contains all the correct details. 

Carole Theriault: So there you have it. Now, I know most of you listeners out there probably knew most of that because, well, you listen to the smart people on the CyberWire. But I am sure you have someone in your life, a generous soul who likes to give, especially around the festive season. It might be good for them to be forewarned with this info. I leave it in your very capable hands. 

Carole Theriault: This was Carole Theriault for the CyberWire. 

Dave Bittner: The Log4Shell vulnerability has prompted an all-hands-on-deck response from cyber defenders. I checked in with our CyberWire partner from Booz Allen Hamilton, Betsy Carmelite, and her colleague, senior associate Mike Saxton, for the latest. Betsy Carmelite started our discussion with insights on what she and her colleagues are seeing in terms of nation-states exploiting the Log4Shell vulnerability. 

Betsy Carmelite: So what we're seeing here is that nation-state actors could exploit the Log4j vulnerability through a number of means. For example, the vulnerability could be exploited to extend the reach of groups targeting in new ways, possibly by targeting virtualization infrastructure with the exploits, or it could be leveraged to deploy new strains of ransomware. 

Betsy Carmelite: We did hear you mention a list of reported state-sponsored actors that have been observed using the exploits to compromise targets earlier this week. And what will really make the understanding of what nation-state sponsors are doing with this vulnerability are the goals of and the behaviors of state-sponsored or intelligence services. And so we're talking about patience, avoiding detection, penetration, persistence, all of this prior to conducting possible loud exfiltration activities. 

Betsy Carmelite: And finally, an attacker can leverage the noise being created right now with this publicized vulnerability. They know all security operators and defenders are focusing on Log4j. So what other known vulnerabilities have been designated as lower priorities now and overlooked to address the hot issue of the day? And who is manipulating those other flaws? 

Dave Bittner: You know, Mike, since the Log4Shell vulnerability was revealed a week or so ago, it's really been all hands on deck for a lot of organizations out there. What are you seeing in terms of smaller businesses? What are your recommendations for them to protect themselves? 

Mike Saxton: Yeah. You know, our approach for initial defense and countermeasures against this, regardless of size, has been pretty consistent that we're going to need a short-term, mid-term and long-term approach here. 

Mike Saxton: Specifically for smaller business, I would recommend working across the industry to find out the newest and latest and greatest indicators of compromise, continuing to apply countermeasures for other types of activity, as we are seeing botnet - increasing activity with botnets and malware being dropped as a result of this. 

Mike Saxton: And also, as always, continue patching. And just general security hygiene is the best place to start, especially as the patch to this vulnerability has seen, I think, three different versions come out. 

Mike Saxton: The mid-term step - and this can be difficult for some organizations, but we recommend moving logs that have not been previously put into a SIEM into a SIEM or, if smaller businesses don't have access to a SIEM, moving them to a central location. And there's been a number of scripts that have been released to help organizations process the vast amount of data so they can find things easily. 

Mike Saxton: And finally, in our long-term approach, we look at the need to move to a persistent hunt operation. CISA has mentioned persistent hunt. DOD is getting to hunt forward. And for some of the smaller organizations, using managed service providers can help them accomplish this mission. 

Dave Bittner: What about for the professionals, you know, in cybersecurity, the sector as a whole? How should they go about calibrating their response to this? 

Mike Saxton: Yeah, I think this has been a, you know, massive vulnerability that has caught everybody a little bit off guard. I think one of the things we need to keep in mind is that sharing information widely and broadly as much as possible, be it your ISACs, Twitter, social media, email, threat intelligence platforms - you know, there's no good in holding back information in this environment. It should all be shared. 

Mike Saxton: And finally, you know, continuing to rely on expertise and guidance from some of these organizations as it relates to hunt activity, software developers that understand the countermeasures that need to be applied, the software development practices that got us here in the first place. So, you know, continuing information sharing and collaboration, I think, is our best approach here from an industry. 

Dave Bittner: Our thanks to Betsy Carmelite and Mike Saxton from Booz Allen for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.