The CyberWire Daily Podcast 1.3.22
Ep 1486 | 1.3.22

Log4j updates, including an Aquatic Panda sighting. Cyberattacks hit news services in Norway, Israel, and Portugal. Addressing Y2K22.


Dave Bittner: Aquatic Panda has been found working Log4Shell exploits against an academic institution. Apache fixes new Log4j issues reported last week, and Microsoft also updates Windows Defender to address Log4j risks. Cyberattacks, criminal or hacktivist in motivation, hit news outlets around the new year. Microsoft works on fixing a Y2K22 bug in on-premise Exchange Server. Andrea Little Limbago from Interos on technology spheres of influence. Our guest is Mark Dehus from Lumen's Black Lotus Labs with DDoS insights, and CISA issues some ICS security advisories.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 3, 2022. 

Dave Bittner: CrowdStrike has found Log4Shell exploitation tools in the possession of Aquatic Panda, a Chinese government-operated threat group. The researchers explain, quote, "Aquatic Panda is a Chinese-based targeted intrusion adversary with a dual mission of intelligence collection and industrial espionage. It has likely operated since at least May 2020. Aquatic Panda operations have primarily focused on entities in the telecommunications, technology and government sectors. Aquatic Panda relies heavily on Cobalt Strike, and its toolset includes the unique Cobalt Strike downloader tracked as Fishmaster. Aquatic Panda has also been observed delivering njRAT payloads to targets," end quote. The affected organization was able to address the issue, patch the vulnerability and disrupt the attempt. 

Dave Bittner: This isn't the first nation-state exploitation of a Log4j issue. North Korean, Turkish, Iranian and Russian units have all been reported to be active against the vulnerability. 

Dave Bittner: On December 28, Checkmarx reported and Apache fixed a new arbitrary code execution vulnerability in Log4j. It's not, as Naked Security notes, an unauthorized remote code execution issue, which is probably among the reasons it's rated at moderate severity. An attacker would need to be authenticated inside the target in order to be able to take advantage of the flaw. Nonetheless, users would do well to upgrade their systems promptly. And Naked Security also suggests that it might be worth seeing if your organization could do without Log4j entirely. Quote, "But we're going to suggest once again that if you have found Log4j in your ecosystem recently, especially on servers where you didn't even know it was there, that you should ask yourself the question, do I genuinely need a multi-megabyte logging toolkit consisting of close to half a million lines of source code or would something much more modest and easier to review do at least as well? That's not a criticism of Apache; it's merely a reminder that inherited security problems such as Log4Shell are often the unexpected side effect of a cybersecurity decision made years ago by someone from outside your company whom you've never met and never will," end quote. 

Dave Bittner: BleepingComputer, keeping score, counts this as the fifth Log4j CVE that's been addressed in less than a month. 

Dave Bittner: And Microsoft last week issued new services designed to protect its users against exploitation of Log4j vulnerabilities. The company blogged on December 27, quote, "new capabilities in threat and vulnerability management, including a new advanced hunting schema and support for Linux, which requires updating the Microsoft Defender for Linux client; new Microsoft Defender for Containers solution," end quote. 

Dave Bittner: You can follow the CyberWire's Pro coverage of the Log4j affair on the Stories page of the CyberWire website. 

Dave Bittner: Several media companies have been hit over the past week with cyberattacks that are interfering with publication. Reuters reports that the websites of Portugal's Expresso newspaper and SIC TV station, both owned by the media conglomerate Impresa, were taken down over the weekend by a ransomware attack. This one seems to be a straightforward criminal double extortion scam, thereby continuing 2021's big cybercrime trend into the new year. The Lapsus$ Group gang has claimed responsibility, and Impresa says it's working with the authorities. 

Dave Bittner: SC Magazine reports that last week, Norway's Amedia, which owns some 50 newspapers and the ANB News Agency, was hit with an unspecified cyberattack that disrupted printing. Amedia has also been working with the authorities since detecting the incident last Tuesday, but the group has been tight-lipped about both the nature of the data incident and the pace of its recovery. 

Dave Bittner: And Reuters reports that The Jerusalem Post was hit yesterday in an apparent hacktivist incident that came on the anniversary of the U.S. drone strike that killed Iranian General Qassem Soleimani in 2020. The attack was a website defacement: a hand wearing a ring said to resemble one worn by General Soleimani is shown shooting a missile downward as if from the heavens, alongside the legend, "We are close to you where you do not think about it." The Post is resolving the issue with its website. 

Dave Bittner: Microsoft is working to fix an issue with on-premise Exchange Servers that's been causing emails to hang in transport queues since January 1. In an homage to the Y2K episode those of a certain age will remember, some are calling it Y2K22. BleepingComputer says the problem arose because Microsoft used a signed int32 variable to store the value of the date, but the minimum value of dates in 2022 exceeds the maximum permissible value. 

Dave Bittner: Redmond explained, quote, "we have addressed the issue causing messages to be stuck in transport queues of on-premises Exchange Server 2016 and Exchange Server 2019. The problem relates to a date check failure with the change of the new year and is not a failure of the AV engine itself. This is not an issue with malware scanning or the malware engine, and it is not a security-related issue. The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues. We have now created a solution to address the problem of messages stuck in transport queues on Exchange Server 2016 and Exchange Server 2019 because of a latent date issue in a signature file used by the malware scanning engine within Exchange Server. Customer action is required to implement the solution," end quote. A note in disclosure - Microsoft is a CyberWire sponsor. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency - that's CISA - of course spent the holidays working to mitigate the risk of Log4j vulnerabilities in federal systems, but its more routine work also continued. On December 23, CISA released two industrial control system advisories. 

Dave Bittner: And finally, we wish all of you a happy, healthy and prosperous new year as we open 2022. We hope you all got a bitcoin in your stocking, or at least a nice NFT. We hear those were all the rage for the holidays. 

Dave Bittner: Mark Dehus is Director of Information Security and Threat Intelligence with Lumen's Black Lotus Labs. He and his colleagues recently released their third quarter DDoS report, and Mark Dehus joins us with some of the highlights. 

Mark Dehus: So some key things that I'd highlight from the report that we observed in Q3 was an increase in the number of complex attacks, meaning typically when we see an attack, there's many different types. There's reflective DDoS attacks, and typically they tend to use - in the past, they'll use, like, a single protocol for reflection. We're seeing a lot more of different botnets using multiple protocols for reflection. And so that is a trend in growth that we've seen Q3 compared to others. We also scrubbed our larger attack than prior and had an increase in terms of bandwidth quarter over quarter, which was also interesting and concerning as well. 

Mark Dehus: So those are a couple of key things that were in the report. Some things that occurred towards the end of Q3 and beginning of Q4 that were also of interest was a trend towards DDoS actors attacking services not commonly attacked by other actors. And so there were some targets towards the voice and telecom industry in particular that had some pretty significant impacts that we observed and helped work to mitigate and clean up as well. 

Dave Bittner: Yeah. It's interesting because just in the past few days here, I've seen some reports of, I guess, extortion threats at voice over IP companies. And when you align that with the report that you and your team have put out here, I wonder, you know, were we doing some tests here? Were these shots across the bow to - is there any relationship at all? 

Mark Dehus: Yeah, I'd say these attacks seem like they are just the forefront of some future attacks that could come. They were definitely very successful in terms of the impact that they had. And so it is concerning that those actors, other actors have observed the success of these voice attacks - could be targeting other services and other providers. 

Dave Bittner: What are your recommendations for organizations to dial in their - the appropriate amount of risk management here when it comes to how much of an investment should they make towards blocking DDoS attempts here? Any words of wisdom there? 

Mark Dehus: Yeah, sure. I mean, that's always a - that's a challenge where it's something that's, you know, unique to that individual organization and their trade-offs. In general, I'd recommend, you know, having a DDoS mitigation service in place for key services that are business-critical, or if not, having one that is capable of being turned up very quickly. We at Lumen have been working hard to make our DDoS services - the provisioning fully automated. And we do emergency turn-ups in very quick time frames. And so that, to me, is key because extortion-based DDoS attacks, letters could come in at any time. And, you know, actors can be threatening. Well, that sure is a nice service you have there. It would be a shame if something happened to it on your most important business day on this week. 

Dave Bittner: Right. 

Mark Dehus: We could, you know, make that not happen if you send us this much bitcoin to this address or doing the same thing while an attack is actually active and having a business impact. And so it's far much better to at least be prepared and know, what are you going to do in those circumstances and who are you going to work with and how are you going to mitigate that attack without having to go, you know, pay the ransom? 

Dave Bittner: Where do you suppose we're headed with this? Do you suspect that the DDoS attacks will continue to grow in size and folks like you will keep pace with them, or are there ways that we - this may become something that, you know, we look back on and say, well, remember when those things used to happen? 

Mark Dehus: (Laughter) It's always hard to predict the future. 

Dave Bittner: Yeah. 

Mark Dehus: My speculation with it would be, yeah, I mean, obviously, DDoS attacks and those trends are going to continue, but we've been seeing a lot of the less sophisticated actors realize, hey, I could actually make money at this. And so more extortion type of attacks and those sorts of type attacks continuing in the coming year, if I had to guess, in something that we'd see as being more of a trend, and especially towards the services not typically attacked, right? Just as we as a corporate business look for ways we can be differentiated, we're seeing actors and DDoS actors in particular try to find ways that they can differentiate themselves from the types of attacks they launch as well as the degree of success they can have in getting an extortion payment out of those things. 

Dave Bittner: That's Mark Dehus from Lumen's Black Lotus Labs. 

Dave Bittner: And I'm pleased to be joined once again by Andrea Little Limbago. She's the vice president of research and analysis at Interos. You know, I wanted to touch today on sort of the regulatory things that are going on globally, touching on some of the different spheres - hardware, software, restrictions on trade, who's allowed to have what and different people's telecommunication systems. Seems to me like there's a lot of action in this area right now, and you're a good person to touch base with on this. What's on your radar right now? 

Andrea Little Limbago: Yeah, it is. And it's one of those things that - it comes out almost like dripping from different places here and there, but when you start looking at the whole picture, it becomes fairly overwhelming and obvious that there are major changes going on - and to the point that it really is the area where we're seeing industrial policy making a very big comeback over the course of this, you know, last two years and really will continue going forward. And what that means, you know, for those of us in the cybersecurity community, it's really the industrial policy is focused on that technology and the software, the hardware and just trusted technologies within your own ecosystems. It's really become quite a prominent tool to help ensure that, almost to the point where - I know we've talked a lot about, you know, the weaponization of cyber, and that is something that garnered a ton of discussion for a while and almost is taken for granted now. We're seeing the same thing starting to happen evolve in trade policy as it pertains to technologies. So just a good example of that would be there's a tech partnership called the quad, which is India, Japan, Australia and U.S., really focused on helping create more resilient and trusted technologies, collaboration and networks across those countries. And I think that that's just one of several instances that we're seeing. 

Andrea Little Limbago: And then even just within the U.S., there's a huge whole-of-government approach from DOD, Treasury, Commerce, State Department, FCC all focused on sharing trusted technologies that are within the supply chain and within the ecosystem both of the government, the government's providers and then within U.S. companies as well. And even just sort of a good example is just Commerce alone has basically - on their denial list has over 300 different Chinese companies that are part of that. And we hear a lot about, you know, Huawei, perhaps ZTE. But when you get to - when you start thinking about it, it's really that broad to - everything from, like, drone makers to surveillance companies. It's a whole range of technology that - technological companies that are under there. 

Dave Bittner: Yeah. And, I mean, it has the potential to really be a serious tension there with - I mean, so much of our stuff, the stuff we rely on day to day - I'm looking at my mobile device, my iPhone. You know, these things - they come out of China. And it's not like we can just switch to a different nation to provide those, you know, by turning a dial. 

Andrea Little Limbago: No. And I think that's where it's going to be - you know, something to keep an eye on is, on the one hand, where does it make sense to maintain those ties? - because I think that any kind of - you know, there's too many just interdependencies - right? - to do a complete divide. But at the same time, there is going to have to be - you know, based on just the regulatory framework and how everything is evolving, you know, companies really do need to think about what their plan is to deal with these regulations so they're not in compliance problems. But also there are national security issues that come along with it as well. 

Andrea Little Limbago: The government has talked about funding some aspects of this because the rip and - especially for telecoms, the rip and replace is in the billions by estimates. I mean, it's - and you think about some of the small companies. And that's just going to be very, very hard. So there is a focus on the government providing various kinds of funding for that. But at the same time, it - while it is going to be a big investment, it's almost a necessity, at least the way the regulatory framework is evolving right now. 

Andrea Little Limbago: You know, Australia recently released their list of core technologies that they're focusing on. And basically, a fundamental belief within those technologies is focusing on collaboration with like-minded nations. And that's a term that you're going to just continue to hear. We've heard it a fair amount, but we're going to keep hearing that as far as - really, what it means - you know, the like-minded nations - those are the alliance of the democracies, really. 

Andrea Little Limbago: What may fall into a democracy then becomes the next question based on various criteria and so forth because, you know, there are different - like, you know, Australia, for instance, has the anti-encryption law, right? And so how does that play into, you know, basic data security for those companies in the U.S.? So there are going to be a lot of interesting, you know, conflicts within democracies themselves as we try and figure out what that trusted network may look like. And... 

Dave Bittner: Yeah. 

Andrea Little Limbago: In its case, you know, China's doing something very similar. It basically has a strategy to lay out to replace U.S. and foreign technology with their own. 

Dave Bittner: And I suppose, I mean, along with that are going to come ramping up manufacturing capabilities within various nations as well. I mean, you know, you mentioned rip and replace. I mean, you can only do that so fast. 

Andrea Little Limbago: Right. And that's why you can't do it alone. And I think that's the key thing that gets lost in a lot of these conversations - that it really does take a community. And this is where I try and focus on the notion of collective resilience, where we actually need to - you know, we need to be working together. We cannot be doing all this alone. We're all too interdependent. It doesn't make sense financially for efficiency, for resilience, for so many different reasons. So we need to identify those areas where, you know, comparative advantage exists and leverage those. And that's where, hopefully, you know, we continue to have more of these discussions, you know, at the governmental level. But I would even argue at the private sector level, within the kind of private sector do both now across, you know, with their peers for companies, but also across with - or down within their supply chain because there are things that the companies themselves can also do across their entire supply chain to help incentivize, encourage their own suppliers to adhere to some of these trusted technology and security protocols. And we really just haven't taken a holistic view on that on how to really create greater collective resilience in this area for the government and for the private sector. So I think there's going to be a lot of interesting things going on there over the next year. 

Dave Bittner: Yeah. All right, well, Andrea Little Limbago, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.